From 02b7b5681b06709c327ba54d7d88afc006c98568 Mon Sep 17 00:00:00 2001
From: Glenn Rice
Date: Sat, 24 Feb 2024 15:08:02 -0600
Subject: [PATCH] Add a configuration option in webwork2.mojolicious.dist.yml for allowing unsecured rpc usage.

The option allow_unsecured_rpc (which defaults to off) allows the html2xml and render_rpc endpoints to be used without cookies, and thus skipping two factor authentication. This should never be enabled for a typical webwork server. This should only be enabled if you want to allow serving content via these endpoints to links in external websites with usernames and passwords embedded in them such as for PreTeXt textbooks.
---
 conf/webwork2.mojolicious.dist.yml | 7 +++++++
 lib/WeBWorK.pm                     | 5 +++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/conf/webwork2.mojolicious.dist.yml b/conf/webwork2.mojolicious.dist.yml
index cb4397297e..106f36b57b 100644
--- a/conf/webwork2.mojolicious.dist.yml
+++ b/conf/webwork2.mojolicious.dist.yml
@@ -239,3 +239,10 @@ debug:
 hardcopy:
   # If 1, don't delete temporary files created when a hardcopy is generated.
   preserve_temp_files: 0
+
+# Set this to 1 to allow the html2xml and render_rpc endpoints to disable
+# cookies and thus skip two factor authentication. This should never be enabled
+# for a typical webwork server. This should only be enabled if you want to
+# allow serving content via these endpoints to links in external websites with
+# usernames and passwords embedded in them such as for PreTeXt textbooks.
+allow_unsecured_rpc: 0
diff --git a/lib/WeBWorK.pm b/lib/WeBWorK.pm
index 7b6c28413a..c9c8480880 100644
--- a/lib/WeBWorK.pm
+++ b/lib/WeBWorK.pm
@@ -91,12 +91,13 @@ async sub dispatch ($c) {
 
 	if ($c->current_route =~ /^(render_rpc|instructor_rpc|html2xml)$/) {
 		$c->{rpc} = 1;
-		$c->stash(disable_cookies => 1) if $c->current_route eq 'render_rpc' && $c->param('disableCookies');
+		$c->stash(disable_cookies => 1)
+			if $c->current_route eq 'render_rpc' && $c->param('disableCookies') && $c->config('allow_unsecured_rpc');
 
 		# This provides compatibility for legacy html2xml parameters.
 		# This should be deleted when the html2xml endpoint is removed.
 		if ($c->current_route eq 'html2xml') {
-			$c->stash(disable_cookies => 1);
+			$c->stash(disable_cookies => 1) if $c->config('allow_unsecured_rpc');
 			for ([ 'userID', 'user' ], [ 'course_password', 'passwd' ], [ 'session_key', 'key' ]) {
 				$c->param($_->[1], $c->param($_->[0])) if defined $c->param($_->[0]) && !defined $c->param($_->[1]);
 			}
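Review bot: Both new guards read `$c->config('allow_unsecured_rpc')` separately and rely on plain Perl truthiness, so an absent key (an existing deployment whose webwork2.mojolicious.yml predates this option) is undef and correctly fails closed, but a non-empty string such as `"no"` or `"false"` typed into the YAML would be true and enable the bypass; whether a bare YAML `false` arrives as a Perl false value depends on the YAML loader in use, which this hunk does not show. A single lexical evaluated once at the top of the branch, e.g. `my $allow_unsecured_rpc = ($c->config('allow_unsecured_rpc') // 0) eq '1';`, used in both `if` modifiers would make the flag strict and remove the duplicated lookup, and the comment added in conf/webwork2.mojolicious.dist.yml could state that only the literal `1` enables it. Since this is the point where two factor authentication is deliberately skipped, a `$c->log->info(...)` emitted when `disable_cookies` is actually set would give operators a record of unsecured RPC use for monitoring. The enclosing `dispatch` sub starts before this hunk and continues after it.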