Uploaded image for project: 'SimplyE 2.0'
  1. SimplyE 2.0
  2. SIMPLY-2342

Prohibit multiple discovery mechanisms with the same URL

XMLWordPrintable

    • S21 SIMPLY Oct 1 - Oct 15, S22 SIMPLY Oct 16 - Oct 30

      Per Slack conversation in Library Simplified / #development

      It's possible to create several discovery mechanisms for the same URL. You can then register your circulation manager multiple times and end up with different shared secrets for the same library (only one of which will work).

      On the library registry side, we can't distinguish "I'm registering this library again through a second discovery mechanism for the same URL" (a case we don't want to support) from "I'm registering again because I lost my shared secret, but you know it's me because I still control the server URL" (a case we do want to support).

      ok, just to get it straight in my head, i think this is what happened
      we've got two library registries
      one of them has Montgomery registered with an old-style shared secret
      we go into the second one and register Montgomery
      the circulation manager goes to the library registry and says "hi, I'm Montgomery, I don't have a shared secret"
      the library registry checks for a library registered under the https://montgomery URL and doesn't find one
      if a shared secret had been provided, the library registry would have looked for that, found the http://montgomery registration, and updated the URL
      but no shared secret was provided, and the URL didn't match, so the library registry thought this was a brand new library
      if the URL had matched, the library registry would have verified your ownership of http://montgomery and updated the shared secret (rather than creating a new library). at that point the second "library registry" integration would have the correct shared secret and the first "library registry" integration would have out-of-date data
      we want to avoid both of those cases
      the change needs to happen on the circulation manager side because there are some cases that are identical to this from the library registry's perspective, but we want them to happen
      the obvious one is that we have to support more than one library, and you need to be able to register a library without already knowing a shared secret
      the other one is that if you lose your shared secret but you still control the URL, you can get a new secret by refreshing your registration, no harm done

            leonardrichardson Leonard Richardson [X] (Inactive)
            risawolf Risa Wolf
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: