
Allow Api-User-Agent header in API Gateway requests
Closed, Resolved, Public

Description

Expected behavior

To comply with the User Agent policy, clients that cannot set the User-Agent header are "encouraged" to set the Api-User-Agent header. To support this, I would like to include the Api-User-Agent header in the JavaScript examples in the API Portal. For example:

let response = await fetch( 'https://api.wikimedia.org/core/v1/wikipedia/en/page/Earth', 
    {
        headers: {
            'Api-User-Agent': 'APP_NAME (EMAIL_OR_CONTACT_PAGE)',
            'Authorization': 'Bearer ACCESS_TOKEN'
        }
    }
);
response.json()
  .then(console.log).catch(console.error)

Observed behavior

The example above gives the error blocked by CORS policy: Request header field api-user-agent is not allowed by Access-Control-Allow-Headers in preflight response. This happens with both the core and feed namespaces.

When I try the example above with the MediaWiki Core REST API, I get the same error. However, when I try with a RESTBase API endpoint (https://en.wikipedia.org/api/rest_v1/page/title/Earth), the Api-User-Agent is allowed and the example works.

Proposal

Allow the Api-User-Agent header in API Gateway requests, similar to T76340: API CORS preflight response should allow Api-User-Agent header
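The preflight check behind the error above can be modelled in a few lines. This is an added example, not part of the original task or of any Wikimedia code; the function names and the sample Access-Control-Allow-Headers values are assumptions constructed for illustration, and the safelist handling is simplified as noted in the comments.

```javascript
// Simplified model of the browser's CORS preflight header check.
// Header names are compared case-insensitively, which is why the error
// on this page reports "api-user-agent" in lower case.

// Simplification: only the name-based safelist is modelled. The Fetch
// standard also restricts header values and safelists some Range values.
const SAFELISTED_NAMES = new Set(['accept', 'accept-language', 'content-language']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Names the browser has to announce in Access-Control-Request-Headers.
function corsUnsafeHeaderNames(headers) {
  const unsafe = [];
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (SAFELISTED_NAMES.has(lower)) continue;
    if (lower === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (SAFE_CONTENT_TYPES.has(mime)) continue;
    }
    unsafe.push(lower);
  }
  return unsafe.sort();
}

// Returns the request headers that the preflight response does not permit.
function blockedByPreflight(headers, allowHeadersValue, credentialsInclude = false) {
  const allowed = new Set(
    String(allowHeadersValue || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean)
  );
  // "*" is only a wildcard when the request does not include credentials.
  const wildcard = allowed.has('*') && !credentialsInclude;
  return corsUnsafeHeaderNames(headers).filter((name) => {
    if (allowed.has(name)) return false;
    // The wildcard never covers Authorization; it must be listed by name.
    return !(wildcard && name !== 'authorization');
  });
}

// Request headers from the task description (placeholder values as on the page).
const requestHeaders = {
  'Api-User-Agent': 'APP_NAME (EMAIL_OR_CONTACT_PAGE)',
  'Authorization': 'Bearer ACCESS_TOKEN',
};

// Constructed Access-Control-Allow-Headers values, not captured from any server.
console.log(blockedByPreflight(requestHeaders, 'Authorization, Content-Type'));
console.log(blockedByPreflight(requestHeaders, 'Authorization, Api-User-Agent'));
console.log(blockedByPreflight(requestHeaders, '*'));
```

An empty result means the browser would go on to send the actual request; any name in the result makes the preflight fail and the request is never sent.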

Event Timeline

Does this task also cover the MediaWiki REST API?

mw:API:REST API/Reference has several JavaScript examples which I assume are meant to send an Api-User-Agent header, such as:

async function doFetch() {
  const rsp = await fetch(
    "https://en.wikipedia.org/w/rest.php/v1/search/page?q=jupiter&limit=20",
    {'Api-User-Agent': 'MediaWiki REST API docs examples/0.1 (https://www.mediawiki.org/wiki/API_talk:REST_API)'}
  );
  const data = await rsp.json();
  return data;
}

The Api-User-Agent line in this code has no effect – the second parameter of fetch() is an init settings object, and "Api-User-Agent" is not one of the known keys of that object, and so it is ignored and the request is made without an Api-User-Agent header.

I tried to fix this:

async function doFetch() {
  const rsp = await fetch(
    "https://en.wikipedia.org/w/rest.php/v1/search/page?q=jupiter&limit=20",
    { headers: {
      'Api-User-Agent': 'MediaWiki REST API docs examples/0.1 (https://www.mediawiki.org/wiki/API_talk:REST_API)',
    } }
  );
  const data = await rsp.json();
  return data;
}

But it turns out that Api-User-Agent is not an allowed header:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://en.wikipedia.org/w/rest.php/v1/search/page?q=jupiter&limit=20. (Reason: header ‘api-user-agent’ is not allowed according to header ‘Access-Control-Allow-Headers’ from CORS preflight response).
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://en.wikipedia.org/w/rest.php/v1/search/page?q=jupiter&limit=20. (Reason: CORS request did not succeed).
NetworkError when attempting to fetch resource.

That sounds like the same issue as the one described in this task, except that it’s not targeting the API Gateway.

Hi @Lucas_Werkmeister_WMDE, great points. Looks like we need two additional tasks here: one to allow Api-User-Agent in the MediaWiki REST API requests and one to fix the examples in mw:API:REST API/Reference in the short term. I'll go ahead and open those. Thanks for doing these tests and writing this up!

Change 693506 had a related patch set uploaded (by Ppchelko; author: Ppchelko):

[operations/deployment-charts@master] Allow Api-User-Agent for API request CORS

https://gerrit.wikimedia.org/r/693506

Change 693508 had a related patch set uploaded (by Ppchelko; author: Ppchelko):

[mediawiki/core@master] Make REST CORS allowed headers respect site configuration.

https://gerrit.wikimedia.org/r/693508

The two patches above should take care of the issue.

Change 693506 merged by jenkins-bot:

[operations/deployment-charts@master] Allow Api-User-Agent for API request CORS

https://gerrit.wikimedia.org/r/693506

OK, the api.wikimedia.org version works now. Need to get some review for the core patch to make core endpoints work as well.

Change 693508 merged by jenkins-bot:

[mediawiki/core@master] Make REST CORS allowed headers respect site configuration.

https://gerrit.wikimedia.org/r/693508

apaskulin assigned this task to Pchelolo.

Looks like Api-User-Agent headers are now accepted by both the API Gateway and MediaWiki REST API. Thanks, Petr!