
WikimediaApiPortalOAuth nit picks/minor CR
Open, Medium, Public

Description

Stuff I noticed while doing T254947: Security Review Request for WikimediaApiPortalOAuth Extension

[DONE] 1. Config default

Fixed by https://gerrit.wikimedia.org/r/639946

		"WikimediaApiPortalOAuthMetaRestURL": {
			"value": "",
			"description": "URL to rest.php on Meta"
		}

If that's to meta... You might as well just set it in extension.json and override (if needed for beta) as appropriate, rather than setting it in CommonSettings/InitialiseSettings.php later. "extensions should have sane config defaults". Also, there's no validation that this is actually set anywhere. Setting a default that isn't "" would probably fix that requirement.

[DONE] 2. Confirm-email message

The extra "joining" text was removed.

	"wikimediaapiportaloauth-email-not-confirmed": "Thanks for joining Wikimedia! Before you can create your first API client, please [[Special:ConfirmEmail|confirm your email address]]."

"joining Wikimedia"? Feels oddly worded. "joining the Wikimedia Movement" or something might make more sense

3. OAuth admins link
	"wikimediaapiportaloauth-ui-client-status-proposed-help": "Before your client can be authorized by other users, it must be reviewed and approved by Wikimedia OAuth admins.",

Wikimedia OAuth admins feels like it should be linked to somewhere

4. Credentials doc link
	"wikimediaapiportaloauth-ui-client-secret-alert": "Save these credentials securely. You won't be able to access them again through the API Portal.",

Seems ripe for a link for some documentation, like in wikimediaapiportaloauth-ui-client-field-confidential. Maybe also mention they can be reset.

5. Extension description
	"wikimediaapiportaloauth-desc": "Enables users of the Wikimedia API Portal to create and manage OAuth clients remotely",

Remotely? Feels an odd choice of words, when all the wikis are hosted "remotely". "on wikis that aren't Meta" would make more sense, but still sounds odd

6. Status help messages
	"wikimediaapiportaloauth-ui-client-status-proposed": "Approval pending",
	"wikimediaapiportaloauth-ui-client-status-proposed-help": "Before your client can be authorized by other users, it must be reviewed and approved by Wikimedia OAuth admins.",
	"wikimediaapiportaloauth-ui-client-status-rejected": "Rejected",
	"wikimediaapiportaloauth-ui-client-status-expired": "Expired",
	"wikimediaapiportaloauth-ui-client-status-disabled": "Disabled",
	"wikimediaapiportaloauth-ui-client-status-approved": "Approved",

Why does only proposed have a -help message? Seems worthwhile to document them all...

7. Term clarification
	"wikimediaapiportaloauth-ui-client-field-account-type-bot": "API token: Call the API with a personal token tied to your Wikimedia account.",

What is a Wikimedia account? What is a personal token? (Maybe give more information as to what this is actually used for)

[DONE] 8. Extension version
	"version": "",

This should be used or removed from extension.json

9. Permissions clarification
	"wikimediaapiportaloauth-ui-client-field-permissions-read": "Read-only",
	"wikimediaapiportaloauth-ui-client-field-permissions-read-write": "Read/write",

Writing to what? What counts as a write action?

10. JS fallback

Tracked in T256697

There's also no no-JS fallback... I know we've discussed it for other related work/extensions, and isn't a high priority... But potentially stuff TODO down the line.
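Item 1 above notes that nothing validates that `WikimediaApiPortalOAuthMetaRestURL` is actually set. The following is an added example, not code from the extension or from the task author: a fail-closed check that could run before the value is used. The function name `validateMetaRestUrl`, the HTTPS-only rule and the `meta.example.org` sample host are assumptions made for illustration.

```php
<?php
declare( strict_types=1 );

/**
 * Hypothetical helper (not part of WikimediaApiPortalOAuth): reject an unset
 * or malformed Meta REST URL instead of silently sending requests nowhere.
 */
function validateMetaRestUrl( string $url ): string {
	$url = trim( $url );
	if ( $url === '' ) {
		// The "" default flagged in item 1 ends up here.
		throw new InvalidArgumentException( 'WikimediaApiPortalOAuthMetaRestURL is not set' );
	}
	$parts = parse_url( $url );
	if ( $parts === false || !isset( $parts['scheme'], $parts['host'] ) ) {
		throw new InvalidArgumentException( 'not an absolute URL' );
	}
	// Assumption: OAuth client management traffic must only travel over TLS.
	if ( strtolower( $parts['scheme'] ) !== 'https' ) {
		throw new InvalidArgumentException( 'scheme must be https' );
	}
	// Credentials embedded in a config URL tend to leak into logs.
	if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
		throw new InvalidArgumentException( 'URL must not contain credentials' );
	}
	// The setting is described as "URL to rest.php", so require that entry point.
	$path = rtrim( $parts['path'] ?? '', '/' );
	if ( basename( $path ) !== 'rest.php' ) {
		throw new InvalidArgumentException( 'path must end in rest.php' );
	}
	if ( isset( $parts['query'] ) || isset( $parts['fragment'] ) ) {
		throw new InvalidArgumentException( 'query string or fragment not allowed' );
	}
	return rtrim( $url, '/' );
}

// Constructed sample values, not taken from the extension or its deployment.
$candidates = [
	'',
	'http://meta.example.org/w/rest.php',
	'https://meta.example.org/w/api.php',
	'https://meta.example.org/w/rest.php',
];
foreach ( $candidates as $candidate ) {
	try {
		echo 'OK: ' . validateMetaRestUrl( $candidate ) . "\n";
	} catch ( InvalidArgumentException $e ) {
		echo 'Rejected "' . $candidate . '": ' . $e->getMessage() . "\n";
	}
}
```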

Event Timeline

Change 639946 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/extensions/WikimediaApiPortalOAuth@master] Set default value for $wgWikimediaApiPortalOAuthMetaRestURL

https://gerrit.wikimedia.org/r/639946

Reedy updated the task description.

I also note the loading bar appearing and then not showing anything different feels odd...

Maybe some placeholder text should go there... "You currently have no clients registered" rather than just nothing which could look like things are broken or haven't been loaded properly etc

Screenshot 2020-11-08 at 17.51.12.png (464×2 px, 54 KB)

Which Gilles has registered some concerns about in T254950: Performance review of WikimediaApiPortalOAuth extension too

Change 639946 merged by jenkins-bot:
[mediawiki/extensions/WikimediaApiPortalOAuth@master] Set default value for $wgWikimediaApiPortalOAuthMetaRestURL

https://gerrit.wikimedia.org/r/639946

Change 661146 had a related patch set uploaded (by Alex Paskulin; owner: Alex Paskulin):
[mediawiki/extensions/WikimediaApiPortalOAuth@master] config: Remove version number

https://gerrit.wikimedia.org/r/661146

Change 661146 merged by jenkins-bot:
[mediawiki/extensions/WikimediaApiPortalOAuth@master] config: Remove version number

https://gerrit.wikimedia.org/r/661146

apaskulin triaged this task as Medium priority. Feb 9 2021, 11:44 PM