With the merge of Gerrit change 264309, there are two changes to the
handling of login and createaccount tokens. The changes should be deployed
to WMF wikis with 1.27.0-wmf.12, see
for the schedule.

Neither of these changes should break existing API clients, unless the
client is treating API warnings as errors or is doing something unusual
with these tokens.

The first change is that login and createaccount tokens now use the same
token generation mechanism as other CSRF tokens, but not the special case
that results in other CSRF tokens always being "+\" when not logged in.
This means that login and createaccount tokens will be longer, will end in
"+\", and include an embedded timestamp so a potential future change could
have them expire after a defined time period rather than lasting for the
duration of the session.

The second change is that login and createaccount tokens will now be able
to be fetched via action=query&meta=tokens, in the same manner as other
CSRF tokens. Fetching them by submitting an action=login or
action=createaccount request without a token (to receive a NeedToken
response) is now deprecated, and a warning will be returned along with the
NeedToken response indicating this deprecation. There is no plan to
actually remove the NeedToken response from action=login at this time, and
any future plan for its removal will be announced separately with
appropriate lead time. The NeedToken response will remain in
action=createaccount until the previously-announced breaking change to that
module, and will be removed from action=createaccount along with that

Brad Jorsch (Anomie)
Senior Software Engineer
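
A client-side sketch of the token handling described in the announcement above, added here as an example and not taken from the message or from MediaWiki itself. The JSON response shapes, the type= parameter, the sample token values and the warning text are constructed assumptions; extract_token and token_request_params are hypothetical helper names.

```python
import json

ANON_PLACEHOLDER = "+\\"  # the bare two-character +\ token the message mentions

# Constructed sample responses (assumed shapes, made-up token values).
SAMPLE_QUERY = r'{"query":{"tokens":{"logintoken":"0123456789abcdef0123456789abcdef56a1b2c3+\\"}}}'
SAMPLE_NEEDTOKEN = (r'{"warnings":{"login":{"*":"constructed deprecation text"}},'
                    r'"login":{"result":"NeedToken","token":"fedcba9876543210fedcba987654321056a1b2c4+\\"}}')

def token_request_params(kind="login"):
    """Parameters for the non-deprecated fetch via action=query&meta=tokens."""
    if kind not in ("login", "createaccount"):
        raise ValueError("kind must be 'login' or 'createaccount'")
    return {"action": "query", "meta": "tokens", "type": kind, "format": "json"}

def extract_token(response_text, kind="login"):
    """Return (token, warning_modules, used_deprecated_path).

    Warnings are collected and returned, never raised: the message notes that
    clients treating API warnings as errors are the ones that may break.
    """
    data = json.loads(response_text)
    warning_modules = sorted(data.get("warnings", {}))
    token = data.get("query", {}).get("tokens", {}).get(kind + "token")
    deprecated = False
    if token is None:
        # Deprecated path: the token arrives inside a NeedToken reply.
        module = data.get(kind, {})
        if module.get("result") == "NeedToken":
            token, deprecated = module.get("token"), True
    if not token:
        raise ValueError("no %s token in response" % kind)
    # Keep the token opaque: no length or format check, since its length
    # changed. Only the bare placeholder is rejected, because the message says
    # login and createaccount tokens do not use that special case.
    if token == ANON_PLACEHOLDER:
        raise ValueError("got the anonymous placeholder, not a %s token" % kind)
    return token, warning_modules, deprecated

if __name__ == "__main__":
    print(token_request_params("login"))
    print(extract_token(SAMPLE_QUERY))
    print(extract_token(SAMPLE_NEEDTOKEN))
```

The third return value lets a client log that it is still on the deprecated NeedToken path and schedule the switch to meta=tokens.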