Document how to implement tokens in (extension) api modules
Open, Normal, Public


Currently I'm using code like this:

// Before MW 1.20
$wgHooks['ApiTokensGetTokenTypes'][] = 'ApiTranslationReview::injectTokenFunction';
// After MW 1.20
$wgHooks['APIQueryInfoTokens'][] = 'ApiTranslationReview::injectTokenFunction';

	public static function getToken() {
		global $wgUser;
		// Only users holding the required right get a token
		if ( !$wgUser->isAllowed( self::$right ) ) {
			return false;
		}

		return $wgUser->getEditToken( self::$salt );
	}

	public static function injectTokenFunction( &$list ) {
		$list['translationreview'] = array( __CLASS__, 'getToken' );
		return true; // Hooks must return bool
	}

However, I'd like to get rid of the global wgUser. Please document the best way to implement tokens for version 1.19 and above.

Version: 1.21.x
Severity: normal


bzimport raised the priority of this task from to Normal.
bzimport set Reference to bz41956.

That's probably the best way at the moment. All the core token-getting functions seem to use $wgUser, too.

Since Gerrit change 153110, things have gotten much simpler. Now most API modules will just implement ApiBase::needsToken:

public function needsToken() {
    return 'csrf';
}
Using custom salts is discouraged, but if necessary is accomplished using the 'ApiQueryTokensRegisterTypes' hook:

$wgHooks['ApiQueryTokensRegisterTypes'][] = function ( &$salts ) {
    $salts['mytokentype'] = 'salt';
    return true;
};
(then needsToken() would return 'mytokentype' instead of 'csrf')
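
Added example, not part of the original thread or of any extension's code: a minimal write module that relies on needsToken() for CSRF protection and takes the user from the request context instead of the global $wgUser. The class name, module name and right are hypothetical, and ApiBase::dieWithError assumes MediaWiki 1.29 or later.

```php
<?php
// Added illustration, not code from MediaWiki core or any extension.
// ApiExampleReview, 'examplereview' and the 'example-review' right are hypothetical.
// Register with: $wgAPIModules['examplereview'] = 'ApiExampleReview';

class ApiExampleReview extends ApiBase {
	protected static $right = 'example-review';

	public function needsToken() {
		// Core CSRF token type; clients fetch it via action=query&meta=tokens
		return 'csrf';
	}

	public function mustBePosted() {
		// Tokens must travel in the POST body, never in the URL
		return true;
	}

	public function isWriteMode() {
		return true;
	}

	public function getAllowedParams() {
		// The 'token' parameter is added automatically because
		// needsToken() returns a token type.
		return [
			'revision' => [
				ApiBase::PARAM_TYPE => 'integer',
				ApiBase::PARAM_REQUIRED => true,
			],
		];
	}

	public function execute() {
		// The request context supplies the user, so no global $wgUser.
		$user = $this->getUser();
		if ( !$user->isAllowed( self::$right ) ) {
			$this->dieWithError( 'apierror-permissiondenied-generic', 'permissiondenied' );
		}

		// ApiMain has already validated the token before execute() is called.
		$params = $this->extractRequestParams();
		$this->getResult()->addValue( null, $this->getModuleName(), [
			'revision' => $params['revision'],
			'result' => 'Success',
		] );
	}
}
```

A valid token only proves the request was not forged; the rights check in execute() is still needed to decide whether the user may perform the action.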

Wonderful. Can someone make sure this ends up on some wiki page which extension developers can easily find?

Assigning to Brad as patch author and only person knowing about the feature.

Anomie updated the task description. Jan 7 2015, 3:37 PM
Anomie set Security to None.
Anomie moved this task from Unsorted to Non-Code on the MediaWiki-API board. Feb 19 2015, 7:19 PM
Anomie removed Anomie as the assignee of this task.