The API endpoint created in T260603 only supports anon edits. This is because the IP addresses for logged in edits are not available in core.
- If the popup should work on Special:Investigate pages. CheckUser should check to see if the request includes a query parameter of token. If it does it should validate the token and that the revision/log id is covered by the token. If so, it may return the IP address.
- If the popup should work on Special:CheckUser pages. CheckUser should check to see if the request includes a query parameter of checkUserLogId. If it does it should validate that the log id is a valid log entry within the last 24 hours (?) and that the log entry covers the revision/log id being requested. If so, it may return the IP address.
- If the popup should work anywhere user names are displayed (like Special:RecentChanges). Should the popup log the request? Should it ask for a log message? Or would it only work for IP reqeusts of users who have been logged already in CheckUser? If so, for how long? 90 days?
Regardless, requests for a revision/log id that belongs to a logged in user should not be publicly cached (it should include something like Cache-Control: private as a response header). But adding to the private cache is acceptable (I think?).
We could change the API to accept an IP address directly, rather than a revision/log id. However this raises some Privacy concerns as the IP address for a user could be revealed in the request logs on the server (which was the whole purpose of encrypting this data in the token on Special:Investigate). It also seems contrary to the IP Masking project.