
SecurePoll auth-api.php needs to be rewritten to be a normal api module
Open, Needs Triage, Public

Description

PHP serialization is evil. auth-api.php should not use it. At the very least it needs to use JSON instead.

Even better would be to turn this into a normal MW "action" api module

I'm tagging this as good first task. It's really more of a "medium" task; however, translating auth-api.php into a proper api module should be fairly straightforward, so I think it fits with the tag.

Event Timeline

Hello,

I am new to Wikimedia and I would love to work on this issue for my first contribution. I have successfully set up the MediaWiki core and the SecurePoll extension. I am trying to test the functionality of SecurePoll using the MediaWiki API, in order to best understand how to solve this issue. But when I do a POST request with "http://localhost//mediawiki/api.php?action=strikevote&option=strike&reason=duplicate&voteid=1" body{token=e75500c077dbf93c0ffd4..........35bac6133+\}, I get the response below, even though I got the token with "http://localhost/mediawiki/api.php?action=query&meta=tokens&format=json&type=login"

{
    "error": {
        "code": "badtoken",
        "info": "Invalid CSRF token.",
        "*": "See http://localhost/mediawiki/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce> for notice of API deprecations and breaking changes."
    }
}

I wish I could get some directives on how to move forward.

@djkonro, welcome to Wikimedia and thanks for your contribution. From what I see in your comment above, the token seems to be incomplete. The token should end with 2 forward slashes (in source code) but 1 forward slash (when using Postman). See here: https://www.mediawiki.org/w/api.php?action=query&meta=tokens for an example token.

Same form of results on localhost, so try to make sure the right token is being copied over: http://localhost/wiki/mw-core/api.php?action=query&meta=tokens.

@D3r1ck01 Thanks for the assistance. The tokens I generate end with "..+\\" , but while testing simple login with the api using Postman, it seems I need to remove the second \ used for escaping.

True! So the double slash would be used in case you're using the token as a string, for example in code. I'm trying to reproduce the bug locally.

Also, when generating the token, use type=csrf instead of type=login though I think that query defaults to csrf tokens.

Hello @djkonro, I've gotten what the issue is, please follow the steps below;

  1. Open a Postman tab and generate a login token like this;

http://localhost/mediawiki/api.php?action=query&meta=tokens&type=login

  2. Use this login token to log in with Postman like so;

http://localhost/wiki/mw-core/api.php?action=login&lgname=Alangi_Derick body{lgpassword=<your-password> lgtoken=<your-login-token>}

  3. Back to the Postman tab (to generate another token), but this time csrf, and enter this GET request;

http://localhost/mediawiki/api.php?action=query&meta=tokens&type=csrf

  4. Copy the token generated and open another Postman tab, then make a POST request with the copied token as body;

http://localhost/wiki/mw-core/api.php?action=strikevote&option=strike&reason=duplication&voteid=1 body{token=<your-copied-token-here>}

That should work!
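The four-step token flow above, as an added Python example that is not from the original thread or the SecurePoll project: one cookie jar is reused so the login session persists across calls, the login and csrf tokens are fetched by type, and the csrf token is sent in the POST body. Decoding the JSON response (rather than copying the escaped `+\\` text) yields the literal `+\` the API expects, and form-encoding then sends it as `%2B%5C`. The api URL, username and password are placeholders, and `fetch` is passed in so the flow can be exercised against a fake transport.

```python
import json
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar


def encode_form(params):
    """Form-encode API parameters; a token ending in '+\\' becomes '%2B%5C'."""
    return urllib.parse.urlencode(dict(params, format="json")).encode()


def make_fetch(api_url):
    """Build fetch(method, params) that keeps cookies, so the login session
    from step 2 is still present when the csrf token is requested in step 3."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()))

    def fetch(method, params):
        body = encode_form(params)
        if method == "GET":
            req = urllib.request.Request(api_url + "?" + body.decode())
        else:
            req = urllib.request.Request(api_url, data=body, method="POST")
        with opener.open(req) as resp:
            return json.load(resp)  # unescapes "+\\" in JSON to the real "+\"
    return fetch


def get_token(fetch, token_type):
    """Steps 1 and 3: type=login or type=csrf, read from query.tokens."""
    data = fetch("GET", {"action": "query", "meta": "tokens", "type": token_type})
    return data["query"]["tokens"][token_type + "token"]


def strike_vote(fetch, username, password, vote_id, reason="duplicate"):
    """Steps 2 and 4: log in, then POST strikevote with the csrf token in the body.
    Raises RuntimeError on a login failure or an API error such as badtoken."""
    login = fetch("POST", {"action": "login", "lgname": username,
                           "lgpassword": password,
                           "lgtoken": get_token(fetch, "login")})
    if login.get("login", {}).get("result") != "Success":
        raise RuntimeError("login failed: %r" % login)
    resp = fetch("POST", {"action": "strikevote", "option": "strike",
                          "reason": reason, "voteid": vote_id,
                          "token": get_token(fetch, "csrf")})
    if "error" in resp:
        raise RuntimeError("%s: %s" % (resp["error"]["code"], resp["error"]["info"]))
    return resp


if __name__ == "__main__":
    # Placeholder wiki URL and credentials (assumptions, not from the thread).
    api = make_fetch("http://localhost/mediawiki/api.php")
    print(strike_vote(api, "<your-username>", "<your-password>", 1))
```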

@D3r1ck01 Thanks for the help! The steps you provided work fine.

Great one @djkonro. So in this case, I think you've got what it takes to move forward?

Change 463610 had a related patch set uploaded (by Djkonro; owner: Djkonro):
[mediawiki/extensions/SecurePoll@master] Change SecurePoll auth-api.php to a MediaWiki Action API module

https://gerrit.wikimedia.org/r/463610

djkonro added a subscriber: djkonro.
Krinkle added a subscriber: Krinkle.

Moving back for re-triage as it was previously in a hidden workboard column, likely forgotten. Per mw:Maintainers, the SecurePoll extension is now stewarded by PET, this means this task is not an external request for code review, but rather an internal sustainability need for SecurePoll itself. The above commit might be complete, or could serve as starting point.

Change 463610 had a related patch set uploaded (by Reedy; owner: Djkonro):
[mediawiki/extensions/SecurePoll@master] Change SecurePoll auth-api.php to a MediaWiki Action API module

https://gerrit.wikimedia.org/r/463610

Reedy added a subscriber: Reedy.

I've rebased and updated the patch. Also updated for Brad's CR from May 2019.

Tagging AHT as they're the ones actively doing work on it too, so might be interested in reviewing this too...

AMooney added a subscriber: AMooney.

Anti-Harassment let PET know if you need code review or anything.

In the past, AHT stepped in to support Trust & Safety with the time-sensitive matter of the Board Elections by providing help with SecurePoll. Unfortunately, at this time we can no longer support nor maintain SecurePoll. Per the Foundation leadership’s instructions, AHT is dedicating all of our time and energy to other critical efforts.