
Security Review Request for WikimediaApiPortalOAuth Extension
Status: Open, Stalled · Priority: Medium · Visibility: Public

Description

Primary Contacts: @CCicalese_WMF @WDoranWMF

What do you need?:
We would like a review of the WikimediaApiPortalOAuth extension which we intend to use on a new Wikimedia wiki that will be publicly accessible.

Brief description:

We are developing a publicly accessible API portal. The work is described by the API Gateway documentation plan.

As part of this project we will be launching a new wiki on which we plan to use the WikimediaApiPortalOAuth extension.

Do you have a project plan or project documentation?

API Gateway documentation plan

What is the 'go live' date for this project

The 'go live' date for this project is currently anticipated to be July 30th.

This task is a placeholder. I will update the description when the extension is ready for review.

Event Timeline

Restricted Application added a project: secscrum. (Jun 9 2020, 10:17 PM)
Restricted Application added a subscriber: Aklapper.
sbassett changed the task status from Open to Stalled. (Wed, Jun 17, 4:00 PM)
sbassett moved this task from Incoming to Back Orders on the secscrum board.
sbassett added a subscriber: sbassett.

Backlogging and stalling for Security-Team for now.

@sbassett The OAuth Extension final patch is ready. Is it appropriate for the review to happen on the patch or should we proceed to merging first?

Reedy added a subscriber: Reedy. (Tue, Jun 30, 4:08 PM)

> @sbassett The OAuth Extension final patch is ready. Is it appropriate for the review to happen on the patch or should we proceed to merging first?

I would suggest fixing it up and merging it first.

There are some changes that don't need to block a review; some are just nitpicks. But some changes do change how/where messages are used, which might change escaping, parameters etc. Shouldn't be much work to get it somewhere near

Obviously we don't want to give translators extra work, but I don't think translation has been enabled on the repo yet, so some churn probably isn't an issue at this point, as some message changes have been detailed on the CR by Alex and me.

@WDoranWMF - As @Reedy implied above, we'd like the code to be as close to production-deployable as possible before we expend cycles on a formal security review. The patch doesn't have to be merged IMO, but it should be ready to have the Submit button clicked and then ride the train.

sbassett triaged this task as Medium priority.Wed, Jul 8, 3:20 PM

@sbassett Great, thank you. We're working on ensuring it is in that state now. I will update when we have completed all steps up to merge.