Add edwardspec/mediawiki-aws-s3 and jeffw16/JWTAuth

[madjacckkkk]

Hello,

I am from Platform One container hardening team and I have a consumer wants to add mediawiki-aws-s3 and JWTAuth extension. Is it possible to request to add these to the list of canasta-extensions?

[jeffw16]

Hi @madjacckkkk,

I support adding these two extensions. As I am biased on the latter, I'll wait for the opinion of others in the community.

@yaronkoren @hexmode @cicalese @freephile @tosfos Any thoughts? :)

[yaronkoren]

Are these the two extensions in question?

https://www.mediawiki.org/wiki/Extension:AWS https://www.mediawiki.org/wiki/Extension:JWTAuth

If so, are both of these known to work with MediaWiki 1.39?

[madjacckkkk]

@jeffw16 @yaronkoren Thank you for your quick response. Yes, those are the two extensions I wanted to request to add. I can have the consumer confirm it tomorrow since he is using the container in an air gapped environment. I was able to add those extensions initially but I lost access/permissions to installing the extensions through composer in our environment. I will get in touch with with consumer tomorrow and hopefully provide more information.

[olsonjaredm]

I second adding these. I've tested AWS successfully on 1.39.1 with no issues. I haven't been able to test JWTAuth (more than enabling it without errors), since it uses POST rather than the Auth Header JWT our system uses. If I can get it patched or otherwise test I'll post here.

[yaronkoren]

@olsonjaredm - is it safe to say that there's no specific need to add JWTAuth to Canasta until it gets modified so it can work with your system?

[olsonjaredm]

Yes, that's fair, and I don't know of any other users that are specifically looking for it yet.

[jeffw16]

I am working with Jared to get JWTAuth working for this specific use case. Assuming it works, @yaronkoren would you think it's a good idea to include JWTAuth in Canasta?

[yaronkoren]

I don't know - the general approach with Canasta is to go with extensions that are already seeing significant usage, rather than relatively new extensions. That said, I know very little about authentication, so other people may have more informed views on this.

Also, I should note that the case for including the other extension, AWS, seems a lot stronger! It certainly seems like a useful extension.

[jeffw16]

@yaronkoren I agree with your assessment of AWS. We have used it extensively at MyWikis for over 2 years now without any issues.

Perhaps it would be easier for the USSF to harden and use JWTAuth if it were included in Canasta. If that's the case, would it be alright to include the extension in Canasta? It's already being used by WikiTeq.

[yaronkoren]

It would definitely be interesting to hear from someone at USSF whether inclusion in Canasta makes a difference. It's also interesting to hear that WikiTeq is using it! Of course, we're talking about a version of JWTAuth that doesn't exist yet, which further complicates the issue.

I don't know - and again, I'm not the expert on any of this stuff; it would be good to know what other people think.

[olsonjaredm]

It's true, it is easier for USSF to use an extension if included in Canasta. Theoretically I can configure Composer to pull in git repos or from Packagist within the CI/CD pipeline but I have to manually update and commit json and lock files each time. We should have an updated JWTAuth soon.

[jeffw16]

Per discussion at today's Canasta meeting, we can add the AWS extension immediately and once JWTAuth has its latest PR by @olsonjaredm merged in, it can also be added to Canasta.

[olsonjaredm]

JWTAuth is ready to be added. Jeffrey merged in my pull request, and I am using the version from his repo successfully on USSF Space-Wiki.

[yaronkoren]

These have both now been added in!