
User authentication with OAuth 1.0
Closed, Resolved (Public)

Description

"As a User, I want to provide OAuth 1.0 credentials, so that I get credit for my work."

User should be able to provide OAuth 1.0 credentials for any request.

This is a stopgap until the OAuth 2.0 component is complete. Ideally, users should be able to use OAuth 1.0 or 2.0 without us needing to rewrite all our handler code. So, implementing this at the MW rest router point is probably a good idea.

Related Objects

Status Subtype Assigned Task
Invalid None
Resolved None
Resolved tstarling

Event Timeline

Need to confirm this is already working.

After our meeting, I've been getting kind of queasy thinking about CSRF and all the hassles it entails.

For an early release, I'd rather be safe than sorry. Could we make this task restrict authentication ONLY to OAuth 1.0, and OAuth 2.0 once that's ready?

We can come back around and deal with session authentication for e.g. gadgets in the future, but right now I'd prefer we keep it simple.

As far as I can see, there are no proposed write actions, so CSRF should not be a problem initially. Allowing OAuth but ignoring session authentication is not "keeping it simple", because nothing in MediaWiki does that, whereas allowing both forms of authentication was done with a few lines of code and has now been merged.

Thanks, Tim. I'm going to open a new ticket for discussing disabling the session authentication for the REST endpoints, and we can figure it out there.