oauth.md

File metadata and controls

52 lines (37 loc) · 4.44 KB

Back to README

OAuth Setup

If you have not already completed the dashboard setup portion of the documentation, please head over there first.

In order to use and develop the authenticated features of the application (course creation, the assignment design wizard, user management, etc.) you will need to create a MediaWiki OAuth consumer. You can skip this setup process and use the consumer provided in `config/application.example.yml` to get started; this consumer cannot be used to make edits or update preferences on Wikipedia, but it can be used to log in.

If you haven't already set an email address for your Wikimedia project account, log in to a Wikimedia site with your username and password. Once you're logged in, click on "Preferences" in the upper right-hand corner. In the "User profile" tab under "Preferences" (selected by default), set your email address. You'll need this to confirm your account and get your token and secret key in the next step.

To register an OAuth consumer, your account must be "confirmed". This happens automatically after a certain number of edits, but if your account is new and you're impatient, you can request your account to be manually confirmed here.

You'll now propose an OAuth consumer. Fill out the form with the following values:

  • Application name: <YOUR_NAME>_at_<YOUR_COMPANY>
  • Application description: <YOUR_NAME>'s local machine
  • OAuth "callback" URL: http://localhost:3000/users/auth/mediawiki/callback
  • Contact email address: <YOUR_EMAIL> (this must match your Wikimedia account email)
  • Permissions: select Edit existing pages and Create, edit, and move pages
  • Public RSA Key: Leave this blank, so that you receive a secret key in the next step.

Clicking on the 'Propose consumer' button should return a token and secret, which you should store in your `application.yml` file.

Production and other consumers

A development consumer, used only by the proposer, will work immediately. For production or shared testing environments, consumers must be approved before anyone but the proposer can authorize the application. You can post a request for approval here (see example).

Updating the production consumer

When you request a new consumer, add the tokens to the production server's `application.yml`, commented out, so they are ready for the switchover.

  1. Ideally, schedule the consumer update for a time when few users will be active.
  2. Add a site notice informing users that they will be logged out, 30 minutes or more before the consumer is updated.
  3. Initiate a snapshot of the Linode server and wait for it to finish (just in case).
  4. Update `application.yml`, commenting out the old tokens and uncommenting the new, and removing the site notice.
  5. In a rails console on production, remove all OAuth tokens from users: `User.update_all(wiki_token: nil, wiki_secret: nil)`.
  6. Restart both the main server process (`touch tmp/restart.txt`) and the sidekiq processes (`cap production deploy:sidekiq:restart`).
  7. Find the CID of that consumer via Special:Tags on Wikipedia, and add it to the list of CIDs in `application.yml`.
    1. You can also find the CID by logging in to the Dashboard with the new consumer, then visiting https://meta.wikimedia.org/wiki/Special:OAuthManageMyGrants. The CID is part of the 'Your edits by this application' link.
  8. Restart the server and sidekiq processes again.
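Steps 4 and 7 are easy to get subtly wrong (two active consumer pairs, a site notice left in place, the new CID never added), and the mistake only surfaces after the restart logs everyone out. The script below is an added example, not part of the Dashboard's own code: it runs the checks a practitioner would want against `application.yml` before step 6. It parses a constructed sample file, and the key names it looks for (`wikipedia_consumer_key`, `wikipedia_consumer_secret`, `oauth_cids`, `site_notice`) are assumptions for the example, passed in as parameters so they can be swapped for the real ones.

```ruby
require 'yaml'

# Constructed sample of an application.yml after the switchover (steps 4 and 7):
# old tokens commented out, new ones active, new CID appended, site notice cleared.
# The key names below are assumptions for this example, not the Dashboard's real keys.
SAMPLE_APPLICATION_YML = <<~YAML
  # previous consumer, kept commented out for rollback
  # wikipedia_consumer_key: "OLD_TOKEN_PLACEHOLDER"
  # wikipedia_consumer_secret: "OLD_SECRET_PLACEHOLDER"
  wikipedia_consumer_key: "NEW_TOKEN_PLACEHOLDER"
  wikipedia_consumer_secret: "NEW_SECRET_PLACEHOLDER"
  oauth_cids: "1111,2222"
  site_notice: ""
YAML

# Count uncommented lines that assign the given top-level key. A YAML parse alone
# cannot detect a forgotten comment-out, because the parser silently keeps only the
# last duplicate key, so this scans the raw text instead.
def active_assignments(yml_text, key)
  yml_text.lines.map(&:strip)
          .reject { |line| line.empty? || line.start_with?('#') }
          .count { |line| line.start_with?("#{key}:") }
end

# Returns a list of problems found; an empty list means the file is ready for the restart.
def check_switchover(yml_text, new_cid:,
                     key_name: 'wikipedia_consumer_key',
                     secret_name: 'wikipedia_consumer_secret',
                     cid_list_name: 'oauth_cids',
                     notice_name: 'site_notice')
  problems = []
  config = YAML.safe_load(yml_text) || {}

  # Step 4: exactly one consumer key and one secret may be active.
  [key_name, secret_name].each do |k|
    n = active_assignments(yml_text, k)
    problems << "#{k}: expected exactly one active value, found #{n}" unless n == 1
  end

  # Step 7: the new consumer's CID must be in the comma-separated CID list.
  cids = config.fetch(cid_list_name, '').to_s.split(',').map(&:strip)
  problems << "#{cid_list_name}: new CID #{new_cid} missing" unless cids.include?(new_cid.to_s)

  # Step 4: the logout warning from step 2 should have been removed.
  notice = config[notice_name].to_s.strip
  problems << "#{notice_name}: still set (\"#{notice}\")" unless notice.empty?

  problems
end

if __FILE__ == $PROGRAM_NAME
  problems = check_switchover(SAMPLE_APPLICATION_YML, new_cid: 2222)
  puts(problems.empty? ? 'config ready for restart' : problems.join("\n"))
end
```

Run it against the real file with `check_switchover(File.read('config/application.yml'), new_cid: <CID>)` (and the real key names) before restarting; a non-empty list is a reason to stop and fix the file rather than proceed to step 6.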

Admin permissions

Give users admin privileges in the app, e.g. to approve submitted courses, by setting the `users.permissions` field to `1`. For example, if your wiki username is "RageSock",

```
rails runner "User.find_by(wiki_id: 'RageSock').update(permissions: User::Permissions::ADMIN)"
```

or via mysql,

```
mysql -e "update users set permissions = 1 where wiki_id='RageSock'" dashboard
```