Topic on Project:Support desk

Token validation API

6 comments • 12:02, 17 August 2020 3 years ago

6

RaindropsSys (talkcontribs)

Hello, I have setup a MediaWiki installation for a private wiki, and now I'd like to create my own website, but make it only available to people who are logged in to my MediaWiki installation.

I didn't found any straight-forward and simple API to validate a token (maybe the mediawiki_session cookie, or another one?) that my server could call to check if the token is valid.

The website I'll create and my MediaWiki instance are on the same domain. I found ?action=checktoken but when I try api.php?action=checktoken&type=login&token=<token> with the mediawiki_session it says it's invalid.

Here's a summary on how I want it to be:

The server should make the request, not the client
Validate the token easily
I know how to do the rest

Regards.

Reply 21:26, 12 August 2020 3 years ago

Bawolff (talkcontribs)

checktoken is for csrf tokens only. You should not use that for access control.

The hacky way to do this is to take all the user's cookies, make a server side request with the user's cookies to api.php?action=query&meta=userinfo and see what user is returned.

For the non hacky way of doing this - im not sure i understand what you are trying to accomplish. I assume you are not doing some sort of single-sign-on since you are using mediawiki's authorization (if you are doing some sort of single-sign-on see AuthManager). At the same time you don't want to use MediaWiki's builtin access control to only allow logged in users? I could probably better advise if i understood why you are trying to do this.

Nonetheless, if you didnt trust mediawiki's access control, and want to use some sort of interstitial access portal instead, probably the most proper approach would be to use a custom SessionManager and have all authorization be in your thing instead of just the access control. See AuthManager

Reply Edited 02:18, 13 August 2020 3 years ago

RaindropsSys (talkcontribs)

Thanks, it's working!

Here's my code if some are interested:

<?php

// We grab all the cookies
$cookies = "";
$keys = array_keys($_COOKIE);
$index = 0;
foreach ($_COOKIE as $cookie) {
    $cookies = $cookies . $keys[$index] . "=" . $cookie . ";";
    $index++;
}

// Make the request to the MediaWiki API
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, "https://{$_SERVER['HTTP_HOST']}/api.php?action=query&meta=userinfo&format=json");
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_COOKIE, $cookies);
curl_setopt($curl, CURLOPT_HEADER, false);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
$result = curl_exec($curl);
curl_close($curl);

// Process the data
$data = json_decode($result);
header("Content-Type: application/json");

if (json_last_error() !== JSON_ERROR_NONE) {
    die("false");
}

if (isset($data->batchcomplete) && $data->batchcomplete == "") {
    die("true");
} else {
    die("false");
}

And it's surprisingly fast! I can even improve the speed using localhost instead of the domain name used by the client.

Reply 09:08, 13 August 2020 3 years ago

Bawolff (talkcontribs)

note: this is insecure if using client host header since it can be anything (see SSRF attack). In certain circumstances it may be possible to turn SSRF into code execution.

You may also want to urlencode the value of the cookies.

Batchcomplete is the wrong key to look for as it is present regardless of if the session is valid.

Reply 15:29, 13 August 2020 3 years ago

RaindropsSys (talkcontribs)

For the client host header, changed it to localhost, and for the batchcomplete key I may take a look at it later.

Reply 12:02, 17 August 2020 3 years ago

RaindropsSys (talkcontribs)

What I want to do is just, using client's cookies, make the server check if a MediaWiki session is valid. I'll tell you what api.php?action=query&meta=userinfo gives me.

Reply 08:34, 13 August 2020 3 years ago

Reply to "Token validation API"