From adb31e832d9ad27025e0d428fa2ecac6e5862d1a Mon Sep 17 00:00:00 2001
From: Demian Katz
Date: Wed, 3 Jan 2024 14:33:05 -0500
Subject: [PATCH] Implement new authentication mechanism.
---
 config/vufind/Folio.ini | 4 +++
 module/VuFind/src/VuFind/ILS/Driver/Folio.php | 27 +++++++++++++++++--
 .../src/VuFindTest/ILS/Driver/FolioTest.php | 1 +
 3 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/config/vufind/Folio.ini b/config/vufind/Folio.ini
index a424cd8faa3..c01be78a427 100644
--- a/config/vufind/Folio.ini
+++ b/config/vufind/Folio.ini
@@ -16,6 +16,10 @@ debug_get_requests = false
 ; any real/sensitive data before including it in tests!
 ;json_log_file = "/usr/local/vufind/local/cache/folio.json"
+; If set to true, the driver will use the legacy /authn/login method instead of the
+; more secure /auth/login-with-expiry method introduced in the Poppy release.
+legacy_authentication = true
+
 [IDs]
 ; Which FOLIO ID is VuFind using as its internal bibliographic ID?
 ; Options:
diff --git a/module/VuFind/src/VuFind/ILS/Driver/Folio.php b/module/VuFind/src/VuFind/ILS/Driver/Folio.php
index 625d8392d5c..eb718d5dc1b 100644
--- a/module/VuFind/src/VuFind/ILS/Driver/Folio.php
+++ b/module/VuFind/src/VuFind/ILS/Driver/Folio.php
@@ -864,6 +864,16 @@ protected function getDueDate($itemId, $showTime)
 return '';
 }
+ /**
+ * Should we use the legacy authentication mechanism?
+ *
+ * @return bool
+ */
+ protected function useLegacyAuthentication(): bool
+ {
+ return $this->config['API']['legacy_authentication'] ?? false;
+ }
+
 /**
 * Support method to perform a username/password login to Okapi.
 *
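Review bot: The new comment in config/vufind/Folio.ini names the replacement endpoint as `/auth/login-with-expiry`, but the driver in this same commit posts to `/authn/login-with-expiry`; the line should read `; more secure /authn/login-with-expiry method introduced in the Poppy release.`. The shipped value is `true`, while `useLegacyAuthentication()` falls back to `false` when the key is absent. A site whose local Folio.ini predates this setting therefore moves to the new endpoint on upgrade, while a fresh copy of this file stays on the legacy one. The comment should state that difference and say that `false` is the setting to move to once the FOLIO back end supports it.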
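Review bot: `useLegacyAuthentication()` in Folio.php declares a `bool` return but hands back the raw config value, and the FolioTest fixture in this commit supplies that value as the string `'true'`. Whether the string is coerced or rejected depends on a `strict_types` declaration that is not visible in the hunk. Under coercion any non-empty string, including a quoted `"false"`, selects the legacy endpoint. Consider normalising explicitly with `return filter_var($this->config['API']['legacy_authentication'] ?? false, FILTER_VALIDATE_BOOLEAN);`, and note in the docblock that a missing key means the non-legacy method.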
@@ -874,12 +884,13 @@ protected function getDueDate($itemId, $showTime)
 */
 protected function performOkapiUsernamePasswordAuthentication(string $username, string $password): Response
 {
+ $newMethod = !($this->config['API']['legacy_authentication'] ?? false);
 $tenant = $this->config['API']['tenant'];
 $credentials = compact('tenant', 'username', 'password');
 // Get token
 return $this->makeRequest(
 method: 'POST',
- path: '/authn/login',
+ path: $this->useLegacyAuthentication() ? '/authn/login' : '/authn/login-with-expiry',
 params: json_encode($credentials),
 debugParams: '{"username":"...","password":"..."}'
 );
@@ -895,7 +906,19 @@ protected function performOkapiUsernamePasswordAuthentication(string $username,
 */
 protected function extractTokenFromResponse(Response $response): string
 {
- return $response->getHeaders()->get('X-Okapi-Token')->getFieldValue();
+ if ($this->useLegacyAuthentication()) {
+ return $response->getHeaders()->get('X-Okapi-Token')->getFieldValue();
+ }
+ $folioUrl = $this->config['API']['base_url'];
+ $cookies = new \Laminas\Http\Cookies();
+ $cookies->addCookiesFromResponse($response, $folioUrl);
+ $results = $cookies->getAllCookies();
+ foreach ($results as $cookie) {
+ if ($cookie->getName() == 'folioAccessToken') {
+ return $cookie->getValue();
+ }
+ }
+ throw new \Exception('Could not find token in response');
 }
 /**
diff --git a/module/VuFind/tests/unit-tests/src/VuFindTest/ILS/Driver/FolioTest.php b/module/VuFind/tests/unit-tests/src/VuFindTest/ILS/Driver/FolioTest.php
index fb8d09c1fe4..f0b1cb9b9f8 100644
--- a/module/VuFind/tests/unit-tests/src/VuFindTest/ILS/Driver/FolioTest.php
+++ b/module/VuFind/tests/unit-tests/src/VuFindTest/ILS/Driver/FolioTest.php
@@ -58,6 +58,7 @@ class FolioTest extends \PHPUnit\Framework\TestCase
 'tenant' => 'config_tenant',
 'username' => 'config_username',
 'password' => 'config_password',
+ 'legacy_authentication' => 'true',
 ],
 ];
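Review bot: The added `$newMethod` assignment at the top of `performOkapiUsernamePasswordAuthentication()` is never read in the lines shown; the `path:` argument already decides through `$this->useLegacyAuthentication()`. Drop the line so the legacy/new decision lives in one place and cannot drift from the helper. The function returns on the `makeRequest()` call and its closing brace lies outside the hunk, so nothing after it should depend on the variable.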
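Review bot: In `extractTokenFromResponse()` the two branches fail differently when the login response carries no token. The cookie path throws a bare `\Exception`, while the legacy path calls `getFieldValue()` on whatever `get('X-Okapi-Token')` returned and would presumably stop with an error if the header is missing. Check the header lookup before dereferencing it and throw the same exception from both paths, ideally a more specific type than `\Exception` so callers can tell an authentication failure from other errors. The cookie name should be compared strictly, `if ($cookie->getName() === 'folioAccessToken') {`. Only the token value is returned, so any code outside this hunk that caches it has no expiry to go on; that looks worth a follow-up given the endpoint is `login-with-expiry`.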
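Review bot: Adding `'legacy_authentication' => 'true'` to the FolioTest fixture keeps the existing tests on the old header-based path, so nothing in this commit exercises the new cookie branch of `extractTokenFromResponse()` or the `/authn/login-with-expiry` path selection. A second fixture with the flag off would cover both the success case and the exception, given one response that carries a `folioAccessToken` cookie and one that does not. The fixture would also match production input better with a real boolean or whatever value the INI reader actually produces; which of those applies cannot be seen from the hunk.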