The MediaWiki REST API supports multiple security mechanisms, but they are not documented in the OpenAPI description (OAD) and are not available in the REST Sandbox. Tokens currently allowed or expected on MediaWiki REST APIs include CSRF tokens, OAuth 1.0, OAuth 2.0, owner-only JWTs and MediaWiki session cookies, among others. While these tokens tend to be universally supported, some are required in specific cases: for example, edit endpoints require a CSRF token while still accepting requests from anonymous editors. Clarifying these cases will make it easier for developers to work with our APIs by making clear what is expected and required across our suite of endpoints.
The aim of this task is to add MediaWiki REST API security information to the OAD.
In an OpenAPI description, security information is collected in the following objects:
- Security schemes object (a map of security scheme objects), inside the components object at the top level of the description: declares every security scheme the API supports.
- Security requirement object, inside an operation object or at the top level of the description: lists the subset of the declared security schemes that can be used for a specific operation or for the entire API.
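As an added example (not code from the task, the REST Sandbox or MediaWiki), the following Python models a minimal OAD with two constructed security schemes and checks which credentials an operation accepts under the OpenAPI rules for `security`; the scheme names, cookie name and OAuth URLs are assumptions, not MediaWiki's real values.

```python
# Added example, not code from the task or from MediaWiki: a minimal OpenAPI 3.0
# description as a Python dict (the JSON form of the YAML this task asks for),
# with constructed security schemes, and a checker applying the OpenAPI rules:
#   - `security` is a list of alternatives, any one of which suffices (OR);
#   - each alternative object names schemes that must all be present (AND);
#   - an empty object {} means anonymous requests are also accepted;
#   - an operation-level `security` replaces the top-level one.
# Scheme names, cookie name and URLs are placeholders, not MediaWiki's values.
# OAS 3.0 apiKey schemes may only be in a header, query or cookie, so a CSRF
# token carried in the request body cannot be declared as a scheme here.

OAD = {
    "openapi": "3.0.0",
    "components": {"securitySchemes": {
        "mwSession": {"type": "apiKey", "in": "cookie", "name": "example_session"},
        "oauth2": {"type": "oauth2", "flows": {"authorizationCode": {
            "authorizationUrl": "https://example.org/w/rest.php/oauth2/authorize",
            "tokenUrl": "https://example.org/w/rest.php/oauth2/access_token",
            "scopes": {"editpage": "Edit existing pages"}}}},
    }},
    "security": [{}, {"mwSession": []}, {"oauth2": ["editpage"]}],  # top level: anonymous or any scheme
    "paths": {"/page/{title}": {
        "get": {},  # no `security` key: inherits the top-level list
        "put": {"security": [{"mwSession": []}, {"oauth2": ["editpage"]}]},  # edits: no {} alternative
    }},
}


def effective_security(oad, path, method):
    """Return the security requirement list that applies to one operation."""
    return oad["paths"][path][method].get("security", oad.get("security", []))


def is_authorized(oad, path, method, presented):
    """`presented` maps scheme name -> set of granted scopes; True if any alternative holds."""
    declared = oad["components"]["securitySchemes"]
    for alternative in effective_security(oad, path, method):
        if not alternative:  # {} : anonymous access allowed
            return True
        satisfied = True
        for name, scopes in alternative.items():
            if name not in declared:  # OAS: every name must be a declared scheme
                raise ValueError(f"undeclared security scheme: {name}")
            if name not in presented or not set(scopes) <= presented[name]:
                satisfied = False
                break
        if satisfied:
            return True
    return False
```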
## Conditions of acceptance
[ ] Describe at least two of the most commonly used or required security mechanisms in the security schemes object of the OpenAPI description.
* Suggestion: CSRF, OAuth 2.0, MW Session
[ ] Assign the security schemes to API operations or globally using the `security` field (per operation or at the top level).
[ ] Verify that the requests from the REST Sandbox contain the correct security information and receive correct responses from the API.
## Extra resources
- OpenAPI Specification 3.0.0: [[ https://spec.openapis.org/oas/v3.0.0.html#security-scheme-object | security scheme ]] and [[ https://spec.openapis.org/oas/v3.0.0.html#security-requirement-object | security requirement ]]
- OpenAPI description example: [[ https://gitlab.wikimedia.org/repos/technical-documentation/openapi-description-example/-/blob/main/oad-expanded.yaml?ref_type=heads#L870 | security schemes ]] and [[ https://gitlab.wikimedia.org/repos/technical-documentation/openapi-description-example/-/blob/main/oad-expanded.yaml?ref_type=heads#L333 | security requirement ]]