Add OAuth to Citation bot
Closed, ResolvedPublic5 Estimated Story Points
Actions

Assigned To

Authored By

	kaldari
	Jun 12 2019, 9:55 PM

Description

Value proposition

The Citation Bot web interface doesn't have any kind of authentication for users who wish to run the bot on the wiki. Thus, it can be used to circumvent blocks or interaction bans on Wikipedia (albeit in a limited fashion). Here's a report of such use for harassment. Note that the edits made by the bot itself are fine, the issue is that the bot is being used to follow around other users despite the interaction ban on user triggering the bot.

Most user-activated bots these days use OAuth to handle authentication, but Citation bot was built in the days before OAuth existed. It should be relatively easy, however, to add OAuth to the bot interface using one of the PHP OAuth libraries.

Acceptance criteria:

It isn't possible to use https://tools.wmflabs.org/citations/ without authenticating via OAuth.
The actual edit is made via the authenticated user's account.

Useful links:

Event Timeline

kaldari created this task.Jun 12 2019, 9:55 PM

Restricted Application added subscribers: MGChecker, Aklapper. · View Herald TranscriptJun 12 2019, 9:55 PM

kaldari added a project: acl*security.Jun 12 2019, 9:55 PM

kaldari removed a project: acl*security.

kaldari changed the visibility from "Public (No Login Required)" to "Anti-Harassment (Project)".

• Niharika triaged this task as Medium priority.Jun 12 2019, 11:41 PM

• Niharika moved this task from Untriaged to Triage/To be Estimated on the Anti-Harassment board.

I was thinking about this -- I don't think OAuth is enough to stop this behavior. We will need to add a check about whether the user is also blocked, potentially from the page they're asking the bot to edit.

Consider this scenario:

I'm blocked from editing "Foobar"
I see that @Niharika is editing Foobar, so I go to the Citation bot
It asks me to login with OAuth -- which I can do, so I can interact with the bot
I tell it to do its thing on "Foobar"
My signature or my username appears in the edit summary, so @Niharika can tell I was the culprit -- but she has absolutely no way to stop me.

I think we will need to do more than just add OAuth. My recommendation:

Add OAuth
Before submitting a page to the bot, use the MediaWiki API to check whether the user is blocked on that page
Only allow submission if the user is allowed on that context/page

That would add some work but I don't think it's insane; we have that API endpoint available already. We will need to make sure it's validating it properly.

I was thinking that we not only authenticate with OAuth but also use the OAuth credentials to make the actual edit as well (similar to how IABot's user activated edits work). That way blocked users would be blocked from making the edits automatically and we would always be able to prove who made a particular Citation bot edit (and it couldn't be denied as spoofing).

@Mooeypoo - I've updated the acceptance criteria to address your concerns.

Yup, that would work as well; I wasn't sure if it was okay to change that without some agreement from community if the bot is widespread, which is why I (wrongly) assumed that wasn't an option :)

BTW, product-wise, the blocked user may not see that their request to edit pages failed, since we won't have access to that unless we use the API? I'm not sure about this, and it might be just fine for now, but it's worth noting.

• Niharika updated the task description. (Show Details)Jun 13 2019, 12:55 AM

• aezell subscribed.Jun 13 2019, 2:31 PM

dbarratt claimed this task.Jun 13 2019, 2:37 PM

dbarratt edited projects, added Anti-Harassment (Lāmed - ל); removed Anti-Harassment.

dbarratt moved this task from Ready to In Progress on the Anti-Harassment (Lāmed - ל) board.

Oh yeah, the community really wants Citation bot to stop doing user-activated edits as Citation bot. In fact they've debated blocking the bot because of it.

A volunteer dev started working on this recently. Their pull request is at https://github.com/ms609/citation-bot/pull/1624. A good starting point would be to review the patch and see how far they got.

@dbarratt - I've added you as a maintainer to the citations and citations-dev tool forge projects. All testing should be done in citations-dev and then once it's running smoothly, the code can be moved to the main citations tool as well. Web interface for citations-dev: https://tools.wmflabs.org/citations-dev/

@kaldari thanks!

@dbarratt Let me know if you need any design help on this. I imagine we can just modify the landing page to be a big Login with OAuth screen for the sake of simplicity.

• Niharika set the point value for this task to 5.Jun 13 2019, 6:10 PM

I created a new PR ontop of the existing one:
https://github.com/ms609/citation-bot/pull/1780

it's working (as far as I can tell), there's a bit of a UX issue that I'm looking into, but it's currently working.

ok, I've made the small UX change. After you fill out the form (or use the gadget) it will ask you to authenticate, then it will redirect you back to your original request.

This PR should be good to review now:
https://github.com/ms609/citation-bot/pull/1780

The changes were merged and deployed by the maintainers: https://tools.wmflabs.org/citations/

It looks like the callback url is wrong:
https://github.com/ms609/citation-bot/issues/1767#issuecomment-502329568

@dbarratt - When I try to submit the form on the web interface, I get "Error authenticating. Resetting. Please try again." Is that related to the callback issue?

In T225675#5260329, @kaldari wrote:

@dbarratt - When I try to submit the form on the web interface, I get "Error authenticating. Resetting. Please try again." Is that related to the callback issue?

Yeah I believe so. :/

The bot should work as soon as this consumer is approved:
https://meta.wikimedia.org/wiki/Special:OAuthListConsumers/view/7daa1b8fcc04fb584da0a76baf115f5c