With the merge of Gerrit change 264309,[1] there are two changes to the handling of login and createaccount tokens. The changes should be deployed to WMF wikis with 1.27.0-wmf.12, see https://www.mediawiki.org/wiki/MediaWiki_1.27/Roadmap for the schedule.

Neither of these changes should break existing API clients, unless the client is treating API warnings as errors or is doing something unusual with these tokens.

The first change is that login and createaccount tokens now use the same token generation mechanism as other CSRF tokens, but not the special case that results in other CSRF tokens always being "+\" when not logged in. This means that login and createaccount tokens will be longer, will end in "+\", and include an embedded timestamp so a potential future change could have them expire after a defined time period rather than lasting for the duration of the session.

The second change is that login and createaccount tokens can now be fetched via action=query&meta=tokens, in the same manner as other CSRF tokens. Fetching them by submitting an action=login or action=createaccount request without a token (to receive a NeedToken response) is now deprecated, and a warning will be returned along with the NeedToken response indicating this deprecation. There is no plan to actually remove the NeedToken response from action=login at this time, and any future plan for its removal will be announced separately with appropriate lead time. The NeedToken response will remain in action=createaccount until the previously-announced breaking change to that module,[2] and will be removed from action=createaccount along with that breaking change.


[1]: https://gerrit.wikimedia.org/r/#/c/264309/
[2]: https://lists.wikimedia.org/pipermail/mediawiki-api-announce/2016-January/000101.html

--
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation
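
The following is an added client-side example, not part of the announcement above and not MediaWiki's own code. It shows the two things a client author should take from the post: fetch login/createaccount tokens through action=query&meta=tokens&type=login|createaccount rather than the deprecated no-token action=login round trip, and treat the "warnings" object in a response as informational instead of failing on it. The HTTP layer is replaced by a stand-in function returning constructed JSON; the response shapes (the "logintoken"/"createaccounttoken" keys, the "login.result" values, the "warnings" layout) are assumptions about the API, and the warning text and token values are made up.

```python
import json

# Constructed token values (not real tokens). Per the announcement the new
# tokens are longer than before, end in "+\" and carry an embedded timestamp;
# the body here is an arbitrary hex string chosen for illustration.
LOGIN_TOKEN = "8c7f2a6b5e4d3c2b1a0f9e8d7c6b5a4f5693e5a0+\\"
CREATEACCOUNT_TOKEN = "1a2b3c4d5e6f708192a3b4c5d6e7f8095693e5a0+\\"

# Stand-in for POSTing to api.php. Response shapes are assumptions about the
# MediaWiki API (formatversion=1 style); the warning text is constructed.
def fake_api(params):
    action, meta = params.get("action"), params.get("meta")
    if action == "query" and meta == "tokens":
        wanted = params.get("type", "csrf").split("|")
        available = {"login": LOGIN_TOKEN, "createaccount": CREATEACCOUNT_TOKEN}
        return json.loads(json.dumps({
            "batchcomplete": "",
            "query": {"tokens": {t + "token": available[t] for t in wanted}},
        }))
    if action == "login" and "lgtoken" not in params:
        # Deprecated path: NeedToken response plus a deprecation warning.
        return {
            "warnings": {"login": {"*": "Fetching a token via action=login is "
                         "deprecated. Use action=query&meta=tokens&type=login instead."}},
            "login": {"result": "NeedToken", "token": LOGIN_TOKEN},
        }
    if action == "login":
        ok = params["lgtoken"] == LOGIN_TOKEN
        return {"login": {"result": "Success" if ok else "WrongToken"}}
    raise ValueError("unsupported request in stand-in: %r" % (params,))


def collect_warnings(resp):
    """Return API warnings as strings without raising.

    A client that raises on any 'warnings' key is exactly the kind the
    announcement says will break on the new deprecation warning."""
    out = []
    for module, body in resp.get("warnings", {}).items():
        text = body.get("*", body) if isinstance(body, dict) else body
        out.append("%s: %s" % (module, text))
    return out


def check_token_shape(token):
    """Sanity-check a login/createaccount token against the announced shape."""
    if not token.endswith("+\\"):
        raise ValueError("token does not end in +\\: %r" % token)
    if token == "+\\":
        # The bare anonymous CSRF placeholder; login tokens never take this
        # special-case value, so receiving it indicates a client bug.
        raise ValueError("got the anonymous CSRF placeholder, not a login token")
    return token


def fetch_tokens(api, types=("login", "createaccount")):
    """Preferred method: action=query&meta=tokens&type=login|createaccount."""
    resp = api({"action": "query", "meta": "tokens",
                "type": "|".join(types), "format": "json"})
    collect_warnings(resp)  # logged/ignored, never fatal
    tokens = resp["query"]["tokens"]
    return {t: check_token_shape(tokens[t + "token"]) for t in types}


def legacy_login_token(api):
    """Deprecated method: action=login without lgtoken -> NeedToken.

    Returns the token and the warnings so the caller can surface the
    deprecation notice without treating it as a failure."""
    resp = api({"action": "login", "lgname": "Alice",
                "lgpassword": "secret", "format": "json"})
    warnings = collect_warnings(resp)
    if resp["login"]["result"] != "NeedToken":
        raise RuntimeError("expected NeedToken, got %r" % resp["login"]["result"])
    return check_token_shape(resp["login"]["token"]), warnings


def login(api, user, password):
    """Full login using the non-deprecated token fetch."""
    token = fetch_tokens(api, ("login",))["login"]
    resp = api({"action": "login", "lgname": user, "lgpassword": password,
                "lgtoken": token, "format": "json"})
    collect_warnings(resp)
    return resp["login"]["result"]


if __name__ == "__main__":
    print(fetch_tokens(fake_api))
    print(login(fake_api, "Alice", "secret"))
    print(legacy_login_token(fake_api)[1])
```

To run this against a real wiki, replace fake_api with a function that POSTs the params to api.php with a cookie jar, since the token is bound to the session; everything else stays the same.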