I am using the MediaWiki Action API, where I use the OAuth2 authorization flow to obtain an access token.
For uploading an image, a CSRF token is required. I get the token by making a POST request to https://commons.wikimedia.org/w/api.php?action=query&meta=tokens&format=json
with the auth token in the header. This works and I get a response containing the CSRF token:
{
  "batchcomplete": "",
  "query": {
    "tokens": {
      "csrftoken": "516091e04d05c9ae2c7bca4727c071fb615ee122+\\"
    }
  }
}
I then take this token and check its validity immediately afterwards, making a POST request to https://commons.wikimedia.org/w/api.php?action=checktoken&type=csrf&format=json
with the obtained token in the body (as required per the API documentation). These requests happen less than a second apart. However, the response is always 'invalid':
{
  "checktoken": {
    "result": "invalid",
    "generated": "2021-10-07T12:07:20Z"
  }
}
I am using Dart/Flutter btw, but I doubt that's the problem.

After a long time I finally figured it out, and the answer could not be more simple:
The checktoken action still requires an OAuth 2 access token in the header. With this included, everything works as it should. I hope this at least helps someone else.
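The behaviour described in this answer, as an added example that is not part of the original post: a CSRF token issued by action=query&meta=tokens is bound to the identity MediaWiki sees on that request, so a later action=checktoken call sent without the same Authorization header is evaluated as an anonymous request and the token is reported invalid. To keep the example runnable offline, the HTTP layer is a constructed in-memory stub (`FakeMediaWiki`) that imitates just that binding; the access token value and the client helper names are assumptions for illustration, and against the real endpoint you would replace the stub with an HTTP client such as `requests` sending the same URLs, bodies and headers.

```python
"""Constructed example: why action=checktoken needs the OAuth2 bearer header.

FakeMediaWiki is a stand-in for https://commons.wikimedia.org/w/api.php that
reproduces one property of the real API: CSRF tokens are tied to the caller's
authenticated session, and anonymous callers only ever get the token "+\\".
"""
import hashlib
import secrets
from urllib.parse import parse_qs, urlsplit

API = "https://commons.wikimedia.org/w/api.php"


class FakeMediaWiki:
    """Constructed stub of the Action API (not the real server)."""

    def __init__(self, valid_access_tokens):
        self.valid = set(valid_access_tokens)
        self.secret = secrets.token_hex(16)  # per-instance token-signing secret

    def _identity(self, headers):
        auth = headers.get("Authorization", "")
        if auth.startswith("Bearer ") and auth[len("Bearer "):] in self.valid:
            return "user:" + auth[len("Bearer "):]
        return "anon"  # missing or unknown bearer token => anonymous request

    def _csrf_for(self, identity):
        if identity == "anon":
            return "+\\"  # MediaWiki's fixed anonymous token
        digest = hashlib.sha256((self.secret + identity).encode()).hexdigest()[:40]
        return digest + "+\\"  # real tokens are hex followed by "+\"

    def post(self, url, data, headers):
        params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        ident = self._identity(headers)
        if params.get("action") == "query" and params.get("meta") == "tokens":
            return {"batchcomplete": "",
                    "query": {"tokens": {"csrftoken": self._csrf_for(ident)}}}
        if params.get("action") == "checktoken":
            ok = data.get("token") == self._csrf_for(ident)
            return {"checktoken": {"result": "valid" if ok else "invalid"}}
        return {"error": {"code": "unknown_action"}}


def get_csrf_token(http, access_token):
    """Step 1 from the question: fetch a CSRF token with the bearer header set."""
    resp = http.post(f"{API}?action=query&meta=tokens&format=json",
                     data={},
                     headers={"Authorization": f"Bearer {access_token}"})
    return resp["query"]["tokens"]["csrftoken"]


def check_csrf_token(http, csrf_token, access_token=None):
    """Step 2: validate the token. Passing access_token=None reproduces the
    original mistake of omitting the Authorization header."""
    headers = {"Authorization": f"Bearer {access_token}"} if access_token else {}
    resp = http.post(f"{API}?action=checktoken&type=csrf&format=json",
                     data={"token": csrf_token},
                     headers=headers)
    return resp["checktoken"]["result"]


def demo():
    """Returns (result without bearer header, result with bearer header)."""
    access_token = "example-oauth2-access-token"  # constructed placeholder value
    http = FakeMediaWiki(valid_access_tokens=[access_token])
    csrf = get_csrf_token(http, access_token)
    without_auth = check_csrf_token(http, csrf)                 # -> "invalid"
    with_auth = check_csrf_token(http, csrf, access_token)      # -> "valid"
    return without_auth, with_auth


if __name__ == "__main__":
    print(demo())
```

The practical takeaway is that every state-changing call (checktoken, upload, edit) must carry the same Authorization header as the token request; a token obtained while authenticated is worthless to the anonymous session that a header-less request creates, which is exactly the mismatch the "invalid" result in the question reports.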