
OAuth requests to MediaWiki endpoints not supporting OAuth should be rejected
Open, Needs Triage | Public | BUG REPORT

Description

When sending an OAuth request to index.php, it will be interpreted as a valid anonymous request:

$ curl -sS -H "Authorization: Bearer 0000" -o /dev/null -D - https://en.wikipedia.org/wiki/Main_Page
HTTP/2 200
...

(It will be anonymous even if the access token is valid.)

It'd probably be less confusing to respond with an HTTP 400 or 403.

Event Timeline

Change 935818 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/OAuth@master] Fail when OAuth is used with a non-API entry point

https://gerrit.wikimedia.org/r/935818

Change 935818 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] Fail when OAuth is used with a non-API entry point

https://gerrit.wikimedia.org/r/935818

Note that this had to be partially reverted again (T341656); when we redo this, we need to ensure Special:OAuth keeps working.
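The following Python is an added illustration, written for this page; it is not the OAuth extension's code and not the patch linked above. It models the decision the fix makes for the request in the description (OAuth credentials arriving at index.php) and the exemption the comment above asks for (Special:OAuth must keep accepting signed OAuth 1.0a requests such as Special:OAuth/initiate). The URL layout (/wiki/Title as the article path served by index.php, scripts under /w/), the choice of 400 over 403, and the treatment of only the Bearer and OAuth authorization schemes as OAuth credentials are assumptions made here; all sample requests are constructed.

```python
"""Model of an OAuth entry-point gate for MediaWiki-style URLs.

Added example, not the MediaWiki OAuth extension's code. Assumptions:
  - Wikimedia-style layout: /wiki/<Title> is served by index.php, scripts live under /w/.
  - Only 'Bearer' (OAuth 2) and 'OAuth' (OAuth 1.0a) Authorization schemes count as OAuth.
  - Rejections use 400; the report suggests 400 or 403 and the choice here is arbitrary.
"""
from urllib.parse import urlsplit, parse_qs

ARTICLE_PATH_PREFIX = "/wiki/"   # assumption: article path
SCRIPT_PATH = "/w/"              # assumption: script path
API_ENTRY_POINTS = {"api.php", "rest.php"}
REJECT_STATUS = 400              # assumption, see module docstring


def oauth_scheme(headers):
    """Return 'bearer', 'oauth1' or None for the request's Authorization header."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if not auth:
        return None
    scheme = auth.split(None, 1)[0].lower()
    return {"bearer": "bearer", "oauth": "oauth1"}.get(scheme)


def entry_point_and_title(url):
    """Map a request URL to (entry point script, page title or None)."""
    parts = urlsplit(url)
    path, query = parts.path, parse_qs(parts.query)
    if path.startswith(ARTICLE_PATH_PREFIX):
        return "index.php", path[len(ARTICLE_PATH_PREFIX):]
    if path.startswith(SCRIPT_PATH):
        # rest.php/v1/page/Foo -> rest.php; api.php -> api.php
        script = path[len(SCRIPT_PATH):].split("/", 1)[0]
        return script, query.get("title", [None])[0]
    return None, None


def is_special_oauth(title):
    """True for Special:OAuth and its subpages (Special:OAuth/initiate, /token, ...).

    Deliberately does not match other pages whose name merely starts with
    'Special:OAuth' (e.g. Special:OAuthConsumerRegistration).
    """
    if title is None:
        return False
    t = title.replace("_", " ")
    return t == "Special:OAuth" or t.startswith("Special:OAuth/")


def gate(url, headers, reject_non_api=True):
    """Decide how a request carrying (or not carrying) OAuth credentials is handled.

    Returns one of:
      ("pass", None)            no OAuth credentials: normal cookie/anonymous handling
      ("authenticate", scheme)  OAuth credentials on an entry point that supports them
      ("exempt", scheme)        Special:OAuth handles the credentials itself
      ("anonymous", scheme)     pre-fix behaviour: credentials silently ignored
      ("reject", status)        post-fix behaviour: credentials on an unsupported entry point
    """
    scheme = oauth_scheme(headers)
    if scheme is None:
        return ("pass", None)
    script, title = entry_point_and_title(url)
    if script in API_ENTRY_POINTS:
        return ("authenticate", scheme)
    if script == "index.php" and is_special_oauth(title):
        return ("exempt", scheme)
    if reject_non_api:
        return ("reject", REJECT_STATUS)
    return ("anonymous", scheme)


if __name__ == "__main__":
    # Constructed sample requests, including the one from the bug report.
    samples = [
        ("https://en.wikipedia.org/wiki/Main_Page", {"Authorization": "Bearer 0000"}),
        ("https://en.wikipedia.org/w/api.php?action=query&meta=userinfo&format=json",
         {"Authorization": "Bearer 0000"}),
        ("https://en.wikipedia.org/w/index.php?title=Special:OAuth/initiate&format=json",
         {"Authorization": 'OAuth oauth_consumer_key="abc", oauth_signature_method="HMAC-SHA1"'}),
    ]
    for url, hdrs in samples:
        print(url, "->", gate(url, hdrs), "(pre-fix:", gate(url, hdrs, reject_non_api=False), ")")
```

Running the module prints the post-fix and pre-fix decision for each constructed request; the first one reproduces the report (token on index.php: previously "anonymous", now rejected), the third shows the Special:OAuth exemption that the first round of the fix lacked.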

Filed T341759: Create functional tests for core OAuth functionality, although given the lack of maintainership the task is aspirational.

Change 939791 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/OAuth@master] Fail when OAuth is used with a non-API entry point (round 2)

https://gerrit.wikimedia.org/r/939791

Change 939791 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] Fail when OAuth is used with a non-API entry point (round 2)

https://gerrit.wikimedia.org/r/939791