As a developer of a tool accessing Wikibase data, I want to authenticate as a mediawiki user, so that I can use any permissions granted to the user account
Authentication should happen using an HTTP header providing a bearer token.
The Mediawiki REST API is designed to work with Mediawiki's OAuth extension, which issues bearer tokens on behalf of the authorized user: https://www.mediawiki.org/wiki/OAuth/For_Developers#OAuth_2
BDD
As an API user
GIVEN items are only visible for logged-in users
AND I have authenticated as a mediawiki user
WHEN I make a GET request to /entities/items/{item_id}
AND I provide a valid OAuth bearer token in an Authorization header
THEN I receive a 200 HTTP response from the API
AND the response contains the item data
AND the response headers include an X-Authenticated-User header whose value is the authenticated user's username
As an API user
GIVEN items are only visible for logged-in users
AND I make the request as an anonymous user
WHEN I make a GET request to /entities/items/{item_id}
AND I do not provide an Authorization header
THEN I receive a 403 HTTP response from the API
[likely provided by the Mediawiki REST API framework, might not require work on Wikibase REST API side]
As an API user
WHEN I make a GET request to /entities/items/{item_id}
AND I provide an invalid OAuth bearer token in an Authorization header
THEN I receive a 403 HTTP response from the API
Notes
- @Jakob_WMDE reports about the implementation: we can get the authenticated user in our REST route handler via $this->getAuthority()->getUser()
- Configuring OAuth consumers on Beta Wikidata is NOT in scope of that story
- Storing bearer tokens on disk (in cookies) must be avoided.
- The OAuth mediawiki extension becomes a de facto requirement for using the Wikibase REST API. Without the extension, the Wikibase REST API will treat all requests as coming from non-logged-in users. The Wikibase REST API will not reveal any private/non-public data that should be unavailable to non-logged-in users, as long as the Mediawiki REST API framework's "basic authorization" is not skipped (see the MWBasicRequestAuthorizer class).
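Sketch of how a route handler could pick up the OAuth-authenticated user and satisfy the scenarios above (added example, not Wikibase's actual handler code). It assumes the MediaWiki REST framework's SimpleHandler/ResponseFactory classes; the handler class name and the inline item payload are constructed for illustration. The framework's basic authorizer may already reject anonymous or invalid-token requests with 403 before the handler runs, so the explicit check here is defence in depth.

```php
<?php
// Added example: not Wikibase's own code. Class name and payload are hypothetical.
namespace Wikibase\Repo\RestApi\Example;

use MediaWiki\Rest\HttpException;
use MediaWiki\Rest\Response;
use MediaWiki\Rest\SimpleHandler;
use Wikimedia\ParamValidator\ParamValidator;

class GetItemHandler extends SimpleHandler {

	// SimpleHandler passes validated path parameters to run() in order.
	public function run( string $itemId ): Response {
		// The REST framework has already resolved the "Authorization: Bearer ..." header
		// through the OAuth extension; the resulting user is exposed via the authority.
		// An anonymous request (no header, or a rejected token) yields an unregistered user.
		$user = $this->getAuthority()->getUser();

		if ( !$user->isRegistered() ) {
			// Scenarios 2 and 3: no valid bearer token -> 403, no item data leaked.
			throw new HttpException( 'Items are only visible to logged-in users', 403 );
		}

		// Scenario 1: constructed item payload; a real handler would use Wikibase lookups.
		$response = $this->getResponseFactory()->createJson( [
			'id' => $itemId,
			'type' => 'item',
		] );
		// Echo the authenticated account so clients can confirm which user the token mapped to.
		$response->setHeader( 'X-Authenticated-User', $user->getName() );
		return $response;
	}

	public function getParamSettings(): array {
		return [
			'item_id' => [
				self::PARAM_SOURCE => 'path',
				ParamValidator::PARAM_TYPE => 'string',
				ParamValidator::PARAM_REQUIRED => true,
			],
		];
	}

	public function needsWriteAccess(): bool {
		return false;
	}
}
```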
References, other remarks
- Authorization-related remarks in the Mediawiki REST API documentation: https://www.mediawiki.org/wiki/API:REST_API#Permissions_and_authorization, https://www.mediawiki.org/wiki/API:REST_API/Reference#Create_page
- Overview of OAuth mediawiki extension's OAuth 2 REST endpoints: https://www.mediawiki.org/wiki/Extension:OAuth#OAuth_2.0_REST_endpoints
- Authentication-related considerations in the 2020 proposal: https://github.com/wmde/wikibase-rest-api-proposal/blob/master/SCOPE.md#acknowledged-possible-need-for-follow-ups