
OAuth-authorised editing to log with the respective editor's IP address, and review user agent details
Closed, ResolvedPublic

Description

tl;dr
Please change OAuth-authorised edits from logging as 127.0.0.1 to logging as that of the editor; and consider better UA logging.

Long story
Following a tutorial session with @csteipp to stewards about the OAuth approval process; for the stewards I ran a checkuser test on myself on Wikidata. I have edits there utilising one of Magnus's tools.

The CU result showed the edits as coming from 127.0.0.1. Such a result is less than ideal, especially were a block to be made including IP address, as presumably such a block would stop all OAuth applications. Ideally such edits would show in the Checkuser results as

  1. of the IP address of the editor undertaking the edits via the OAuth
  2. with a user agent that clearly identifies the originating browser and the OAuth tool

Initially setting confidential.

Event Timeline

Maniphest changed the visibility from "Public (No Login Required)" to "Custom Policy".Oct 28 2015, 6:57 AM
Maniphest changed the edit policy from "All Users" to "Custom Policy".
Restricted Application added a subscriber: Aklapper.Oct 28 2015, 6:57 AM
Billinghurst updated the task description.
Billinghurst added a project: WMF-NDA.
Billinghurst changed Security from None to Other confidential issue.
Billinghurst edited subscribers, added: Billinghurst, csteipp; removed: Aklapper.

127.0.0.1 is odd-- it should be the IP of the labs server.

To get the actual editor's IP, the OAuth application (e.g., Magnus's tool in this case) would need to pass an X-Forwarded-For header when talking to MediaWiki, and the tool's IP would need to be marked as trusted in the TrustedXFF extension.

Can you point me at the edit that you made, and I'll see if I can track down why it's reporting localhost?
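As an added illustration (not code from MediaWiki, the TrustedXFF extension or Magnus's tools), this is the trusted-proxy walk that the comment above relies on: X-Forwarded-For is honoured hop by hop only while the address that appended it is in the trusted list, so a tool whose IP is not trusted (or any client that sets the header itself) is still logged under its own IP. The trusted networks are constructed for the example.

```python
import ipaddress
from typing import Optional

# Constructed trust list: the hypothetical OAuth tool host (address taken from
# the CU output in this task) plus a hypothetical internal proxy range.
TRUSTED_XFF = {
    ipaddress.ip_network("10.68.18.44/32"),
    ipaddress.ip_network("10.68.17.0/24"),
}


def is_trusted(addr: str) -> bool:
    """True if addr is a valid IP inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_XFF)


def effective_client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """Return the IP a CheckUser-style log should attribute the request to.

    Start from the TCP peer and move leftwards through X-Forwarded-For, but
    only while the hop that supplied the current entry is trusted. The walk
    stops at the first untrusted or malformed hop, which is then reported.
    """
    current = remote_addr
    if not xff_header:
        return current
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # The rightmost XFF entry was appended by the hop nearest to the wiki.
    for hop in reversed(hops):
        if not is_trusted(current):
            break  # an untrusted hop wrote this entry: do not believe it
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: nothing to its left can be trusted
        current = hop
    return current
```

With the tool host trusted, an edit forwarded with `X-Forwarded-For: 203.0.113.7` is attributed to that editor; from an untrusted host the same header is ignored and the tool's own IP is what CheckUser sees.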

Billinghurst added a comment.EditedOct 30 2015, 10:20 AM

Hmm, there are both 10.x.x.x and 127.0.0.1

127.0.0.1 (block) (02:48, 7 August 2015 -- 01:50, 29 October 2015) [55] (~583164 from all users)
10.68.18.44 (block) (14:50, 26 August 2015 -- 14:52, 26 August 2015) [12] (~1189008 from all users)
  • check for one week only gives this snippet among the morass

    Billinghurst (talk | contribs | block) (Check) (00:43, 28 October 2015 -- 01:50, 29 October 2015) [5] (checkuser) 127.0.0.1 curl/7.35.0
  • A check on the IP address shows

    [xxxxxxxxxxx] (talk | contribs | block) (Check) (18:42, 31 August 2015 -- 20:54, 31 August 2015) [24] 10.68.18.44 widar

I didn't find my actual use, one of many and it actually only gave results for 31 August for "get users"

A check of my use at Commons, shows edits within 10.68.17.0/24 and 10.68.18.0/24, nothing for 127.0.0.1, though it does display 127.0.0.1 edits (all curl) through the general user space. Similar results showing on meta, though more plentiful (again nothing for me personally).

So it is unknown to me whether it is OAuth related or not for the edits within 127.0.0.1; however, there are edits showing at WD for me at that IP, and the only editing that I know that I do is via browser and the use of Magnus's

www.wikidata.org/w/index.php?title=User:Magnus Manske/authority control.js

When I check enWS I see minimal edits (MediaWiki message delivery ), stating curl; similarly check of meta shows similar, though

The tools do identify themselves with specific user agents, so we can scrap that component from my (ill-informed) commentary.

@Trijnstel, to note that I temporarily gave myself CU rights at Commons to check my edits and to investigate this matter further.
@Elfix

Tgr added a subscriber: Tgr.Mar 7 2017, 4:05 AM

See also {T159785}.

Tgr added a comment.Mar 7 2017, 11:07 PM

Filed T159889 to support this better on the OAuth side.

Bawolff closed this task as Resolved.Feb 27 2018, 12:06 AM
Bawolff added a subscriber: Bawolff.

So the issue of it logging 127.0.0.1 seems fixed now based on comments.

And the issue of we should use user IP not the tool's IP is T159889.

With that in mind, I think this bug should be marked resolved and made public.

Bawolff changed the visibility from "Custom Policy" to "Public (No Login Required)".Feb 27 2018, 12:06 AM
Bawolff changed the edit policy from "Custom Policy" to "All Users".