Bug #71501 for MediaWiki-API: MediaWiki::API & Auth

Thu Oct 06 10:05:35 2011 Roberto.Santoro [...] etsi.org - Ticket created

Subject:	MediaWiki::API & Auth_remoteuser (Basic Authentication)
Date:	Thu, 6 Oct 2011 16:05:20 +0200
To:	"bug-MediaWiki-API [...] rt.cpan.org" <bug-MediaWiki-API [...] rt.cpan.org>
From:	Roberto Santoro <Roberto.Santoro [...] etsi.org>

Hello, it seems to me that the MediaWiki::API does not allow to connect to a Wiki when using the Auth_remoteuser module (using Basic Authentication). I tried extending the MediaWiki::API->new() method by adding a $ua->credentials( 'URL:80', 'Domain', 'user' => 'password' ); But I still get a 2: 401 Unauthorized : error occurred when accessing http://test.server.com/wiki/api.php after 1 attempt(s) at D:\website\wiki\extensions\EmailToWiki\EmailToWiki.pl line 166. Do you have any plan to implement this feature? Thanks, Best Regards, Roberto Santoro Web & Database Administration Officer, ETSI Information Technology http://www.etsi.org<http://www.etsi.org/> Telephone: +33 (0)4 92 94 42 23 Mobile: +33 (0)6 84 11 26 10 Fax: +33 (0)4 92 38 52 45 E-Mail: roberto.santoro@etsi.org<mailto:firstname.lastname@etsi.org> High Performance - Customer Focus - Integrity - Teamwork - Mutual Respect - Responsibility P Please consider the environmental impact before printing this e-mail

Thu Oct 06 11:24:43 2011 buzz [...] exotica.org.uk - Correspondence added

Show quoted text

> Do you have any plan to implement this feature?

This module only support what the mediawiki api supports http://www.mediawiki.org/wiki/API:Main_page if some extension adds some functionality to mediawiki but not to the api code, then i guess it won't work, and you should take it up with the extension authors I guess, or the author of the api parts of mediawiki.

Thu Oct 06 11:24:44 2011 The RT System itself - Status changed from 'new' to 'open'

Sat May 19 16:06:08 2012 buzz [...] exotica.org.uk - Correspondence added

I can add that http auth does work with this module. I have used it I can confirm that changing $mw->{ua}->credentials works, or alternatively include the user/pass in the url. If the credentials call isn't working, then you probably have the syntax wrong, or the realm doesnt match. it still may not work with your mediawiki extension though, depending on how it integrates. ie - if once you have http authenticated, the API stuff works as it should. Marking this ticket as rejected, as it isn't a bug of this module, but feel free to post back if you need any more advice.

Sat May 19 16:06:09 2012 buzz [...] exotica.org.uk - Status changed from 'open' to 'rejected'

Tue Sep 11 16:43:17 2012 https://www.google.com/accounts/o8/id?id=AItOawlOt-u_guZ4bmAfqiqqWcWOaOSn_hxz8kw - Correspondence added

From:

Bruce Elrick <bruce.elrick [...] gmail.com>

On Sat May 19 16:06:08 2012, exobuzz wrote: Show quoted text

> Marking this ticket as rejected, as it isn't a bug of this module, but > feel free to post back if you need any more advice.

MediaWiki::API maintainers here say this is a MediaWiki API problem. However at the Wikimedia site they say the opposite: https://bugzilla.wikimedia.org/show_bug.cgi?id=31425 I say both sets of maintainers have not spent and significant time looking at where this problem lies. Could you at least take a look on your side? And if you have definitive evidence that the problem is on the other side, could you update the problem ticket at the Wikimedia support site? Thanks, Bruce

Tue Sep 11 16:43:18 2012 The RT System itself - Status changed from 'rejected' to 'open'

Fri Sep 14 13:29:03 2012 https://www.google.com/accounts/o8/id?id=AItOawlOt-u_guZ4bmAfqiqqWcWOaOSn_hxz8kw - Correspondence added

After some digging I've found the opposite, that indeed the MediaWiki PHP-based API as written does not require action=login and that, with the Auth_remoteuser extension configured, you can hit other action=X URLs with a browser, Apache will properly respond with a 401 Unauthorized, the browser will prompt for a username/password, then Apache and the api.php will deliver a proper API response page as expected. This means that indeed the CPAN MediaWiki::API module must be the location of the incompatibility - it must assume that an action=login request must proceed any other request. I've updated the WikiMedia bug with this info. I'll report any findings here as I dig into the Perl module code. Thanks, Bruce

Fri Sep 14 14:36:51 2012 https://www.google.com/accounts/o8/id?id=AItOawlOt-u_guZ4bmAfqiqqWcWOaOSn_hxz8kw - Correspondence added

From:

Bruce Elrick

Ok, I've found that not only does the MediaWiki API support the Auth_remoteuser extension, so does the CPAN module MediaWiki::API, it just requires knowing how to configure. Assuming you have a MediaWiki web site set up at wiki.example.com, accessible via HTTPS, with the authentication name "Authentication Domain example.com", the following is Perl code to dump the contents of a page. Some things that I learned (that might trip up others as it did me): 1) I had configured my Apache server's LDAP authentication from AD with the "AuthName" option to be "Authentication Domain example.com" instead of "example.com" because I wanted users to know they were authenticating with their AD credentials. What I didn't realize at the time is the underlying mechanism that: a) The web server includes the "Basic realm=\"Authentication Domain example.com\"" in the "www-authenticate" header of the 401 response b) The browser includes that realm string in the base64 encoded string that is returned in basic authentication header of the next request c) I had always pictured in my mind that only the user name and password were passed and had not even considered the realm d) Because of c), I did not think of the text matching between the Apache AuthName option and the realm part of the credentials 2) You have to manually set the authentication using the LWP::UserAgent- Show quoted text

>crendentials method as seen below by accessing the UserAgent sub-object

with $mw->{ua}->credentials() 3) I actually figured out 2) first but it didn't work and that's when I realized my misunderstanding in 1). Hopefully this code below helps other users of the CPAN moduel MediaWiki::API who are using with the Auth_remoteuser extension to MediaWiki. Cheers... Bruce ##### use MediaWiki::API; $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0; # Disable host certificate checking my $mw = MediaWiki::API->new(); $mw->{config}->{api_url} = 'https://wiki.example.com/w/api.php'; $mw->{ua}->credentials( 'wiki.example.com:443', 'Authentication Domain example.com', 'myuser', 'myPa$$' ); my $page = $mw->get_page( { title => 'Test Page' } ); #|| die $mw-> {error}->{code} . ': ' . $mw->{error}->{details}; print $page->{'*'};

Fri Sep 14 14:51:40 2012 https://www.google.com/accounts/o8/id?id=AItOawlOt-u_guZ4bmAfqiqqWcWOaOSn_hxz8kw - Correspondence added

And in response to the original bug reporter, it looks like perhaps a formatting error, using '=>' instead of ',' for separating the username and password? I know => is a synonym of the comma, but perhaps in the context of a method call it doesn't work? I ended up using Data::Dump to dump the MediaWiki::API object after the 401 to diagnose my error of not having the exact matching realm string.

Sat Jan 19 11:32:35 2013 buzz [...] exotica.org.uk - Correspondence added

Show quoted text

> I ended up using Data::Dump to dump the MediaWiki::API object after the > 401 to diagnose my error of not having the exact matching realm string.

could have just used wget -S or something ? Anyway, a simpler way to pass the username/password is in the url, which for some reason no-one tried despite me suggesting it earlier. Closing this ticket now - it is not a bug of the module. The credential passing is also fully documented as part of the LWP:UserAgent module.

Sat Jan 19 11:32:36 2013 buzz [...] exotica.org.uk - Status changed from 'open' to 'rejected'

Bug #71501 for MediaWiki-API: MediaWiki::API & Auth_remoteuser (Basic Authentication)