edge-sip2 returns "valid patron password" field in 64 message even with password validation turned off

Description

When processing a 63 (Patron Information) message, the edge-sip2 server attempts to validate the patron password even with the setting "patronPasswordVerificationRequired": false in the acsTenantConfig configuration entry, and even if the 63 message does not include an AD (patron password) field. The resulting 64 (Patron Information Response) message contains the field CQN (valid patron password: no).

This can cause Meescan self-check software to return a “Login Failed” message to the user, although no actual login is required to return the Patron Information Response. How this affects other self-check vendors is unknown.

The standard is not clear on what expected behavior is (CQ is an optional field in the Patron Information Response), but it seems sensible that if patronPasswordVerificationRequired is false and the patron password is not included in the 63 message, there should be no attempt to validate the password and the CQ field should probably be omitted.

CSP Request Details

1. Describe issue impact on business The server will attempt to validate a password even if the verification is set to off, and will populate the "valid password" field with the result, causing some software to return a failed login. 2. What institutions are affected? (field “Effected Institutions” in Jira to be populated) Those running the Meescan self-check software. 3. What is the workaround if exists? Unknown. 4. What areas will be impacted by fix (i.e. what areas need to be retested) Patron password verification. 5. Brief explanation of technical implementation and the level of effort (in workdays) and technical risk (low/medium/high) This is a relatively small change. Essentially is it not going to populate a returned field of the 'verification required' setting is not populated. 6. Brief explanation of testing required and level of effort (in workdays). Provide test plan agreed with by QA Manager and PO. Test ability to self-check with Meescan software with patron password verification disabled. 7. What is the roll back plan in case the fix does not work? Use previous version.

CSP Rejection Details

None

Potential Workaround

None

Linked issues

is duplicated by

SIP2-228

Patron Information request issues Patron login when patronPasswordVerificationRequired = false

Checklist

hide

Activity

Show:

Kurt Nordstrom February 26, 2025 at 6:56 PM

I'll add the details today

Tim Auger February 26, 2025 at 5:20 PM

Great! can you add the corresponding CSP request details and I will take it to the release team to request backporting to a CSP.

Kurt Nordstrom February 19, 2025 at 10:31 PM

I don't have any issues with that.

Tim Auger February 19, 2025 at 10:20 PM

We have a customer that wants this in a Q CSP. Do you have any issues with that? If not, can I ask you to fill in the CSP request fields and I will take care of the rest?

Anya October 28, 2024 at 2:11 PM

Support: in case you did not see my message 3.2.8 CSP is fine with us.

Done

Details

Assignee

Kurt Nordstrom

Reporter

Wayne Schneider

Labels

support

Priority

Development Team

Siphon

Fix versions

3.3.0

Release

Ramsons (R2 2024)

RCA Group

TBD

Affects versions

3.2.5

TestRail: Cases

Open TestRail: Cases

TestRail: Runs

Open TestRail: Runs

Created August 28, 2024 at 9:02 PM

Updated February 26, 2025 at 9:55 PM

Resolved October 22, 2024 at 9:59 AM

Configure

TestRail: Cases

TestRail: Runs