
Authenticate as mediawiki user when accessing item data using GET /entities/items/{item_id}
Closed, Resolved · Public · 5 Estimated Story Points

Description

As a developer of a tool accessing Wikibase data, I want to authenticate as a MediaWiki user, so that I can use any permissions granted to the user account.

Authentication should happen using an HTTP header that provides a bearer token.

The MediaWiki REST API is designed to work with MediaWiki's OAuth extension, which issues bearer tokens on behalf of the authorized user: https://www.mediawiki.org/wiki/OAuth/For_Developers#OAuth_2

BDD

As an API user
GIVEN items are only visible for logged-in users
AND I have authenticated as a MediaWiki user
WHEN I make a GET request to /entities/items/{item_id}
AND I provide a valid OAuth bearer token in an Authorization header
THEN I receive 200 HTTP response from the API
AND response contains item data
AND response headers include X-Authenticated-User header with authenticated user's username as a value

As an API user
GIVEN items are only visible for logged-in users
AND I make a request as an anonymous user
WHEN I make a GET request to /entities/items/{item_id}
AND do not provide Authorization header
THEN I receive 403 HTTP response from the API

[likely provided by the Mediawiki REST API framework, might not require work on Wikibase REST API side]
As an API user
WHEN I make a GET request to /entities/items/{item_id}
AND I provide an invalid OAuth bearer token in an Authorization header
THEN I receive 403 HTTP response from the API

Notes

  • @Jakob_WMDE reports on the implementation: we can get the authenticated user in our REST route handler via $this->getAuthority()->getUser()
  • Configuring OAuth consumers on Beta Wikidata is NOT in scope of this story
  • Storing bearer tokens on disk (in cookies) must be avoided.
  • The OAuth MediaWiki extension becomes a de facto requirement for using the Wikibase REST API. Without the extension, the Wikibase REST API treats all requests as coming from users who are not logged in. The Wikibase REST API will not reveal any private/non-public data that should be unavailable to users who are not logged in, as long as the MediaWiki REST API framework's "basic authorization" is not skipped (see the MWBasicRequestAuthorizer class).
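The three BDD scenarios above, and the note that requests without a usable token are treated as anonymous, as an added worked example that is not part of this task or of Wikibase. It is a Python stand-in, not MediaWiki's PHP route handler: the token store, the item Q42 and the tokens are constructed sample data, and the client keeps the bearer token in memory only, never on disk.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener
# Constructed sample data standing in for the OAuth extension's token store and one item.
VALID_TOKENS = {"tok-alice-123": "Alice"}
ITEMS = {"Q42": {"id": "Q42", "labels": {"en": {"language": "en", "value": "Douglas Adams"}}}}
READ_DENIED = {"error": "rest-read-denied", "httpCode": 403, "httpReason": "Forbidden"}
OPENER = build_opener(ProxyHandler({}))  # talk to the local server directly, ignoring proxies
def resolve_user(authorization):
    """Username for a valid 'Bearer <token>' header; None means anonymous or invalid token."""
    scheme, _, token = (authorization or "").partition(" ")
    return VALID_TOKENS.get(token) if scheme == "Bearer" else None
class ItemHandler(BaseHTTPRequestHandler):
    # Stand-in for GET /entities/items/{item_id} on a wiki where reading items needs login.
    def do_GET(self):
        user = resolve_user(self.headers.get("Authorization"))
        item = ITEMS.get(self.path.rsplit("/", 1)[-1])
        if user is None:  # missing and invalid tokens get the same 403 body, as the task observed
            status, body = 403, READ_DENIED
        else:
            status, body = (200, item) if item else (404, {"error": "not-found"})
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        if user is not None:
            self.send_header("X-Authenticated-User", user)
        self.end_headers()
        self.wfile.write(payload)
    log_message = lambda self, *args: None  # silence per-request logging
def get_item(base_url, item_id, token=None):
    """Client side: token is held in memory for this call only. Returns (status, body, user)."""
    req = Request(f"{base_url}/entities/items/{item_id}")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with OPENER.open(req) as resp:
            return resp.status, json.load(resp), resp.headers.get("X-Authenticated-User")
    except HTTPError as err:
        return err.code, json.load(err), None
def run_scenarios():
    """Run the three BDD scenarios against an in-process server on a random free port."""
    server = HTTPServer(("127.0.0.1", 0), ItemHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    results = {"valid": get_item(base, "Q42", "tok-alice-123"),
               "anonymous": get_item(base, "Q42"),
               "invalid": get_item(base, "Q42", "not-a-real-token")}
    server.shutdown()
    return results
```

Calling run_scenarios() returns the valid, anonymous and invalid-token outcomes; the last two are indistinguishable by status and body, which is the behaviour discussed in the timeline below.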

References, other remarks

Event Timeline

WMDE-leszek set the point value for this task to 5. Mar 30 2022, 10:46 AM

Change 776941 had a related patch set uploaded (by Jakob; author: Jakob):

[mediawiki/extensions/Wikibase@master] REST: Add authentication header

https://gerrit.wikimedia.org/r/776941

As far as I can tell MediaWiki responds with a 403 for auth errors and does not distinguish between authentication failure due to an invalid token or being unauthorized. Both cases give me:

{
	"error": "rest-read-denied",
	"httpCode": 403,
	"httpReason": "Forbidden"
}

It also seems quite tricky to change this without jumping through hoops :/

Thanks @Jakob_WMDE. I think for the time being it is acceptable to rely on MediaWiki's behaviour. We might want to change it once there is a need in a client to differentiate between those two cases.

Change 776941 merged by jenkins-bot:

[mediawiki/extensions/Wikibase@master] REST: Add authentication header

https://gerrit.wikimedia.org/r/776941

I've tested a few different scenarios and all seem to work as expected. Thanks!

Change 778992 had a related patch set uploaded (by Ollie Shotton; author: Ollie Shotton):

[mediawiki/extensions/Wikibase@master] REST: Don't require write access for GetItem

https://gerrit.wikimedia.org/r/778992

Change 778992 merged by jenkins-bot:

[mediawiki/extensions/Wikibase@master] REST: Don't require write access for GetItem

https://gerrit.wikimedia.org/r/778992