CSRF tokens should only be required (and only be allowed) if
the current session isn't already inherently safe against
CSRF due to the way the authentication mechanism works.
This allows (and requires) tokens to be omitted for requests
that use an OAuth Authorization header.
Bug: T230843
Bug: T230842
Bug: T237852
Change-Id: Ib2922d556ff2470d4bf8c386c18986ca9f37d1b5
NOTE: once this is merged, also merge Ie7b47e6868cc on the OAuth repo,
to fix unit tests after a breaking change to Router's constructor
signature.
Bug: T230842
Change-Id: I8f5b92918a58e44a4f2d8c78d234d9f64c2d06bf
New configuration variable $wgRestAPIAdditionalRouteFiles
allows specifying additional Core REST API route files to
include. The initial use is to include development routes
from new file coreDevelopmentRoutes.json only on testing
wikis, but not on production wikis.
Bug: T247997
Change-Id: Iff8a9b7f4cafb29162e9b10f3d32e2a85f6f58df
* Added ConditionalHeaderUtil, a conditional request helper class meant
for composition into Handler. I evaluated the composer package
micheh/psr7-cache for this role but I decided that I prefer DIY
code rather than some rather ugly glue.
* Check conditional request headers prior to entry into
Handler::execute(). Contrary to what was previously documented, use
the results of getLastModified() and getETag() to set headers in the
response. This is convenient and can be overridden in the Handler if
desired by overriding a one-line function.
* Instead of locking up header parsing inside ConditionalHeaderUtil as
was done in micheh/psr7-cache, make a start on a new reusable header
parsing framework, with recursive descent parsers for HTTP-date and
IfNoneMatch.
Change-Id: I260809081cad7701df8620ab03834158670d4230
Add public, protected or private to function missing a visibility
Enable the tests folder for the phpcs sniff
Change-Id: Ibefce76ea9984c47e08c94889ea2eafca7565e2c
Just handle a HEAD request as a GET request, if no specific HEAD handler
exists. This is simple and similar to what the rest of MediaWiki does in
response to a HEAD request.
Bug: T226043
Change-Id: I7b2bd657c20b56844459874131a3d85fabe7db3d
* Add ResponseFactory::createLocalizedHttpError(), which generates a
JSON response body from a MessageValue
* ResponseFactory::__construct() accepts an array of TextFormatter
objects. For ease of testing, the array may be empty. The integrated
ResponseFactory has a TextFormatter for English, and one for
$wgContLang if that is different.
* Use createLocalizedHttpError() to show helpful error messages for
errors generated by Router.
Change-Id: I897a0aee42227916c568333ab384966f1b87f599
Parameter validation is based on parameter definitions like those in the
Action API, using the new ParamValidator library. Handlers should use
the provided Handler methods to access parameters rather than fetching
them directly from the RequestInterface.
Body validation allows the handler to have the (non-form-data) body of a
request parsed and validated. The only validator included in this patch
ignores the body entirely; future patches may implement validation for
JSON bodies based on JSON schemas, or the like.
Bug: T223239
Change-Id: I3c37ea2b432840514b6bff90007c8403989225d5
As in api.php. Among other things, this enables profiling.
Move EntryPoint test out of unit/ so that it passes.
Use ob_start()/ob_end_clean() instead of assuming an output buffer is
open, so that EntryPoint::execute() can be run from CLI mode.
Change-Id: I38162a9eac6fd5acfed2035b87cac4a97ffd50d6
Protect private wikis by providing basic read restrictions,
closely following the example of the action API.
The BasicAccess module provides a narrow interface for this
functionality, without exposing the whole session/user concept to the
router.
Also, add RouterTest and fix a bug in Router::getRelativePath() thus
discovered.
Change-Id: I82319d56f08b2eec4a585ff6dbd348ccdbadc5b5
This changeset resumes work on T89432 and related tickets
by porting an initial set of tests to the new unit test suite
separated out in I69b92db3e70093570e05cc0a64c7780a278b321a.
The tests were only ported if they worked immediately without
requiring any changes other than changing the test case class
to MediaWikiUnitTestCase and moving the test to the new suite.
If a test failed for any reason (even trivial misconfiguration),
it was NOT ported.
With this change, the unit tests suite now consits of a total
of 455 tests. As before, you can run these tests via the following
command:
$ composer phpunit:unit
Bug: T84948
Bug: T89432
Bug: T87781
Change-Id: Ibb8175981092d7f41864e641cc3c118af70a5c76
