
SecurePoll auth-api.php needs to be rewritten to be a normal api module
Open, Needs Triage, Public

Description

PHP serialization is evil. auth-api.php should not use it. At the very least it needs to use JSON instead.

Even better would be to turn this into a normal MW "action" api module

I'm tagging this as good first task. It's really more a "medium" task, however translating auth-api.php into a proper api module should be fairly straightforward, so I think it fits with the tag.

Event Timeline

Bawolff created this task.Sep 13 2018, 6:57 AM
Restricted Application added a subscriber: Aklapper. Sep 13 2018, 6:57 AM
djkonro claimed this task.Sep 26 2018, 10:56 AM

Hello,

I am new to Wikimedia and I would love to work on this issue for my first contribution. I have successfully set up the MediaWiki core and the SecurePoll extension. I am trying to test the functionality of SecurePoll using the MediaWiki API, in order to best understand how to solve this issue. But when I do a POST request with "http://localhost//mediawiki/api.php?action=strikevote&option=strike&reason=duplicate&voteid=1" body{token=e75500c077dbf93c0ffd4..........35bac6133+\}, I get the response below, even though I got the token with "http://localhost/mediawiki/api.php?action=query&meta=tokens&format=json&type=login".

{
    "error": {
        "code": "badtoken",
        "info": "Invalid CSRF token.",
        "*": "See http://localhost/mediawiki/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce> for notice of API deprecations and breaking changes."
    }
}

I wish I could get some directives on how to move forward.

xSavitar added a subscriber: xSavitar. Edited Sep 27 2018, 7:34 AM

@djkonro, welcome to Wikimedia and thanks for your contribution. From what I see in your comment above, the token seems to be incomplete. The token should end with 2 forward slashes (in source code) but 1 forward slash (in case you're using Postman). See here: https://www.mediawiki.org/w/api.php?action=query&meta=tokens for an example token.

Same form of results on localhost, so make sure the right token is being copied over: http://localhost/wiki/mw-core/api.php?action=query&meta=tokens.

@D3r1ck01 Thanks for the assistance. The tokens I generate end with "..+\\", but while testing a simple login with the API using Postman, it seems I need to remove the second \ used for escaping.

xSavitar added a comment. Edited Sep 27 2018, 9:05 AM

True! So the double slash would be used in case you're using the token as a string, for example in codes. I'm trying to reproduce the bug locally.

Also, when generating the token, use type=csrf instead of type=login though I think that query defaults to csrf tokens.

Hello @djkonro, I've gotten what the issue is; please follow the steps below:

  1. Open a Postman tab and generate a login token like this:

http://localhost/mediawiki/api.php?action=query&meta=tokens&type=login

  2. Use this login token to log in with Postman like so:

http://localhost/wiki/mw-core/api.php?action=login&lgname=Alangi_Derick body{lgpassword=<your-password> lgtoken=<your-login-token>}

  3. Back to the Postman tab (to generate another token), but this time csrf, and enter this GET request:

http://localhost/mediawiki/api.php?action=query&meta=tokens&type=csrf

  4. Copy the token generated and open another Postman tab, then make a POST request with the copied token as body:

http://localhost/wiki/mw-core/api.php?action=strikevote&option=strike&reason=duplication&voteid=1 body{token=<your-copied-token-here>}

That should work!
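The four-step flow above (login token, login, csrf token, strikevote POST), written out as an added example that is not SecurePoll's or MediaWiki's own code. `MediaWikiApiClient`, `http_transport`, `run_flow` and `wrong_token_flow` are hypothetical names; `FakeWiki` is a constructed stand-in for `api.php` (its token values and the strikevote success response are made up) so the block runs offline, while `http_transport` is the real urllib path you would hand the client against a local wiki. It also shows why the first attempt in the thread failed: the CSRF check rejects a login-type token, and the csrf token is only valid for the session whose cookies obtained it. Because the POST body is form-encoded, the token's trailing `+\` is sent intact without any manual escaping.

```python
"""Hypothetical client for the MediaWiki token -> login -> csrf -> strikevote flow.
Added example, not SecurePoll or MediaWiki code."""
import http.cookiejar
import json
import urllib.parse
import urllib.request


class ApiError(Exception):
    """Raised when api.php answers with an "error" object such as badtoken."""


def encoded_form(params):
    # urlencode turns the trailing "+\" of a token into "%2B%5C", so the
    # server receives the token exactly as issued; no slash-stripping needed.
    return urllib.parse.urlencode(params)


def http_transport(api_url):
    """Real transport: POSTs form-encoded params to api.php and keeps cookies
    between calls, because the csrf token is bound to the logged-in session."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))

    def send(params):
        with opener.open(api_url, encoded_form(params).encode()) as resp:
            return json.loads(resp.read().decode())
    return send


class MediaWikiApiClient:
    def __init__(self, transport):
        self.transport = transport  # callable: dict of params -> parsed JSON

    def call(self, **params):
        params.setdefault("format", "json")
        resp = self.transport(params)
        if "error" in resp:
            raise ApiError(resp["error"]["code"], resp["error"].get("info"))
        return resp

    def get_token(self, token_type):
        # type=login gives a login token; type=csrf gives the token that
        # write actions such as strikevote verify.
        resp = self.call(action="query", meta="tokens", type=token_type)
        return resp["query"]["tokens"][token_type + "token"]

    def login(self, username, password):
        token = self.get_token("login")
        resp = self.call(action="login", lgname=username,
                         lgpassword=password, lgtoken=token)
        return resp["login"]["result"]

    def strike_vote(self, vote_id, reason, option="strike"):
        token = self.get_token("csrf")
        return self.call(action="strikevote", option=option, reason=reason,
                         voteid=vote_id, token=token)


class FakeWiki:
    """Constructed stand-in for api.php (not a real server): issues tokens and
    rejects strikevote unless the caller is logged in and sends the csrf token."""
    LOGIN_TOKEN = "e75500c077dbf93c0ffd4deadbeef+\\"   # constructed value
    CSRF_TOKEN = "35bac6133cafef00d+\\"                # constructed value

    def __init__(self):
        self.logged_in = False

    def __call__(self, params):
        action = params["action"]
        if action == "query" and params.get("meta") == "tokens":
            kind = params.get("type", "csrf")
            token = self.LOGIN_TOKEN if kind == "login" else self.CSRF_TOKEN
            return {"query": {"tokens": {kind + "token": token}}}
        if action == "login":
            if params.get("lgtoken") != self.LOGIN_TOKEN:
                return {"login": {"result": "WrongToken"}}
            self.logged_in = True
            return {"login": {"result": "Success"}}
        if action == "strikevote":
            if not self.logged_in or params.get("token") != self.CSRF_TOKEN:
                return {"error": {"code": "badtoken", "info": "Invalid CSRF token."}}
            return {"strikevote": {"status": "good"}}  # constructed response shape
        return {"error": {"code": "unknown_action", "info": action}}


def run_flow(transport, username="ExampleUser", password="<your-password>"):
    """Steps 1-4 from the thread, in order, over one session."""
    client = MediaWikiApiClient(transport)
    login_result = client.login(username, password)
    vote_result = client.strike_vote(vote_id=1, reason="duplication")
    return login_result, vote_result


def wrong_token_flow(transport):
    """The failing attempt: a login-type token sent where strikevote wants csrf."""
    client = MediaWikiApiClient(transport)
    token = client.get_token("login")
    try:
        client.call(action="strikevote", option="strike", reason="duplicate",
                    voteid=1, token=token)
    except ApiError as err:
        return err.args[0]
    return "ok"


if __name__ == "__main__":
    print(run_flow(FakeWiki()))            # ('Success', {'strikevote': {'status': 'good'}})
    print(wrong_token_flow(FakeWiki()))    # badtoken
    # Against a local wiki: run_flow(http_transport("http://localhost/mediawiki/api.php"), "User", "pw")
```

The transport is injected so the same client can be pointed at a real `api.php` (with a cookie jar, which Postman also keeps per tab) or at the fake; if the csrf token is fetched in one session and the POST is sent from another, the real server answers `badtoken` just as the fake does.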

@D3r1ck01 Thanks for the help! The steps you provided work fine.


Great one @djkonro. So in this case, I think you've got what it takes to move forward?

Change 463610 had a related patch set uploaded (by Djkonro; owner: Djkonro):
[mediawiki/extensions/SecurePoll@master] Change SecurePoll auth-api.php to a MediaWiki Action API module

https://gerrit.wikimedia.org/r/463610

Ammarpad added a subscriber: Ammarpad.
Restricted Application added a project: Platform Engineering. Nov 27 2019, 6:46 AM
djkonro removed djkonro as the assignee of this task.Thu, Nov 19, 11:45 AM
djkonro added a subscriber: djkonro.