Page MenuHomePhabricator
Create Task
Maniphest T374596

🥸 Wikibase REST API does not fully support temporary accounts
Closed, ResolvedPublic8 Estimated Story Points
Actions

Description

In order to enable browser-like clients interacting with Wikidata to register temporary accounts on WMF's central login wiki, responses to edits that resulted in using a "temporary account" should include the relevant data: name of the temporary account used, and the "redirect URL" that could be used to register the temporary account on the "central login wiki".

Successful edit responses (POST, PUT, PATCH, DELETE endpoints) should send the following HTTP headers if the edit involved creating a mediawiki temporary account:

  • X-Temporary-User-Created with a value being a temporary account user name
  • X-Temporary-User-Redirect, if a redirect URL value was generated by Mediawiki
  • the returnTo value expected by TempUserCreatedRedirect should be left empty for now (in production this will mean, redirected request will return to the Main Page)

At the same time, a temporary account should never be returned as the value of X-Authenticated-User (see T323261).

Description of the X-Temporary-User-Redirect header along the lines of: For the client that is a browser working with the WMF wikis: URL that client should redirect their user to ensure that the temporary account would be logged in on the central login wiki

While looking at the REST API code today, I noticed that it just throws away most of the information in the EditEntityStatus returned by EditEntity:

EntityUpdater::createOrUpdate()
		$status = $editEntity->attemptSave(
			$entity,
			$this->summaryFormatter->format( $editMetadata->getSummary() ),
			$newOrUpdateFlag | ( $editMetadata->isBot() ? EDIT_FORCE_BOT : 0 ),
			false,
			false,
			$editMetadata->getTags()
		);

		if ( !$status->isOK() ) {
			if ( $this->isPreventedEdit( $status ) ) {
				throw new EntityUpdatePrevented( (string)$status );
			}

			throw new EntityUpdateFailed( (string)$status );
		} elseif ( !$status->isGood() ) {
			$this->logger->warning( (string)$status );
		}

		return $status->getRevision();

The savedTempUser and context from the status are not used by the REST API, as far as I can tell. I assume this means that the REST API never calls the TempUserCreatedRedirect hook, and doesn’t redirect the user to loginwiki; consequently, a temporary user created via the REST API will only exist on the Wikibase repo wiki and be even more temporary than it should be.

Task breakdown

  • Add X-Temporary-User-Created and X-Temporary-User-Redirect headers to responses where the request came from a temp user
  • Remove X-Authenticated-User header from responses where the request came from an anonymous user

Related Objects
Search...

Event Timeline

Lucas_Werkmeister_WMDE created this task.Sep 12 2024, 9:20 AM
Lucas_Werkmeister_WMDE added a comment.Sep 13 2024, 9:51 AM

I assume this means that the REST API […] doesn’t redirect the user to loginwiki

Hm, I hadn’t fully thought this through when I wrote that. Should the REST API return an HTTP-level redirect in its response, like I implied there? Or should it include a redirect URL in its response data, like the Action API does, potentially with additional API parameters like returnto, returntoquery and returntoanchor?

kostajh subscribed.Sep 13 2024, 11:40 AM
In T374596#10143557, @Lucas_Werkmeister_WMDE wrote:

I assume this means that the REST API […] doesn’t redirect the user to loginwiki

Hm, I hadn’t fully thought this through when I wrote that. Should the REST API return an HTTP-level redirect in its response, like I implied there? Or should it include a redirect URL in its response data, like the Action API does, potentially with additional API parameters like returnto, returntoquery and returntoanchor?

I would recommend looking at what VisualEditor (T332435: Update VisualEditor for IP masking(and DiscussionTools do, both in terms of response data, and handling redirects.

kostajh moved this task from Inbox to Backlog on the Temporary accounts board.Sep 13 2024, 11:41 AM
Ifrahkhanyaree_WMDE added a project: Wikibase Reuse Team.Sep 16 2024, 11:47 AM
Ifrahkhanyaree_WMDE moved this task from Incoming tickets outside WPP to To polish on the Wikibase Reuse Team board.
WMDE-leszek subscribed.Sep 17 2024, 8:49 PM

I was trying to turn this rather low level technical description into a definition of an intended behaviour. Starting at Visual Editor tickets and patches didn't help me understand it loads, but I tried to follow some hints from @Lucas_Werkmeister_WMDE.

Excerpt from Action API response - I suspect the intended behaviour would be that REST API response also includes this information in some form

...
    "tempusercreated": "~2024-REDACTED",
    "tempuserredirect": "https://login.wikimedia.beta.wmflabs.org/wiki/Special:CentralLogin/start?token=REDACTED",
...

I am quite convinced that Wikibase REST API, unlike Action API, shouldn't be setting any cookies, neither respond with HTTP redirects.
I've failed to check what Mediawiki REST API does in similar cases -- putting page seems to have a hard requirement of providing a bearer token which would imply this is logged-in users only API?

Note:

  • the temporary user name should not be communicated through Wikibase REST API's X-Authenticated-User header (it is not as of Sep 17 2024) as it would be violating the design guideline of temporary accounts functionality: "Temporary accounts should feel ephemeral. People should not think they have an account when they do not"
WMDE-leszek updated the task description. (Show Details)Sep 19 2024, 8:32 AM
Silvan_WMDE updated the task description. (Show Details)Sep 19 2024, 11:11 AM
WMDE-leszek moved this task from To polish to Polished on the Wikibase Reuse Team board.Sep 19 2024, 11:24 AM
Ifrahkhanyaree_WMDE moved this task from Backlog to Next on the Wikibase REST API (WPP) board.Sep 19 2024, 4:10 PM
kostajh added a comment.Sep 20 2024, 9:24 AM

Note, there is some internal discussion of this here.

Ifrahkhanyaree_WMDE moved this task from Polished to Ready for planning on the Wikibase Reuse Team board.Oct 1 2024, 8:11 AM
Ifrahkhanyaree_WMDE moved this task from Ready for planning to Sprint 30 on the Wikibase Reuse Team board.Oct 1 2024, 9:48 AM
Ifrahkhanyaree_WMDE edited projects, added Wikibase Reuse Team (Sprint 30); removed Wikibase Reuse Team.
Ifrahkhanyaree_WMDE set the point value for this task to 8.Oct 1 2024, 9:53 AM
Ollie.Shotton_WMDE updated the task description. (Show Details)Oct 2 2024, 9:49 AM
Jakob_WMDE renamed this task from Wikibase REST API does not fully support temporary accounts to 🥸 Wikibase REST API does not fully support temporary accounts.Oct 2 2024, 9:57 AM
Arian_Bozorg mentioned this in T373975: General QA of Wikidata and temporary accounts on testwiki.Oct 7 2024, 1:48 PM
Silvan_WMDE updated the task description. (Show Details)Oct 8 2024, 9:24 AM
Silvan_WMDE updated the task description. (Show Details)Oct 8 2024, 9:30 AM
Muhammad_Yasser_Jazirahly_WMDE subscribed.Oct 8 2024, 9:30 AM
Muhammad_Yasser_Jazirahly_WMDE updated the task description. (Show Details)Oct 8 2024, 6:51 PM
Muhammad_Yasser_Jazirahly_WMDE moved this task from To Do to Product Verification on the Wikibase Reuse Team (Sprint 30) board.Oct 14 2024, 12:29 PM
Ifrahkhanyaree_WMDE closed subtask T376261: 🥸 Remove X-Authenticated-User response header if the request came from an anonymous user as Resolved.Oct 15 2024, 9:49 AM
Ifrahkhanyaree_WMDE closed subtask T376260: 🥸 Add X-Temporary-User-Created and X-Temporary-User-Redirect response headers if the request came from an anonymous user as Resolved.
Ifrahkhanyaree_WMDE edited projects, added Wikibase Reuse Team (Sprint 31); removed Wikibase Reuse Team (Sprint 30).Oct 15 2024, 9:52 AM
Ifrahkhanyaree_WMDE moved this task from To Do to Product Verification on the Wikibase Reuse Team (Sprint 31) board.
Ifrahkhanyaree_WMDE moved this task from Product Verification to Done on the Wikibase Reuse Team (Sprint 31) board.Oct 15 2024, 2:25 PM
Ollie.Shotton_WMDE moved this task from Next to Done on the Wikibase REST API (WPP) board.Oct 25 2024, 9:35 AM
Ifrahkhanyaree_WMDE closed this task as Resolved.Nov 1 2024, 10:21 AM
Ifrahkhanyaree_WMDE claimed this task.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits