Page MenuHomePhabricator
Create Task
Maniphest T72059

Update mediawiki.api for new API token handling
Closed, ResolvedPublic
Actions

Description

See I2793a3f2dd64a4bebb0b4d065e09af1e9f63fb89. Current method (action=tokens) will still work, but emits deprecation notices.

Details

Reference
bz70059
SubjectRepoBranchLines +/-
Update mw.Api so it uses new token handlingmediawiki/coremaster+24 -6
mediawiki.api: Use action=query&meta=tokens instead of action=tokensmediawiki/coremaster+69 -28
Customize query in gerrit

Related Objects
Search...

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 3:29 AM
bzimport added a project: MediaWiki-JavaScript.
bzimport set Reference to bz70059.
bzimport added a subscriber: Unknown Object (MLST).
Legoktm created this task.Aug 26 2014, 7:32 PM
matmarex edited projects, added MediaWiki-General, JavaScript; removed MediaWiki-JavaScript.Dec 31 2014, 10:15 PM
Liuxinyu970226 subscribed.Feb 19 2015, 11:30 PM
He7d3r updated the task description. (Show Details)Jun 24 2015, 4:48 PM
He7d3r added a project: good first task.
He7d3r set Security to None.
m4tx claimed this task.Jul 8 2015, 11:49 AM
gerritbot subscribed.Jul 8 2015, 4:02 PM

Change 223572 had a related patch set uploaded (by M4tx):
Update mw.Api so it uses new token handling

https://gerrit.wikimedia.org/r/223572

gerritbot added a project: Patch-For-Review.Jul 8 2015, 4:02 PM
Ricordisamoa subscribed.Jul 8 2015, 4:27 PM

See also https://gerrit.wikimedia.org/r/166872 and https://gerrit.wikimedia.org/r/175667

Ricordisamoa added a comment.Jul 12 2015, 9:58 AM

Not good first task IMNSHO.

Krinkle updated the task description. (Show Details)Oct 21 2015, 3:41 AM
Krinkle removed a project: JavaScript.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 21 2015, 3:41 AM
Krinkle removed m4tx as the assignee of this task.Oct 21 2015, 3:42 AM
Krinkle raised the priority of this task from Medium to High.
Krinkle merged a task: T74094: mw.api.getToken should not use deprecated api.php?action=tokens.
Krinkle updated the task description. (Show Details)
Krinkle edited projects, added MediaWiki-Action-API, JavaScript; removed MediaWiki-General.
Krinkle removed a subtask: T74094: mw.api.getToken should not use deprecated api.php?action=tokens.
Krinkle added subscribers: Anomie, He7d3r, Krenair and 2 others.
Krinkle removed a subscriber: wikibugs-l-list.

Raising priority because this is causing problems with newer token types not supported in the hardcoded list of the now-deprecated action=tokens API.

See T88044 and https://gerrit.wikimedia.org/r/242050, in which getToken("rollback"); fails.

Per @Anomie (T74094#1470837), we need to know what was wrong with https://gerrit.wikimedia.org/r/166872 (rMWaacdb664a10d: mediawiki.api: Use action=query&meta=tokens instead of action=tokens) so that we can resolve this bug.

Krinkle added a parent task: T88044: Make rollback use POST instead of GET (use AJAX in GUI).Oct 21 2015, 3:44 AM
Legoktm added a comment.Oct 21 2015, 5:59 AM
In T72059#1741013, @Krinkle wrote:

Per @Anomie (T74094#1470837), we need to know what was wrong with https://gerrit.wikimedia.org/r/166872 (rMWaacdb664a10d: mediawiki.api: Use action=query&meta=tokens instead of action=tokens) so that we can resolve this bug.

The problem was that it hardcoded specific core token types, so extension API endpoints that should use csrf with meta=tokens broke.

Anomie moved this task from Unsorted to Non-core-API stuff on the MediaWiki-Action-API board.Oct 21 2015, 1:25 PM
Anomie added a comment.Oct 21 2015, 1:39 PM

Chances are that the JS code can look at /w/api.php?action=paraminfo&modules=tokens|query+tokens and assume that anything accepted by action=tokens but not by action=query&meta=tokens should be mapped to "csrf".

As for "userrights" and "rollback", the old versions of those were accessed via action=query&list=users&ustoken=userrights and action=query&prop=revisions&rvtoken=rollback, respectively. Getting rid of that oddity was one of the reasons for new token handling.

BTW, if you know the module in question (e.g. "block" or "flow+close-open-topic"), you can fetch the token type needed from action=paraminfo.

Krinkle claimed this task.Oct 26 2015, 8:56 PM
Krinkle removed projects: Patch-For-Review, good first task.
Krinkle added a project: Performance-Team.
Krinkle moved this task from Inbox, needs triage to Doing (old) on the Performance-Team board.
gerritbot added a comment.Nov 3 2015, 12:46 AM

Change 250601 had a related patch set uploaded (by Krinkle):
[WIP] mediawiki.api: Use action=query&meta=tokens instead of action=tokens

https://gerrit.wikimedia.org/r/250601

gerritbot added a project: Patch-For-Review.Nov 3 2015, 12:46 AM
Krinkle added a comment.Nov 4 2015, 7:34 PM
In T72059#1742196, @Anomie wrote:

Chances are that the JS code can look at /w/api.php?action=paraminfo&modules=tokens|query+tokens and assume that anything accepted by action=tokens but not by action=query&meta=tokens should be mapped to "csrf".

Proposed change https://gerrit.wikimedia.org/r/250601 has a hardcoded legacy map for the built-in ApiToken types: 'edit', 'delete', 'protect', 'move', 'block', 'unblock', 'email', 'import', 'options'.

For en.wikipedia.org (Types in ApiTokens that are not in ApiQueryTokens):

"centralauth",

For meta.wikimedia.org:

"aggregategroups",
"centralauth",
"groupreview",
"translatesandbox",
"translationreview",
"translationstash",
  • centralauth: Not needed. This token type is deprecated and can't be migrated because it is conceptually incompatible with the new token system in MediaWiki because it requires session-based token generation that is cached somewhere (not based on simple salts). Its replacement is a separate action API that is already in production. Once callers via mediawiki.api are updated we can go ahead without it.
  • Translate extension (all others): Not needed. It implements both old types for older MediaWiki versions and uses standard csrf type for current MediaWiki. However it doesn't support compatibility with clients. Its APIs is only consumed by the front-end of the extension. It supports the old tokens only if the MediaWiki install is MediaWiki 1.24 or earlier. It registers both token hooks, but only the new one works (since ApiBase no longer uses getTokenSalt, so it only validates csrf for Translate APIs). I've recommend Nikerabbit to only register the old hook in the old install to avoid confusion.

Searching through all Wikimedia Git repositories I find no other extensions using the deprecated ApiTokensGetTokenTypes hook.

Krinkle moved this task from Doing (old) to Blocked (old) on the Performance-Team board.Nov 4 2015, 8:17 PM
Nikerabbit closed subtask T117797: Translate extension should not depend on deprecated ApiTokens module as Resolved.Nov 18 2015, 5:34 PM
gerritbot added a comment.Nov 20 2015, 1:57 AM

Change 250601 merged by jenkins-bot:
mediawiki.api: Use action=query&meta=tokens instead of action=tokens

https://gerrit.wikimedia.org/r/250601

ReleaseTaggerBot added projects: MW-1.27-release (WMF-deploy-2015-12-08_(1.27.0-wmf.8)), MW-1.27-release-notes.Nov 20 2015, 2:00 AM
Krinkle closed this task as Resolved.Nov 20 2015, 5:23 AM
Krinkle removed a project: Patch-For-Review.
Liuxinyu970226 unsubscribed.Nov 21 2015, 11:43 AM
Krinkle moved this task from Blocked (old) to Doing (old) on the Performance-Team board.Aug 5 2016, 1:20 AM
gerritbot added a comment.Nov 20 2017, 7:50 AM

Change 223572 abandoned by Legoktm:
Update mw.Api so it uses new token handling

Reason:
Implemented in 298cf413dbc3fa4ee750758e7272ca401da4862c

https://gerrit.wikimedia.org/r/223572

Aklapper removed subscribers: Anomie, TrevorParscal.Oct 16 2020, 5:41 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits