passport-mediawiki does not set oauth_token
Closed, ResolvedPublic

Description

(The npm page for passport-mediawiki links to Phabricator but we don't seem to have a component for it so I'll just use OAuth for the time being.)

See T112635 for details.

Event Timeline

Tgr raised the priority of this task from to Needs Triage.
Tgr updated the task description.
Tgr added subscribers: Tgr, Milimetric, Vrghost1.

This is roughly what I'm using:

var express = require( 'express' );
var session = require( 'express-session' );
var passport = require( 'passport' );

var MediaWikiStrategy = require( 'passport-mediawiki-oauth' ).OAuthStrategy;

passport.use( new MediaWikiStrategy( {
		baseURL: 'http://localhost/',
		consumerKey: 'consumer key here',
		consumerSecret: 'consumer secret here'
	},
	function ( token, tokenSecret, profile, done ) {
		return done( null, profile );
	}
) );

passport.serializeUser( function ( user, done ) {
	done( null, user );
} );

passport.deserializeUser( function ( user, done ) {
	done( null, user );
} );

var app = express();

app.use( session( {
	secret: 'secret',
	resave: false,
	saveUninitialized: false
} ) );

app.use( passport.initialize() );
app.use( passport.session() );

function test( req, res ) {
	if ( req.user === undefined ) {
		res.send( 'not logged in<br><a href="./login?next=' + req.path + '">loginnext</a>' );
	} else {
		res.send( 'logged in as ' + req.user.displayName + '<br><a href="./logout?next=' + req.path + '">logoutnext</a>' );
	}
}

app.get( '/', test );

app.get( '/login', function ( req, res, next ) {
	req.session.next = req.query.hasOwnProperty( 'next' ) ? req.query.next : undefined;
	next();
}, passport.authenticate( 'mediawiki' ) );

app.get( '/oauth-callback', passport.authenticate( 'mediawiki' ), function ( req, res ) {
	res.redirect( req.session.hasOwnProperty( 'next' ) ? req.session.next : '/' );
} );

app.get( '/logout', function ( req, res ) {
	req.logout();
	res.redirect( req.query.hasOwnProperty( 'next' ) ? req.query.next : '/' );
} );

app.listen( 5000 );

So have been looking into this issue, and as far as I can tell the issue seems to be that passport-mediawiki-oauth does not pick up the oauth token it should receive from
/index.php?title=Special%3AOAuth%2Finitiate

Not certain if that is because it does not get the response or if that is because it can't read it.
Looking at what does come back, I think it gets an oauth_signature, not certain if this is the oauth_token, it's the only data that changes.

I decoded the data by just putting params in a for loop, but not certain why it gets quot;
Got quot;oob data
Got quot;,oauth_consumer_key data
Got quot;449c71620457972e86ef20e083ccb87b data
Got quot;,oauth_nonce data
Got quot;u7s5XhbhxZnaq2ga9ozxY17NdbS9CcME data
Got quot;,oauth_signature_method data
Got quot;HMAC-SHA1 data
Got quot;,oauth_timestamp data
Got quot;1442585187 data
Got quot;,oauth_version data
Got quot;1.0 data
Got quot;,oauth_signature data
Got quot;xgYRgEpfmfcOLevbtlXJv7QWOf8= data

@Ricordisamoa: Tried that, seems to have the same issue. No oauth_token once it gets to that stage.
Which version of mediawiki and oauth are you using?
MediaWiki 1.24.1
PHP 5.4.16 (apache2handler)
No version information on Oauth

MediaWiki 1.26alpha (59ebff6)
Node.js v4.1.0
OAuth (0c62441)

Please read T71499.

There is one other thing that is surprising me.
The default setting for passport (yours and the other one) seems to assume that they should initiate against index.php. But if I do that it breaks (well, more that it is already broken), will try upgrading it to 1.25 and see if that makes any difference.

@Ricordisamoa: As a test, would it be possible for you to point your app to my wiki at
http://v-ghost.port0.org:8081/dbfswiki/
Just to see if it works (it's a development system). Especially if you pick up an oauth_token.

I have just upgraded to 1.25, and implemented oauth, and that's it currently.
If you email me at bengtbj@gmail.com I can set you up with a user id as well.

One step forward, a few steps sideways?

So managed to move this forward over the weekend, and at least I now know that the initiation works, kind of. It calls the right address; below are the request and response:

>> Request { port: 80,
>>   path: '/dbfswiki/index.php',
>>   host: 'industryedge.dbfsknowledge.com',
>>   method: 'POST',
>>   headers: 
>>    { authorization: 'OAuth oauth_callback="oob",oauth_consumer_key="677c8153822eef68cb6da88378d13122",oauth_nonce="Z95MjhjzOnZ3B35UkeoZuOH09oiOIaxA",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1442833671",oauth_version="1.0",oauth_signature="WqZaFzQYnq3%2Brch0%2Bi2d2KZEsKM%3D"',
>>      host: 'industryedge.dbfsknowledge.com',
>>      accept: '*/*',
>>      connection: 'close',
>>      'user-agent': 'Node authentication',
>>      'content-length': 32,
>>      'content-type': 'application/x-www-form-urlencoded' },
>>   body: 'title=Special%3AOauth%2Finitiate' }
>> Response { statusCode: 200,
>>   headers: 
>>    { server: 'nginx',
>>      date: 'Mon, 21 Sep 2015 11:07:50 GMT',
>>      'content-type': 'text/plain;charset=UTF-8',
>>      'content-length': '68',
>>      connection: 'close',
>>      vary: 'Accept-Encoding',
>>      'x-content-type-options': 'nosniff',
>>      expires: 'Thu, 01 Jan 1970 00:00:00 GMT',
>>      'cache-control': 'no-cache, no-store, max-age=0, must-revalidate',
>>      pragma: 'no-cache' },
>>   trailers: {},
>>   httpVersion: '1.1',
>>   url: '',
>>   method: null,
>>   body: 'Error: An error occurred in the OAuth protocol: Invalid consumer key' }

So, it thinks the consumer key is incorrect. I then checked the debug log and found the following two lines, where it looks like it ignores the consumer key when it looks for the key. Any suggestions?

[OAuth] MediaWiki\Extensions\OAuth\SpecialMWOAuth::execute: Consumer '' getting temporary credentials
[OAuth] MediaWiki\Extensions\OAuth\SpecialMWOAuth::execute: Exception Invalid consumer key

Start request POST /dbfswiki/index.php
HTTP HEADERS:
HOST: industryedge.dbfsknowledge.com
X-FORWARDED-HOST: industryedge.dbfsknowledge.com
X-FORWARDED-SERVER: industryedge.dbfsknowledge.com
X-FORWARDED-FOR: 109.147.224.82
FORWARDED-REQUEST-URI: /dbfswiki/index.php
HTTP-X-FORWARDED-PROTO: http
HTTPS: off
X-FORWARDED-PROTO: http
X-FORWARDED-SSL: off
CONNECTION: close
CONTENT-LENGTH: 32
ACCEPT: */*
USER-AGENT: Node authentication
CONTENT-TYPE: application/x-www-form-urlencoded
[caches] main: EmptyBagOStuff, message: SqlBagOStuff, parser: SqlBagOStuff
[caches] LocalisationCache: using store LCStoreCDB
Unstubbing $wgParser on call of $wgParser::setHook from registerEmbedDocumentHandler
Parser: using preprocessor: Preprocessor_DOM
Fully initialised
Connected to database 0 at localhost
Connected to database 0 at localhost
IP: 109.147.224.82
Query dbfswiki (1) (slave): SELECT /* SqlBagOStuff::getMulti 109.147.224.82 */  keyname,value,exptime  FROM `objectcache`   WHERE keyname = 'dbfswiki:messages:en'
MessageCache::load: Loading en... got from global cache
Gadget::loadStructuredList: MediaWiki:Gadgets-definition parsed, cache entry dbfswiki:gadgets-definition:7 updated
Unstubbing $wgLang on call of $wgLang::_unstub from ParserOptions::__construct
[OAuth] MediaWiki\Extensions\OAuth\MWOAuthRequest::fromRequest: Post String = Special:Oauth/initiate
[OAuth] MediaWiki\Extensions\OAuth\MWOAuthRequest::fromRequest: parameters:
Array
(
    [title] => Special:Oauth/initiate
)
**

> [OAuth] MediaWiki\Extensions\OAuth\SpecialMWOAuth::execute: Consumer '' getting temporary credentials
> [OAuth] MediaWiki\Extensions\OAuth\SpecialMWOAuth::execute: Exception Invalid consumer key

**
LoadBalancer::reuseConnection: this connection was not opened as a foreign connection
Query dbfswiki (2) (slave): BEGIN /* DatabaseBase::query (JobQueueDB::doGetSiblingQueuesWithJobs) 109.147.224.82 */
Query dbfswiki (3) (slave): SELECT /* JobQueueDB::doGetSiblingQueuesWithJobs 109.147.224.82 */  DISTINCT job_cmd  FROM `job`   WHERE job_cmd IN ('refreshLinks','refreshLinks2','htmlCacheUpdate','sendMail','enotifNotify','fixDoubleRedirect','uploadFromUrl','AssembleUploadChunks','PublishStashedFile','null','synchroniseThreadArticleData','renameUser','createPdfThumbnailsJob','SMW\\UpdateJob','SMW\\RefreshJob','SMW\\UpdateDispatcherJob','SMW\\DeleteSubjectJob','SMWUpdateJob','SMWRefreshJob')
LoadBalancer::reuseConnection: this connection was not opened as a foreign connection
Request ended normally
Vrghost1 claimed this task.

After a lot of faffing about, I managed to get around the issue by doing a fresh install to 1.25.2.
Do not think I can get it running in 1.24 at all. Seems like lack of error messages that made sense to me was the actual reason.
For anyone else that has this issue:

If it is a private wiki, you have to set up Whitelist to include OAuth, the code did not pick that up (not certain it should, just that that took me quite a while to realise) (And yes, kind of obvious now).

$wgWhitelistRead = array('Special:OAuth' );

Memcache is required, and older version of OAuth does not give an error message providing that info (newer does)

Thanks everyone for your time, sorry if I wasted some of it, it was not my intention.

> Thanks everyone for your time, sorry if I wasted some of it, it was not my intention.

On the contrary, your help in figuring this out is very much appreciated.

> If it is a private wiki, you have to set up Whitelist to include OAuth

So this is a passport-mediawiki bug where it should report an HTTP 403 error but does not?

I think a 403 would have been more useful as that error message would have pointed me in the right direction a lot quicker.
Also as I can't think of a scenario where oauth:initiate would be called other than server to server, so getting the login screen seems wrong.
Don't know if pages can have custom read access denied behaviour though?
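
An added example, not part of this thread and not code from passport-mediawiki-oauth: one way a client could classify the reply to the Special:OAuth/initiate request so that an "Error: ..." body or an HTML login page is reported as such instead of surfacing later as a missing oauth_token. The function name `classifyInitiateResponse` is hypothetical, and the success format is assumed to be the form-encoded reply of RFC 5849 section 2.1.

```javascript
'use strict';

// Classify the reply to an OAuth 1.0a temporary-credentials request
// (Special:OAuth/initiate in this thread). Hypothetical helper, not a
// passport or passport-mediawiki-oauth API.
function classifyInitiateResponse( statusCode, contentType, body ) {
	var text = String( body || '' ).trim();
	var type = String( contentType || '' ).toLowerCase();

	if ( statusCode < 200 || statusCode > 299 ) {
		return { ok: false, reason: 'http-status', detail: String( statusCode ) };
	}
	// The wiki in this thread answered 200 text/plain with an "Error: ..." body.
	if ( /^error:/i.test( text ) ) {
		return { ok: false, reason: 'provider-error', detail: text.replace( /^error:\s*/i, '' ) };
	}
	// A read-restricted wiki can answer with its HTML login page instead.
	if ( type.indexOf( 'html' ) !== -1 || /^<(!doctype|html)/i.test( text ) ) {
		return { ok: false, reason: 'html-page', detail: 'got an HTML page, not credentials' };
	}
	// Assumption: a successful reply is form-encoded (RFC 5849 section 2.1).
	var params = new URLSearchParams( text );
	var token = params.get( 'oauth_token' );
	var secret = params.get( 'oauth_token_secret' );
	if ( !token || !secret ) {
		return { ok: false, reason: 'missing-token', detail: 'no oauth_token/oauth_token_secret in body' };
	}
	return { ok: true, token: token, tokenSecret: secret };
}

// Constructed sample replies; the second body is the one quoted in the thread.
var samples = [
	[ 200, 'text/plain', 'oauth_token=tok123&oauth_token_secret=sec456&oauth_callback_confirmed=true' ],
	[ 200, 'text/plain;charset=UTF-8', 'Error: An error occurred in the OAuth protocol: Invalid consumer key' ],
	[ 200, 'text/html; charset=UTF-8', '<!DOCTYPE html><html><body>Login required</body></html>' ],
	[ 200, 'text/plain', '' ]
];

samples.forEach( function ( s ) {
	console.log( JSON.stringify( classifyInitiateResponse( s[ 0 ], s[ 1 ], s[ 2 ] ) ) );
} );
```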