
token methods should use the list of tokens in paraminfo
Closed, ResolvedPublic


Currently APISite includes hard-coded lists of tokens. These lists should instead be obtained using the API paraminfo. The API token interface has changed a few times, and therefore depending on the version, the list of tokens for the site is found in the paraminfo of different modules.

Event Timeline

jayvdb raised the priority of this task from to Needs Triage.
jayvdb updated the task description.
jayvdb added a project: Pywikibot.
jayvdb subscribed.

One main problem here is how to determine if a token name like edit is actually a csrf token. We could do it similarly to the current implementation, where we have a static set which contains all tokens which are mapped to the csrf token. As this is about past tokens, this set won't change (unless other tokens at a later point are mapped to a csrf token). One problem there is that it doesn't detect if tokens by extensions are now mapped to the csrf token.

Another suggestion was to look in the paraminfo for prop=info and compare that list (which does contain all token names except the csrf token, but those mapped to csrf) to the new meta=tokens paraminfo. The problem there is that intoken is deprecated, so at some point this will break.
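As an added illustration of the task description and of the comparison suggested above (example code written for this page, not Pywikibot's own implementation), the functions below pull the token list out of a paraminfo response from whichever module the API version exposes it in, and derive the set of legacy names now served by the csrf token by diffing the prop=info intoken list against meta=tokens. The two paraminfo responses are constructed samples shaped like real output, not captured from a site.

```python
# Added example, not Pywikibot code. Token lists live in different paraminfo
# modules depending on the MediaWiki version: meta=tokens (type), the older
# action=tokens (type), and the deprecated prop=info (intoken).


def _find_module(paraminfo, name):
    """Locate a module by name in the old (querymodules) or new (modules) layout."""
    for key in ("modules", "querymodules"):
        for module in paraminfo.get("paraminfo", {}).get(key, []):
            if module.get("name") == name:
                return module
    return None


def _enum_values(module, param_name):
    """Enumerated values of a parameter, or None if absent or not an enum."""
    for param in module.get("parameters", []):
        if param.get("name") == param_name and isinstance(param.get("type"), list):
            return list(param["type"])
    return None


def token_types(paraminfo):
    """Token names for the site, preferring the newest module that lists them."""
    # meta=tokens and action=tokens both use module name "tokens" and param "type".
    tokens_module = _find_module(paraminfo, "tokens")
    if tokens_module is not None and _enum_values(tokens_module, "type"):
        return _enum_values(tokens_module, "type")
    info_module = _find_module(paraminfo, "info")
    if info_module is not None and _enum_values(info_module, "intoken"):
        return _enum_values(info_module, "intoken")
    raise ValueError("paraminfo exposes no token list")


def mapped_to_csrf(paraminfo):
    """Legacy intoken names that meta=tokens no longer offers, i.e. now csrf."""
    info_module = _find_module(paraminfo, "info")
    tokens_module = _find_module(paraminfo, "tokens")
    if info_module is None or tokens_module is None:
        return set()
    legacy = _enum_values(info_module, "intoken") or []
    current = _enum_values(tokens_module, "type") or []
    return set(legacy) - set(current)


# Constructed samples: a 1.24-style site with meta=tokens plus deprecated intoken,
# and a 1.20-style site with only action=tokens.
MW_1_24 = {"paraminfo": {"modules": [
    {"name": "tokens", "path": "query+tokens", "parameters": [
        {"name": "type", "type": ["csrf", "watch", "patrol", "rollback", "userrights"]}]},
    {"name": "info", "path": "query+info", "parameters": [
        {"name": "intoken", "type": ["edit", "delete", "protect", "move", "watch"]}]}]}}
MW_1_20 = {"paraminfo": {"modules": [
    {"name": "tokens", "parameters": [
        {"name": "type", "type": ["block", "delete", "edit", "patrol", "watch"]}]}]}}
```

On the 1.24 sample, `mapped_to_csrf` reports edit, delete, protect and move as served by csrf, while watch survives as its own token; on the 1.20 sample nothing is mapped because no meta=tokens module exists.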

Change 196450 had a related patch set uploaded (by Akashagarwal):
Verifies tokens from paraminfo

Change 196450 merged by jenkins-bot:
Verifies tokens from paraminfo

jayvdb claimed this task.

@XZise, re your Jan 3 comment about csrf, do we need to do any more here? Is a new task needed to flesh out the problem? Or please re-open if the recently merged code has regressed some aspect of handling tokens.

Well @akashagarwal has implemented it in such a way that it behaves like before. The only problem there is when action=tokens or prop=info&intoken=… are removed, because then the code can't compare it to anything.

Fyi: With T78393: Load token types needed for each API module from the API we could lessen that impact by avoiding statically using "edit" and such. But scripts themselves might not be fixed by that.