Steps to replicate the issue (include links if applicable):
- make a wiki private by using $wgGroupPermissions['*']['read'] = false. By private I mean visitors cannot view or edit any page, but logged-in users can, so you will need to make sure $wgGroupPermissions['user']['read'] = true
- create an OAuth1 or OAuth2 consumer registration record as the administrator, check the checkbox "This consumer is for use only by XXX", record down the
- try to make a GET call to the endpoint "https://<wiki domain>/api.php?action=query&format=json&titles=TestPage" using either the OAuth1 or the OAuth2 method.
What happens?:
Both OAuth1 and OAuth2 get the following error:
{ "error": { "code": "readapidenied", "info": "You need read permission to use this module.", "*": "See https://www.xxxx.live//api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/postorius/lists/mediawiki-api-announce.lists.wikimedia.org/> for notice of API deprecations and breaking changes." } }
What should have happened instead?:
expecting something like this:
{ "batchcomplete": "", "query": { "pages": { "245": { "pageid": 245, "ns": 0, "title": "TestPage" } } } }
I did some basic troubleshooting based on the suggestions from the IRC channel. I turned on detailed logging using $wgDebugLogFile, and it looks like the Authorization header value is always empty, but I am expecting the token to be passed in the header like this: "Authorization: Bearer eyJ0eXAiOiJKV1QiLC....". For example, I tried Postman, Python and curl, but no matter what I try, it seems the wiki refuses to recognize the "Authorization" header value for some reason. Below are the wiki logs when using curl to make a GET call to /api.php?action=query&format=json&titles=TestPage
Start request GET /api.php?action=query&format=json&titles=TestPage IP: 71.249.xx.xx HTTP HEADERS: ACCEPT: */* HOST: www.xxxxx.com USER-AGENT: curl/7.64.1 (end headers)
The log looks like this when using Postman:
Start request GET /api.php?action=query&format=json&titles=TestPage IP: 71.249.xx.xx HTTP HEADERS: ACCEPT: */* ACCEPT-ENCODING: gzip, deflate, br CONNECTION: keep-alive HOST: www.xxxxx.com POSTMAN-TOKEN: e04f0555-c36e-4ec2-b40c-b78d927c4a63 USER-AGENT: PostmanRuntime/7.29.2 (end headers)
Software version (skip for WMF-hosted wikis like Wikipedia):
Product Version
MediaWiki 1.39.1
PHP 7.4.33 (cgi-fcgi)
MySQL 5.7.41
ICU 69.1
Lua 5.1.5
Other information (browser name/version, screenshots, etc.):
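The check described in the troubleshooting paragraph above can be scripted against the $wgDebugLogFile output. This is an added example, not part of the original report and not MediaWiki code: it assumes the log writes one header per line between "HTTP HEADERS:" and "(end headers)", the function names are hypothetical, and the sample log (host, token) is constructed.

```python
import re

# Constructed sample in the assumed one-header-per-line layout; values are placeholders.
SAMPLE_LOG = """\
Start request GET /api.php?action=query&format=json&titles=TestPage
HTTP HEADERS:
HOST: wiki.example.org
USER-AGENT: curl/7.64.1
(end headers)
Start request GET /api.php?action=query&format=json&titles=TestPage
HTTP HEADERS:
AUTHORIZATION: Bearer eyJ0eXAi.constructed.token
HOST: wiki.example.org
(end headers)
"""

START = re.compile(r"^Start request (\S+) (\S+)")

def parse_requests(log_text):
    """Return one dict per logged request: method, url, headers."""
    requests, in_headers = [], False
    for line in log_text.splitlines():
        line = line.strip()
        m = START.match(line)
        if m:
            requests.append({"method": m.group(1), "url": m.group(2), "headers": {}})
            in_headers = False
        elif line == "HTTP HEADERS:":
            in_headers = bool(requests)  # ignore header blocks with no request line
        elif line == "(end headers)":
            in_headers = False
        elif in_headers and ":" in line:
            name, value = line.split(":", 1)
            requests[-1]["headers"][name.strip().upper()] = value.strip()
    return requests

def auth_report(log_text):
    """Per request: the Authorization scheme the wiki logged, or None (token never returned)."""
    report = []
    for req in parse_requests(log_text):
        value = req["headers"].get("AUTHORIZATION", "")
        report.append((req["method"], req["url"], value.split(" ", 1)[0] or None))
    return report

if __name__ == "__main__":
    for method, url, scheme in auth_report(SAMPLE_LOG):
        print(method, url, "->", scheme or "no Authorization header reached the wiki")
```

A `None` scheme for a request that the client sent with a token means the header was dropped before MediaWiki logged the request, which matches the curl and Postman log entries quoted in the report.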