
Users should be able to make API requests against some central wikis (e.g. commons, wikidata) as if logged-in, even if they never visited that wiki
Open, Needs Triage, Public

Description

Some wikis serve as "backend", and gadgets make write API requests against them without sending the user there. E.g. one might edit an infobox with WE-Framework which makes a Wikidata edit in the background. There are similar use cases for Commons file uploads. We should make sure this works even if the user never visited that wiki before (and thus has no local user account there and/or is not logged in).

Event Timeline

Tgr created this task.Jun 26 2015, 3:21 AM
Tgr raised the priority of this task from to Needs Triage.
Tgr updated the task description. (Show Details)
Tgr added a subscriber: Tgr.
Restricted Application added a subscriber: Aklapper. Jun 26 2015, 3:21 AM

Isn't this what the centralauthtoken is for?

Tgr added a comment.Jun 26 2015, 3:29 AM

The status quo is that when you first log in (even if you autologin, i.e. visit a wiki where you were not logged in while having a valid global session), CentralAuth creates accounts and logs you in on all English wikis and all multilingual wikis (including Commons and Wikidata). This is considered a bug (T18864). There is a security argument that autologin should not happen at all (T21161). The same account creation does not seem to happen on registration itself, so if a user registers on enwiki and never goes to any other site, they won't have Commons/Wikidata accounts.

We can use $wgCentralAuthAutoCreateWikis to make sure accounts on wikis always exist, but this does not really help, as CORS API requests will still fail (? I think so but haven't tested) because the user does not have a session cookie for the second-level domain belonging to that site.

hoo added a subscriber: hoo.Jun 26 2015, 3:21 PM
Tgr added a comment.Jun 26 2015, 7:43 PM

Isn't this what the centralauthtoken is for?

Huh, forgot about that completely. Does it autocreate the user if needed? It seems like it would. If that's the case then the only thing needed is to make sure people can find out about it more easily and maybe provide a JS library to make it less annoying to gadget writers, something along the lines of mw.Api.postWithToken. (And maybe not change it after every request? That seems a bit awkward.)

Restricted Application added a subscriber: Steinsplitter. Jun 26 2015, 7:43 PM

Yes, it does autocreate if necessary.
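The flow discussed in the comments above (fetch a centralauthtoken from the wiki the user is logged in to, attach it to each cross-domain API request, and let the foreign wiki autocreate the local account on first use), written out as an added example. This is not code from this task or from the CentralAuth extension. It assumes the documented shape of `action=centralauthtoken` (the token is returned as `centralauthtoken.centralauthtoken`), that the foreign wiki accepts the token as the `centralauthtoken` request parameter and needs the `origin` parameter for a CORS request, and that each token is single-use, which is why a fresh one is fetched per foreign request (the "change it after every request" behaviour the comment complains about). The endpoints, the user name, the `transport` abstraction and the `FakeWikis` stand-in are constructed so the flow runs offline; the error codes the stand-in returns are illustrative, not CentralAuth's own.

```javascript
'use strict';

// Constructed endpoints for the example; a real gadget would use the wiki it
// runs on as LOCAL_API and e.g. Wikidata or Commons as FOREIGN_API.
const LOCAL_API = 'https://en.wikipedia.org/w/api.php';
const FOREIGN_API = 'https://www.wikidata.org/w/api.php';
const ORIGIN = 'https://en.wikipedia.org';

// Step 1: ask the wiki the user is logged in to (same origin, so the session
// cookie is sent) for a centralauthtoken.
async function getCentralAuthToken(transport) {
  const resp = await transport.get(LOCAL_API, { action: 'centralauthtoken', format: 'json' });
  const token = resp && resp.centralauthtoken && resp.centralauthtoken.centralauthtoken;
  if (!token) {
    throw new Error('no centralauthtoken in response: ' + JSON.stringify(resp));
  }
  return token;
}

// Step 2: send one request to the foreign wiki. The token is single-use
// (assumption stated in the lead-in), so a fresh one is fetched for every
// foreign request; `origin` is the parameter the API checks for CORS.
async function foreignRequest(transport, method, params) {
  const centralauthtoken = await getCentralAuthToken(transport);
  const resp = await transport[method](FOREIGN_API,
    Object.assign({ format: 'json', origin: ORIGIN, centralauthtoken }, params));
  if (resp && resp.error) {
    throw new Error(FOREIGN_API + ' returned ' + resp.error.code);
  }
  return resp;
}

// Step 3: a postWithToken-style write: fetch a CSRF token on the foreign wiki
// (now acting as the logged-in user), then post the edit with it.
async function foreignPostWithToken(transport, params) {
  const q = await foreignRequest(transport, 'get',
    { action: 'query', meta: 'tokens', type: 'csrf' });
  const csrf = q.query.tokens.csrftoken;
  return foreignRequest(transport, 'post', Object.assign({ token: csrf }, params));
}

// Constructed stand-in for both wikis so the flow runs offline. The error
// codes and the autocreate bookkeeping are this example's own.
class FakeWikis {
  constructor(user) {
    this.user = user;
    this.issued = 0;                 // centralauthtokens handed out
    this.unused = new Set();         // issued but not yet consumed
    this.foreignAccounts = new Set(); // accounts that exist on the foreign wiki
    this.edits = [];
  }
  async get(url, params) { return this.handle(url, params); }
  async post(url, params) { return this.handle(url, params); }
  handle(url, params) {
    if (url === LOCAL_API) {
      if (params.action !== 'centralauthtoken') return { error: { code: 'unexpected' } };
      const token = 'cat-' + (++this.issued);
      this.unused.add(token);
      return { centralauthtoken: { centralauthtoken: token } };
    }
    if (url !== FOREIGN_API) return { error: { code: 'unknown-host' } };
    if (params.origin !== ORIGIN) return { error: { code: 'origin-mismatch' } };
    // No cross-domain session cookie exists: the token is the only credential,
    // and it is consumed on first use, so a replayed token is rejected.
    if (!this.unused.delete(params.centralauthtoken)) return { error: { code: 'badtoken' } };
    this.foreignAccounts.add(this.user); // local account autocreated on first use
    if (params.action === 'query' && params.meta === 'tokens') {
      return { query: { tokens: { csrftoken: 'csrf-token+\\' } } };
    }
    if (params.token !== 'csrf-token+\\') return { error: { code: 'badtoken' } };
    this.edits.push({ user: this.user, action: params.action, id: params.id });
    return { success: 1 };
  }
}

// Example flow: a user who has never visited the foreign wiki sets a label there.
async function runDemo() {
  const wikis = new FakeWikis('ExampleUser');
  const result = await foreignPostWithToken(wikis,
    { action: 'wbsetlabel', id: 'Q42', language: 'en', value: 'Example' });
  return { result, wikis };
}

runDemo().then(({ result, wikis }) => {
  console.log('edit result', result, '| centralauthtokens issued', wikis.issued,
    '| foreign accounts', [...wikis.foreignAccounts]);
});
```

The one write costs two centralauthtoken round trips (one for the CSRF token query, one for the edit), which is the overhead a helper library would hide from gadget authors; the stand-in also shows why a cached token cannot simply be reused.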

Tgr added a comment.Jun 26 2015, 11:58 PM

I wonder if anything became of Brion's proxying suggestion? From a client standpoint it seems much more convenient.

Tgr added a comment.Jul 1 2015, 10:42 PM

the only thing needed is to make sure people can find out about it more easily and maybe provide a JS library to make it less annoying to gadget writers, something along the lines of mw.Api.postWithToken.

T66636 would probably fulfill that role.

The distinction between this report and T104932 seems quite thin.

Tgr added a comment.Jul 18 2015, 9:36 PM

The distinction between this report and T104932 seems quite thin.

This is about API requests, that one is about Special:OAuth.

Tgr renamed this task from Users should be able to make requests against some central wikis (e.g. commons, wikidata) as if logged-in, even if they never visited that wiki to Users should be able to make API requests against some central wikis (e.g. commons, wikidata) as if logged-in, even if they never visited that wiki.Jul 18 2015, 9:36 PM
Tgr set Security to None.