Page MenuHomePhabricator

Enabling Flickr upload shares Flickr API key with the world
Closed, InvalidPublic

Description

Right now if Flickr upload is set, the Flickr API key is just sent to the browser every time UploadWizard is loaded. This key allows full read/write access to the Flickr user who owns it and probably can be used to do nasty things.

It is probably possible to send an OAuth token instead [1], which would be limited to whatever operations are actually needed by UploadWizard.

Alternatively, we could just proxy all requests through the server, which is slower but also has privacy advantages.

(Or we could just decide that we do not care, which seems to be the status quo.)

The key is also available through the public configuration [2], so if this gets fixed, that should be changed too.

[1] http://www.flickr.com/services/api/auth.oauth.html
[2] https://github.com/wikimedia/operations-mediawiki-config/blob/master/wmf-config/CommonSettings.php#L1783


Version: unspecified
Severity: normal

Details

Reference
bz59921

Event Timeline

bzimport raised the priority of this task from to Needs Triage.Nov 22 2014, 2:36 AM
bzimport added a project: UploadWizard.
bzimport set Reference to bz59921.
Tgr created this task.Jan 10 2014, 8:09 PM

The Flickr importing in UploadWizard is a quick and dirty hack that I did a couple years ago. The API key is actually from an account that I created personally, rather than an official WMF account.

This code should definitely be cleaned up by the Multimedia Team. I was originally thinking we would have to proxy all the requests (which is a pain), but I hadn't considered your OAuth idea. That sounds like a promising solution to try out.

Also, we should set this up under some sort of official WMF Flickr account rather than a personal account (for Commons I mean).

Tgr added a comment.Jan 10 2014, 11:11 PM

We could use a non-secret API key for vagrant and for unit tests, though. If you do not object, I might appropriate the old one for that purpose.

Tgr added a comment.Jan 13 2014, 7:41 PM

Note to self: un-skip tests in https://gerrit.wikimedia.org/r/#/c/65109/ once this is solved (and there is a private API key for commons and a public one for the tests).

Tgr added a comment.Jan 16 2014, 9:51 PM

As Gilles pointed out in the gerrit comments, the API key is not really sensitive as Flickr gives us another secret key which is required for operations that need authorization.

(In reply to comment #2)

We could use a non-secret API key for vagrant and for unit tests, though. If
you do not object, I might appropriate the old one for that purpose.

If the code is actually connecting to Flickr's servers, it's an integration test, not a unit test.

A lot of the mileage (if not all) could probably be achieved by mocking the Flickr server's response in order to test the client-side code. After all, it's not supposed to test Flickr's code.

I don't think UploadWizard should include a key. However, at least the current one is not the same one used in production.

Gilles moved this task from Untriaged to Done on the Multimedia board.