
Action API requests with centralauthtoken=… or OAuth bearer token should produce CORS headers if the token is invalid
Closed, ResolvedPublic

Description

Action API requests with centralauthtoken=… do not produce CORS headers if the token is invalid. Much like in T420280, this prevents client-side JavaScript code from handling the error.

The fact that no one complained about it in 12 years probably means that such errors almost never happen in practice, and we can freely change the response format.

To reproduce, visit e.g. https://www.mediawiki.org/ and run this in browser console:

CoreForeignApi = mw.ForeignApi.parent;
await new CoreForeignApi( 'https://test.wikipedia.org/w/api.php', { anonymous: true } ).get( {} ); // succeeds
await new CoreForeignApi( 'https://test.wikipedia.org/w/api.php', { anonymous: true } ).get( { centralauthtoken: 'asdf' } ); // fails with console errors about CORS; should fail with 'badtoken' or something like that
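The following is an added example, not code from this task or from MediaWiki/CentralAuth: a small Node.js model of an action API endpoint that rejects a bad centralauthtoken or OAuth bearer token before any module runs, in the buggy form (no CORS headers on that early error) and the fixed form, plus a stand-in for what a cross-origin fetch() is allowed to see. The allowlisted origin, the valid token and the request shapes are constructed; the 'badtoken' and 'mwoauth-invalid-authorization' codes are taken from the text of this task, not from the real providers.

```javascript
// Added example (not MediaWiki code): models the bug and the fix discussed above.
// A cross-origin client can only read a response body if the response carries a
// matching Access-Control-Allow-Origin; an error thrown before the API module has
// emitted its CORS headers therefore surfaces as a CORS failure, not as an API error.

const ALLOWED_ORIGINS = new Set(['https://www.mediawiki.org']); // constructed allowlist
const VALID_TOKENS = new Set(['goodtoken']);                   // constructed

// The CORS headers are a function of the request Origin and the allowlist. The
// error path must run the same check: answering with '*' would leak error bodies
// to any origin, while omitting the header keeps them opaque to the legitimate one.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
}

function bearerToken(authorization) {
  const m = /^Bearer\s+(\S+)$/i.exec(authorization || '');
  return m ? m[1] : undefined;
}

// addCorsOnError = false reproduces the bug; true models the fix.
function handleRequest(req, { addCorsOnError }) {
  const origin = req.headers.origin;
  const json = { 'Content-Type': 'application/json' };

  // An Authorization header makes the browser send a preflight first; a plain
  // centralauthtoken=... query parameter needs none.
  if (req.method === 'OPTIONS') {
    const headers = { ...corsHeaders(origin), 'Access-Control-Allow-Headers': 'Authorization' };
    return { status: 200, headers, body: null };
  }

  let failure;
  const bearer = bearerToken(req.headers.authorization);
  if (bearer !== undefined && !VALID_TOKENS.has(bearer)) failure = 'mwoauth-invalid-authorization';
  const cat = req.params.centralauthtoken;
  if (failure === undefined && cat !== undefined && !VALID_TOKENS.has(cat)) failure = 'badtoken';

  if (failure !== undefined) {
    // The session provider rejects the token before the API module could add CORS headers.
    const headers = addCorsOnError ? { ...json, ...corsHeaders(origin) } : json;
    return { status: 200, headers, body: { error: { code: failure } } };
  }
  return { status: 200, headers: { ...json, ...corsHeaders(origin) }, body: { batchcomplete: true } };
}

// What a fetch() issued from `origin` is allowed to see: without a matching
// Access-Control-Allow-Origin the browser hides the body and rejects with a
// TypeError, which is the "console errors about CORS" in the description.
function browserView(origin, response) {
  if (response.headers['Access-Control-Allow-Origin'] !== origin) {
    return { ok: false, reason: 'cors-blocked' };
  }
  return { ok: true, body: response.body };
}

// Replays the three reproduction requests from the task against one variant.
function reproduce(addCorsOnError) {
  const origin = 'https://www.mediawiki.org';
  const get = (params, extraHeaders = {}) =>
    browserView(origin, handleRequest(
      { method: 'GET', headers: { origin, ...extraHeaders }, params },
      { addCorsOnError }
    ));
  return {
    plain: get({}),
    badCentralAuthToken: get({ centralauthtoken: 'asdf' }),
    badBearer: get({}, { authorization: 'Bearer asdf' }),
  };
}

console.log('bug:   ' + JSON.stringify(reproduce(false)));
console.log('fixed: ' + JSON.stringify(reproduce(true)));
```

With the buggy variant only the plain request succeeds; the two bad-token requests come back 'cors-blocked', so client code cannot distinguish an invalid token from a network failure. With the fix the same requests return readable error bodies, while a request from an origin outside the allowlist stays blocked on both the success and the error path.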

Event Timeline


I think this also affects non-confidential OAuth 2 clients (running entirely in the browser) – related to T419034.

await new CoreForeignApi( 'https://mediawiki2.localhost/w/api.php', { anonymous: true } ).get( {}, { headers: { Authorization: 'Bearer asdf' } } ); // fails with console errors about CORS; should fail with 'mwoauth-invalid-authorization'

(this can't be reproduced on Wikimedia wikis due to the new gateway producing its own errors in this case, but I can reproduce locally)

Change #1264742 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/core@master] SessionProvider: Output CORS headers when throwing action API exception

https://gerrit.wikimedia.org/r/1264742

Change #1264743 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/extensions/CentralAuth@master] SessionProvider: Output CORS headers when throwing action API exception

https://gerrit.wikimedia.org/r/1264743

Change #1264746 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/extensions/CentralAuth@master] CentralAuthTokenSessionProvider: Use core code for exception-throwing sessions

https://gerrit.wikimedia.org/r/1264746

Change https://gerrit.wikimedia.org/r/1264742 fixes the bug for OAuth.

Either change https://gerrit.wikimedia.org/r/1264743 or https://gerrit.wikimedia.org/r/1264746 fixes the bug for CentralAuth (they depend on 1264742). The first is very simple, but inelegant, since it calls internal core methods. The second is a bigger rewrite to use the stable core methods.

daniel renamed this task from Action API requests with centralauthtoken=… do not produce CORS headers if the token is invalid to Action API requests with centralauthtoken=… should produce CORS headers if the token is invalid. Mar 31 2026, 10:48 AM

Change #1264742 merged by jenkins-bot:

[mediawiki/core@master] SessionProvider: Output CORS headers when throwing action API exception

https://gerrit.wikimedia.org/r/1264742

matmarex renamed this task from Action API requests with centralauthtoken=… should produce CORS headers if the token is invalid to Action API requests with centralauthtoken=… or OAuth bearer token should produce CORS headers if the token is invalid. Thu, Apr 16, 8:57 PM

Change #1264743 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] CentralAuthApiSessionProvider: Output CORS headers when throwing action API exception

https://gerrit.wikimedia.org/r/1264743