Investigate how to implement authentication for the Reconciliation API with existing tools/modules
Investigation starting points:
- MediaWiki core
- Other extensions that define REST handlers
Timebox
4 hrs
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | • toan | T283153 Add authentication for REST API
Resolved | | • toan | T283155 Investigate how REST APIs are using authentication
Resolved | | • toan | T283156 Implement authentication on the REST API
Reading through the docs, I came across this paragraph:
https://www.mediawiki.org/wiki/API:REST_API
Permissions and authorization
The REST API is designed to be used with the OAuth extension for user authentication and authorization. However, regardless of the authentication method, the API responds to the presence of a logged-in user and returns content appropriate to that user's permissions.
After a little further digging, this seems to mean we should use the mediawiki-oauthclient and follow these steps: https://github.com/wikimedia/mediawiki-oauthclient-php/blob/master/README.md
Another interesting finding was https://github.com/wikimedia/mediawiki-extensions-WikibaseStatementUpdater, which seems to be an extension that uses this client in the way described above. We could probably follow this as a guide for adding this. The authentication process happens here: https://github.com/wikimedia/mediawiki-extensions-WikibaseStatementUpdater/blob/master/src/WikibaseStatementUpdaterSpecialPage.php
I started looking into how we could use it here: https://github.com/wmde/WikibaseReconcileEdit/compare/oauth but gave up, since this is the investigation part of this task.
Other ways of authentication/authority checks
Looking at LanguageLinksHandler, which also uses SimpleHandler:
in REL1_35 it uses an object called PermissionsManager, and in master/REL1_36 this has been replaced by Handler::getAuthority().
I still think OAuth might be the better way here though.
Should not use OAuth but rather the existing PermissionsManager, similar to this: https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/IPInfo/+/refs/heads/master/src/RestHandler/LogHandler.php
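
The authority-check approach discussed in the comments above, shown for MediaWiki 1.36+ with Handler::getAuthority(). This is an added example, not code from this task, WikibaseReconcileEdit or IPInfo; the namespace, the class name `ExampleEditHandler` and the choice of the `edit` right are assumptions made for illustration.

```php
<?php
// Added example. Namespace, class name and REQUIRED_RIGHT are hypothetical.
namespace MediaWiki\Extension\Example\Rest;

use MediaWiki\Rest\HttpException;
use MediaWiki\Rest\SimpleHandler;

class ExampleEditHandler extends SimpleHandler {

	/** Right the caller must hold; assumed for illustration. */
	private const REQUIRED_RIGHT = 'edit';

	public function run() {
		// The Authority describes whoever the session layer resolved for this
		// request, regardless of how they authenticated (OAuth, cookie, ...).
		$authority = $this->getAuthority();
		$user = $authority->getUser();

		// Reject anonymous requests before doing any work.
		if ( !$user->isRegistered() ) {
			throw new HttpException( 'Authentication required', 401 );
		}

		// Authenticated but not permitted: the handler decides per right,
		// so the same code works for every authentication method.
		if ( !$authority->isAllowed( self::REQUIRED_RIGHT ) ) {
			throw new HttpException(
				'Missing right: ' . self::REQUIRED_RIGHT,
				403
			);
		}

		return $this->getResponseFactory()->createJson( [
			'user' => $user->getName(),
		] );
	}

	// Marks the route as a write so the REST router applies its own
	// write-access check before run() is reached.
	public function needsWriteAccess() {
		return true;
	}
}
```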