
Passing an invalid token via "Authorization: CentralAuthToken …" header should result in an error, not an anonymous session
Open, Needs Triage, Public

Description

This came up in discussion over T420280. Passing an invalid token to a REST API request via an Authorization: CentralAuthToken … header returns a response generated with an anonymous session (as if no "Authorization" header had been provided). Instead, it should return an error.

This would be consistent with CentralAuth's centralauthtoken query parameter for action API requests, and with OAuth's Authorization: Bearer … header for REST API requests, which would make our lives easier in the future.
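As an added illustration (not MediaWiki or CentralAuth code), a tiny session resolver that shows the reported fail-open behaviour beside the requested fail-closed one: a presented-but-unverifiable CentralAuthToken is either silently downgraded to anonymous, or rejected with an error. The token store, the Session type and the InvalidTokenError name are constructed for the example.

```python
# Added illustration, not MediaWiki/CentralAuth code: a tiny session resolver
# showing the reported fail-open behaviour beside the requested fail-closed one.
# Token store, header names and result types are constructed for this example.
from dataclasses import dataclass
from typing import Optional, Tuple

SCHEME = "CentralAuthToken"

# Constructed token store: token -> user name. A real store would also check
# expiry and single use; here "valid" simply means "present".
VALID_TOKENS = {"tok-abc123": "ExampleUser"}


class InvalidTokenError(Exception):
    """A CentralAuthToken credential was presented but could not be verified."""


@dataclass(frozen=True)
class Session:
    user: Optional[str]  # None means an anonymous session


def parse_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Split 'Scheme credentials' into (scheme, credentials); None only if absent."""
    if header is None or not header.strip():
        return None
    parts = header.strip().split(None, 1)
    credentials = parts[1].strip() if len(parts) > 1 else ""  # scheme-only header -> empty token
    return parts[0], credentials


def resolve_session(headers: dict, fail_closed: bool) -> Session:
    """fail_closed=False reproduces the reported behaviour (an unverifiable
    token is ignored and the request proceeds anonymously); fail_closed=True
    is the requested behaviour (a presented-but-invalid token is an error)."""
    parsed = parse_authorization(headers.get("Authorization"))
    if parsed is None:
        return Session(user=None)  # no credential offered: anonymous is correct
    scheme, credentials = parsed
    if scheme != SCHEME:
        return Session(user=None)  # another provider's scheme; not ours to judge
    user = VALID_TOKENS.get(credentials)
    if user is not None:
        return Session(user=user)
    if fail_closed:
        raise InvalidTokenError("CentralAuthToken could not be verified")
    return Session(user=None)  # the reported bug: invalid token treated as absent
```

The fail-closed path treats a scheme-only header (no token at all) the same as a bogus token, since in both cases a credential was claimed but none could be verified.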

Event Timeline

Restricted Application added a subscriber: Aklapper.

Change #1264746 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/extensions/CentralAuth@master] CentralAuthTokenSessionProvider: Use core code for exception-throwing sessions

https://gerrit.wikimedia.org/r/1264746

You can use a query like this: https://superset.wikimedia.org/sqllab/?savedQueryId=1347

```sql
-- Count requests per Authorization header value (from the X-Analytics map)
select
  element_at(x_analytics_map, 'authorization') as authorization_header,
  count(1) as c
from wmf.webrequest
where webrequest_source = 'text'
  and year = 2026 and month = 3 -- and day = 25 and hour = 12
  and uri_host = 'meta.wikimedia.org'
group by
  element_at(x_analytics_map, 'authorization')
order by c desc
```

…to confirm that basically no one uses Authorization: CentralAuthToken …, and they won't be upset if we change how it works.

The query doesn't return results for me on Superset with time periods longer than 1 hour, but I think that's a Superset bug; you should be able to run it on Hive.