
Investigate: How the API can be used to create accounts and log in
Open, Needs Triage, Public

Description

From T317595: Investigate: Can we load the Create account / Login forms in a modal from an article page?

The api endpoints exist for creating an account and logging in.

From @Tgr:

Construct your own dialog in JavaScript, using the clientlogin and createaccount APIs. (I don't think the security concerns are convincing, for reasons which have already been described in T71596.) This was never done before so I'd expect surprises and potentially improvements needed to the APIs. It should be done eventually, and the APIs have been written with exactly this use case in mind, so it would be a worthwhile improvement to MediaWiki core, although an overkill for your use case IMO. The APIs return an abstract form definition, the client code would have to turn that into an actual form inside the modal. In theory this would cover captchas, 2FA and any number of other workflows that can be part of the login or signup workflow, depending on what extensions are installed - you would just get the definition of the form field, without having to know what kind of information workflow step is happening. In practice, as I said, no one has done this before, so I'd expect to hit usability and maybe functionality problems (which should be fixed, but make this a larger effort than it first sounds). One thing I can think of right off the bat is that the CentralAuth cross-wiki login sequence is not covered by any API.

Please investigate how they could be used by the front-end to (create an account and subsequently) log a user in. Please document any problems you encounter as you test these APIs out. I am specifically calling this part out:

In theory this would cover captchas, 2FA and any number of other workflows that can be part of the login or signup workflow, depending on what extensions are installed - you would just get the definition of the form field, without having to know what kind of information workflow step is happening. In practice, as I said, no one has done this before, so I'd expect to hit usability and maybe functionality problems

Presumably, you'll start by POSTing to them manually to see what happens. Can whatever's returned be used to generate a form? Or does a form need to be manually written so that parameters can be passed to the endpoint?

Event Timeline

Special:Login uses the same API internally (or rather AuthManager::getAuthenticationRequests and AuthManager::[begin|continue][Authentication|AccountCreation], which the API is a very thin wrapper around) but adds some form customization functionality around it, see AuthManagerSpecialPage::fieldInfoToFormDescriptor, LoginSignupSpecialPage::postProcessFormDescriptor and the AuthChangeFormFields hook in various extensions (and in core where it calls LoginSignupSpecialPage::getFieldDefinitions). So you might need to recreate some of that functionality or share it with the API. In most cases it shouldn't be strictly required to make the auth form functional, but it contains a ton of visual polish. For some extensions (ConfirmEdit and WebAuthn are the ones I can think of off the top of my head) without the frontend customizations the form wouldn't be intelligible to the user at all, even if technically it's possible to use.

(The field info array received by AuthManagerSpecialPage::fieldInfoToFormDescriptor is the same data structure that you can get via the API.)
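As an added example (not code from this task or from MediaWiki core), here is how the abstract form definition discussed in the description and in the comment above could drive a client-side dialog: it flattens the requests list from meta=authmanagerinfo into renderable fields, builds the action=clientlogin POST body (loginreturnurl on the first step, logincontinue=1 on a UI continuation) and maps the response status to the dialog's next step. It assumes formatversion=2 responses and a logintoken already fetched from meta=tokens&type=login; the sample request list and the second-step request id in the test are constructed, and the field merging is a simplification of what core's AuthenticationRequest::mergeFieldInfo does.

```javascript
// Added example, not MediaWiki code; shapes follow the Action API with formatversion=2.
// Constructed sample of query.authmanagerinfo.requests (amirequestsfor=login).
const sampleLoginRequests = [
  { id: 'MediaWiki\\Auth\\PasswordAuthenticationRequest', required: 'primary-required',
    fields: { username: { type: 'string', label: 'Username' },
              password: { type: 'password', label: 'Password', sensitive: true } } },
  { id: 'MediaWiki\\Auth\\RememberMeAuthenticationRequest', required: 'optional',
    fields: { rememberMe: { type: 'checkbox', label: 'Keep me logged in', optional: true } } },
];

// Flatten the abstract request list into one renderable field list. Same-named fields are
// merged and required if any non-optional request needs them (simplified mergeFieldInfo).
function fieldsFromRequests(requests) {
  const byName = new Map();
  for (const req of requests) {
    for (const [name, info] of Object.entries(req.fields || {})) {
      if (info.type === 'null') continue; // informational only, nothing to render or submit
      const required = !info.optional && req.required !== 'optional';
      const prev = byName.get(name);
      if (prev) { prev.required = prev.required || required; continue; }
      byName.set(name, { name, type: info.type, label: info.label || name, required,
        sensitive: !!info.sensitive, options: info.options || null, value: info.value });
    }
  }
  return [...byName.values()];
}

// POST body for action=clientlogin: the first step needs loginreturnurl, a UI continuation
// sends logincontinue=1 with the same logintoken (the CSRF token from meta=tokens&type=login).
function buildClientLoginBody(fields, values, loginToken, { returnUrl, cont = false } = {}) {
  const body = new URLSearchParams({ action: 'clientlogin', format: 'json', formatversion: '2', logintoken: loginToken });
  if (cont) body.set('logincontinue', '1'); else body.set('loginreturnurl', returnUrl);
  for (const f of fields) {
    const v = values[f.name] !== undefined ? values[f.name] : f.value; // hidden fields carry a value
    if (v === undefined || v === false || v === '') {
      if (f.required) throw new Error('missing required field ' + f.name); else continue;
    }
    body.set(f.name, v === true ? '1' : String(v));
  }
  return body;
}

// Map a clientlogin response onto what the dialog does next (PASS/FAIL/UI/REDIRECT/RESTART).
function nextStep(resp) {
  const r = resp.clientlogin;
  if (r.status === 'PASS') return { action: 'done', username: r.username };
  if (r.status === 'UI') return { action: 'render', message: r.message, fields: fieldsFromRequests(r.requests) };
  if (r.status === 'REDIRECT') return { action: 'redirect', url: r.redirecttarget };
  if (r.status === 'RESTART') return { action: 'restart', message: r.message };
  return { action: 'error', message: r.message || ('unexpected status ' + r.status) };
}
```

A real dialog would re-render whenever nextStep returns 'render', which is exactly the captcha or 2FA case the description asks about, and must never write fields marked sensitive to console or analytics.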