
if using json with callback parameter in api on and you use the non-anon token, the error message is confusing
Closed, ResolvedPublic


  • User fetches token with just format=json
  • User tries to make an edit using format=json&callback=foo not realizing that a different token is required (or they accidentally have callback checked in api sandbox without realizing [easier to do than it sounds])
  • User gets a badtoken error

Expected behaviour:

It'd be nice if the error message was more helpful. It's non-obvious that the token when using callback= is totally different. Also maybe apisandbox should fetch the anon token if the callback=foo parameter is set.

Event Timeline

Bawolff created this task. May 19 2017, 5:19 PM
Restricted Application added a subscriber: Aklapper. May 19 2017, 5:19 PM
Anomie added a subscriber: Anomie. May 19 2017, 6:03 PM

The API doesn't know how the token was obtained, it just knows that it doesn't work for the current user. In this particular case, that's because passing the 'callback' parameter forces the request to be treated as if the user is not logged in.

While ApiSandbox could detect if the 'callback' parameter is set, I'm a bit wary of that solution since turning it on and off could result in some confusing behavior. It's also possible that other parameters could result in the same effect, for example specifying a value of '*' for 'origin'.

I think I'd rather have the API somehow signal when $main->lacksSameOriginSecurity() causes the request to be handled as logged-out, and have ApiSandbox display a general warning whenever that signal is present.
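As an added illustration of the point above (example code, not MediaWiki's own code and not the patch discussed in this task): a client-side pre-flight check that models which parameters suppress login and warns when a CSRF token was fetched in a different security context than the write request that uses it. The parameter names are MediaWiki's; the two trigger cases (callback= and origin=*) are the ones named in this discussion, and the request dictionaries are constructed for the example.

```python
# Added example, not code from MediaWiki or from this task's patch. It models the
# behaviour described above: a request carrying callback= or origin=* is handled
# as logged-out, so a token fetched without those parameters fails as badtoken.
from typing import Dict, List, Optional


def suppression_triggers(params: Dict[str, str]) -> List[str]:
    """Parameters that make the API process the request as logged-out.
    Only the two cases named in this discussion are modelled; the real
    ApiMain::lacksSameOriginSecurity() may cover further cases."""
    triggers = []
    if "callback" in params:
        triggers.append("callback=" + params["callback"])
    if params.get("origin") == "*":
        triggers.append("origin=*")
    return triggers


def lacks_same_origin_security(params: Dict[str, str]) -> bool:
    """Simplified model of $main->lacksSameOriginSecurity()."""
    return bool(suppression_triggers(params))


def effective_context(params: Dict[str, str]) -> str:
    return "logged-out" if lacks_same_origin_security(params) else "logged-in"


def token_context_warning(token_params: Dict[str, str],
                          write_params: Dict[str, str]) -> Optional[str]:
    """Pre-flight check: warn before sending a write request whose security
    context differs from the one the token was fetched in. Returns None when
    the two contexts agree, otherwise a message naming the triggering parameter."""
    token_ctx = effective_context(token_params)
    write_ctx = effective_context(write_params)
    if token_ctx == write_ctx:
        return None
    triggers = suppression_triggers(write_params) or suppression_triggers(token_params)
    return (f"token was fetched as {token_ctx} but this request runs as {write_ctx} "
            f"because of {', '.join(triggers)}; the server will answer badtoken. "
            f"Fetch the token with the same parameters as the write request.")


if __name__ == "__main__":
    # Constructed reproduction of the steps in the task description.
    token_req = {"action": "query", "meta": "tokens", "format": "json"}
    edit_req = {"action": "edit", "title": "Sandbox", "format": "json", "callback": "foo"}
    print(token_context_warning(token_req, edit_req))
```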

Change 354646 had a related patch set uploaded (by Anomie; owner: Anomie):
[mediawiki/core@master] ApiSandbox: Indicate when login is suppressed

Anomie claimed this task. May 20 2017, 10:28 AM
Anomie moved this task from Needs details or plan to Needs Review on the MediaWiki-API board.

Change 354646 merged by jenkins-bot:
[mediawiki/core@master] ApiSandbox: Indicate when login is suppressed

Anomie closed this task as Resolved. Jun 21 2017, 5:00 PM

The resolution here is to have the results page clearly indicate that the request was processed as a logged-out user and that the automatic token handling does not work in that case. The result will still, however, display the badtoken error since a bad token was indeed submitted.