Skip to content

User authentication in Koha

We’ve been making use of Koha as the library systems at North Harrow Library recently, and overall it’s been a great piece of software. The only real issue is that given that it’s written in Perl, I’ve found it difficult to contribute to the project. To add a few extra elements I’ve been working out how the database works at the backend, and I didn’t find a tutorial detailing how Koha does its user authentication. I’m going to detail it here for anyone else who might be trying to solve a different problem, and though my solution is written in Ruby hopefully it should provide enough information to authenticate Koha users in your language of choice.

Koha uses BCrypt as its encryption mechanism, which is implemented in most languages, making it easy to write a bridge for another application. Quite simply, all you really need to do is search the database for the corresponding user and grab the user’s hashed password, then hash the attempted password and see if they match. I spent about an hour trying to figure out how Koha stores the salt used to hash passwords, but it turns out with BCrypt the salt is stored in the password itself. In fact, Ruby’s BCrypt implementation allows use to use the stored password as the salt field and extracts the relevant portion automatically (you can learn more about how this aspect works here

A sample implementation is as follows:

def self.auth(username, password)

  dataset = DB["SELECT password FROM borrowers WHERE userid = ?", username]
  return false unless dataset.first # handle the case where there's no row for this username and return false
  pw = dataset.first[:password]
  pw == BCrypt::Engine.hash_secret(password, pw) # return true if the database password is the same as the attempted password salted with the stored password and then hashed

end

That’s really it! You can now authenticate users outside of Koha itself.

Published inKoha

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *