From 89fb4f57b114c4d0dc346abaf2358bf2816f2600 Mon Sep 17 00:00:00 2001 From: Pablo Grass Date: Mon, 21 Sep 2020 14:51:27 +0200 Subject: [PATCH] SCOPE: document possible need to iterate on auth --- SCOPE.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/SCOPE.md b/SCOPE.md index cfa1163..20014dc 100644 --- a/SCOPE.md +++ b/SCOPE.md @@ -67,3 +67,13 @@ Any additional development though would be done within the extension itself. Suc If not already explicitly included above, any existing action API modules that are intended for use with other action API modules, such as those provided by MediaWiki core, are excluded from the scope of this specification. For example the `entityterms` module which can be combined with other MediaWiki page lookups to retrieve terms of a connected entity from something like pageid or category list. + +## Acknowledged (possible) need for follow-ups + +### Authentication + +This proposal envisages authentication through the use of HTTP headers. Clients must be crafted in a way that they are in possession of a token and actively send it as part of the requests they perform. + +Authentication through cookies is not supported in this proposal and client software can not passively rely on a user agent to maintain login state across requests. This renders [CSRF](https://en.wikipedia.org/wiki/Cross-site_request_forgery) attacks impossible and eliminates the need for "CSRF tokens" to be embedded into request bodies. + +This proposal does not elaborate how clients can reach possession of such a token and a decision if an exclusive binding to [OAuth](https://www.mediawiki.org/wiki/OAuth/For_Developers) is desired or feasible in the current state has not been reached.