Page MenuHomePhabricator
Create Task
Maniphest T252591

REST API endpoints give confusing errors for invalid OAuth2 access tokens
Open, LowPublic
Actions

Description

When calling a REST endpoint and supplying an OAuth2 access token, if the access token is invalid, the caller receives a "403 Permission Denied" with details of "rest-read-denied".

This can be reproduced by executing:

curl -v -H "Content-Type: application/json" -H "authorization: Bearer this-is-aninvalid-token" https://en.wikipedia.beta.wmflabs.org/w/rest.php/coredev/v0/page/Barack_Obama

This occurs regardless of the wiki's configuration settings, and no possible configuration settings will fix this. This is unhelpful, because it does not point the caller to the actual cause of the error (invalid access token), and instead implies that permissions are at fault.

What actually happens in that the MWOAuthSessionProvider plumbing, in this case, creates an anonymous user with absolutely no rights, not even the rights normally associated with the anonymous user. The REST API endpoints then check for the “read” right via isReadAllowed, and that check fails. https://gerrit.wikimedia.org/g/mediawiki/core/+/7ac4ec51cc0608366b4873bf892770af4d6b7f20/includes/Rest/BasicAccess/BasicRequestAuthorizer.php#34

The mediawiki debug log contains “MediaWiki\Extensions\OAuth\MWOAuthSessionProvider::getAllowedUserRights: No provider metadata, returning no rights allowed”. This is slightly less unhelpful, but not much.

More helpful would be to return an error indicating that the access token was invalid.

Details

SubjectRepoBranchLines +/-
Add new hook RestApiBeforeExecuteHandlermediawiki/coremaster+47 -6
Call new hook RestApiBeforeExecuteHandler on exceptionmediawiki/extensions/OAuthmaster+7 -3
Customize query in gerrit

Related Objects

Event Timeline

BPirkle created this task.May 12 2020, 7:56 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 12 2020, 7:56 PM
Tgr subscribed.May 12 2020, 8:12 PM

Presumably this is because the REST endpoint was not integrated with MWOAuthSessionProvider::makeException.

BPirkle added a project: Platform Team Initiatives (MW REST API in PHP).May 12 2020, 8:16 PM
BPirkle added a project: Platform Engineering.May 12 2020, 8:28 PM
eprodromou triaged this task as Medium priority.May 12 2020, 8:38 PM
eprodromou edited projects, added Platform Team Workboards (Clinic Duty Team); removed Platform Engineering.
eprodromou moved this task from Inbox to Ready (WIP:5) on the Platform Team Workboards (Clinic Duty Team) board.
BPirkle claimed this task.May 14 2020, 6:36 PM
BPirkle moved this task from Ready (WIP:5) to Doing(WIP:5) on the Platform Team Workboards (Clinic Duty Team) board.
BPirkle added a comment.May 15 2020, 2:32 AM

Thank you @Tgr . I confirmed this locally by putting this little snippet in rest.php, and I got a much happier message:

try {
	$main = new ApiMain();
	Hooks::run( 'ApiBeforeMain', [ &$main ] );
	EntryPoint::main();
} catch ( Throwable $e ) {
	wfHttpError( 500, 'Exception', $e->getMessage() );
}

Clearly, this code is not suitable for production for several reasons. Among other things, creating an empty ApiMain just to run the hook is silly.

This is my first experience with ApiBeforeMain, so there may be context I'm missing. It would be straightforward to create a new hook for use by the REST API and give it parallel treatment in MWOAuthSessionProvider::makeException. But that feels a little messy. Is there something cleaner you'd suggest?

Tgr added a comment.May 15 2020, 2:41 PM

The fundamental issue here is that the session is initialized in Setup.php, which is outside of the main try..catch block of the API and so the exception would not go through the usual error logging / output formatting logic. So one option is to make that logic not rely on the try block and register it early as the PHP error handler; but it's probably easy to get into service dependency loops that way.

Other than that, I'm not sure what could be changed. If we rely on the exception being thrown inside the main try..catch block, it has to be caught soon enough that the catching code knows how to intelligently handle it (by setting up an empty anonymous session). The exception could be left to bubble up all the way to the caller of SessionManager::getSessionForRequest and handled there, but that doesn't really seem cleaner.

So probably the only thing I'd change were to move makeException to a helper method available to any session provider. CentralAuthTokenSessionProvider also uses it, and it would be needed by any other provider where failure to authenticate means no access instead of anonymous user access.

gerritbot added a comment.May 19 2020, 11:20 PM

Change 597370 had a related patch set uploaded (by BPirkle; owner: BPirkle):
[mediawiki/core@master] Add new hook RestApiBeforeExecuteHandler

https://gerrit.wikimedia.org/r/597370

gerritbot added a project: Patch-For-Review.May 19 2020, 11:20 PM

Change 597372 had a related patch set uploaded (by BPirkle; owner: BPirkle):
[mediawiki/extensions/OAuth@master] Call new hook RestApiBeforeExecuteHandler on exception

https://gerrit.wikimedia.org/r/597372

BPirkle added a comment.May 19 2020, 11:50 PM

Uploaded patch to integrate a new hook - RestApiBeforeExecuteHandler - with the Core REST API infrastructure. I introduced a new hook because ApiBeforeMain requires an ApiMain instance, and ApiMain isn't used by the Core REST API infrastructure.

Uploaded a separate patch to use the new hook in the OAuth extension.

I did not introduce a helper function for makeException based on the Rule of Three, but that's a good suggestion to keep in mind if this comes up again.

Still to do: update CentralAuth to use the new hook. Thought I'd get feedback on the first two patches before creating that one.

daniel moved this task from Doing(WIP:5) to Waiting for Review on the Platform Team Workboards (Clinic Duty Team) board.Aug 18 2020, 9:36 PM
Pchelolo subscribed.Sep 4 2020, 2:45 PM

I have issues with this approach. Copied from gerrit:

Alternatively to a hook you could add a new field in the SessionInfo, store error in there and then check for it in MWBasicAuthorizer. Approach with the hook sucks cause the session initialization code indirectly needs to know about what is using it afterwards. The existence of this patch is a demonstration of the problem with the hook approach. I won't veto merging this, but I think there's opportunity for improvement here. Basically you abuse the hook system for passing around the information - the registration of the hook handler serves as a way to pass an error flag.

BPirkle moved this task from Waiting for Review to Ready (WIP:5) on the Platform Team Workboards (Clinic Duty Team) board.EditedSep 17 2020, 7:59 PM

This needs more attention based on comments from reviewers. Moving back to "Ready" until I start working on this again, to more accurately reflect its current status.

AMooney moved this task from Ready (WIP:5) to Later on the Platform Team Workboards (Clinic Duty Team) board.Mar 16 2021, 5:32 PM
BPirkle removed BPirkle as the assignee of this task.Nov 9 2021, 9:30 PM

Removing myself as assignee, as I am not actively working on this.

WMDE-leszek subscribed.Jul 4 2022, 9:37 PM
Tgr merged a task: T327610: MediaWiki REST API framework returns wrong error on OAuth validation failure.Jan 23 2023, 4:07 AM
Tgr mentioned this in T238852: Exceptions from MWOAuthSessionProvider are not being thrown for the REST API.
Tgr merged a task: T238852: Exceptions from MWOAuthSessionProvider are not being thrown for the REST API.
Tgr added a project: MediaWiki-REST-API.
Tgr added a subscriber: Anomie.
Anomie unsubscribed.Feb 1 2023, 1:52 PM
Pppery edited projects, added Patch-Needs-Improvement; removed Patch-For-Review.Apr 9 2023, 7:54 PM
Tgr mentioned this in T340919: OAuth requests to MediaWiki endpoints not supporting OAuth should be rejected.Jul 3 2023, 1:00 AM
aaron added a project: MW-Interfaces-Team.Feb 1 2024, 4:40 PM
EBernhardson subscribed.Feb 1 2024, 5:47 PM

It seems like the problem here is code that runs prior to endpoint specific code needs a generic way to inform the output layer that what error has occured. Today what we are doing is registering hook handlers for each specific output layer, and throwing different output specific exceptions.

An idea could be a collector we register to the service container. Anything running too-early in the system could add it's errors there. Each endpoint would query it during their own initialization. After querying it the collector would disable itself (throw exceptions) on future attempts to register errors to prevent registering errors too-late in the request. Could call it SetupErrorCollector or some such.

Tgr added a comment.Feb 1 2024, 10:54 PM
In T252591#9507023, @EBernhardson wrote:

An idea could be a collector we register to the service container. Anything running too-early in the system could add it's errors there. Each endpoint would query it during their own initialization. After querying it the collector would disable itself (throw exceptions) on future attempts to register errors to prevent registering errors too-late in the request. Could call it SetupErrorCollector or some such.

+1, I was thinking along the same lines when this came up previously (but then forgot about it).

FJoseph-WMF lowered the priority of this task from Medium to Low.Mar 19 2024, 6:24 PM
FJoseph-WMF moved this task from Incoming (Needs Triage) to Backlog (Triaged and Ready) on the MW-Interfaces-Team board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL