Topic on Talk:Core Platform Team/Initiatives/Core REST API in MediaWiki

For the record, here are some of the open questions about the editing endpoints that have com up today. They all boil down to the question of what functionality of API:Edit will be supported, and how, and when. Most importantly:

• How to we detect edit conflicts?
• Do we need CSRF tokens, or is requiring OAuth Authorization headers sufficient?
  • Do we need review from the security team?
• Will the implementation be cased on EditPage?
  • if yes, is there anything we need to change about it (like CSRF checks)?
  • if yes, do we plan to address the debt associated with that?
  • if no, is it clear what permission checks and rate limits need to be applied?

For the first one, I think including a previous revision ID in the PUT request would help with automated merges, correct? If the automated merge doesn't work, we can provide a specific error code.

I've started asking for review from Security on CSRF tokens. I don't think OAuth is what helps, but not supporting session cookies for auth.

> For the first one, I think including a previous revision ID in the PUT request would help with automated merges, correct?

Yes, the previous revision ID should be supplied for updates. I think it should be required, even - overwriting concurrent edits is not acceptable. But how will it be submitted? As a URL parameter? I request body is JSON, right?

Btw, it should be clarified whether auto-merge is a hard requirement, or just nice to have. I think *detecting* conflicts is a requirement, but just failing without attempting a merge would be acceptable, at least initially. Auto-merges is best-effort anyway.

I think we resolved this one on the appropriate ticket.