Page MenuHomePhabricator
Create Task
Maniphest T419130

Exempt some routes from rate limiting and JWT validity checks in the API gateway
Open, HighPublic
Actions

Description

There should be a way to exempt some routes from checks so that requests to them always pass through the gateway, even when the sender is otherwise rate-limited, and even when the request has an invalid JWT. We have three use cases for this:

  • The /oauth2/access_token endpoint, which is used to request a new access token (using a refresh token or client credentials) when the old one expires. We want to ignore invalid JWTs, because signing this request with the expired access token is an easy mistake to make (right now this probably wouldn't work at the MediaWiki level either, but we should fix that); and we want to ignore rate limits, because since the access token expired, the user will be seen as unauthenticated when doing this request. If their lower, IP-based unauthenticated rates are already used up (they are on a cgNAT or run another, anonymous client from the same IP or whatever), they won't be able to reauthenticate.
    • Maybe we should do the same for the /oauth2/authorize endpoint which is used to get an access token interactively (by sending the user to the authorization dialog). Less likely to be an actual problem, but there isn't really any disadvantage to doing it.
  • The login-related action API endpoints (action=login, action=clientlogin, action=query&meta=tokens, maybe action=query&meta=authmanagerinfo), to allow users to become authenticated even when they are using a busy IP or their user-agent is being abused.
  • The event intake endpoint (https://intake-logging.wikimedia.org/v1/events), if that goes through the API gateway at all. We probably don't want to break event logging just because the user has hit their API quota; we especially don't want to break JS error logging, since we want to use that to log rate limit errors. (JWT errors on this endpoint aren't possible as far as I can see, so this is about rate limiting only.)

The gateway only needs to deter abusive use of our infrastracture, not protect against DDoS (that happens at the edge), and neither of these endpoints can be abused, or are interesting to scrapers at all, and neither of them is particularly sensitive to high load, so exempting them should be fine AFAICS.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
rest gateway: prevent abuse of exempt api modulesoperations/deployment-chartsmaster+353 -26
rest-gateway: per-route jwt overridesoperations/deployment-chartsmaster+339 -38
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT396400 [Epic] Improvements to Authentication workflows
 OpenArielGlennT395459 Use OAuth rather than password-based login for Wikimedia mobile apps
 OpenNoneT323867 Clarify use of non-confidential OAuth 2.0 clients
 OpenNoneT323855 OAuth 2.0 non-confidential clients cannot use refresh tokens without client secret
 OpenNoneT399291 Epic: API Rate Limiting Architecture
 OpenNoneT412585 Epic: Enforce API rate limits (WE5.1.3c)
 OpenNoneT417779 rest gateway: enforce rate limits (stage two)
 ResolveddanielT417778 rest gateway: enforce rate limits (stage one)
 ResolveddanielT417780 rest gateway: include x-wmf-* headers in response
 ResolveddanielT417781 haproxy: strip x-wmf-* headers from responses
 ResolvedVgutierrezT417825 CDN: include x-is-browser in all requests to the backend
 ResolvedJAllemandouT417864 haproxy: capture x-wmf-* headers in webrequest data set
 ResolvedDAlangi_WMFT415007 Login with `action=login` and bot password does not create a JWT session cookie
 Resolved TgrT418999 Remove trailing slash in issuer for bot password JWT cookies
 ResolvedJAllemandouT418455 haproxy: capture `x_trusted_request` in webrequest data set
 DuplicateNoneT418458 MW/API + haproxy: capture `x-wmf-auth-type` in webrequest data set
 ResolveddanielT410273 api rate limiting: Assign ratelimit class based on IP range
 ResolveddanielT413186 rest gateway: support multiple rate limit policies per route
 ResolveddanielT418042 rest gateway: use rlc from sessionJwt cookie even when a bearer token is used
 OpenNoneT418835 rest gateway: ensure sessionJwt matches bearer token
 Resolved TgrT417833 Set a JWT cookie for OAuth 1 requests and OAuth 2 owner-only requests
 Open TgrT418606 Include session type in x-analytics header
 ResolvedmatmarexT418953 Add better error message for HTTP 429 errors to mw.Api#getErrorMessage
 ResolvedmatmarexT418957 Add client-side logging for non-MediaWiki action API errors (HTTP 429)
 ResolveddanielT418969 Rate limiting gateway should allow cross-origin requests from web browsers to read the HTTP 429 response
 OpendanielT419796 API rate limits: define tiers for logged-in (browser) users
 ResolveddanielT420467 rest gateway: merge "authed-other" ratelimit class into "authed-bot"
 OpendanielT422471 rest gateway: use IP for "compliant bots" rate limits
 OpenBUG REPORTNoneT419034 Custom OAuth 2 error from Wikimedia infrastructure breaks automatic retry of requests
 OpendanielT419130 Exempt some routes from rate limiting and JWT validity checks in the API gateway

Event Timeline

Tgr created this task.Mar 5 2026, 2:16 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 5 2026, 2:16 PM
Tgr added a parent task: T418957: Add client-side logging for non-MediaWiki action API errors (HTTP 429).Mar 5 2026, 2:49 PM
gerritbot added a comment.Mar 5 2026, 6:30 PM

Change #1248477 had a related patch set uploaded (by Daniel Kinzler; author: Daniel Kinzler):

[operations/deployment-charts@master] rest-gateway: exempt certain paths from jwt checks

https://gerrit.wikimedia.org/r/1248477

gerritbot added a project: Patch-For-Review.Mar 5 2026, 6:30 PM
Tgr added a parent task: T419034: Custom OAuth 2 error from Wikimedia infrastructure breaks automatic retry of requests.Mar 5 2026, 8:05 PM
matmarex updated the task description. (Show Details)Mar 6 2026, 12:50 AM
daniel added a comment.Mar 9 2026, 11:19 AM

How about we excempt everything under /oauth2/? Makes the config easier.

Novem_Linguae subscribed.Sat, Mar 14, 8:44 PM
Tacsipacsi subscribed.Sun, Mar 15, 9:51 AM

Could the Action API login endpoints (action=clientlogin and action=login) also be exempted? They suffer from the same issues as OAuth login – one cannot be logged in while logging in.

Tgr added a comment.Sun, Mar 15, 11:49 AM
In T419130#11687204, @daniel wrote:

How about we excempt everything under /oauth2/? Makes the config easier.

We talked about this in person, but just for the record, the routes in question are:

  • /oauth2/access_token - needs to be exempt per task description
  • /oauth2/authorize - probably should be exempt per task description (at the very least, won't hurt)
  • /oauth2/resource/profile - OIDC endpoint. Should only get authenticated requests so doesn't need to be exempt, but I don't see any harm in it either.
  • /oauth2/resource/scopes - TBH not sure what this is (it provides a subset of the OIDC data), but it doesn't seem important so does not matter whether it's exempt.
  • /oauth2/client - used by API Portal for proxying OAuth client management actions, in theory this is just a normal API that's not part of the OAuth protocol and should be rate limited, but it's not interesting for scrapers and there is no abuse potential, so no harm in ignoring it

So yes, should be fine to exempt the whole oauth2 component.

Novem_Linguae added a comment.Sun, Mar 15, 11:53 AM

Exempting /oauth2/authorize will probably fix https://github.com/wikimedia-gadgets/gadget-deploy/issues/7, so I'm glad that's being included.

Tgr added a comment.Sun, Mar 15, 1:04 PM
In T419130#11711216, @Tacsipacsi wrote:

Could the Action API login endpoints (action=clientlogin and action=login) also be exempted? They suffer from the same issues as OAuth login – one cannot be logged in while logging in.

Yeah, we were planning to do that. Might not have said so in any public place though, so let's add it to the task description.

Tgr updated the task description. (Show Details)Sun, Mar 15, 1:07 PM
Tacsipacsi added a comment.Sun, Mar 15, 1:24 PM

Thanks!

In T419130#11711406, @Tgr wrote:

action=query&meta=tokens, maybe action=query&meta=authmanagerinfo

I didn’t realize these ones are also necessary. They are tricky, since action=query allows bundling multiple requests (e.g. https://meta.wikimedia.org/w/api.php?action=query&prop=revisions&meta=siteinfo|tokens&titles=Main%20Page&rvprop=user|comment); it even allows including the innocent meta=tokens part in the URL and the expensive prop=revisions in a POST body. So probably to be on the safe side, action=query should be exempted from rate limits only if

  • the request is GET and has no body (this is not absolutely necessary, but I guess it makes much easier to ensure no other parameters are present),
  • and the query parameters are (only) action=query plus meta=tokens, meta=authmanagerinfo, meta=tokens|authmanagerinfo or meta=authmanagerinfo|tokens plus the generic parameters documented on https://meta.wikimedia.org/w/api.php?action=help&modules=main.
daniel added a subscriber: Clement_Goubert.Sun, Mar 15, 1:47 PM
In T419130#11711419, @Tacsipacsi wrote:
  • the request is GET and has no body (this is not absolutely necessary, but I guess it makes much easier to ensure no other parameters are present),
  • and the query parameters are (only) action=query plus meta=tokens, meta=authmanagerinfo, meta=tokens|authmanagerinfo or meta=authmanagerinfo|tokens plus the generic parameters documented on https://meta.wikimedia.org/w/api.php?action=help&modules=main.

I'm not sure that's possible with Envoy's matching rules. @Clement_Goubert what do you think?

Tgr added a comment.Sun, Mar 15, 2:02 PM

Yeah dealing with action API URLs will be a huge pain. You'd need to disallow all other meta/prop/list/generator parameter values, plus the export parameter at least.

Alternatively, we could just generate the common URL combinations for using tokens - I think a typical request will include action=query, meta=tokens, type=login, format=json, maybe formatversion=1 or formatversion=2, maybe errorformat=html or errorformat=plain. Given the order is unspecified, that's something like 200 possible combinations, maybe we should just generate those and use as an explicit match list. (Sad trombone music for CORS users since they have to include their origin as a parameter.)

Tgr added a comment.Sun, Mar 15, 2:05 PM

Or maybe it could be worked into cost-based rate limiting somehow? Envoy could let requests with meta=tokens in them through, and then MediaWiki would somehow indicate whether it was a "pure" token request, and Envoy could block it on the way back if not.

daniel added a comment.Sun, Mar 15, 2:55 PM

Honestly, making tokens a query modules seems like a mistake. Queries should be stateless data access. If we went back to using action=token the problem would be solved.

Clement_Goubert added a comment.Mon, Mar 16, 11:11 AM
In T419130#11711548, @Tgr wrote:

Or maybe it could be worked into cost-based rate limiting somehow? Envoy could let requests with meta=tokens in them through, and then MediaWiki would somehow indicate whether it was a "pure" token request, and Envoy could block it on the way back if not.

Envoy can't do that afaik, it can only add that cost to the tally and block subsequent requests.

In T419130#11711481, @daniel wrote:
In T419130#11711419, @Tacsipacsi wrote:
  • the request is GET and has no body (this is not absolutely necessary, but I guess it makes much easier to ensure no other parameters are present),

GET-only matching can be done with a match on the :method headers. Body would require custom lua logic to check for body presence and either set a temporary header or dynamic metadata.

That may be possible to express using pure QueryParameterMatcher logic but would probably turn into a very complex envoy configuration.

I'm not sure that's possible with Envoy's matching rules. @Clement_Goubert what do you think?

I think the only real solution is to implement this logic as part of the envoy_on_request function of the lua filter, since matching on body presence is required anyways. It's still going to be fairly complex logic if we want to be comprehensive.

daniel added a comment.Mon, Mar 16, 11:53 AM

I think the only real solution is to implement this logic as part of the envoy_on_request function of the lua filter, since matching on body presence is required anyways. It's still going to be fairly complex logic if we want to be comprehensive.

Hm... I was just pivoting my in exactly the opposite way... all this just because tokens are implemented as a query module?...

OWresch-WMF assigned this task to daniel.Mon, Mar 16, 3:23 PM
OWresch-WMF triaged this task as High priority.
OWresch-WMF moved this task from Inbox, needs triage to Q3 Kanban Board on the MediaWiki-Platform-Team board.
OWresch-WMF edited projects, added MediaWiki-Platform-Team (Q3 Kanban Board); removed MediaWiki-Platform-Team.
OWresch-WMF moved this task from Essential Work to Next on the MediaWiki-Platform-Team (Q3 Kanban Board) board.
OWresch-WMF moved this task from Next to In Progress on the MediaWiki-Platform-Team (Q3 Kanban Board) board.Mon, Mar 16, 3:26 PM
daniel added a comment.Tue, Mar 17, 10:10 AM

I suppose action=query&meta=tokens only needs to be exempt with type=login, right? not for type=csrf?

matmarex subscribed.Tue, Mar 17, 12:13 PM
gerritbot added a comment.Wed, Mar 18, 12:18 PM

Change #1248477 merged by jenkins-bot:

[operations/deployment-charts@master] rest-gateway: per-route jwt overrides

https://gerrit.wikimedia.org/r/1248477

Tgr added a comment.Wed, Mar 18, 12:32 PM

That and maybe type=createaccount.

Maintenance_bot removed a project: Patch-For-Review.Wed, Mar 18, 12:32 PM
Tacsipacsi added a comment.Wed, Mar 18, 2:06 PM
In T419130#11711548, @Tgr wrote:

Or maybe it could be worked into cost-based rate limiting somehow? Envoy could let requests with meta=tokens in them through, and then MediaWiki would somehow indicate whether it was a "pure" token request, and Envoy could block it on the way back if not.

I don’t think it’s a good idea. This would mean that if someone sends a thousand expensive action=query requests per second, MediaWiki performs all the thousand expensive operations, it just doesn’t return the result. It means basically the same load as if there was no rate-limiting at all.

In T419130#11711623, @daniel wrote:

Honestly, making tokens a query modules seems like a mistake. Queries should be stateless data access. If we went back to using action=token the problem would be solved.

It does have upsides as well, though: unless one is trying to log in, the ability to batch requests means that one has to issue less requests, so it’s less likely to hit the rate limit (whether the logged-in or the logged-out one).

Also, what do you call “stateless”? Several query modules take the user session into account in one way or the other (meta=userinfo mentioned below obviously, since it returns data on the current user; others use the user’s UI language preference or apihighlimits right). Not to mention data being hidden based on user rights.

In T419130#11713014, @Clement_Goubert wrote:

GET-only matching can be done with a match on the :method headers. Body would require custom lua logic to check for body presence and either set a temporary header or dynamic metadata.

If we have luck, MediaWiki (or PHP) ignores the body on GET requests anyway, someone should check that. I wrote both conditions because from the API consumer’s perspective, that should happen, but if MediaWiki solves a part of the filtering, it’s enough to do the other part in Envoy.

In T419130#11717620, @daniel wrote:

I suppose action=query&meta=tokens only needs to be exempt with type=login, right? not for type=csrf?

I tested a slightly outdated (early November 2025) version of Pywikibot, and it sends a request to action=query&meta=tokens&type=createaccount|csrf|login|patrol|rollback|userrights|watch (a POST request with parameters in the body, so it needs to be updated if we conclude to exempt only GET). Would it be risky or more complicated to allow any type(s)? I’d assume it’s very low-risk and actually simpler to not check this parameter than to check it.

Pywikibot also sends a request to action=query&meta=userinfo&uiprop=blockinfo|groups|hasmsg|ratelimits|rights. I was thinking about adding an assert=user or assertuser=<username> parameter (it’s a bit tricky, as Pywikibot can do read-only operations without logging in, and we shouldn’t make that impossible on third-party wikis or if the user accepts the risk of being rate-limited, but I hope it can be solved somehow), would it be possible to exempt requests with assert=user, assert=bot or assertuser=<user> where <user> is a named user? Those requests fail fast for IP/temp users anyway, and it would help not eating up the rate limit if the session expires.

matmarex mentioned this in T420280: Authenticated cross-origin requests are being throttled as if unauthenticated (centralauth).Wed, Mar 18, 9:30 PM
daniel mentioned this in T421288: Action API: prefer the action parameter to be given as a query parameter, even for POST requests.Wed, Mar 25, 8:01 PM
gerritbot added a comment.Thu, Apr 9, 10:54 AM

Change #1255731 had a related patch set uploaded (by Daniel Kinzler; author: Daniel Kinzler):

[operations/deployment-charts@master] rest gateway: prevent abuse of exempt api modules

https://gerrit.wikimedia.org/r/1255731

gerritbot added a project: Patch-For-Review.Thu, Apr 9, 10:54 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits