定制 mwstake/mediawiki-component-token-authenticator 二次开发

按需修改功能、优化性能、对接业务系统,提供一站式技术支持

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

mwstake/mediawiki-component-token-authenticator

Composer 安装命令:

composer require mwstake/mediawiki-component-token-authenticator

包简介

Real time messaging

README 文档

README

This component provides everything needed to generate random tokens for users that can be later exchanged for user information.

Usage - User token

Generate token

REST API endpoint /mws/v1/user-token/generate can be used to generate a token for the user.

Client-side: mws.tokenAuthenticator.generateToken( withIssuer ). Params: withIssuer - boolean - default: false. If true, will include info about the wiki (url) that issued the token. To be used when verifying token, as a target for verification. If used, salt must be used.

Verify token

Call REST API endpoint /mws/v1/user-token/verify/{token} to verify the token. If valid, you will receive info on the user that the token was issued for, including user ID, username, and other info.

Verification when using salt

If token was salted, you will need to decode it using the salt, and then b64 decode it. Pass only the token from the decoded token object at verification time.

Salt

Configure $GLOBALS['mwsgTokenAuthenticatorSalt'] = '<random string>'; in your LocalSettings.php file, to salt the tokens issued by this service. This is recommended for security reasons. Note that token will only be salted if so required, not by default.

When salted, token structure is changed, instead of just a plain string token, token is a b64-encoded JSON that looks like this

[
    'verifyCallback' => $callbackUrl,
    'token' => $token,
    'sig' => $signature,
]

Where:

  • verifyCallback is the URL to call to verify the token, wiki that generated it.
  • token is the actual token
  • sig is the signature of the token to verify its issuer is trustworthy. Signature is a HMAC value generated by hasing verifyCallback . token with the salt.

Static token for service authentication

For service-to-service authentication, you can use a static token.

Include header Authorization: ApiKey {my_token} when making calls. This authentication only works for REST and Action API calls.

Configure token(s)

$GLOBALS['mwsgTokenAuthenticatorServiceTokens'] = [
    [
        'token' => 'api_test_8f42d1a6e0b34b78a2f1c3de9b123abc',
        'cidr' => '127.0.0.1/32',
        'user-context' => 'MyUser',
        'api-modules' => [
            MyApi::class
        ],
        'rest-paths' => [
            '/mws/v1/some/rest/path',
        ],
    ]
];

Of these values, optional are:

  • cidr - if omitted, $GLOBALS['mwsgTokenAuthenticatorServiceCIDR'] will be used. To disable CIDR checking, set to empty string.
  • user-context - if omitted, $GLOBALS['mwsgTokenAuthenticatorServiceUser'] will be used.

Global settings

You can limit access to specific CIDR ranges by configuring

$GLOBALS['mwsgTokenAuthenticatorServiceCIDR'] = '127.0.0.1/32';

Configuring user that the service token represents:

$GLOBALS['mwsgTokenAuthenticatorServiceUser'] = 'ChatBot service user';

This is the default user and it will be create and configured automatically. If you want to use a different user, create it manually and set this variable to the username. Due to user token limitations, only "actual" (non-system) users can be used here.

Dynamic token for service authentication

As static token limits the amount of APIs you can access, in order to access full range of APIs, use dynamic token. This token is similar to a user token, but instead of being issued for a user, it's issued for a service, and can be used to authenticate the service on the behalf of the "Service user".

This tokens are always encrypted and salted, so you will need to decode it first using the salt value, to get the actual token, and callbackUrl

Generate using /mws/v1/app-token/generate.

When making requests provide header: Authorization AppToken {decoded token}. This will provide you with a full-access session.

Note that this will authenticate as user mwsgTokenAuthenticatorServiceUser. It will give this user sysop group, to ensure it can execute all APIs. If another user is assigned to this, make sure it is ok that this user gets sysop group.

When issuing and granting sessions based on these tokens, $GLOBALS['mwsgTokenAuthenticatorServiceCIDR'] = '127.0.0.1/32'; is respected, to limit access.

When session is created for such token, it will be created on behalf of $GLOBALS['mwsgTokenAuthenticatorServiceUser']

Logging

Component logs into MWStake.TokenAuthenticator channel for token verification and to session for session providing.

统计信息

  • 总下载量: 1.97k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 0
  • 点击次数: 1
  • 依赖项目数: 1
  • 推荐数: 0

GitHub 信息

  • Stars: 0
  • Watchers: 0
  • Forks: 0
  • 开发语言: PHP

其他信息

  • 授权协议: GPL-3.0-only
  • 更新时间: 2025-08-14

承接程序开发

PHP开发

VUE

Vue开发

前端开发

小程序开发

公众号开发

系统定制

数据库设计

云部署

网站建设

安全加固