Task
Resolution: Done
High
None
S21 SIMPLY Oct 1 - Oct 15, S22 SIMPLY Oct 16 - Oct 30
Per Slack conversation in Library Simplified / #development
It's possible to create several discovery mechanisms for the same URL. You can then register your circulation manager multiple times and end up with different shared secrets for the same library (only one of which will work).
On the library registry side, we can't distinguish "I'm registering this library again through a second discovery mechanism for the same URL" (a case we don't want to support) from "I'm registering again because I lost my shared secret, but you know it's me because I still control the server URL" (a case we do want to support).
—
ok, just to get it straight in my head, i think this is what happened
we've got two library registries
one of them has Montgomery registered with an old-style shared secret
we go into the second one and register Montgomery
the circulation manager goes to the library registry and says "hi, I'm Montgomery, I don't have a shared secret"
the library registry checks for a library registered under the https://montgomery URL and doesn't find one
if a shared secret had been provided, the library registry would have looked for that, found the http://montgomery registration, and updated the URL
but no shared secret was provided, and the URL didn't match, so the library registry thought this was a brand new library
if the URL had matched, the library registry would have verified your ownership of http://montgomery and updated the shared secret (rather than creating a new library). at that point the second "library registry" integration would have the correct shared secret and the first "library registry" integration would have out-of-date data
we want to avoid both of those cases
the change needs to happen on the circulation manager side because there are some cases that are identical to this from the library registry's perspective, but we want them to happen
the obvious one is that we have to support more than one library, and you need to be able to register a library without already knowing a shared secret
the other one is that if you lose your shared secret but you still control the URL, you can get a new secret by refreshing your registration, no harm done
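The registry-side lookup described in the conversation above, together with a circulation-manager-side guard, as an added Python example that is not code from the Library Simplified project. The class and function names, the URL normalization, the fall-through when a supplied secret matches nothing, and the `registry.example` host are assumptions.

```python
import secrets
from urllib.parse import urlsplit

class Registry:
    """Toy model of the registry-side lookup described in the conversation."""
    def __init__(self):
        self.libraries = []                      # dicts: {"url", "secret"}

    def register(self, url, shared_secret=None):
        if shared_secret is not None:            # known secret: find by secret, update URL
            for lib in self.libraries:
                if secrets.compare_digest(lib["secret"], shared_secret):
                    lib["url"] = url
                    return "updated_url", lib["secret"]
        for lib in self.libraries:               # no secret: fall back to URL match
            if lib["url"] == url:                # (ownership check of the URL assumed to pass)
                lib["secret"] = secrets.token_hex(16)
                return "rotated_secret", lib["secret"]
        lib = {"url": url, "secret": secrets.token_hex(16)}
        self.libraries.append(lib)               # neither matched: treated as a new library
        return "created", lib["secret"]

def normalize(url):
    """Assumed comparison key for registry URLs: host lowercased, trailing slash dropped."""
    p = urlsplit(url)
    return (p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/"))

class CirculationManager:
    """Hypothetical CM-side guard: one discovery integration per registry URL."""
    def __init__(self):
        self.integrations = {}                   # normalized registry URL -> shared secret

    def add_integration(self, registry_url):
        key = normalize(registry_url)
        if key in self.integrations:
            raise ValueError("a discovery integration for this registry URL already exists")
        self.integrations[key] = None
        return key

def scenario(library_url):
    """Two integrations for one registry; the second registers without a secret."""
    registry = Registry()
    _, first_secret = registry.register("http://montgomery")   # constructed sample URL
    outcome, _ = registry.register(library_url)                # second integration, no secret
    current = {lib["secret"] for lib in registry.libraries}
    return outcome, len(registry.libraries), first_secret in current
```

`scenario` returns the registry's decision, the number of library records afterwards, and whether the first integration's secret is still valid, which covers both outcomes the conversation wants to avoid.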