Page MenuHomePhabricator

token methods should use the list of tokens in paraminfo
Closed, ResolvedPublic

Description

Currently APISite includes hard-coded lists of tokens. These lists should instead be obtained using the API paraminfo. The API token interface has changed a few times, and therefore depending on the version, the list of tokens for the site is found in the paraminfo of different modules.

http://www.wikia.com/api.php?format=jsonfm&action=paraminfo&querymodules=info
http://en.wikipedia.org/w/api.php?format=jsonfm&action=paraminfo&querymodules=tokens

Event Timeline

jayvdb created this task.Jan 3 2015, 12:15 PM
jayvdb raised the priority of this task from to Needs Triage.
jayvdb updated the task description. (Show Details)
jayvdb added a project: Pywikibot.
jayvdb added a subscriber: jayvdb.
Omegat added a subscriber: Omegat.Jan 3 2015, 12:55 PM
XZise added a subscriber: XZise.Jan 3 2015, 2:34 PM

One main problem here is how to determine if a token name like edit is actually a csrf token. We could do it similar to the current implementation that we have a static set which contains all tokens which are mapped to the csrf token. As this is about past tokens, this set won't change (unless other tokens at a later point are mapped to a csrf token). One problem there is that it doesn't detect if tokens by extensions are mapped now to the csrf token.

Another suggestion was to look in the paraminfo for prop=info and compare that list (which does contain all token names except the csrf token, but those mapped to csrf) to the new meta=tokens paraminfo. Problem there is, that intoken is deprecated so at some point this will break.

Change 196450 had a related patch set uploaded (by Akashagarwal):
Verifies tokens from paraminfo

https://gerrit.wikimedia.org/r/196450

Change 196450 merged by jenkins-bot:
Verifies tokens from paraminfo

https://gerrit.wikimedia.org/r/196450

jayvdb closed this task as Resolved.Apr 1 2015, 12:40 AM
jayvdb claimed this task.

@XZise, re your Jan 3 comment about csrf, do we need to do any more here? Is a new task needed to flesh out the problem? Or please re-open if the recently merged code has regressed some aspect of handling tokens.

XZise added a comment.Apr 1 2015, 9:05 AM

Well @akashagarwal has implemented in such a way that it behaves like before. The only problem there is when action=tokens or prop=info&intoken=… are removed because then the code can't compare it to anything.

XZise added a comment.Apr 1 2015, 9:13 AM

Fyi: With T78393: Load token types needed for each API module from the API we could lessen that impact by avoiding statically using ”edit” and such. But scripts themselves might not be fixed by that.