
Create a MW REST API endpoint for fetching CSRF tokens
Open, Needs Triage | Public | 3 Estimated Story Points

Description


CSRF tokens are required for making calls within the sandbox, as they are executed by the browser on behalf of users.

Conditions of acceptance

  • Create a new endpoint that allows the user to request a token from within the MW REST API.
  • Endpoint is surfaced within the MW REST API as a vBeta endpoint for testing purposes.
    • Route: GET rest.php/vBeta/tokens/csrf --> Route naming up for debate/input -- we may release other types of developer tokens/authentication mechanisms, such as a developer JWT and/or OAuth workflows.
  • Returns a token that can then be used within additional REST request bodies.

Implementation details

Action API endpoint for fetching CSRF tokens: https://www.mediawiki.org/wiki/API:Tokens
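To make the acceptance criteria concrete, here is an added example (not MediaWiki's own code, and not the implementation proposed in this task) of what the token endpoint and a consuming handler have to guarantee: the token is bound to the caller's session, it expires, and the state-changing request is refused unless a valid token arrives in the request body. The server secret, the `sess-*` session ids, the TTL and the `badtoken` error string are constructed for the example; the only thing a real handler would take from the page is the shape of the flow (fetch token, then send it in the body of the next request).

```python
import hmac
import hashlib
import time
from typing import Optional, Tuple

# Constructed values for this example; a real deployment keeps the secret
# out of source and derives the session id from the authenticated session.
SERVER_SECRET = b"example-secret-do-not-use-in-production"
TOKEN_TTL_SECONDS = 3600


def issue_csrf_token(session_id: str, now: Optional[int] = None) -> str:
    """What a GET .../tokens/csrf handler would return for the caller's session.

    The token is an HMAC over (session_id, issue_time) plus the issue time,
    so it can only be validated for the session it was issued to and only
    while it is fresh.
    """
    ts = int(time.time()) if now is None else now
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{mac}.{ts}"


def verify_csrf_token(token: str, session_id: str, now: Optional[int] = None) -> bool:
    """Accept the token only if it was issued to this session and is not expired."""
    ts_now = int(time.time()) if now is None else now
    try:
        mac, ts_str = token.rsplit(".", 1)
        ts = int(ts_str)
    except ValueError:
        return False  # malformed token
    if ts > ts_now or ts_now - ts > TOKEN_TTL_SECONDS:
        return False  # issued in the future, or older than the TTL
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged token cannot be refined byte by byte.
    return hmac.compare_digest(mac, expected)


def handle_state_changing_request(body: dict, session_id: str,
                                  now: Optional[int] = None) -> Tuple[int, str]:
    """A REST handler that requires the token in the JSON body, never in a cookie.

    The session id comes from the browser's session cookie, which the browser
    attaches automatically; the token does not, which is the whole point.
    """
    token = body.get("token")
    if not isinstance(token, str) or not verify_csrf_token(token, session_id, now):
        return 403, "badtoken"
    return 200, "ok"


if __name__ == "__main__":
    # Client flow: fetch a token, then include it in the next request body.
    token = issue_csrf_token("sess-alice")
    print(handle_state_changing_request({"token": token}, "sess-alice"))   # (200, 'ok')
    print(handle_state_changing_request({}, "sess-alice"))                 # (403, 'badtoken')
    print(handle_state_changing_request({"token": token}, "sess-mallory")) # (403, 'badtoken')
```

The existing Action API route the description links to returns the same kind of value via `action=query&meta=tokens&type=csrf`; whichever route the REST endpoint ends up on, the checks above (session binding, expiry, body-only transport, constant-time compare) are what a reviewer would look for in the handler.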

Event Timeline

Minor detail: we changed our convention from "vBeta" (which never reached production) to "-beta" suffixes. See T395713: REST: Beta Modules - support beta suffix in module ids and versions. All that changes is the experimental route at which the proposed endpoint is exposed.

Notes from Estimation:

  • Create a new module for authentication/token handling, where this is the first endpoint. (noting that CSRF is not actually auth, so we should chat about what to name said module. Maybe 'Access'?)
  • Future enhancements may also surface OAuth token handling more elegantly.
  • Implementation notes:
    • Recommend doing an investigation of what the actual behavior is within the Action API; consider if we should rebuild/replicate that in MW REST independently of the Action API, with a consideration for the risk of divergence in behavior.
    • We can directly wrap the Action API endpoint. There is an existing pattern and handler for wrapping Action API endpoints, so it is not new, but perhaps less than ideal.

HCoplin-WMF set the point value for this task to 3. (Nov 13 2025, 4:53 PM)