Document how to implement tokens in (extension) api modules
Open, NormalPublic

Description

Currently I'm using code like this:

// Before MW 1.20
$wgHooks['ApiTokensGetTokenTypes'][] = 'ApiTranslationReview::injectTokenFunction';
// After MW 1.20
$wgHooks['APIQueryInfoTokens'][] = 'ApiTranslationReview::injectTokenFunction';

	public static function getToken() {
		global $wgUser;
		if ( !$wgUser->isAllowed( self::$right ) ) {
			return false;
		}

		return $wgUser->getEditToken( self::$salt );
	}

	public static function injectTokenFunction( &$list ) {
		$list['translationreview'] = array( __CLASS__, 'getToken' );
		return true; // Hooks must return bool
	}

However, I'd like to get rid of the global wgUser. Please document the best way to implement tokens for version 1.19 and above.


Version: 1.21.x
Severity: normal

Details

Reference
bz41956
bzimport raised the priority of this task from to Normal.
bzimport set Reference to bz41956.

That's probably the best way at the moment. All the core token-getting functions seem to use $wgUser, too.

Since Gerrit change 153110, things have gotten much simpler. Now most API modules will just implement ApiBase::needsToken

public function needsToken() {
    return 'csrf';
}

Using custom salts is discouraged, but if necessary is accomplished using the 'ApiQueryTokensRegisterTypes' hook:

$wgHooks['ApiQueryTokensRegisterTypes'][] = function ( &$salts ) {
    $salts['mytokentype'] = 'salt';
    return true;
};

(then needsToken() would return 'mytokentype' instead of 'csrf')

Wonderful. Can someone make sure this ends up in a some wiki page which extension developers can easily find?

Assigning to Brad as patch author and only person knowing about the feature.

Anomie updated the task description. (Show Details)Jan 7 2015, 3:37 PM
Anomie set Security to None.
Anomie moved this task from Unsorted to Non-Code on the MediaWiki-API board.Feb 19 2015, 7:19 PM
Anomie removed Anomie as the assignee of this task.