edge-sip2 returns "valid patron password" field in 64 message even with password validation turned off
Description
CSP Request Details
1. Describe issue impact on business
The server will attempt to validate a password even if the verification is set to off, and will populate the "valid password" field with the result, causing some software to return a failed login.
2. What institutions are affected? (field “Effected Institutions” in Jira to be populated)
Those running the Meescan self-check software.
3. What is the workaround if exists?
Unknown.
4. What areas will be impacted by fix (i.e. what areas need to be retested)
Patron password verification.
5. Brief explanation of technical implementation and the level of effort (in workdays) and technical risk (low/medium/high)
This is a relatively small change. Essentially, it is not going to populate a returned field if the 'verification required' setting is not populated.
6. Brief explanation of testing required and level of effort (in workdays). Provide test plan agreed with by QA Manager and PO.
Test ability to self-check with Meescan software with patron password verification disabled.
7. What is the roll back plan in case the fix does not work?
Use previous version.
CSP Rejection Details
None
Potential Workaround
None
Checklist

Kurt Nordstrom February 26, 2025 at 6:56 PM
I'll add the details today

Tim Auger February 26, 2025 at 5:20 PM
Great! Can you add the corresponding CSP request details and I will take it to the release team to request backporting to a CSP.

Kurt Nordstrom February 19, 2025 at 10:31 PM
I don't have any issues with that.

Tim Auger February 19, 2025 at 10:20 PM
We have a customer that wants this in a Q CSP. Do you have any issues with that? If not, can I ask you to fill in the CSP request fields and I will take care of the rest?

Anya October 28, 2024 at 2:11 PM
Support: in case you did not see my message 3.2.8 CSP is fine with us.
Done
Created August 28, 2024 at 9:02 PM
Updated February 26, 2025 at 9:55 PM
Resolved October 22, 2024 at 9:59 AM
When processing a 63 (Patron Information) message, the edge-sip2 server attempts to validate the patron password even with the setting "patronPasswordVerificationRequired": false in the acsTenantConfig configuration entry, and even if the 63 message does not include an AD (patron password) field. The resulting 64 (Patron Information Response) message contains the field CQN (valid patron password: no). This can cause Meescan self-check software to return a “Login Failed” message to the user, although no actual login is required to return the Patron Information Response. How this affects other self-check vendors is unknown.

The standard is not clear on what the expected behavior is (CQ is an optional field in the Patron Information Response), but it seems sensible that if patronPasswordVerificationRequired is false and the patron password is not included in the 63 message, there should be no attempt to validate the password and the CQ field should probably be omitted.
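
A retest check for the behavior described above, as an added example that is not edge-sip2 code: it parses a captured 63/64 pair and reports when CQ comes back although verification is off and no AD was sent. The function names and sample messages are constructed for illustration, and the fixed header lengths are assumed from the SIP2 message layout.

```python
# Added example: not edge-sip2 code. Header lengths assumed from the SIP2 layout.
HEADER_LEN = {
    "63": 2 + 3 + 18 + 10,          # code, language, transaction date, summary
    "64": 2 + 14 + 3 + 18 + 6 * 4,  # code, patron status, language, date, six counts
}


def parse_fields(message):
    """Return (message code, {field id: value}) for a 63 or 64 message."""
    message = message.rstrip("\r\n")
    code = message[:2]
    if code not in HEADER_LEN:
        raise ValueError(f"unsupported message code {code!r}")
    fields = {}
    # Variable-length fields are "|"-terminated and start with a 2-char id.
    for chunk in message[HEADER_LEN[code]:].split("|"):
        if len(chunk) >= 2:
            fields[chunk[:2]] = chunk[2:]
    return code, fields


def cq_violation(request, response, verification_required):
    """Describe the reported behavior if the pair shows it, else return None."""
    req_code, req = parse_fields(request)
    resp_code, resp = parse_fields(response)
    if (req_code, resp_code) != ("63", "64"):
        raise ValueError("expected a 63 request and a 64 response")
    # Only the case the issue names: verification off AND no AD in the 63.
    if not verification_required and "AD" not in req and "CQ" in resp:
        return f"CQ{resp['CQ']} returned although verification is off and no AD was sent"
    return None


# Constructed sample messages (institution, patron and date are made up).
DATE = "20240828" + "    " + "210200"
REQ_NO_AD = "63" + "001" + DATE + " " * 10 + "AOinst|AA12345|"
REQ_WITH_AD = REQ_NO_AD + "ADsecret|"
RESP_FIXED = ("64" + " " * 14 + "001" + DATE + "0000" * 6
              + "AOinst|AA12345|AEJane Doe|BLY|")
RESP_BUGGY = RESP_FIXED + "CQN|"

if __name__ == "__main__":
    for name, resp in (("buggy", RESP_BUGGY), ("fixed", RESP_FIXED)):
        print(name, "->", cq_violation(REQ_NO_AD, resp, verification_required=False))
```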