Page MenuHomePhabricator
Create Task
Maniphest T126257

The API should not require CSRF tokens for an OAuth request
Open, LowestPublic3 Estimated Story Points
Actions

Description

OAuth uses the Authentication header, not cookies, so it's not vulnerable to CSRF attacks. Requiring extra token lookup requests from apps using OAuth is unnecessary extra complexity.

Conditions of acceptance

  • SessionProvider::safeAgainstCsrf() is already set for REST APIs; the work required here is to respect that within the Action API.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
api: don't require CSRF token if using a CSRF-safe SessionProvidermediawiki/coremaster+17 -12
Customize query in gerrit

Related Objects

Event Timeline

Tgr created this task.Feb 8 2016, 7:19 PM
Tgr raised the priority of this task from to Needs Triage.
Tgr updated the task description. (Show Details)
Tgr added projects: MediaWiki-Action-API, MediaWiki-extensions-OAuth.
Tgr added subscribers: Tgr, csteipp, Anomie.
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptFeb 8 2016, 7:19 PM
Krenair subscribed.Feb 8 2016, 7:24 PM
zhuyifei1999 subscribed.Feb 8 2016, 7:25 PM
zhuyifei1999 mentioned this in T125779: pywikibot OAuth should properly handle expired tokens, instead of endless loop..Feb 8 2016, 7:44 PM
Ricordisamoa subscribed.Feb 8 2016, 7:51 PM
Anomie added a comment.Feb 8 2016, 9:24 PM

I'm inclined to decline this: requiring the CSRF tokens doesn't hurt anything besides an extra round-trip once to fetch the token and a few bytes to send it, and it's likely to be much more complex[1] to sometimes require them and sometimes not than it is to just always require them.

I also note that clients that support both OAuth and non-OAuth authentication (e.g. anything that wants to support non-WMF wikis too) will have to already have to have the code for handling the tokens, so it's not even likely to save them anything.

[1]: Specifically, much more complex in the code that actually checks that the token is valid. And unnecessary complexity in security code is generally considered bad.

Anomie moved this task from Unsorted to Non-core-API stuff on the MediaWiki-Action-API board.Feb 9 2016, 2:24 PM
Tgr triaged this task as Lowest priority.Mar 7 2017, 3:52 AM
Tgr merged a task: T170438: Edit token should not be required when an Authorization (OAuth) header is present.Jul 12 2017, 4:46 PM
Tgr added a subscriber: dbarratt.
Tgr mentioned this in T172033: Decide how RESTBase proxies of Action API modules should deal with CSRF tokens.Jul 29 2017, 10:41 AM
Tgr mentioned this in T223239: REST API Parameter Validation.May 26 2019, 5:37 PM
dbarratt added a subscriber: EvanProdromou.Jun 14 2019, 6:28 PM

@EvanProdromou ran into this one again today. :)

dbarratt mentioned this in T232176: Enable cross-origin resource sharing (CORS) for requests in Core REST API.Sep 10 2019, 11:20 PM
Tgr mentioned this in T232692: Should MediaWiki stop storing sessions on the server?.Sep 8 2020, 12:53 AM
dbarratt mentioned this in T245474: CORS not enabled for OAuth 2.0 .Sep 8 2020, 7:24 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:03 PM
Nikerabbit subscribed.Jul 23 2021, 1:14 PM

I have spend a day debugging CSRF failures when making edits using OAuth... it seems that for some reason MediaWiki doesn't persist those sessions. In any case, if there was no CSRF token requirement, this wouldn't be an issue.

Tgr added a comment.Jul 28 2021, 12:13 AM

They should be persisted the same way normal sessions are.

Nikerabbit added a comment.Jul 28 2021, 7:09 AM

Just briefly not to derail this task: My problem was fixed by removing $wgPHPSessionHandling = 'disable'; (I suppose I had it enabled in earlier attempts to resolve lost session issues). Not sure why PHP session handling is deprecated in the 1.27 release notes.

Tgr added a comment.Jul 28 2021, 8:05 PM

In theory PHP session handling is not needed (assuming none of your other code tries to directly interact with PHP sessions - there's a warning mode for the variable to log when that happens) and degrades performance. We never tried to disable it for Wikimedia wikis so that should be taken with a grain of salt though.

Enterprisey subscribed.Sep 2 2021, 7:33 AM
Tgr mentioned this in T322944: Allow authenticated requests via OAuth to the Action API from any origin.Nov 21 2022, 5:21 AM
TuukkaH subscribed.Jun 29 2023, 3:22 PM
waldyrious subscribed.Feb 6 2025, 12:04 AM
Ponor subscribed.Jun 27 2025, 9:57 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptJun 27 2025, 9:57 PM
Maintenance_bot added a project: MW-Interfaces-Team.Jun 27 2025, 10:30 PM
Tgr added a subscriber: BPirkle.Jun 30 2025, 12:59 PM

@BPirkle this was fixed for rMW804842910317: Allow SessionProviderInterface to say if it is safe against CSRF for the REST API, right?

I think the action API still requires a CSRF token though, even if SessionProvider::safeAgainstCsrf() is set.

SD0001 subscribed.Jul 2 2025, 8:13 PM

Sounds like this is easy to fix for the Action API based on SessionProvider::safeAgainstCsrf().

gerritbot added a comment.Jul 2 2025, 8:13 PM

Change #1165975 had a related patch set uploaded (by SD0001; author: SD0001):

[mediawiki/core@master] api: don't require CSRF token if using a CSRF-safe SessionProvider

https://gerrit.wikimedia.org/r/1165975

gerritbot added a project: Patch-For-Review.Jul 2 2025, 8:13 PM
BPirkle added a comment.Jul 6 2025, 2:27 PM

@BPirkle this was fixed for rMW804842910317: Allow SessionProviderInterface to say if it is safe against CSRF for the REST API, right?

Correct.

JTweed-WMF edited projects, added MediaWiki-Platform-Team (Radar); removed MediaWiki-Platform-Team.Jul 7 2025, 3:00 PM
BPirkle moved this task from Incoming (Needs Triage) to Radar (other teams work) on the MW-Interfaces-Team board.Aug 5 2025, 4:36 PM

No objection to this change. Looks like this has a proposed patch and reviewers, so moving it to our Radar column. Let us know if we can help.

Tgr mentioned this in T373826: NetworkSessionProvider / CirrusSearch Streaming Updater causing 'session' log spam and possibly Sessionstore (Kask) problems.Aug 26 2025, 7:16 PM
Tgr mentioned this in T403519: Several mwapi (Python) based tools are failing to edit: badtoken: Invalid CSRF token..Sep 3 2025, 9:28 AM
SD0001 added a comment.Sep 10 2025, 3:31 AM

I can't get my patch to work. This is an interesting task and I shouldn't have jumped on it with limited time available. If anyone wants to take this over, please do.

TehKittyCat subscribed.Oct 14 2025, 5:29 AM
HCoplin-WMF updated the task description. (Show Details)Nov 20 2025, 4:10 PM
HCoplin-WMF moved this task from Radar (other teams work) to Next Up on the MW-Interfaces-Team board.
HCoplin-WMF set the point value for this task to 3.
gerritbot added a comment.Nov 20 2025, 6:39 PM

Change #1165975 abandoned by SD0001:

[mediawiki/core@master] api: don't require CSRF token if using a CSRF-safe SessionProvider

Reason:

inactive WIP patch

https://gerrit.wikimedia.org/r/1165975

Maintenance_bot removed a project: Patch-For-Review.Nov 20 2025, 7:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits