Extension:CentralAuthAPI

Code

 * core tweak: https://gerrit.wikimedia.org/r/#/c/52708/
 * extension: https://github.com/brion/CentralAuthAPI

Why
With cross-domain session cookies set via Extension:CentralAuth's enhanced login, and CORS enabled for the API for relevant domains, it's possible to make authenticated HTTP requests through JavaScript on one MediaWiki site (eg en.wikipedia.org) to another linked site (commons.wikimedia.org).

This can be used for anything from making queries to uploading photos. Pretty rad!

Unfortunately, many browsers have restrictions on setting "third-party cookies" through the technique that CentralAuth's enhanced login page uses. (Special image icons are loaded with a token parameter, which triggers setting of the cookies.) This has led to a surprisingly high upload failure rate for mobile uploads, which use the cross-site HTTP requests.

Same-origin proxying
(provisional ideas)

Make a regular API request to your local site, but pass the parameter "apitarget= ", eg "apitarget=commonswiki". If you have a working CentralAuth session on the local site, the backend will pass the request through over HTTP internally and give you back results.

How to do it
These cookies need to be forwarded in the request:

centralauth_User=XXXX centralauth_Session=XXXXXXXXXXXXXXXX

Something early in API processing should detect the 'apitarget' parameter and replace standard API processing with the proxy.


 * detect 'apitarget' param and divert processing
 * get centralauth_* cookies
 * if none, error out
 * look up the URL for the 'apitarget' wiki via CentralAuth internals
 * send cookies, parameters, and POST data body on to that site (on local network)
 * proxy back the output data
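A sketch of the steps above in PHP, added here as an illustration (not the extension's code): the allowlist map, the function names and the error codes are assumptions, and a real build would resolve the target wiki's URL through CentralAuth internals rather than a hard-coded map. It also folds in the X-Forwarded-For header and the whitelist from the Todo section.

```php
<?php
// Added illustration, not the extension's code; names, allowlist and error
// codes are assumptions (a real build would resolve targets via CentralAuth).
// Assumed allowlist: wiki id => internal API endpoint. A fixed map, not the
// request, picks the host, so the proxy cannot be aimed at arbitrary servers.
$proxyTargets = [ 'commonswiki' => 'http://commons.wikimedia.org/w/api.php' ];

/** Decide how to forward a request, or return [ 'error' => code ]. */
function buildProxyRequest( array $params, array $cookies, string $clientIp, array $targets ) {
    $target = $params['apitarget'] ?? '';
    if ( !isset( $targets[$target] ) ) {
        return [ 'error' => 'badtarget' ];   // not on the whitelist
    }
    // Only the two CentralAuth cookies travel on; the local wiki's own session
    // and preference cookies never leave this site.
    if ( empty( $cookies['centralauth_User'] ) || empty( $cookies['centralauth_Session'] ) ) {
        return [ 'error' => 'notloggedin' ];
    }
    unset( $params['apitarget'] );           // the remote API must not re-proxy
    return [
        'url'     => $targets[$target],
        'params'  => $params,
        'cookies' => [
            'centralauth_User'    => $cookies['centralauth_User'],
            'centralauth_Session' => $cookies['centralauth_Session'],
        ],
        // Lets the remote wiki log and rate-limit the real client, not the proxy.
        'headers' => [ 'X-Forwarded-For: ' . $clientIp ],
    ];
}

/** Perform the forwarded POST and hand the body back unchanged. */
function sendProxyRequest( array $req ) {
    $ch = curl_init( $req['url'] );
    curl_setopt_array( $ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $req['params'],
        CURLOPT_COOKIE         => http_build_query( $req['cookies'], '', '; ' ),
        CURLOPT_HTTPHEADER     => $req['headers'],
        CURLOPT_RETURNTRANSFER => true,
    ] );
    return curl_exec( $ch );
}

// Constructed sample standing in for $_REQUEST, $_COOKIE and the client IP.
$req = buildProxyRequest(
    [ 'action' => 'query', 'meta' => 'userinfo', 'format' => 'json', 'apitarget' => 'commonswiki' ],
    [ 'centralauth_User' => 'Example', 'centralauth_Session' => 'XXXXXXXXXXXXXXXX', 'enwikiSession' => 'x' ],
    '203.0.113.7', $proxyTargets );
echo isset( $req['error'] ) ? "error: {$req['error']}\n" : sendProxyRequest( $req );
```

Inside MediaWiki the two arrays would come from the WebRequest and cookie data early in API processing; the sample shows that the local `enwikiSession` cookie is dropped and only the `centralauth_*` pair is forwarded.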

Alternatives

 * pick a name for 'apitarget'
 * pick an alternate entry point
 * name something with 'Central' in it. CentralAPI? :)
 * make it part of CentralAuth

Todo

 * add X-Forwarded-For headers
 * whitelist which wikis can be proxied to?
 * test on POSTs