Page MenuHomePhabricator
Create Task
Maniphest T165797

if using json with callback parameter in api on and you use the non-anon token, the error message is confusing
Closed, ResolvedPublic
Actions

Description

  • User fetches token with just format=json
  • User tries to make an edit using format=json&callback=foo not realizing that a different token is required (or they accidentally have callback checked in api sandbox without realizing [easier to do than it sounds])
  • User gets a badtoken error

Expected behaviour:

It'd be nice if the error message was more helpful. Its non-obvious that the token when using callback= is totally different. Also maybe apisandbox should fetch the anon token if callback=foo parameter is set.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
ApiSandbox: Indicate when login is suppressedmediawiki/coremaster+14 -2
Customize query in gerrit

Event Timeline

Bawolff created this task.May 19 2017, 5:19 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMay 19 2017, 5:19 PM
Anomie subscribed.May 19 2017, 6:03 PM

The API doesn't know how the token was obtained, it just knows that it doesn't work for the current user. In this particular case, that's because passing the 'callback' parameter forces the request to be treated as if the user is not logged in.

While ApiSandbox could detect if the 'callback' parameter is set, I'm a bit wary of that solution since turning it on and off could result in some confusing behavior. It's also possible that other parameters could result in the same effect, for example specifying a value of '*' for 'origin'.

I think I'd rather have the API somehow signal when $main->lacksSameOriginSecurity() causes the request to be handled as logged-out, and have ApiSandbox display a general warning whenever that signal is present.

Anomie moved this task from Unsorted to Needs details or plan on the MediaWiki-Action-API board.May 19 2017, 9:49 PM
gerritbot subscribed.May 20 2017, 9:43 AM

Change 354646 had a related patch set uploaded (by Anomie; owner: Anomie):
[mediawiki/core@master] ApiSandbox: Indiciate when login is suppressed

https://gerrit.wikimedia.org/r/354646

gerritbot added a project: Patch-For-Review.May 20 2017, 9:43 AM
Anomie claimed this task.May 20 2017, 10:28 AM
Anomie moved this task from Needs details or plan to Needs Review on the MediaWiki-Action-API board.
gerritbot added a comment.Jun 20 2017, 9:02 PM

Change 354646 merged by jenkins-bot:
[mediawiki/core@master] ApiSandbox: Indicate when login is suppressed

https://gerrit.wikimedia.org/r/354646

ReleaseTaggerBot added a project: MW-1.30-release-notes (WMF-deploy-2017-06-27_(1.30.0-wmf.7)).Jun 20 2017, 10:00 PM
Anomie closed this task as Resolved.Jun 21 2017, 5:00 PM
Anomie added a comment.Jun 21 2017, 5:02 PM

The resolution here is to have the results page clearly indicate that the request was processed as a logged-out user and that the automatic token handling does not work in that case. The result will still, however, display the badtoken error since a bad token was indeed submitted.

Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:39 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits