Skip to content

Commit

Permalink
SCOPE: document possible need to iterate on auth (#68)
Browse files Browse the repository at this point in the history
  • Loading branch information
wiese authored Sep 21, 2020
1 parent b041d8f commit d77f4ef
Showing 1 changed file with 10 additions and 0 deletions.
10 changes: 10 additions & 0 deletions SCOPE.md
Original file line number Diff line number Diff line change
Expand Up @@ -67,3 +67,13 @@ Any additional development though would be done within the extension itself. Suc
If not already explicitly included above, any existing action API modules that are intended for use with other action API modules, such as those provided by MediaWiki core, are excluded from the scope of this specification.

For example the `entityterms` module which can be combined with other MediaWiki page lookups to retrieve terms of a connected entity from something like pageid or category list.

## Acknowledged (possible) need for follow-ups

### Authentication

This proposal envisages authentication through the use of HTTP headers. Clients must be crafted in a way that they are in possession of a token and actively send it as part of the requests they perform.

Authentication through cookies is not supported in this proposal and client software can not passively rely on a user agent to maintain login state across requests. This renders [CSRF](https://en.wikipedia.org/wiki/Cross-site_request_forgery) attacks impossible and eliminates the need for "CSRF tokens" to be embedded into request bodies.

This proposal does not elaborate how clients can reach possession of such a token and a decision if an exclusive binding to [OAuth](https://www.mediawiki.org/wiki/OAuth/For_Developers) is desired or feasible in the current state has not been reached.

0 comments on commit d77f4ef

Please sign in to comment.