Change Details

**Steps to replicate the issue** (include links if applicable): * make a wiki private by using `$wgGroupPermissions['*']['read'] = false`. By private I mean visitors can not view or edit any page, but logged in user can, so will need to make sure `$wgGroupPermissions['user']['read'] = true` * create an OAuth1 or OAuth2 consumer registration record as the administrator, check the checkbox "This consumer is for use only by XXX", record down the * try make a GET call to end point "https://<wiki domain>/api.php?action=query&format=json&titles=TestPage" using either OAuth1 or OAuth2 method. **What happens?**: both OAuth1 and OAuth2 are getting following error: ```lang=json { "error": { "code": "readapidenied", "info": "You need read permission to use this module.", "*": "See https://www.xxxx.live//api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at &lt;https://lists.wikimedia.org/postorius/lists/mediawiki-api-announce.lists.wikimedia.org/&gt; for notice of API deprecations and breaking changes." } } ``` **What should have happened instead?**: expecting something like this: ```lang=json { "batchcomplete": "", "query": { "pages": { "245": { "pageid": 245, "ns": 0, "title": "TestPage" } } } } ``` **Software version** (skip for WMF-hosted wikis like Wikipedia): Product Version MediaWiki 1.39.1 PHP 7.4.33 (cgi-fcgi) MySQL 5.7.41 ICU 69.1 Lua 5.1.5 **Other information** (browser name/version, screenshots, etc.):

**Steps to replicate the issue** (include links if applicable): * make a wiki private by using `$wgGroupPermissions['*']['read'] = false`. By private I mean visitors can not view or edit any page, but logged in user can, so will need to make sure `$wgGroupPermissions['user']['read'] = true` * create an OAuth1 or OAuth2 consumer registration record as the administrator, check the checkbox "This consumer is for use only by XXX", record down the * try make a GET call to end point "https://<wiki domain>/api.php?action=query&format=json&titles=TestPage" using either OAuth1 or OAuth2 method. **What happens?**: both OAuth1 and OAuth2 are getting following error: ```lang=json { "error": { "code": "readapidenied", "info": "You need read permission to use this module.", "*": "See https://www.xxxx.live//api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at &lt;https://lists.wikimedia.org/postorius/lists/mediawiki-api-announce.lists.wikimedia.org/&gt; for notice of API deprecations and breaking changes." } } ``` **What should have happened instead?**: expecting something like this: ```lang=json { "batchcomplete": "", "query": { "pages": { "245": { "pageid": 245, "ns": 0, "title": "TestPage" } } } } ``` I did some basic troubleshooting based on the suggestions from the IRC channel, I turned on detailed logging using `$wgDebugLogFile`, it looks like the `Authorization` header value is always empty, but I am expecting the token to be passed in the header lie this: "Authorization: Bearer eyJ0eXAiOiJKV1QiLC....", for e.g. I tried postman, python, curl, but no matter what I try, it seems the wiki refuse to recognize the "Authorization" header value for some reason... below is the wiki logs when using curl to make a GET call to `/api.php?action=query&format=json&titles=TestPage` ``` Start request GET /api.php?action=query&format=json&titles=TestPage IP: 71.249.xx.xx HTTP HEADERS: ACCEPT: */* HOST: www.xxxxx.com USER-AGENT: curl/7.64.1 (end headers) ``` The log looks like this when using Postman: ``` Start request GET /api.php?action=query&format=json&titles=TestPage IP: 71.249.xx.xx HTTP HEADERS: ACCEPT: */* ACCEPT-ENCODING: gzip, deflate, br CONNECTION: keep-alive HOST: www.xxxxx.com POSTMAN-TOKEN: e04f0555-c36e-4ec2-b40c-b78d927c4a63 USER-AGENT: PostmanRuntime/7.29.2 (end headers) ``` **Software version** (skip for WMF-hosted wikis like Wikipedia): Product Version MediaWiki 1.39.1 PHP 7.4.33 (cgi-fcgi) MySQL 5.7.41 ICU 69.1 Lua 5.1.5 **Other information** (browser name/version, screenshots, etc.):

**Steps to replicate the issue** (include links if applicable): * make a wiki private by using `$wgGroupPermissions['*']['read'] = false`. By private I mean visitors can not view or edit any page, but logged in user can, so will need to make sure `$wgGroupPermissions['user']['read'] = true` * create an OAuth1 or OAuth2 consumer registration record as the administrator, check the checkbox "This consumer is for use only by XXX", record down the * try make a GET call to end point "https://<wiki domain>/api.php?action=query&format=json&titles=TestPage" using either OAuth1 or OAuth2 method. **What happens?**: both OAuth1 and OAuth2 are getting following error: ```lang=json { "error": { "code": "readapidenied", "info": "You need read permission to use this module.", "*": "See https://www.xxxx.live//api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at &lt;https://lists.wikimedia.org/postorius/lists/mediawiki-api-announce.lists.wikimedia.org/&gt; for notice of API deprecations and breaking changes." } } ``` **What should have happened instead?**: expecting something like this: ```lang=json { "batchcomplete": "", "query": { "pages": { "245": { "pageid": 245, "ns": 0, "title": "TestPage" } } } } ``` I did some basic troubleshooting based on the suggestions from the IRC channel, I turned on detailed logging using `$wgDebugLogFile`, it looks like the `Authorization` header value is always empty, but I am expecting the token to be passed in the header lie this: "Authorization: Bearer eyJ0eXAiOiJKV1QiLC....", for e.g. I tried postman, python, curl, but no matter what I try, it seems the wiki refuse to recognize the "Authorization" header value for some reason... below is the wiki logs when using curl to make a GET call to `/api.php?action=query&format=json&titles=TestPage` ``` Start request GET /api.php?action=query&format=json&titles=TestPage IP: 71.249.xx.xx HTTP HEADERS: ACCEPT: */* HOST: www.xxxxx.com USER-AGENT: curl/7.64.1 (end headers) ``` The log looks like this when using Postman: ``` Start request GET /api.php?action=query&format=json&titles=TestPage IP: 71.249.xx.xx HTTP HEADERS: ACCEPT: */* ACCEPT-ENCODING: gzip, deflate, br CONNECTION: keep-alive HOST: www.xxxxx.com POSTMAN-TOKEN: e04f0555-c36e-4ec2-b40c-b78d927c4a63 USER-AGENT: PostmanRuntime/7.29.2 (end headers) ``` **Software version** (skip for WMF-hosted wikis like Wikipedia): Product Version MediaWiki 1.39.1 PHP 7.4.33 (cgi-fcgi) MySQL 5.7.41 ICU 69.1 Lua 5.1.5 **Other information** (browser name/version, screenshots, etc.):