[Wikidata-bugs] [Maniphest] T308389: mw.ForeignApi always gets a CSRF token, even if it can't use it

2022-05-14 Thread Legoktm
Legoktm closed this task as "Invalid".
Legoktm edited projects, added MediaWiki-extensions-CentralAuth; removed 
Wikidata, Wikibase-JavaScript-Api.
Legoktm added a comment.


  That request isn't solely to fetch CSRF tokens, it serves another purpose:
  
   * Query the foreign wiki to see if we're already logged in there in the user's browser, which
   * means that there's no need to query for and use 'centralauthtoken' parameter.
   *
   * To avoid wasted requests, get a CSRF token at the same time.
  
  (from https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/CentralAuth/+/refs/heads/master/modules/ext.centralauth.ForeignApi.js#81)
  
  The request scheme is described at https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/CentralAuth/+/refs/heads/master/modules/ext.centralauth.ForeignApi.js#9 - basically if you are not logged in remotely, you need to get a short-lived centralauthtoken for each foreign request. But if you're logged in remotely, which is what the meta=userinfo is for, then we don't need centralauthtokens. And since we're making a request anyways, it makes sense to fetch the CSRF token at that time, if possible.

TASK DETAIL
  https://phabricator.wikimedia.org/T308389

___
Wikidata-bugs mailing list -- wikidata-bugs@lists.wikimedia.org
To unsubscribe send an email to wikidata-bugs-le...@lists.wikimedia.org
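
An added example, not part of the original thread and not CentralAuth's code: a simplified JavaScript model of the request scheme described in the comment above, showing which requests one foreign call needs depending on what the meta=userinfo|tokens probe returns. The function names, the constructed probe responses, the user-name comparison and the use of action=centralauthtoken on the local wiki to obtain the token are assumptions of this sketch.

```javascript
// Simplified model of the scheme described above; not CentralAuth's own code.
// Sample probe responses are constructed; their shape follows meta=userinfo|tokens.

// True when the probe shows the same user already logged in on the foreign wiki.
function isLoggedInRemotely(probe, localUserName) {
  const info = probe && probe.query && probe.query.userinfo;
  if (!info) return false;
  // Anonymous sessions carry an "anon" flag and user id 0.
  if ('anon' in info || info.id === 0) return false;
  // Assumption of this model: a different remote account does not count.
  return info.name === localUserName;
}

// List the requests a foreign call needs, given the probe result.
function planForeignCall(probe, localUserName, params) {
  const plan = [{ wiki: 'foreign', params: { action: 'query', meta: 'userinfo|tokens' } }];
  if (isLoggedInRemotely(probe, localUserName)) {
    // Session cookies authenticate the call; keep the CSRF token for later writes.
    const tokens = probe.query.tokens || {};
    plan.push({ wiki: 'foreign', params: { ...params } });
    return { plan, csrfToken: tokens.csrftoken || null };
  }
  // Not logged in remotely: fetch a short-lived centralauthtoken for this one request.
  plan.push({ wiki: 'local', params: { action: 'centralauthtoken' } });
  plan.push({ wiki: 'foreign', params: { ...params, centralauthtoken: '<from previous step>' } });
  // This model drops the probe's token: it was issued to the anonymous session.
  return { plan, csrfToken: null };
}

// The read-only call from the task description, plus two constructed probe results.
const call = { action: 'wbgetentities', format: 'json', props: 'sitelinks', ids: 'Q1' };
const loggedInProbe = {
  query: { userinfo: { id: 42, name: 'ExampleUser' }, tokens: { csrftoken: 'constructed0123+\\' } }
};
const anonProbe = {
  query: { userinfo: { id: 0, name: '203.0.113.7', anon: '' }, tokens: { csrftoken: '+\\' } }
};

for (const [label, probe] of [['logged in remotely', loggedInProbe], ['anonymous remotely', anonProbe]]) {
  const { plan, csrfToken } = planForeignCall(probe, 'ExampleUser', call);
  console.log(label, '->', plan.length, 'requests, CSRF token kept:', csrfToken !== null);
}
```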


2022-05-14 Thread Maintenance_bot
Maintenance_bot added a project: Wikidata.



2022-05-14 Thread AlexisJazz
AlexisJazz created this task.
AlexisJazz added projects: MediaWiki-Action-API, Wikibase-JavaScript-Api, 
JavaScript.
Restricted Application added a subscriber: Aklapper.

TASK DESCRIPTION
  **List of steps to reproduce** (step by step, including full links if applicable):
  
var api = new mw.ForeignApi('https://wikidata.beta.wmflabs.org/w/api.php');

api.get({format:'json',action:'wbgetentities',props:'sitelinks',ids:'Q1'}).done(function(data){});
  
  **What happens?**:
  Get:
  
  - https://wikidata.beta.wmflabs.org/w/api.php?action=query&format=json&origin=https%3A%2F%2Fcommons.wikimedia.beta.wmflabs.org&meta=userinfo%7Ctokens
  - https://wikidata.beta.wmflabs.org/w/api.php?action=wbgetentities&format=json&origin=https%3A%2F%2Fcommons.wikimedia.beta.wmflabs.org&props=sitelinks&ids=Q1
  
  Links without origin to open in browser:
  
  - https://wikidata.beta.wmflabs.org/w/api.php?action=query&format=json&meta=userinfo%7Ctokens
  - https://wikidata.beta.wmflabs.org/w/api.php?action=wbgetentities&format=json&props=sitelinks&ids=Q1
  
  **What should have happened instead?**:
  Just get the second link. You didn't need nor use that CSRF token.
