Page MenuHomePhabricator
Create Task
Maniphest T126257

The API should not require CSRF tokens for an OAuth request
Open, LowestPublic
Actions

Description

OAuth uses the Authentication header, not cookies, so it's not vulnerable to CSRF attacks. Requiring extra token lookup requests from apps using OAuth is unnecessary extra complexity.

Related Objects

Event Timeline

Tgr created this task.Feb 8 2016, 7:19 PM
Tgr raised the priority of this task from to Needs Triage.
Tgr updated the task description. (Show Details)
Tgr added projects: MediaWiki-Action-API, MediaWiki-extensions-OAuth.
Tgr added subscribers: Tgr, csteipp, Anomie.
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptFeb 8 2016, 7:19 PM
Krenair subscribed.Feb 8 2016, 7:24 PM
zhuyifei1999 subscribed.Feb 8 2016, 7:25 PM
zhuyifei1999 mentioned this in T125779: pywikibot OAuth should properly handle expired tokens, instead of endless loop..Feb 8 2016, 7:44 PM
Ricordisamoa subscribed.Feb 8 2016, 7:51 PM
Anomie added a comment.Feb 8 2016, 9:24 PM

I'm inclined to decline this: requiring the CSRF tokens doesn't hurt anything besides an extra round-trip once to fetch the token and a few bytes to send it, and it's likely to be much more complex[1] to sometimes require them and sometimes not than it is to just always require them.

I also note that clients that support both OAuth and non-OAuth authentication (e.g. anything that wants to support non-WMF wikis too) will have to already have to have the code for handling the tokens, so it's not even likely to save them anything.

[1]: Specifically, much more complex in the code that actually checks that the token is valid. And unnecessary complexity in security code is generally considered bad.

Anomie moved this task from Unsorted to Non-core-API stuff on the MediaWiki-Action-API board.Feb 9 2016, 2:24 PM
Tgr triaged this task as Lowest priority.Mar 7 2017, 3:52 AM
Tgr merged a task: T170438: Edit token should not be required when an Authorization (OAuth) header is present.Jul 12 2017, 4:46 PM
Tgr added a subscriber: dbarratt.
Tgr mentioned this in T172033: Decide how RESTBase proxies of Action API modules should deal with CSRF tokens.Jul 29 2017, 10:41 AM
Tgr mentioned this in T223239: REST API Parameter Validation.May 26 2019, 5:37 PM
dbarratt added a subscriber: EvanProdromou.Jun 14 2019, 6:28 PM

@EvanProdromou ran into this one again today. :)

dbarratt mentioned this in T232176: Enable cross-origin resource sharing (CORS) for requests in Core REST API.Sep 10 2019, 11:20 PM
Tgr mentioned this in T232692: Should MediaWiki stop storing sessions on the server?.Sep 8 2020, 12:53 AM
dbarratt mentioned this in T245474: CORS not enabled for OAuth 2.0 .Sep 8 2020, 7:24 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:03 PM
Nikerabbit subscribed.Jul 23 2021, 1:14 PM

I have spend a day debugging CSRF failures when making edits using OAuth... it seems that for some reason MediaWiki doesn't persist those sessions. In any case, if there was no CSRF token requirement, this wouldn't be an issue.

Tgr added a comment.Jul 28 2021, 12:13 AM

They should be persisted the same way normal sessions are.

Nikerabbit added a comment.Jul 28 2021, 7:09 AM

Just briefly not to derail this task: My problem was fixed by removing $wgPHPSessionHandling = 'disable'; (I suppose I had it enabled in earlier attempts to resolve lost session issues). Not sure why PHP session handling is deprecated in the 1.27 release notes.

Tgr added a comment.Jul 28 2021, 8:05 PM

In theory PHP session handling is not needed (assuming none of your other code tries to directly interact with PHP sessions - there's a warning mode for the variable to log when that happens) and degrades performance. We never tried to disable it for Wikimedia wikis so that should be taken with a grain of salt though.

Enterprisey subscribed.Sep 2 2021, 7:33 AM
Tgr mentioned this in T322944: Allow authenticated requests via OAuth to the Action API from any origin.Nov 21 2022, 5:21 AM
TuukkaH subscribed.Jun 29 2023, 3:22 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits