Stuff I noticed while doing T254947: Security Review Request for WikimediaApiPortalOAuth Extension
[DONE] 1. Config default
Fixed by https://gerrit.wikimedia.org/r/639946
"WikimediaApiPortalOAuthMetaRestURL": { "value": "", "description": "URL to rest.php on Meta" }
If that's to meta... You might as well just set it in extension.json and override (if needed for beta) as appropriate, rather than setting it in CommonSettings/InitialiseSettings.php later. "extensions should have sane config defaults". Also, there's no validation that this is actually set anywhere. Setting a default that isn't "" would probably fix that requirement
[DONE] 2. Confirm-email message
The extra "joining" text was removed.
"wikimediaapiportaloauth-email-not-confirmed": "Thanks for joining Wikimedia! Before you can create your first API client, please [[Special:ConfirmEmail|confirm your email address]]."
"joining Wikimedia"? Feels oddly worded. "joining the Wikimedia Movement" or something might make more sense
3. OAuth admins link
"wikimediaapiportaloauth-ui-client-status-proposed-help": "Before your client can be authorized by other users, it must be reviewed and approved by Wikimedia OAuth admins.",
Wikimedia OAuth admins feels like it should be linked to somewhere
4. Credentials doc link
"wikimediaapiportaloauth-ui-client-secret-alert": "Save these credentials securely. You won't be able to access them again through the API Portal.",
Seems ripe for a link for some documentation, like in wikimediaapiportaloauth-ui-client-field-confidential. Maybe also mention they can be reset.
5. Extension description
"wikimediaapiportaloauth-desc": "Enables users of the Wikimedia API Portal to create and manage OAuth clients remotely",
Remotely? Feels an odd choice of words, when all the wikis are hosted "remotely". "on wikis that aren't Meta" would make more sense, but still sounds odd
6. Status help messages
"wikimediaapiportaloauth-ui-client-status-proposed": "Approval pending",
"wikimediaapiportaloauth-ui-client-status-proposed-help": "Before your client can be authorized by other users, it must be reviewed and approved by Wikimedia OAuth admins.",
"wikimediaapiportaloauth-ui-client-status-rejected": "Rejected",
"wikimediaapiportaloauth-ui-client-status-expired": "Expired",
"wikimediaapiportaloauth-ui-client-status-disabled": "Disabled",
"wikimediaapiportaloauth-ui-client-status-approved": "Approved",
Why does only proposed have a -help message? Seems worthwhile to document them all...
7. Term clarification
"wikimediaapiportaloauth-ui-client-field-account-type-bot": "API token: Call the API with a personal token tied to your Wikimedia account.",
What is a Wikimedia account? What is a personal token? (Maybe give more information as to what this is actually used for)
[DONE] 8. Extension version
"version": "",
This should be used or removed from extension.json
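As an added example (not code from the extension or from this review), a small Python lint that checks an extension.json fragment for the two things raised in items 1 and 8: a URL-typed config key whose default is "" (or is not an absolute https URL), and an empty "version". The sample JSON below is constructed from the fragments quoted above; the corrected Meta rest.php URL used in the second sample is an assumption.

```python
import json
from urllib.parse import urlparse

# Constructed sample modelled on the extension.json fragments quoted in this task.
# The "WikimediaApiPortalOAuthMetaRestURL" and "version" entries are the ones under
# review; the surrounding keys are an assumption about the file's shape.
SAMPLE_EXTENSION_JSON = """
{
  "name": "WikimediaApiPortalOAuth",
  "version": "",
  "config": {
    "WikimediaApiPortalOAuthMetaRestURL": {
      "value": "",
      "description": "URL to rest.php on Meta"
    }
  }
}
"""

# Same file with a non-empty default and a version set. The URL is an assumed
# value for illustration, not taken from the extension.
FIXED_EXTENSION_JSON = """
{
  "name": "WikimediaApiPortalOAuth",
  "version": "1.0.0",
  "config": {
    "WikimediaApiPortalOAuthMetaRestURL": {
      "value": "https://meta.wikimedia.org/w/rest.php",
      "description": "URL to rest.php on Meta"
    }
  }
}
"""


def check_url_default(key, value):
    """Return a finding for a URL-typed config default, or None if it looks sane.

    An empty default means every request built from it targets a relative or
    invalid URL unless site config remembers to override it; a non-https or
    host-less default is flagged for the same reason.
    """
    if value == "":
        return f"{key}: default is empty; nothing validates that this is set later"
    parts = urlparse(value)
    if parts.scheme != "https" or not parts.netloc:
        return f"{key}: default {value!r} is not an absolute https URL"
    return None


def lint_extension_json(text):
    """Lint an extension.json string and return a list of finding strings."""
    data = json.loads(text)
    findings = []

    # Item 8: "version": "" is neither used nor removed.
    if "version" in data and not data["version"]:
        findings.append("version: empty string; use it or remove the key")

    # Item 1: config keys that carry a URL should ship a real default.
    for key, spec in data.get("config", {}).items():
        value = spec.get("value") if isinstance(spec, dict) else spec
        desc = spec.get("description", "") if isinstance(spec, dict) else ""
        if key.endswith("URL") or "URL" in desc:
            finding = check_url_default(key, value)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in lint_extension_json(SAMPLE_EXTENSION_JSON):
        print(line)
    print("fixed sample findings:", lint_extension_json(FIXED_EXTENSION_JSON))
```

Running it against the constructed sample reports both the empty version and the empty URL default; against the corrected sample it reports nothing. The URL heuristic (key name ending in "URL" or a description mentioning one) is deliberately simple, since extension.json config entries carry no type information beyond the description.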
9. Permissions clarification
"wikimediaapiportaloauth-ui-client-field-permissions-read": "Read-only",
"wikimediaapiportaloauth-ui-client-field-permissions-read-write": "Read/write",
Writing to what? What counts as a write action?
10. JS fallback
Tracked in T256697
There's also no no-JS fallback... I know we've discussed it for other related work/extensions, and it isn't a high priority... But potentially stuff TODO down the line.