git.evergreen-ils.org Git - Evergreen.git/commit

author	Bill Erickson <berick@esilibrary.com>
	Tue, 8 Oct 2013 19:52:12 +0000 (15:52 -0400)
committer	Mike Rylander <mrylander@gmail.com>
	Thu, 31 Jul 2014 12:15:16 +0000 (08:15 -0400)
commit	1143fc881dd4f4cefeb643c6cc80f046739c1346
tree	766322e7c3f56da0a0bcb6aad31b23fb2ffc8942	tree
parent	e46f3323b4acb152d666b92c0ba5f4442b9ac2c0	commit \| diff

LP#1348731: Optional Auth login nonce to differentiate same-username logins

If multiple login attempts are made using the same username within a
very short period of time, a race condition exists where, upon
completion of the first login, the auth init cache data for any pending
logins are removed, since there can only be one instance of cached init
data per username.

This adds support for allowing the caller to pass in a random string
which is added to the cache key as a way to differentiate between logins
using the same username.

The seed is passed into auth init as an optional secondary parameter
and passed again (via the "nonce" argument) to auth complete to ensure
consistent cache keys across both interactions.

Example:

my $nonce = rand($$);

my $seed = request(
    'open-ils.auth',
    'open-ils.auth.authenticate.init', $username, $nonce );

my $response = request(
    'open-ils.auth',
    'open-ils.auth.authenticate.complete',
    {
        username => $username,
        password => md5_hex($seed . md5_hex($password)),
        type     => 'opac',
        nonce    => $nonce
    }
);

The race condition has been observed with the SIP2 gateway when
multiple devices have been configured to use the same account.

Signed-off-by: Bill Erickson <berick@esilibrary.com>
Signed-off-by: Galen Charlton <gmc@esilibrary.com>
Signed-off-by: Mike Rylander <mrylander@gmail.com>