Background
API access token management is messy. Today, the Action API must be used to fetch and manage the required tokens, including CSRF tokens and MediaWiki session management. OAuth may be managed through RESTful endpoints, but the specific endpoints are not easily discoverable. As we increase our reliance on access tokens to better understand our users and enforce policies, it is critical that we make clear what is expected and make the required workflows easy to follow.
Conditions of acceptance
- Clean up CSRF token management
  - REST endpoint for fetching CSRF tokens
  - CSRF tokens are not required when OAuth is used
  - Improve CSRF token handling in the REST API
  - Create CSRF API module within MediaWiki
    - Spec passes linting
    - Module is visible and documented in the REST Sandbox
- REST endpoint exists for fetching and managing all expected tokens
  - Endpoints for fetching and managing OAuth tokens are clearly documented, discoverable, and usable
  - Endpoints reflect any changes being made by MWP for OAuth refresh flows
  - Create OAuth API module (if one does not already exist)
    - Spec passes linting
    - Module is visible and documented in the REST Sandbox
- A dedicated API group is created for API token management --> Blocked by T414527: [5.2.8 Epic]: Create API Grouping Mechanism
  - Contained endpoints are fully documented and discoverable
  - [Potential/Stretch/TBD] Pull API group as a prefix somewhere in the REST Sandbox, so users know they are related --> Needs more detail
- Existing MW REST API specs are updated to describe available and expected access types
  - "security" object is used to outline the options for tokens
  - "security" object is applied to relevant endpoints within the OpenAPI spec
  - Token module and related docs are linked through "externalDocs" object
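As an added illustration of the last group of conditions (not part of this task or of MediaWiki's own specs), an OpenAPI 3 fragment that declares the two token options as security schemes, applies them to one endpoint as alternatives so that a CSRF token is only expected with a cookie session, and links the token docs through externalDocs. The path, cookie name, scope name and all URLs are placeholders.

```yaml
openapi: 3.0.3
info:
  title: Token-aware endpoint spec (illustrative fragment, not MediaWiki's own)
  version: 0.0.1
externalDocs:
  description: API token management module and required workflows (placeholder URL)
  url: https://example.org/PLACEHOLDER/token-management-docs
components:
  securitySchemes:
    # Cookie-based MediaWiki session; state-changing requests also carry a CSRF token in the body.
    sessionCookie:
      type: apiKey
      in: cookie
      name: PLACEHOLDER_session   # assumption: cookie name is installation-specific
    # OAuth 2.0 bearer token; these URLs are placeholders, not the real OAuth extension routes.
    oauth2:
      type: oauth2
      flows:
        authorizationCode:
          authorizationUrl: https://example.org/PLACEHOLDER/oauth2/authorize
          tokenUrl: https://example.org/PLACEHOLDER/oauth2/access_token
          scopes:
            edit: Edit existing pages (assumed scope name)
paths:
  /v1/page/{title}:          # illustrative path
    put:
      # Each list entry is an alternative (OR): a valid OAuth token satisfies the requirement alone.
      security:
        - oauth2: [edit]
        - sessionCookie: []
      parameters:
        - name: title
          in: path
          required: true
          schema: { type: string }
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required: [source]
              properties:
                source: { type: string }
                token:
                  type: string
                  description: CSRF token; required with sessionCookie, omit when using oauth2.
      responses:
        '200': { description: Page updated }
        '403': { description: Missing or invalid CSRF token, or insufficient OAuth scope }
```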