[Wikidata-bugs] [Maniphest] [Commented On] T246751: SUPPORT: wikidata/wikibase edits via oauth

[DD063520]

DD063520 added a comment.


  We solved the problem by recreating a new account and a new consumer. So this 
seams to be a bug on Wikimedia side. If someone runs into the problem he can 
try to make the same. Thank you for the support!

TASK DETAIL
  https://phabricator.wikimedia.org/T246751

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: DD063520
Cc: Tgr, Gabinguo, Lucas_Werkmeister_WMDE, DD063520, Aklapper, darthmon_wmde, 
Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, 
rosalieper, Scott_WUaS, Wikidata-bugs, aude, Mbch331
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs

[Wikidata-bugs] [Maniphest] [Commented On] T246751: SUPPORT: wikidata/wikibase edits via oauth

[DD063520]

DD063520 added a comment.


  @Tgr: we made a further experiment  if we select "This consumer is for 
use only by DD063520." then we get directly access and verifier tokens. With 
these the code works 
  
  So we can retrieve via
  
  api.php?action=query=userinfo=json
  
  the user information but not make edits beacuse of some permission errors. 
But if we create a "This consumer is for use only by DD063520." than we even 
can make edits.
  
  This starts to look like a bug .
  
  Could you check on your side please

TASK DETAIL
  https://phabricator.wikimedia.org/T246751

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: DD063520
Cc: Tgr, Gabinguo, Lucas_Werkmeister_WMDE, DD063520, Aklapper, darthmon_wmde, 
Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, 
rosalieper, Scott_WUaS, Wikidata-bugs, aude, Mbch331
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs

[Wikidata-bugs] [Maniphest] [Commented On] T246751: SUPPORT: wikidata/wikibase edits via oauth

[DD063520]

DD063520 added a comment.


  @Tgr, could you help us out with this?
  
  We were checking similar applications and we found out that this application
  
  
https://www.wikidata.org/wiki/Special:OAuthListConsumers/view/7db6cf98680180fd33ecb2901733894f
  
  is able to do oAuth edits in wikidata. The strange thing is that the consumer 
is registered on Wikidata, while ours is registered on Mediawiki ...
  
  
https://meta.wikimedia.org/wiki/Special:OAuthListConsumers/view/3e6cda19f25a0563fc940c511f23836b
  
  Is this normal?

TASK DETAIL
  https://phabricator.wikimedia.org/T246751

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: DD063520
Cc: Tgr, Gabinguo, Lucas_Werkmeister_WMDE, DD063520, Aklapper, darthmon_wmde, 
Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, 
rosalieper, Scott_WUaS, Wikidata-bugs, aude, Mbch331
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs

[Wikidata-bugs] [Maniphest] [Commented On] T246751: SUPPORT: wikidata/wikibase edits via oauth

[DD063520]

DD063520 added a comment.


  Hi,
  
  @Tgr could you find time to check?
  
  @Lucas_Werkmeister_WMDE could you try to run the code that I posted?
  
  Sorry, but we are somehow stuck because of this
  
  Merci

TASK DETAIL
  https://phabricator.wikimedia.org/T246751

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: DD063520
Cc: Tgr, Gabinguo, Lucas_Werkmeister_WMDE, DD063520, Aklapper, darthmon_wmde, 
Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, 
rosalieper, Scott_WUaS, Wikidata-bugs, aude, Mbch331
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs

[Wikidata-bugs] [Maniphest] [Commented On] T246751: SUPPORT: wikidata/wikibase edits via oauth

[DD063520]

DD063520 added a comment.


  @Tgr Hi, I just made a request at 08:03 Paris time  could you check  
the consumer is:
  
  
https://meta.wikimedia.org/wiki/Special:OAuthListConsumers/view/3e6cda19f25a0563fc940c511f23836b
  
  the user is
  
  DD063520
  
  Merci

TASK DETAIL
  https://phabricator.wikimedia.org/T246751

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: DD063520
Cc: Tgr, Gabinguo, Lucas_Werkmeister_WMDE, DD063520, Aklapper, darthmon_wmde, 
Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, 
rosalieper, Scott_WUaS, Wikidata-bugs, aude, Mbch331
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs

[Wikidata-bugs] [Maniphest] [Commented On] T246751: SUPPORT: wikidata/wikibase edits via oauth

[Tgr]

Tgr added a comment.


  > api.php?action=query=userinfo=json via OAuth to retrive the 
username of the user
  
  That works but it's not necessarily safe. You should use the OAuth identify 
endpoint 
 
instead (or the equivalent OAuth 2 endpoint).
  
  > Please never post your token on Phabricator or other public forums. I think 
this one isn’t too bad – OAuth sessions seem to get separate tokens from web 
sessions, as far as I can tell – but don’t do it again. (I probably should’ve 
made that more clear in my previous comment.)
  
  You should certainly avoid posting any tokens anywhere, as a best practice. 
CSRF tokens are not that dangerous though (the attacker would have to trick you 
into visiting their website with a browser that has the same session open 
before it is abusable). And OAuth sessions are separate from normal sessions, 
as you say. (OAuth CSRF tokens are kind of pointless, you need the OAuth keys 
to be able to make an OAuth request and if you have them you can get tokens as 
well. CSRF handling was just to deeply embedded in the API to be possible to 
disable for OAuth.)
  
  In T246751#5943349 , 
@Aklapper wrote:
  
  > I'm wondering if @Tgr might have an idea here, as this issue is related to 
OAuth? (Sorry if I am wrong, feel free to share better ideas.) Thanks!
  
  Provide exact timestamps for the attempts, we can look up in the permission 
check logs what exactly failed.

TASK DETAIL
  https://phabricator.wikimedia.org/T246751

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: Tgr
Cc: Tgr, Gabinguo, Lucas_Werkmeister_WMDE, DD063520, Aklapper, darthmon_wmde, 
Nandana, Lahi, Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, 
rosalieper, Scott_WUaS, Wikidata-bugs, aude, Mbch331
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs

[Wikidata-bugs] [Maniphest] [Commented On] T246751: SUPPORT: wikidata/wikibase edits via oauth

[DD063520]

DD063520 added a comment.


  Hi,
  
  I published the code here:
  
  https://github.com/D063520/OAuthWikimediaTest
  
  In fact it I just added two API calls after the code that you pulled to the 
scribejava repository.
  
  
https://github.com/scribejava/scribejava/blob/ccf4d52121dc00bb05d6283e2f7c266b01ecf44a/scribejava-apis/src/test/java/com/github/scribejava/apis/examples/MediaWikiExample.java
  
  Could you just put the credentials of one consumer you have in this file
  
  
https://github.com/D063520/OAuthWikimediaTest/blob/master/src/main/java/MediaWikiExample.java
  
  and check if it runs for you?

TASK DETAIL
  https://phabricator.wikimedia.org/T246751

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: DD063520
Cc: Lucas_Werkmeister_WMDE, DD063520, Aklapper, darthmon_wmde, Nandana, Lahi, 
Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Mbch331
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs

[Wikidata-bugs] [Maniphest] [Commented On] T246751: SUPPORT: wikidata/wikibase edits via oauth

[DD063520]

DD063520 added a comment.


  Hi,
  
  yes the user info is correct. The consumer is this one 
  
  
https://meta.wikimedia.org/wiki/Special:OAuthListConsumers/view/3e6cda19f25a0563fc940c511f23836b
  
  maybe I pointed to the wrong one, but it has the same grants. Or?
  
  I will try to share a minimal working example 

TASK DETAIL
  https://phabricator.wikimedia.org/T246751

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: DD063520
Cc: Lucas_Werkmeister_WMDE, DD063520, Aklapper, darthmon_wmde, Nandana, Lahi, 
Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Mbch331
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs

[Wikidata-bugs] [Maniphest] [Commented On] T246751: SUPPORT: wikidata/wikibase edits via oauth

[Lucas_Werkmeister_WMDE]

Lucas_Werkmeister_WMDE added a comment.


  Sharing some code might help, though I’m not sure who could spend much time 
investigating this. But I just noticed that the OAuth callback URL of your 
consumer 

 is `/wiki/Special:OAuth/verified` – that looks odd to me. Are you sure that 
the OAuth part works, and that the `userinfo` API returns the correct user name?

TASK DETAIL
  https://phabricator.wikimedia.org/T246751

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: Lucas_Werkmeister_WMDE
Cc: Lucas_Werkmeister_WMDE, DD063520, Aklapper, darthmon_wmde, Nandana, Lahi, 
Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Mbch331
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs

[Wikidata-bugs] [Maniphest] [Commented On] T246751: SUPPORT: wikidata/wikibase edits via oauth

[DD063520]

DD063520 added a comment.


  Would it help if we share some minimal code for the functionality we want, so 
that someone can debug it with an own consumer? But without seeing what is 
happening on the server side I'm not sure how we will solve the problem .

TASK DETAIL
  https://phabricator.wikimedia.org/T246751

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: DD063520
Cc: Lucas_Werkmeister_WMDE, DD063520, Aklapper, darthmon_wmde, Nandana, Lahi, 
Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Mbch331
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs

[Wikidata-bugs] [Maniphest] [Commented On] T246751: SUPPORT: wikidata/wikibase edits via oauth

[DD063520]

DD063520 added a comment.


  mhmmm, so what to do?

TASK DETAIL
  https://phabricator.wikimedia.org/T246751

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: DD063520
Cc: Lucas_Werkmeister_WMDE, DD063520, Aklapper, darthmon_wmde, Nandana, Lahi, 
Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Mbch331
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs

[Wikidata-bugs] [Maniphest] [Commented On] T246751: SUPPORT: wikidata/wikibase edits via oauth

[Lucas_Werkmeister_WMDE]

Lucas_Werkmeister_WMDE added a comment.


  Please never post your token on Phabricator or other public forums. I 
//think// this one isn’t too bad – OAuth sessions seem to get separate tokens 
from web sessions, as far as I can tell – but don’t do it again. (I probably 
should’ve made that more clear in my previous comment.)
  
  The error looks like a missing grant error to me, similar to one I 
encountered a year ago, see Permissiondenied on rollback API 
.
 I don’t understand why it happens, though – your consumer has the “edit 
existing pages” grant, which according to Special:ListGrants 
 includes the right to 
“change item terms (labels, descriptions, aliases)”. The page you’re trying to 
edit, Q47545479 , isn’t protected 
either.

TASK DETAIL
  https://phabricator.wikimedia.org/T246751

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: Lucas_Werkmeister_WMDE
Cc: Lucas_Werkmeister_WMDE, DD063520, Aklapper, darthmon_wmde, Nandana, Lahi, 
Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Mbch331
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs

[Wikidata-bugs] [Maniphest] [Commented On] T246751: SUPPORT: wikidata/wikibase edits via oauth

[DD063520]

DD063520 added a comment.


  Hi,
  
  I'm not able to fix this .  the token is for example
  
  cd8b9031c5d8b1326b852d34d99192b45e5e5468+\
  
  so it looks of the right form. Also by looking at the .addBodyParameter 
method, I do not see that something bad would happen. I checked again the 
message that I get, it is:
  
  [{"name":"wikibase-api-permissiondenied","parameters":[],"html":{"*":"You do 
not have the permissions needed to carry out this 
action."}},{"name":"**badaccess-groups**","parameters":["*",1],"html":{"*":"The 
action you have requested is limited to users in the group: *."}}]
  
  Does this maybe say something to you? otherwise, are you sure this should 
work and we are not forgetting something?

TASK DETAIL
  https://phabricator.wikimedia.org/T246751

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: DD063520
Cc: Lucas_Werkmeister_WMDE, DD063520, Aklapper, darthmon_wmde, Nandana, Lahi, 
Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Mbch331
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs

[Wikidata-bugs] [Maniphest] [Commented On] T246751: SUPPORT: wikidata/wikibase edits via oauth

[Lucas_Werkmeister_WMDE]

Lucas_Werkmeister_WMDE added a comment.


  My best guess is that the token is mis-encoded at some point – it should end 
in `+\`, maybe either the `.get("csrftoken").toString()` or the 
`.addBodyParameter("token", csrftoken)` mangles it. (You can remove the 
`cookie=` line, that shouldn’t have an effect but might disturb things.

TASK DETAIL
  https://phabricator.wikimedia.org/T246751

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: Lucas_Werkmeister_WMDE
Cc: Lucas_Werkmeister_WMDE, DD063520, Aklapper, darthmon_wmde, Nandana, Lahi, 
Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Mbch331
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs

[Wikidata-bugs] [Maniphest] [Commented On] T246751: SUPPORT: wikidata/wikibase edits via oauth

[DD063520]

DD063520 added a comment.


  Hi,
  
  this is the consumer:
  
  
https://meta.wikimedia.org/w/index.php?title=Special:OAuthListConsumers/view/25909aad6dde148a8fb348fd19f36b62==DD063520=-1
  
  so there should be the necessary grants. I will past here the two relevant 
code snippets. This part is working:
  
OAuthRequest request = new OAuthRequest(Verb.POST, API);
request.addBodyParameter("action","query");
request.addBodyParameter("meta","userinfo");
request.addBodyParameter("format","json");
service.get().signRequest(newAccess, request);
Response response = service.get().execute(request);
JSONParser parser = new JSONParser();
JSONObject jsonObject = (JSONObject) parser.parse(response.getBody());
System.out.println(jsonObject);
user.setUserName(((JSONObject)((JSONObject) 
jsonObject.get("query")).get("userinfo")).get("name").toString());
userRepository.save(user);
  
  i.e. I can retrieve the user information. While this part:
  
OAuthRequest request = new OAuthRequest(Verb.POST, API + 
"?action=query=json=tokens");
OAuth1AccessToken newAccess = new 
OAuth1AccessToken(user.getAccessToken(),user.getAccessTokenSecret());
service.get().signRequest(newAccess, request);
Response response = service.get().execute(request);
System.out.println(response.getBody());
System.out.println(response.getHeaders().get("Set-Cookie"));
JSONParser parser = new JSONParser();
JSONObject jsonObject = (JSONObject) parser.parse(response.getBody());
String csrftoken = ((JSONObject) ((JSONObject) 
jsonObject.get("query")).get("tokens")).get("csrftoken").toString();
System.out.println(csrftoken);

//doesn't work 
System.out.println("Cookie "+user.getWikidataToken());
request = new OAuthRequest(Verb.POST, API);
//this line also doesn't help
request.getHeaders().put("cookie=",user.getWikidataToken());
request.addBodyParameter("action", "wbsetdescription");
request.addBodyParameter("id", "Q47545479");
request.addBodyParameter("language", "it");
request.addBodyParameter("value", "Sistema di Question Answering per dati 
in formato RDF");
request.addBodyParameter("format", "json");
request.addBodyParameter("token", csrftoken);
service.get().signRequest(newAccess, request);
response = service.get().execute(request);
  
  works only the first part, the second gets the above mentioned error. Let me 
know if you need more details 

TASK DETAIL
  https://phabricator.wikimedia.org/T246751

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: DD063520
Cc: Lucas_Werkmeister_WMDE, DD063520, Aklapper, darthmon_wmde, Nandana, Lahi, 
Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Mbch331
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs

[Wikidata-bugs] [Maniphest] [Commented On] T246751: SUPPORT: wikidata/wikibase edits via oauth

[Lucas_Werkmeister_WMDE]

Lucas_Werkmeister_WMDE added a comment.


  Can you share the source code you’re using? Without that, it’s hard to say 
what the issue might be.
  
  If your OAuth consumer happens to be this one 

 or this one 

 (found in Special:Log/mwoauthconsumer 
), then it looks 
like you didn’t request any grants that allow editing when proposing the 
consumer.

TASK DETAIL
  https://phabricator.wikimedia.org/T246751

EMAIL PREFERENCES
  https://phabricator.wikimedia.org/settings/panel/emailpreferences/

To: Lucas_Werkmeister_WMDE
Cc: Lucas_Werkmeister_WMDE, DD063520, Aklapper, darthmon_wmde, Nandana, Lahi, 
Gq86, GoranSMilovanovic, QZanden, LawExplorer, _jensen, rosalieper, Scott_WUaS, 
Wikidata-bugs, aude, Mbch331
___
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs