Page MenuHomePhabricator
Create Task
Maniphest T268791

Allow Api-User-Agent header in API Gateway requests
Closed, ResolvedPublic
Actions

Description

Expected behavior

To comply with the User Agent policy, clients that cannot set the User-Agent header are "encouraged" to set the Api-User-Agent header. To support this, I would like to include the Api-User-Agent header in the JavaScript examples in the API Portal. For example:

let response = await fetch( 'https://api.wikimedia.org/core/v1/wikipedia/en/page/Earth', 
    {
        headers: {
            'Api-User-Agent': 'APP_NAME (EMAIL_OR_CONTACT_PAGE)',
            'Authorization': 'Bearer ACCESS_TOKEN'
        }
    }
);
response.json()
  .then(console.log).catch(console.error)

Observed behavior

The example above gives the error blocked by CORS policy: Request header field api-user-agent is not allowed by Access-Control-Allow-Headers in preflight response. This happens with both the core and feed namespaces.

When I try the example above with the MediaWiki Core REST API, I get the same error. However, when I try with a RESTBase API endpoint (https://en.wikipedia.org/api/rest_v1/page/title/Earth), the Api-User-Agent is allowed and the example works.

Proposal

Allow the Api-User-Agent header in API Gateway requests, similar to T76340: API CORS preflight response should allow Api-User-Agent header

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Make REST CORS allowed headers respect site configuration.mediawiki/coremaster+32 -5
Allow Api-User-Agent for API request CORSoperations/deployment-chartsmaster+9 -19
Customize query in gerrit

Related Objects
Search...

Event Timeline

apaskulin created this task.Nov 25 2020, 9:46 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 25 2020, 9:46 PM
eprodromou claimed this task.Dec 1 2020, 6:45 PM
eprodromou added a project: Platform Team Workboards (Green).Dec 7 2020, 7:46 PM
eprodromou added a parent task: T255034: Wikimedia API Gateway Long-term Use.
eprodromou removed a project: Platform Team Workboards (Green).Dec 16 2020, 4:59 PM
apaskulin removed eprodromou as the assignee of this task.Jan 8 2021, 12:50 AM
apaskulin added a subscriber: eprodromou.
Lucas_Werkmeister_WMDE subscribed.May 6 2021, 3:22 PM

Does this task also cover the MediaWiki REST API?

mw:API:REST API/Reference has several JavaScript examples which I assume are meant to send an Api-User-Agent header, such as:

async function doFetch() {
  const rsp = await fetch(
    "https://en.wikipedia.org/w/rest.php/v1/search/page?q=jupiter&limit=20",
    {'Api-User-Agent': 'MediaWiki REST API docs examples/0.1 (https://www.mediawiki.org/wiki/API_talk:REST_API)'}
  );
  const data = await rsp.json();
  return data;
}

The Api-User-Agent line in this code has no effect – the second parameter of fetch() is an init settings object, and "Api-User-Agent" is not one of the known keys of that object, and so it is ignored and the request is made without an Api-User-Agent header.

I tried to fix this:

async function doFetch() {
  const rsp = await fetch(
    "https://en.wikipedia.org/w/rest.php/v1/search/page?q=jupiter&limit=20",
    { headers: {
      'Api-User-Agent': 'MediaWiki REST API docs examples/0.1 (https://www.mediawiki.org/wiki/API_talk:REST_API)',
    } }
  );
  const data = await rsp.json();
  return data;
}

But it turns out that Api-User-Agent is not an allowed header:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://en.wikipedia.org/w/rest.php/v1/search/page?q=jupiter&limit=20. (Reason: header ‘api-user-agent’ is not allowed according to header ‘Access-Control-Allow-Headers’ from CORS preflight response).
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://en.wikipedia.org/w/rest.php/v1/search/page?q=jupiter&limit=20. (Reason: CORS request did not succeed).
NetworkError when attempting to fetch resource.

That sounds like the same issue as the one described in this task, except that it’s not targeting the API Gateway.

apaskulin added a comment.EditedMay 7 2021, 5:05 PM

Hi @Lucas_Werkmeister_WMDE, great points. Looks like we need two additional tasks here: one to allow Api-User-Agent in the MediaWiki REST API requests and one to fix the examples in mw:API:REST API/Reference in the short term. I'll go ahead and open those. Thanks for doing these tests and writing this up!

apaskulin updated the task description. (Show Details)May 7 2021, 5:11 PM
apaskulin mentioned this in T282259: Allow Api-User-Agent header in MediaWiki REST API requests.
apaskulin mentioned this in T282263: Fix JavaScript examples in the MediaWiki REST API reference docs.May 7 2021, 5:43 PM
gerritbot added a comment.May 22 2021, 12:15 AM

Change 693506 had a related patch set uploaded (by Ppchelko; author: Ppchelko):

[operations/deployment-charts@master] Allow Api-User-Agent for API request CORS

https://gerrit.wikimedia.org/r/693506

gerritbot added a project: Patch-For-Review.May 22 2021, 12:15 AM
gerritbot added a comment.May 22 2021, 12:33 AM

Change 693508 had a related patch set uploaded (by Ppchelko; author: Ppchelko):

[mediawiki/core@master] Make REST CORS allowed headers respect site configuration.

https://gerrit.wikimedia.org/r/693508

Pchelolo subscribed.May 22 2021, 12:34 AM

Two patches above should take care of the issue.

gerritbot added a comment.May 24 2021, 3:23 PM

Change 693506 merged by jenkins-bot:

[operations/deployment-charts@master] Allow Api-User-Agent for API request CORS

https://gerrit.wikimedia.org/r/693506

Pchelolo added a comment.May 24 2021, 7:47 PM

Ok, the api.wikimedia.org version works now. need to get some review for the core patch to make core endpoints work as well.

gerritbot added a comment.Jun 2 2021, 2:44 PM

Change 693508 merged by jenkins-bot:

[mediawiki/core@master] Make REST CORS allowed headers respect site configuration.

https://gerrit.wikimedia.org/r/693508

ReleaseTaggerBot added a project: MW-1.37-notes (1.37.0-wmf.9; 2021-06-07).Jun 2 2021, 3:00 PM
Maintenance_bot removed a project: Patch-For-Review.Jun 2 2021, 3:11 PM
apaskulin closed this task as Resolved.Jun 9 2021, 2:44 AM
apaskulin assigned this task to Pchelolo.

Looks like Api-User-Agent headers are now accepted by both the API Gateway and MediaWiki REST API. Thanks, Petr!

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits