feat(oauth): when requested, include ConsumerAcceptance in oauth data #446
Conversation
| 'agent' => $c->getName(), | ||
| 'consumerKey' => $c->getConsumerKey(), | ||
| 'consumerSecret' => \MediaWiki\Extension\OAuth\Backend\Utils::hmacDBSecret( $c->getSecretKey() ), | ||
| ]; | ||
|
|
||
| if ( $includeAccess ) { |
There was a problem hiding this comment.
My hacky way of testing this locally would be to short circuit this if statement and always execute the branch, then see if Magnustools Oauth consumers stil work and also receive the additional data.
There was a problem hiding this comment.
And you'd be happiest if Magnustools does not get this additional data?
My understanding is that we wouldn't want Magnus tools to get these credentials since they would allow editing as the platform reserved user
There was a problem hiding this comment.
And you'd be happiest if Magnustools does not get this additional data?
Hence the additional parameter, yes
| @@ -107,7 +107,7 @@ public static function createOauthConsumer($consumerName, $version, $grants, $ca | |||
| return true; | |||
| } | |||
|
|
|||
| public static function getOAuthConsumer($consumerName, $version) { | |||
| public static function getOAuthConsumer($consumerName, $version, $includeAccess = false) { | |||
There was a problem hiding this comment.
I was thinking that it could maybe sense to refactor the name of this method to try and make it clear to future callers what the purpose is:
usecase 1 with $includeAccess = false is: I want an OAuth consumer that each individual user can authorise to edit on their behalf with their account
usecase 2 with $includeAccess = true is: I want credentials to edit the wiki as the PlatformReservedUser
I almost wonder if this would be better as a totally separate function. Really the common logic is more "incidental" than "conceptual"; it just happens to be that to get the credentials for usecase 2 you have to get a consumer but really you aren't asking for a consumer but instead editing credentials.
There was a problem hiding this comment.
it just happens to be that to get the credentials for usecase 2 you have to get a consumer but really you aren't asking for a consumer but instead editing credentials.
So the way mw cli works is it expects all 4 tokens, not only the ConsumerAcceptance ones.
What we could do though is: always create the consumer with acceptance tokens, and then have a dedicated function that turns the consumer into a response based on the parameter given.
Ticket: https://phabricator.wikimedia.org/T368024
The
transferbotimage relies onmw-cliwhich needs "access" style OAuth credentials in addition to "consumer" ones (as used by magnustools). This PR adds a parameter to theplatformOauthGetaction that includes access credentials on request.Further down the line this will be called by the Platform API, which will then pass the values to a K8s job running
transferbot