Annoyed by the first concern: Security

For the first time in my life I am annoyed with my first preference and concern, which has always been “Security”. After completing the parse and query aspects of the API in Codecademy, I took a step towards the modifying aspect of the MediaWiki API.

Modification includes:

  • Creation of a user account.
  • Editing pages.
  • Adding pages to their watchlist.
  • But not deleting, as most users are not admins.

To modify or edit a Wikipedia page, we need to issue the following two requests:

  1.  Get the action token.
  2.  Use that token to change some page, say Wikipedia:Sandbox.

I started with getting an edit token through an API call, passing the following JSON request variable via Ajax:

    var req = {
      format: 'json',
      action: 'query',
      prop: 'info',
      intoken: 'edit',
      titles: 'Wikipedia:Sandbox'
    };

But I got the same warning repeatedly, saying:

    "warnings": {
      "info": {
        "*": "Unrecognized value for parameter 'intoken': edit"
      }
    }

I couldn’t understand the problem, so I had a talk with my mentor Yuri Astrakhan, and he told me it is because of the “callback” parameter that we use to get the data. He said it was most likely added to prevent exactly what I was trying to do, i.e. to prevent calling the MediaWiki API from a non-wiki website (in my case Codecademy) as an anonymous user to edit/modify Wikipedia pages. As the above warning was unclear, I filed a bug on Bugzilla.

As suggested by Yuri, the best way to solve this issue was to join the MediaWiki API mailing list and send them a mail stating the current situation, so I did. I got a reply from Chris Steipp suggesting “to use OAuth, but if we are using a WMF wiki like mediawiki.org instead of a mediawiki instance then the cross-origin issues are going to make it very difficult in general, and the only way will likely be to have your javascript talk to codecademy, and have codecademy use OAuth to access the wiki on behalf of the user. If it’s the former, then you can set up CORS between the domains, and use the api to login, and all calls will be authenticated due to the user’s session.” It was doubtful whether we could do CORS for Codecademy, as that could open a huge security hole.

Ahhhhhhh…. I was so ANNOYED :@ by the whole security issue, and started exploring OAuth, which I could understand conceptually but not its implementations.

Finally we came to the conclusion to quickly set up a simple MediaWiki instance and set up CORS on it, which I am going to work on this week with my mentor. 😀
