#!/usr/bin/perl

# Copyright 2007 LibLime
#
# This file is part of Koha.
#
# Koha is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# Koha is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Koha; if not, see <https://www.gnu.org/licenses>.
#

use Modern::Perl;

use CGI      qw ( -utf8 );
use C4::Auth qw/check_api_auth get_session/;
use XML::Simple;

my $query = CGI->new;

# The authentication strategy for the biblios web
# services is as follows.
#
# 1. biblios POSTs to the authenticate API with URL-encoded
# form parameters 'userid' and 'password'.  If the credentials
# belong to a valid user with the 'editcatalogue' privilege,
# a session cookie is returned and a Koha session created.  Otherwise, an
# appropriate error is returned.
# 2. For subsequent calls to the biblios APIs, the user agent
# should submit the same session cookie.  If the cookie is
# not supplied or does not correspond to a valid session, the API
# will redirect to this authentication API.
# 3. The session cookie should not be (directly) sent back to the user's
# web browser, but instead should be stored and submitted by biblios.

my $csrf_token;
my ( $status, $cookie, $sessionID ) = check_api_auth( $query, { editcatalogue => 'edit_catalogue' } );
if ( $status eq "ok" ) {
    $csrf_token = Koha::Token->new->generate_csrf( { session_id => scalar $sessionID } );
} else {
    my $session = C4::Auth::get_session("");
    $session->param( 'ip',          $session->remote_addr() );
    $session->param( 'lasttime',    time() );
    $session->param( 'sessiontype', 'anon' );
    $session->param( 'interface',   'api' );
    $session->flush();
    $sessionID = $session->id();
    $cookie    = $query->cookie(
        -name     => 'CGISESSID',
        -value    => $sessionID,
        -HttpOnly => 1,
        -secure   => ( C4::Context->https_enabled() ? 1 : 0 ),
        -sameSite => 'Lax'
    );
    $csrf_token = Koha::Token->new->generate_csrf( { session_id => scalar $sessionID } );
}
print $query->header( -type => 'text/xml', cookie => $cookie, -'CSRF-TOKEN' => $csrf_token );
print XMLout( { status => $status }, NoAttr => 1, RootName => 'response', XMLDecl => 1 );
