Revert "Don’t use mwoauth.identify() to get user name"

lucaswerkmeister · lucaswerkmeister · commit c245ccdde49c · 2025-09-08T21:13:47.000+01:00
This was poorly advised, as index.php told users to use a “user identification only“ consumer if they didn’t need any grants, but the authorization area would be broken in that case: such consumers aren’t allowed to use the API (error: readapidenied). I think the best solution is to switch back to mwoauth.identify(): yes, it’s not a great interface, but it’s better than only supporting “regular” OAuth consumers in the tool, or than introducing another prompt in cookiecutter.json asking which type of OAuth consumer users are intending to use, or than including the code for both versions and falling back from action='userinfo' to mwoauth.identify() if the former yields an error. This reverts commit a4b9d93. Bug: T403932
diff --git a/{{cookiecutter.tool_identifier}}/app.py b/{{cookiecutter.tool_identifier}}/app.py
@@ -88,10 +88,14 @@ def authentication_area(){% if cookiecutter.set_up_mypy == "True" %} -> Markup{%
                 Markup.escape(flask.url_for('login')) +
                 Markup(r'">Log in</a></span>'))
 
-    userinfo = session.get(action='query',
-                           meta='userinfo')['query']['userinfo']
+    access_token = mwoauth.AccessToken(
+        **flask.session['oauth_access_token'])
+    identity = mwoauth.identify(index_php,
+                                consumer_token,
+                                access_token)
+
     return (Markup(r'<span class="nav-item navbar-text">Logged in as ') +
-            user_link(userinfo['name']) +
+            user_link(identity['username']) +
             Markup(r'</span>'))
 
 
diff --git a/{{cookiecutter.tool_identifier}}/templates/index.html b/{{cookiecutter.tool_identifier}}/templates/index.html
@@ -230,7 +230,9 @@ <h3>Register an OAuth consumer</h3>
 </p>
 <p>
   Select which rights you want access to, if any
-  (otherwise select one of the “user identification only” options).
+  (otherwise leave just the “basic rights” checked –
+  or use a “user identity verification only” consumer and make sure to only use <code>mwoauth.identify()</code>,
+  as seen in <code>authentication_area()</code>, and not <code>action='userinfo'</code>, as seen in <code>praise()</code>).
   This will highly depend on your tool,
   but “edit existing pages”, “create, edit and move pages” and “high-volume editing” are probably the most generally useful ones.
 </p>
