
Flow does not use the standard edit token
Closed, Resolved, Public

Description

From Flow.php:

// Salt used to generate edit tokens for authenticating Flow actions
$wgFlowTokenSalt = 'flow';

From includes/api/ApiFlow.php:

public function getTokenSalt() {
        global $wgFlowTokenSalt;
        return $wgFlowTokenSalt;
}

Why is Flow using a non-standard token? What's the advantage to doing so?

It's a disadvantage to anyone using the API since they need to fetch another token, and in many cases they already have an edit token.


Version: unspecified
Severity: normal
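The cost described in the report, as an added example that is not part of the original task or of MediaWiki/Flow code: a simplified PHP model of session-bound tokens salted per module, showing that a token minted under one salt fails validation under another, so a client needs one fetch per distinct salt. The function names, the HMAC-SHA256 construction and the empty salt for the standard edit token are assumptions for illustration; only the 'flow' salt value comes from the page.

```php
<?php
// Added example: simplified model of salted, session-bound CSRF tokens.
// Names and the HMAC construction are hypothetical, not MediaWiki's own code.

// Derive a token from the per-session secret and a module-specific salt.
function mintToken(string $sessionSecret, string $salt): string {
    return hash_hmac('sha256', $salt, $sessionSecret);
}

// Validate in constant time against the token expected for this salt.
function checkToken(string $sessionSecret, string $salt, string $presented): bool {
    return hash_equals(mintToken($sessionSecret, $salt), $presented);
}

// Number of distinct tokens a client must fetch to perform the given
// actions, given the salt each module validates against.
function tokensNeeded(array $moduleSalts, array $actions): int {
    $salts = [];
    foreach ($actions as $action) {
        $salts[$moduleSalts[$action]] = true;
    }
    return count($salts);
}

$secret = bin2hex(random_bytes(16));      // constructed per-session secret

$editToken = mintToken($secret, '');      // standard token (empty salt assumed)
$flowToken = mintToken($secret, 'flow');  // salt value of $wgFlowTokenSalt

// The edit token a client already holds is rejected by a module salted 'flow'.
printf("edit token accepted by edit module: %s\n",
    var_export(checkToken($secret, '', $editToken), true));
printf("edit token accepted by flow module: %s\n",
    var_export(checkToken($secret, 'flow', $editToken), true));
printf("flow token accepted by flow module: %s\n",
    var_export(checkToken($secret, 'flow', $flowToken), true));

// With a dedicated salt the client fetches two tokens; with a shared salt, one.
$actions = ['edit', 'flow'];
printf("fetches with dedicated salt: %d\n",
    tokensNeeded(['edit' => '', 'flow' => 'flow'], $actions));
printf("fetches with shared salt:    %d\n",
    tokensNeeded(['edit' => '', 'flow' => ''], $actions));
```

Both tokens derive from the same session secret, so the separate salt scopes a token to one module rather than adding a second secret.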

Details

Reference
bz55846

Event Timeline

bzimport raised the priority of this task from to Low. Nov 22 2014, 2:13 AM
bzimport set Reference to bz55846.

The WMF core features team tracks this bug on Mingle card https://mingle.corp.wikimedia.org/projects/flow/cards/334, but people from the community are welcome to contribute here and in Gerrit.

In testing various stuff, I've observed that because Flow has to fetch the token, it's causing the overhead of at least one extra GET request for any action the user wishes to take.

I plan on fixing this bug once the API rewrite is done if there are no objections.

I haven't heard any greatly compelling reason to have an independent token; greps through other extensions seem to indicate it's not a widely used option. Go for it.

Change 126179 had a related patch set uploaded by Legoktm:
API: Use a standard edit token

https://gerrit.wikimedia.org/r/126179

Change 126179 merged by jenkins-bot:
API: Use a standard edit token

https://gerrit.wikimedia.org/r/126179