allows SymphonyClient to operate without the guests UserID and PIN

[whereismyjetpack]

No description provided.

[whereismyjetpack]

Instead of taking the guests userID from symphony, we get it from the REMOTE_USER variable. This will get set by Apache in qa/stage/prod. locally we can put this in with something like

https://addons.mozilla.org/en-US/firefox/addon/modheader-firefox/

SymphonyClient was modified to use it's own credentials instead of ones supplied by the symphony callback.

Instead of logging in and returning the current user, we login as "staff" and then lookup remote_user, and return that.

This PR introduces two new configuration parameters
Settings.symws.username and Settings.symws.password We'll provide test accounts for developers to use.

TODO

• test barred accounts
• test user logged in, but not in symphony (djb44)
• create test accounts for developer use
• configure non production servers with mod_openidc, and protect all paths
• any other testing that may need to take place.

[whereismyjetpack]

I return nil in the symphony service if a patron isn't in the database, or if the webservice doesn't return nil. i should probably return {} or a Hash with a useful message?

I made the request header configurable, and while I was at it allowed some settings to be configurable from the environment (this allows a much easier kubernetes config, etc) some of the other settings may want to be overridden in the same way..

This is still very much a WIP, but we've got a pretty good working config now.

[banukutlu]

Just noting this here so to remember when testing:

Barred can't do anything
Delinquent can do anything
Blocked can renew and place holds only
Collection is the same as Blocked

Any of them should be able to update address

[whereismyjetpack]

This code is running at https://myaccount-qa.dev.k8s.libraries.psu.edu (it's not being automatically deployed or anything, but i wanted an isolated place to test this)

This deployment is using the MYACCOUNT user that was created for myaccount, there's still some work to be done, i'd like to bubble up more friendly error messages instead of redirecting to /500, for one. I will get those credentials over to @banukutlu and @cdmo safely by next week.

[whereismyjetpack]

Based off of our conversation in Teams yesterday, I coded up a crude "masquerade" feature.

I Introduced a new Settings value of admin_users if the remote_user is in that list, and they initially login with the query parameter of ?masquerade=abc123 they will be switched to that user. If this is a useful feature, we could potentially expose it in the UI or something, but this gets Ruth unstuck from testing

Previously, when calling logout, it would redirect to the home page, now that the web-server is enforcing authentication, it would just log you right back in. I coded up a crude logout view, so that the session doesn't get reinstated.

[banukutlu]

Just noting this here so to remember when testing:

Barred can't do anything
Delinquent can do anything
Blocked can renew and place holds only
Collection is the same as Blocked

Any of them should be able to update address

@ruthtillman Have you been able to test with different accounts?

[ruthtillman]

Yes, I have been able to test all of these!

[banukutlu]

I think we can add an exclude for SymphonyClient to https://github.com/psu-libraries/myaccount/blob/main/.rubocop.yml

[banukutlu]

yes, we can redirect to a custom error page for this case as you mentioned @whereismyjetpack, we can add that in a later PR 👍 I will add an issue for that. I think it is good for now, we all would love to see this PR deployed.

[banukutlu]

LGTM 👌 🎉 thanks @whereismyjetpack 🍻