Extension:Third party session verification

MediaWiki extensions manual
Third party session verification
Release status: stable
Implementation: API
Author(s): Egill (Ataaseq)
Latest version: 1.0 (2020-06-28)
Database changes: No
License: GNU General Public License 2.0 or later
Download: GitHub

The third party session verification extension allows other backend services to verify that a user is logged in.

Installation

  • Download and place the file(s) in a directory called ThirdPartySessionVerification in your extensions/ folder.
  • Add the following code at the bottom of your LocalSettings.php file:
    wfLoadExtension( 'ThirdPartySessionVerification' );
    
  • Done – Navigate to Special:Version on your wiki to verify that the extension is successfully installed.

Use

Getting a token

Your user receives a token by making a request to /w/api.php?action=session_verification.

Or, using the MediaWiki JavaScript API:

var api = new mw.Api();
api.get({
  action: 'session_verification',
  format: 'json'
}).done(function (data) {
  console.log(data.session_verification.token);
});

The response has the form:

{
    "session_verification": {
        "token": "93b2b4a53724f0-91ef87-1593373844-1"
    }
}

Tokens are only given to logged-in users. The token encodes the user ID and the timestamp.

Verifying the token

Any service can now use the token to verify that a user is logged in. This extension does not prevent the same token from being verified multiple times, but you can keep track of used tokens in your backend and reject repeats.

There is no time limit for tokens, but the parameter token_age_in_seconds is returned, so your service can opt to refuse old tokens.

To verify a token, send it to /w/api.php?action=session_verification&token=93b2b4a53724f0-91ef87-1593373844-392. The response has the form:

{
    "session_verification": {
        "success": 1,
        "userID": "392",
        "token_age_in_seconds": 45
    }
}

You can now be certain that the user with the ID 392 was logged in when they said they were. You can now use API:Users to find information about the user with this user ID, such as their username and user rights.
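
A sketch of the backend checks this section leaves to your service (refusing old tokens and refusing repeats), as an added example that is not part of the extension: the function names, the 120-second limit and the in-memory cache are assumptions, and only the request parameters and response fields shown above are taken from this page.

```javascript
// Added example: backend-side policy around action=session_verification.
// MAX_AGE_SECONDS, the in-memory replay cache and all function names are
// assumptions of this sketch, not part of the extension.
const MAX_AGE_SECONDS = 120;
const usedTokens = new Map(); // token -> local time (ms) after which it is too old anyway

// Pure decision step: takes the parsed API response and applies local policy.
function judgeResponse(body, token, nowMs = Date.now()) {
  const sv = body && body.session_verification;
  // Fail closed: anything other than the documented "success": 1 is a refusal.
  if (!sv || sv.success !== 1) return { ok: false, reason: 'not_verified' };
  const age = Number(sv.token_age_in_seconds);
  if (!Number.isFinite(age) || age < 0 || age > MAX_AGE_SECONDS) {
    return { ok: false, reason: 'too_old' };
  }
  // Drop cache entries that the age check now rejects on its own.
  for (const [t, expires] of usedTokens) if (expires <= nowMs) usedTokens.delete(t);
  if (usedTokens.has(token)) return { ok: false, reason: 'replayed' };
  // Remember the token until it is too old; +1 s covers rounding of the reported age.
  usedTokens.set(token, nowMs + (MAX_AGE_SECONDS - age + 1) * 1000);
  return { ok: true, userID: String(sv.userID) };
}

// Network step: ask the wiki, then judge. fetchImpl is injectable for testing.
async function verifyToken(apiUrl, token, fetchImpl = fetch) {
  const url = apiUrl + '?action=session_verification&format=json&token=' +
    encodeURIComponent(token);
  const res = await fetchImpl(url);
  if (!res.ok) return { ok: false, reason: 'http_error' };
  return judgeResponse(await res.json(), token);
}
```

A service running more than one instance would need a shared store in place of the in-memory Map, otherwise a token used on one instance is still accepted on another.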
