
Client Developer makes an API call from the Web browser
Closed, Resolved (Public)

Description

"As a Client Developer, I want to make API calls from a Web browser, so that I can use the Web platform to make Wikimedia client apps."

This is essentially "configure CORS so that developers can make calls from other services."

Ideally, we would just set it up so CORS would allow calls from any domain for any route on the server.

Unfortunately, we're also going to be serving the API portal from the same host, and the Web interface for MediaWiki requires having CORS block access to the API from other domains (I think).

So, best case is full server is available without CORS blocking. Second-best case is that the MediaWiki routes are available with whatever CORS baloney they need, and the API gateway routes are unblocked by CORS.

Event Timeline

eprodromou triaged this task as High priority.

This is another detail that came up from discussions. Since we're going to be routing the API Portal on the same hostname as the Gateway, we need to make sure that CORS works the right way for the APIs (doesn't block API use) and for the Web interface of the Portal.

Setting CORS on a per-path basis should be doable and I'll build this into the chart. Will we require any custom CORS policy for the API portal at all or can we assume that there will be no requirement for cross-site requests to the portal specifically?

In the WIP currently:

nosmo@ocasey ~/Code/mediawiki-config (master) $ curl -v -H "Origin: nosmo.me" -H "Host: api.wikimedia.org" -H "Authorization: Bearer $WEB_TOKEN" http://localhost:7000/wiki/ 2>&1 | grep -i access

nosmo@ocasey ~/Code/mediawiki-config (master) $ curl -v -H "Origin: example.com" -H "Host: api.wikimedia.org" -H "Authorization: Bearer $WEB_TOKEN" http://localhost:7000/core/v1/wikipedia/zh/foo/bar/baz 2>&1 | grep -i access
< access-control-allow-origin: example.com

nosmo@ocasey ~/Code/mediawiki-config (master) $ curl -v -H "Origin: nosmo.me" -H "Host: api.wikimedia.org" -H "Authorization: Bearer $WEB_TOKEN" http://localhost:7000/core/v1/wikipedia/zh/foo/bar/baz 2>&1 | grep -i access
< access-control-allow-origin: nosmo.me

Is this acceptable? Envoy does the substitution of the origin hostname in lieu of returning access-control-allow-origin: * but functionally we get the same behaviour.

Change 613160 had a related patch set uploaded (by Hnowlan; owner: Hnowlan):
[operations/deployment-charts@master] api-gateway: set CORS headers to allow all domains for API

https://gerrit.wikimedia.org/r/613160

Change 613160 merged by jenkins-bot:
[operations/deployment-charts@master] api-gateway: set CORS headers to allow all domains for API

https://gerrit.wikimedia.org/r/613160

Example:

nosmo@ocasey ~/ $ curl https://api.wikimedia.org/wiki/Test > /dev/null -v 2>&1 | grep access
# No output
nosmo@ocasey ~/ $ curl -v -H "Host: api.wikimedia.org" https://api.wikimedia.org/core/v1/wikipedia/en/page/Dublin -o /dev/null 2>&1 -H "Origin: example.com" | grep -i access
< access-control-allow-origin: example.com

Note that headers will only be set when an origin is specified.
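The two curl sessions above (the WIP one and the post-merge one) describe a per-path CORS policy: API gateway routes reflect the request's Origin value in `access-control-allow-origin`, the `/wiki/` route gets nothing, and nothing is emitted at all when the request carries no Origin header. The following is an added example, not code from this task or from the deployment-charts repository, that models that policy offline so the behaviour can be checked without a running gateway. The route prefix list is an assumption taken from the `/core/v1/...` paths shown in the thread; the real gateway's route matching is not reproduced here.

```python
# Added example: a minimal model of the per-path CORS behaviour reported in
# this task. Not the gateway's own code. ASSUMPTION: API gateway routes are
# those under /core/ (the thread only shows /core/v1/... paths); every other
# path, e.g. /wiki/, is treated as a MediaWiki web route that gets no CORS
# headers from the gateway.

API_GATEWAY_PREFIXES = ("/core/",)  # assumption, see note above


def cors_response_headers(path: str, request_headers: dict) -> dict:
    """Return the CORS headers the gateway would add for this request.

    Mirrors what the thread reports:
      * API gateway routes reflect the request's Origin value in
        access-control-allow-origin (Envoy reflects the origin instead of
        sending '*').
      * No header is added when the request has no Origin header.
      * MediaWiki web routes (e.g. /wiki/) get no CORS headers here.
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    origin = next(
        (v for k, v in request_headers.items() if k.lower() == "origin"), None
    )
    if origin is None:
        return {}
    if not any(path.startswith(p) for p in API_GATEWAY_PREFIXES):
        return {}
    return {"access-control-allow-origin": origin}


def grep_access(headers: dict) -> list:
    """Format response headers the way `curl -v ... | grep -i access` shows them."""
    return [f"< {k}: {v}" for k, v in headers.items() if "access" in k.lower()]


def reflection_is_equivalent_to_wildcard(headers: dict) -> bool:
    """True when reflecting the Origin really is functionally the same as '*'.

    Reflection stops being equivalent to a wildcard as soon as the response
    also allows credentials, because '*' is never valid together with
    access-control-allow-credentials: true. The thread's responses carry no
    such header, so this returns True for them.
    """
    creds = next(
        (v for k, v in headers.items()
         if k.lower() == "access-control-allow-credentials"), ""
    )
    return creds.lower() != "true"


if __name__ == "__main__":
    # Constructed requests mirroring the curl invocations in the thread.
    cases = [
        ("/wiki/", {"Origin": "nosmo.me", "Host": "api.wikimedia.org"}),
        ("/core/v1/wikipedia/zh/foo/bar/baz",
         {"Origin": "example.com", "Host": "api.wikimedia.org"}),
        ("/core/v1/wikipedia/zh/foo/bar/baz",
         {"Origin": "nosmo.me", "Host": "api.wikimedia.org"}),
        ("/core/v1/wikipedia/en/page/Dublin",
         {"Host": "api.wikimedia.org"}),  # no Origin header at all
    ]
    for path, hdrs in cases:
        out = grep_access(cors_response_headers(path, hdrs))
        print(path, out if out else "# No output")
```

Running the script reproduces the four observations from the thread: nothing for `/wiki/`, a reflected `example.com` and `nosmo.me` for the two `/core/v1/...` requests, and nothing for the request sent without an Origin header. The `reflection_is_equivalent_to_wildcard` check records the one condition under which "functionally the same as `*`" holds: the response must not also set `access-control-allow-credentials: true`, which the responses shown in the thread do not.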

It looks like this is working in the browser. I set up an app at http://apiclient.wiki/ (code at https://github.com/evanp/apiclient-wiki) that fetches pages from English Wikipedia without much of a hassle.

I'll add tests for editing pages, but I think the basics of this user story are complete. Thanks for the hard work, @hnowlan!