Default the "watchlisttoken" value to a derived HMAC value

* This got created if unset on API or GUI preferences access,
  which leads to writes on GET requests. Try to avoid that
  deriving it from user_token, unless overriden. This also
  means that changing the password always resets the key,
  which is how these things work on most sites anyway.
* The whole getTokenFromOption() method is deprecated, and
  this functionality is already in OAuth.

Bug: T92357
Change-Id: I96c0d6f6e535e67545049f01205430249eea8da0

diff --git a/RELEASE-NOTES-1.26 b/RELEASE-NOTES-1.26
index 6dcf919..9b93740 100644 (file)
--- a/RELEASE-NOTES-1.26
+++ b/RELEASE-NOTES-1.26
@@ -166,6 +166,9 @@ changes to languages because of Phabricator reports.
   a lengthy deprecation period.
 * The ScopedPHPTimeout class was removed.
 * Removed maintenance script fixSlaveDesync.php.
+* Watchlist tokens, SpecialResetTokens, and User::getTokenFromOption()
+  are deprecated. Applications using those can work via the OAuth
+  extension instead. New tokens types should not be added.
 
 == Compatibility ==
 

diff --git a/includes/User.php b/includes/User.php
index 9b958f4..4276a7d 100644 (file)
--- a/includes/User.php
+++ b/includes/User.php
@@ -2438,6 +2438,7 @@ class User implements IDBAccessObject {
         */
        public function setInternalPassword( $str ) {
                $this->setToken();
+               $this->setOption( 'watchlisttoken', false );
 
                $passwordFactory = self::getPasswordFactory();
                $this->mPassword = $passwordFactory->newFromPlaintext( $str );
@@ -2715,20 +2716,24 @@ class User implements IDBAccessObject {
         * @return string|bool User's current value for the option, or false if this option is disabled.
         * @see resetTokenFromOption()
         * @see getOption()
+        * @deprecated 1.26 Applications should use the OAuth extension
         */
        public function getTokenFromOption( $oname ) {
                global $wgHiddenPrefs;
-               if ( in_array( $oname, $wgHiddenPrefs ) ) {
+
+               $id = $this->getId();
+               if ( !$id || in_array( $oname, $wgHiddenPrefs ) ) {
                        return false;
                }
 
                $token = $this->getOption( $oname );
                if ( !$token ) {
-                       $token = $this->resetTokenFromOption( $oname );
-                       if ( !wfReadOnly() ) {
-                               $this->saveSettings();
-                       }
+                       // Default to a value based on the user token to avoid space
+                       // wasted on storing tokens for all users. When this option
+                       // is set manually by the user, only then is it stored.
+                       $token = hash_hmac( 'sha1', "$oname:$id", $this->getToken() );
                }
+
                return $token;
        }
 

diff --git a/includes/specials/SpecialResetTokens.php b/includes/specials/SpecialResetTokens.php
index 27a3a69..cba5a44 100644 (file)
--- a/includes/specials/SpecialResetTokens.php
+++ b/includes/specials/SpecialResetTokens.php
@@ -25,6 +25,7 @@
  * Let users reset tokens like the watchlist token.
  *
  * @ingroup SpecialPage
+ * @deprecated 1.26
  */
 class SpecialResetTokens extends FormSpecialPage {
        private $tokensList;