Page MenuHomePhabricator

Add a Logout link to Wikimedia Commons Query Service
Closed, ResolvedPublic

Description

Current implementation of oauth for WCQS (implemented by: https://phabricator.wikimedia.org/T251498) uses nginx for authorization and as such, doesn't add any gui elements related to being logged in. This may confuse users, because the fact that they are logged into commons.wikimedia.org isn't really obvious. This in turn may lead to security issues (leaving commons account logged in unintentionaly).

AC:
To the upper left corner to the WCQS GUI add:

Event Timeline

Zbyszko created this task.Jul 7 2020, 1:57 PM
Restricted Application added a project: Wikidata. · View Herald TranscriptJul 7 2020, 1:57 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript

Per @Lucas_Werkmeister_WMDE , changes are necessary to wikibase/init.js that looks the config and adds the linke to the #right-navbar if the config says the links should exist (gui repo). In our case, if the instance is configured for SDoC, link (and probably user name) should be there.

Hm, if you want to show the current user name, then you may need to add the WCQS GUI domain to the CORS whitelist. (Note that query.wikidata.org is not on the whitelist, compare T218568.) Unless the authorization proxy leaves the user name somewhere where the on-page JS can get it from without making an API request to Commons… maybe in a cookie?

CBogen added a subscriber: CBogen.Jul 7 2020, 3:15 PM

I don't think showing the current user name is critical at least for MVP.

Mstyles claimed this task.Jul 14 2020, 3:48 PM

Change 612680 had a related patch set uploaded (by Mstyles; owner: Mstyles):
[wikidata/query/gui@master] add logout link for wcqs

https://gerrit.wikimedia.org/r/612680

Change 612681 had a related patch set uploaded (by Mstyles; owner: Mstyles):
[operations/puppet@production] add logout config for wcqs

https://gerrit.wikimedia.org/r/612681

Because of the limitations of the cross-domain authorization, clicking on this link should also remove a session cookie for wcqs (wcqsSession), before linking to logout page. This can be don with js (I'll soon upload relevant change to cookie creation - currently it cannot be manipulated by js code).

Would it also be possible to make the GUI link to a special path on the WCQS proxy instead of Commons’ logout page, and then the WCQS proxy unsets the cookie before redirecting to Commons? I’m uneasy with making the cookie available to JavaScript.

Right! That's a far better option and should be easily doable.

Sounds great, thanks :)

Change 612680 merged by jenkins-bot:
[wikidata/query/gui@master] add logout link for wcqs

https://gerrit.wikimedia.org/r/612680

Change 612681 merged by Gehel:
[operations/puppet@production] add logout config for wcqs

https://gerrit.wikimedia.org/r/612681

Gehel closed this task as Resolved.Aug 17 2020, 12:46 PM