jenkins-bot has submitted this change and it was merged.

Change subject: Update token handling for core API change
......................................................................


Update token handling for core API change

Core change I2793a3f2 changes API handling in a way that needs updates
to extensions for proper operation:
* needsToken() now returns a string
* Most custom token types are being replaced with a 'csrf' token (the
  former 'edit' token); any others need a new hook.
* All tokens must use a static salt. Compat with web UI using non-static
  tokens is supported and also serves to handle the now-deprecated token
  fetching.
* Documentation in getParamDescription() should return a string (not
  array) for 'token', as the signal to core that it should be replaced
  with a standardized message.

When compatibility with earlier versions of MediaWiki is no longer
maintained, the entry for 'token' from getAllowedParams() and
getParamDescription() may be removed, as may getTokenSalt(). This patch
leaves them in place.

Since the new token mechanism requires static tokens, a new
action=centralauthtoken module is added for fetching the
centralauthtoken. action=tokens&type=centralauthtoken does still work,
but action=tokens is now deprecated in core.

Note this is intended to be compatible with earlier versions of
MediaWiki, and so should be safe to merge before the core change.

Change-Id: I683fc46b137be7800e1bd1cdedb75efdd2c20008
---
M CentralAuth.php
M CentralAuthHooks.php
A api/ApiCentralAuthToken.php
M api/ApiDeleteGlobalAccount.php
M api/ApiSetGlobalAccountStatus.php
5 files changed, 105 insertions(+), 3 deletions(-)

Approvals:
  CSteipp: Looks good to me, but someone else must approve
  Legoktm: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/CentralAuth.php b/CentralAuth.php
index 0674d26..05665aa 100644
--- a/CentralAuth.php
+++ b/CentralAuth.php
@@ -246,6 +246,7 @@
 $wgAutoloadClasses['ApiQueryGlobalGroups'] = 
"$caBase/api/ApiQueryGlobalGroups.php";
 $wgAutoloadClasses['ApiQueryWikiSets'] = "$caBase/api/ApiQueryWikiSets.php";
 $wgAutoloadClasses['ApiQueryGlobalAllUsers'] = 
"$caBase/api/ApiQueryGlobalAllUsers.php";
+$wgAutoloadClasses['ApiCentralAuthToken'] = 
"$caBase/api/ApiCentralAuthToken.php";
 $wgAutoloadClasses['CentralAuthReadOnlyError'] = 
"$caBase/CentralAuthReadOnlyError.php";
 $wgAutoloadClasses['CARCFeedFormatter'] = 
"$caBase/rcfeed/CARCFeedFormatter.php";
 $wgAutoloadClasses['IRCColourfulCARCFeedFormatter'] = 
"$caBase/rcfeed/IRCColourfulCARCFeedFormatter.php";
@@ -307,6 +308,7 @@
 $wgHooks['ApiTokensGetTokenTypes'][] = 
'ApiDeleteGlobalAccount::injectTokenFunction';
 $wgHooks['ApiTokensGetTokenTypes'][] = 
'ApiSetGlobalAccountStatus::injectTokenFunction';
 $wgHooks['ApiTokensGetTokenTypes'][] = 
'CentralAuthHooks::onApiTokensGetTokenTypes';
+$wgHooks['ApiQueryTokensRegisterTypes'][] = 
'CentralAuthHooks::onApiQueryTokensRegisterTypes';
 $wgHooks['APIGetAllowedParams'][] = 'CentralAuthHooks::onAPIGetAllowedParams';
 $wgHooks['APIGetParamDescription'][] = 
'CentralAuthHooks::onAPIGetParamDescription';
 $wgHooks['ApiCheckCanExecute'][] = 'CentralAuthHooks::onApiCheckCanExecute';
@@ -373,6 +375,7 @@
 
 $wgAPIModules['deleteglobalaccount'] = 'ApiDeleteGlobalAccount';
 $wgAPIModules['setglobalaccountstatus'] = 'ApiSetGlobalAccountStatus';
+$wgAPIModules['centralauthtoken'] = 'ApiCentralAuthToken';
 
 // API Query-Modules
 $wgAPIMetaModules['globaluserinfo'] = 'ApiQueryGlobalUserInfo';
diff --git a/CentralAuthHooks.php b/CentralAuthHooks.php
index 6cad1c1..88058be 100644
--- a/CentralAuthHooks.php
+++ b/CentralAuthHooks.php
@@ -1518,7 +1518,7 @@
                if ( $module instanceof ApiMain ) {
                        $desc['centralauthtoken'] = array(
                                'When accessing the API using a cross-domain 
AJAX request (CORS), use this to authenticate as the current SUL user.',
-                               'Use action=tokens&type=centralauth on this 
wiki to retrieve the token, before making the CORS request. Each token may only 
be used once, and expires after 10 seconds.',
+                               'Use action=centralauthtoken on this wiki to 
retrieve the token, before making the CORS request. Each token may only be used 
once, and expires after 10 seconds.',
                                'This should be included in any pre-flight 
request, and therefore should be included in the request URI (not the POST 
body).',
                        );
                }
@@ -1787,4 +1787,12 @@
                }
                return true;
        }
+
+       public static function onApiQueryTokensRegisterTypes( &$salts ) {
+               $salts += array(
+                       'setglobalaccountstatus' => 'setglobalaccountstatus',
+                       'deleteglobalaccount' => 'deleteglobalaccount',
+               );
+               return true;
+       }
 }
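Review bot: The new `onApiQueryTokensRegisterTypes` handler has no docblock, and nothing records that its two array keys must be identical to the strings returned by `ApiDeleteGlobalAccount::needsToken()` and `ApiSetGlobalAccountStatus::needsToken()` elsewhere in this change; if the commit message's description of the core change holds, a rename on either side would make core reject every token for that module. A docblock naming the hook, stating that `$salts` maps a token type name to its static salt, and that the keys are the `needsToken()` return values would capture that coupling; a `// Keys must match needsToken() in api/ApiDeleteGlobalAccount.php and api/ApiSetGlobalAccountStatus.php` comment on the array would do. Note also that `$salts += array( ... )` keeps any entry already registered under the same name by core or another extension, so a name collision is silently ignored rather than reported; if that is intended it deserves a sentence in the docblock.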
diff --git a/api/ApiCentralAuthToken.php b/api/ApiCentralAuthToken.php
new file mode 100644
index 0000000..b24cd20
--- /dev/null
+++ b/api/ApiCentralAuthToken.php
@@ -0,0 +1,91 @@
+<?php
+/**
+ * Created on Aug 09, 2014
+ *
+ * CentralAuth extension
+ *
+ * Copyright (C) 2014 Brad Jorsch [email protected]
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ * http://www.gnu.org/copyleft/gpl.html
+ */
+
+/**
+ * Module to fetch the centralauthtoken for cross-wiki queries.
+ *
+ * @ingroup API
+ * @ingroup Extensions
+ */
+class ApiCentralAuthToken extends ApiBase {
+       public function __construct( ApiMain $main, $moduleName ) {
+               parent::__construct( $main, $moduleName );
+       }
+
+       public function execute() {
+               $user = $this->getUser();
+               $params = $this->extractRequestParams();
+
+               // If we're in JSON callback mode, no tokens can be obtained
+               if ( !is_null( $this->getMain()->getRequest()->getVal( 
'callback' ) ) ) {
+                       $this->dieUsage( 'Cannot obtain a centralauthtoken when 
using a callback', 'hascallback' );
+               }
+
+               if ( $user->isAnon() ) {
+                       $this->dieUsage( 'Anonymous users cannot obtain a 
centralauthtoken', 'notloggedin' );
+               }
+
+               if ( CentralAuthHooks::hasApiToken() ) {
+                       $this->dieUsage( 'Cannot obtain a centralauthtoken when 
using centralauthtoken', 'norecursion' );
+               }
+
+               $centralUser = CentralAuthUser::getInstance( $user );
+               if ( !$centralUser->exists() || !$centralUser->isAttached() ) {
+                       $this->dieUsage( 'Cannot obtain a centralauthtoken 
without an attached global account', 'notattached' );
+               }
+
+               $data = array(
+                       'userName' => $user->getName(),
+                       'token' => $centralUser->getAuthToken(),
+               );
+               global $wgMemc;
+               $loginToken = MWCryptRand::generateHex( 32 ) . dechex( 
$centralUser->getId() );
+               $key = CentralAuthUser::memcKey( 'api-token', $loginToken );
+               $wgMemc->add( $key, $data, 60 );
+
+               $this->getResult()->addValue( null, $this->getModuleName(), 
array(
+                       'centralauthtoken' => $loginToken
+               ) );
+       }
+
+       public function getAllowedParams() {
+               return array(
+               );
+       }
+
+       public function getParamDescription() {
+               return array(
+               );
+       }
+
+       public function getDescription() {
+               return 'Fetch a centralauthtoken for making an authenticated 
request to an attached wiki.';
+       }
+
+       public function getExamples() {
+               return array(
+                       'api.php?action=centralauthtoken',
+               );
+       }
+}
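Review bot: The cache entry written in `execute()` lives for 60 seconds (`$wgMemc->add( $key, $data, 60 )`), while the parameter description updated in CentralAuthHooks.php in this same change tells clients the token "expires after 10 seconds"; one of the two should change so the documented lifetime matches what is enforced, unless the shorter limit is applied where the token is consumed. The return value of `add()` is discarded, so when the cache is unavailable or the key already exists the client is handed a token that can never authenticate; `if ( !$wgMemc->add( $key, $data, 60 ) ) { $this->dieUsage( 'Could not store the centralauthtoken', 'tokenfailed' ); }` (error code constructed here) would report that instead of failing later. A comment above the `add()` call stating the lifetime and that the entry is expected to be consumed once would also help, since neither is stated in the class docblock. Finally, the constructor only forwards to `parent::__construct` and can be dropped.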
diff --git a/api/ApiDeleteGlobalAccount.php b/api/ApiDeleteGlobalAccount.php
index 2cec567..1a0a677 100644
--- a/api/ApiDeleteGlobalAccount.php
+++ b/api/ApiDeleteGlobalAccount.php
@@ -120,7 +120,7 @@
        }
 
        public function needsToken() {
-               return true;
+               return 'deleteglobalaccount';
        }
 
        public function getTokenSalt() {
diff --git a/api/ApiSetGlobalAccountStatus.php 
b/api/ApiSetGlobalAccountStatus.php
index bdd93d6..c03e7fb 100644
--- a/api/ApiSetGlobalAccountStatus.php
+++ b/api/ApiSetGlobalAccountStatus.php
@@ -185,7 +185,7 @@
        }
 
        public function needsToken() {
-               return true;
+               return 'setglobalaccountstatus';
        }
 
        public function getTokenSalt() {

-- 
To view, visit https://gerrit.wikimedia.org/r/153085

Gerrit-MessageType: merged
Gerrit-Change-Id: I683fc46b137be7800e1bd1cdedb75efdd2c20008
Gerrit-PatchSet: 2
Gerrit-Project: mediawiki/extensions/CentralAuth
Gerrit-Branch: master
Gerrit-Owner: Anomie <[email protected]>
Gerrit-Reviewer: Aaron Schulz <[email protected]>
Gerrit-Reviewer: CSteipp <[email protected]>
Gerrit-Reviewer: Legoktm <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
