Tgr added a comment.
> api.php?action=query&meta=userinfo&format=json via OAuth to retrieve the username of the user

That works but it's not necessarily safe. You should use the OAuth identify endpoint <https://www.mediawiki.org/wiki/OAuth/For_Developers#Identifying_the_user> instead (or the equivalent OAuth 2 endpoint).

> Please never post your token on Phabricator or other public forums. I think this one isn't too bad – OAuth sessions seem to get separate tokens from web sessions, as far as I can tell – but don't do it again. (I probably should've made that more clear in my previous comment.)

You should certainly avoid posting any tokens anywhere, as a best practice. CSRF tokens are not that dangerous though (the attacker would have to trick you into visiting their website with a browser that has the same session open before it is abusable). And OAuth sessions are separate from normal sessions, as you say. (OAuth CSRF tokens are kind of pointless: you need the OAuth keys to be able to make an OAuth request, and if you have them you can get tokens as well. CSRF handling was just too deeply embedded in the API to be possible to disable for OAuth.)

In T246751#5943349 <https://phabricator.wikimedia.org/T246751#5943349>, @Aklapper wrote:

> I'm wondering if @Tgr might have an idea here, as this issue is related to OAuth? (Sorry if I am wrong, feel free to share better ideas.) Thanks!

Provide exact timestamps for the attempts, we can look up in the permission check logs what exactly failed.

TASK DETAIL
https://phabricator.wikimedia.org/T246751
_______________________________________________
Wikidata-bugs mailing list
Wikidata-bugs@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikidata-bugs
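The comment above recommends the OAuth identify endpoint (Special:OAuth/identify) over meta=userinfo. What makes the identify endpoint the safer choice is that its response is a JWT signed with the consumer secret, so the client can check that the assertion was issued to its own consumer (aud), by the expected wiki (iss), recently (iat), and in reply to this exact request (nonce), rather than trusting whatever JSON comes back. The verifier below is an added example, not code from the task, from MediaWiki, or from any of the participants; it assumes the token layout the linked developer page describes (HS256 over the consumer secret, with iss/sub/aud/iat/exp/nonce/username claims), and the `make_identify_jwt` helper is a constructed stand-in for the server so the block runs offline. Claim values and credentials are fake.

```python
"""Verify a MediaWiki OAuth identify JWT (added example; offline)."""
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


class IdentifyError(Exception):
    """The identify token failed a check and must not be used."""


def verify_identify_jwt(token, consumer_key, consumer_secret, issuer, nonce,
                        now=None, max_age=300, skew=60):
    """Return the verified claims of an identify token, or raise IdentifyError.

    consumer_key / consumer_secret: the app's own OAuth consumer credentials.
    issuer: the wiki that issued the grant, e.g. "https://meta.wikimedia.org".
    nonce: the oauth_nonce sent on the identify request; the JWT must echo it,
           which ties the assertion to this request and blocks replay.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise IdentifyError("malformed token") from None

    # Pin the algorithm before anything else; never let the token choose it
    # ("none"/RS256 confusion). Identify tokens are HS256 over the consumer secret.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise IdentifyError("unexpected alg %r" % header.get("alg"))

    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    expected = hmac.new(consumer_secret.encode("utf-8"), signing_input,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise IdentifyError("bad signature")

    # Only now is the payload authenticated; parse and check the claims.
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise IdentifyError("issuer mismatch")
    if claims.get("aud") != consumer_key:
        raise IdentifyError("token was issued to another consumer")
    iat = claims.get("iat")
    if not isinstance(iat, int) or not (now - max_age <= iat <= now + skew):
        raise IdentifyError("token too old or from the future")
    exp = claims.get("exp")
    if isinstance(exp, int) and exp < now - skew:
        raise IdentifyError("token expired")
    if claims.get("nonce") != nonce:
        raise IdentifyError("nonce mismatch (replayed or foreign response)")
    return claims


def identify_is_valid(*args, **kwargs) -> bool:
    """Boolean convenience wrapper around verify_identify_jwt."""
    try:
        verify_identify_jwt(*args, **kwargs)
        return True
    except IdentifyError:
        return False


def make_identify_jwt(consumer_key, consumer_secret, issuer, username, nonce, now):
    """Constructed for this example only: builds a token shaped like the one
    Special:OAuth/identify returns so the verifier can be exercised offline.
    Claim names follow the MediaWiki OAuth developer page; values are fake."""
    header = {"typ": "JWT", "alg": "HS256"}
    claims = {"iss": issuer, "sub": 12345, "aud": consumer_key,
              "exp": now + 100, "iat": now, "nonce": nonce,
              "username": username, "editcount": 42, "blocked": False}
    signing_input = "%s.%s" % (b64url_encode(json.dumps(header).encode()),
                               b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(consumer_secret.encode("utf-8"), signing_input.encode("ascii"),
                   hashlib.sha256).digest()
    return "%s.%s" % (signing_input, b64url_encode(sig))


def tamper_username(token, new_username):
    """Attacker simulation: rewrite the payload but keep the original signature.
    A verifier that trusts the body without checking the MAC would accept this."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["username"] = new_username
    return "%s.%s.%s" % (header_b64, b64url_encode(json.dumps(claims).encode()), sig_b64)


if __name__ == "__main__":
    key, secret, iss = "examplekey", "examplesecret", "https://meta.wikimedia.org"
    t0 = 1_700_000_000
    tok = make_identify_jwt(key, secret, iss, "Example", "n0nce", now=t0)
    print(verify_identify_jwt(tok, key, secret, iss, "n0nce", now=t0 + 5)["username"])
    print(identify_is_valid(tamper_username(tok, "Admin"), key, secret, iss, "n0nce", now=t0 + 5))
```

The order of checks matters: the algorithm is pinned and the signature verified before the payload is parsed, so no claim is acted on until it is authenticated, and the nonce is compared against the one the client generated for the identify request rather than against anything in the response.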