DevOps:Doc/FlexForm/2.5/API/FlexFormOpen
← Older edit
VisualWikitext
No edit summary
 
(One intermediate revision by the same user not shown)
Line 3: Line 3:


===Type===
===Type===
FlexFormOpen
FlexFormOpen (Available since 2.7.1)


===Synopsis===
===Synopsis===

Latest revision as of 15:37, 23 February 2026

Name

API

Type

FlexFormOpen (Available since 2.7.1)

Synopsis

Open FlexForm API endpoint for lightweight validation actions.

Description

The FlexFormOpen API provides limited, publicly accessible FlexForm functionality intended for frontend validation use cases. It does not require readapi-rights.

Currently, the available actions are:

  • canUserBeCreated – Checks whether a username can be created.

This API is especially useful when implementing CreateUser forms.

When paired with JavaScript, it allows real-time username validation (e.g., checking whether a username already exists or is invalid) before form submission.

For security reasons, this API is disabled by default.

To enable it, set the following configuration option: 

$wgFlexFormConfig['allowFlexFormOpenAPI'] = true;

Parameters

ffAction – The FlexFormOpen action to execute.

  • canUserBeCreated (required)

additionalData – Additional data required for the action.

  • For canUserBeCreated, this must contain the username to validate. (required)

Action: canUserBeCreated

Checks whether a username:

  • Does not already exist
  • Meets MediaWiki username validation requirements
  • Can safely be created

This action does not create the user. It only performs validation.

Example (JavaScript)

Example using MediaWiki's mw.Api(): 

var api = new mw.Api();

api.get({
    action: "FlexFormOpen",
    ffAction: "canUserBeCreated",
    additionalData: correctedUsername,
    formatversion: 2
}).done(function (data) {

    if (data.canUser === true) {
        console.log("Username can be created.");
    } else {
        console.log("Username cannot be created.");
    }

});

If the API is disabled via configuration (or default): 

{
    "error": {
        "message": "FlexFormOpen API is disabled."
    }
}

Security Considerations

Because this API does not require authentication, it is disabled by default.

It is strongly recommended to:

  • Only enable it when necessary
  • Implement frontend throttling or rate limiting if heavy usage is expected
  • Avoid exposing sensitive validation logic

Future Improvements

In future versions, an optional attribute may be introduced on FlexForm input fields that automatically performs username validation without requiring custom JavaScript.

Retrieved from "https://open-csp.org/index.php?title=DevOps:Doc/FlexForm/2.5/API/FlexFormOpen&oldid=3944"