Oauth variables and url to clean up
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Yug
	Sep 29 2025, 2:24 PM

Description

Current

Variables and urls are hardcoded. It should not.

config.ini

I tried to move to a new Oauth consumer but failed. I think we need a light clean up on the config.ini, Oauth and related hard coded urls. Indeed, I found these hard coded lines :

/lingualibre/authentication.py#L18 : url = "https://www.mediawiki.org/w/api.php"
/customauth/views.py#L114: url = "https://meta.wikimedia.org/w/rest.php/oauth2/access_token"
/lingualibre/settings.py#L155 : WIKIMEDIA_OAUTH_TOKEN_URL = "https://meta.wikimedia.org/w/rest.php/oauth2/access_token" .
/upload_batches/helpers/upload2commons.py :"auto_refresh_url": "https://meta.wikimedia.org/w/rest.php/oauth2/access_token".
/config.ini.sample

Is there a reason to have those Oauth related url hard coded and not built upon a config.ini variable ?
@pushkar707 , as for (3) added in June, is there a reason for https://www.mediawiki.org ? It's not Meta, not Commons for which we have proper Oauths. It observably works but the logic to add one more target for our Oauth request is weird. Any reason for that ?
I'm considering centralizing this further in config.ini Oauth consumer variables.
I wont do it now due to the backlog of MRs we already have to retest on toolforge.

EDIT: Oh, doc/AUTHENTICATION.md

markdown

2. User Authentication and Data Retrieval

    At the `/oauth/wikimedia/success` route, the frontend Vue component parses the `code` from the URL query parameter and sends a request to the backend at `POST {{backend-domain-name}}/oauth/verify/wikimedia/` endpoint.

    Request body:

    `json
    { "code": "AUTH_CODE" }
    `

    The backend (`WikimediaOAuthCallbackView`) uses this code to obtain an access token and a refresh token from Wikimedia by calling `POST https://meta.wikimedia.org/w/rest.php/oauth2/access_token`

    Furhter, the backend sends a second request to `GET https://www.mediawiki.org/w/api.php?action=query&meta=userinfo&format=json&formatversion=2` and gets user's wikimedia username and creates a new user in database for that username if it doesn't already there.

    The access token, refresh token, and its expiration time are stored in the UserAuth model.

Related Objects

Mentioned In: T375653: Add Lingua Libre Django to translatewiki.net
T399374: Milestone 2025Q3 : Manage Lingua Libre Django migration
Mentioned Here: T375653: Add Lingua Libre Django to translatewiki.net

Event Timeline

Yug created this task.Sep 29 2025, 2:24 PM

Yug triaged this task as Medium priority.

Yug mentioned this in T399374: Milestone 2025Q3 : Manage Lingua Libre Django migration.

Yug mentioned this in T375653: Add Lingua Libre Django to translatewiki.net.Sep 29 2025, 2:42 PM

Yug updated the task description. (Show Details)Sep 29 2025, 2:49 PM

Yug updated the task description. (Show Details)Sep 29 2025, 2:53 PM

Yug updated the task description. (Show Details)Sep 29 2025, 3:08 PM

In T375653#11217673, @Yug wrote:

> B 🔸T405919 Oauth related url are hardcoded. Please note Pushkar our main dev pointed out some API requests on user data must be done on other sites, so it's why he picked meta as the consumer's target.

Could you (@Yug or @Pushkar7077) elaborate more? What are the API requests that absolutely need to go through Meta rather than Commons?

In T405919#11224842, @Yug wrote:

@pushkar707 , as for (3) added in June, is there a reason for https://www.mediawiki.org ? It's not Meta, not Commons for which we have proper Oauths. It observably works

I guess it works because the current consumer is applicable to all projects – which includes mediawiki.org (and over a thousand other wikis). However, I also find it strange, and hope that it can be replaced with Commons or Meta unless there’s a strong reason for using it.

We are still focused on UI and JS behavioral fixes at the moment. When our code-base will be calmer, I will push again this Oauth task.

Yug renamed this task from Oauth related url are hardcoded to Oauth variables and url to clean up.Oct 8 2025, 3:53 PM

Yug updated the task description. (Show Details)

Yug updated the task description. (Show Details)Oct 21 2025, 8:03 AM

Yug updated the task description. (Show Details)Oct 21 2025, 10:34 AM

✅ MR91

Oauth clean up (2): meta.mediawiki.org -> commons.wikimedia.org
Oauth clean up (1): mediawiki.org -> commons.wikimedia.org

cc @Tacsipacsi , our Oauth now rely on Commons alone. 👍🏼🎉

	F66710425: Screenshot from 2025-09-29 16-17-46.png
	Sep 29 2025, 2:49 PM

	F66710426: Screenshot from 2025-09-29 16-17-33.png
	Sep 29 2025, 2:49 PM

	F66710423: Screenshot from 2025-09-29 16-47-22.png
	Sep 29 2025, 2:49 PM

Oauth variables and url to clean upClosed, ResolvedPublicActions