TLDR: We will soon remove some parameters that were used to obtain CSRF tokens in the MediaWiki API. This will break bots, gadgets and user scripts that are still using these parameters.
A significant and long delayed change to Action API is coming. API clients (user scripts, tools, etc) need to obtain a token before making write requests to MediaWiki over Action API. Up to MediaWiki 1.24 the action=tokens[1] and ‘token’ parameter in the following API endpoints were used to obtain a token:
‘rctoken’ in action=query&list=recentchanges [2] ‘rvtoken’ in action=query&prop=revisions [3] ‘intoken’ in action=query&prop=info [4] ‘ustoken’ in action=query&list=users[5]
Since MediaWiki 1.24 these module and parameters were deprecated and were emitting deprecation warnings to API clients. These parameters and endpoint will now be removed from MediaWiki 1.37 and from Wikimedia installation. To obtain CSRF tokens clients now need to use a consolidated ‘action=query&meta=tokens’ endpoint. [6]
Please respond to this email if you have any concerns or questions about this change.
Petr Pchelko Staff Software Engineer Platform Engineering Team at WMF
[1] https://en.wikipedia.org/w/api.php?action=help&modules=tokens https://en.wikipedia.org/w/api.php?action=help&modules=tokens [2] https://en.wikipedia.org/w/api.php?action=help&modules=query%2Brecentcha... https://en.wikipedia.org/w/api.php?action=help&modules=query%2Brecentchanges [3] https://en.wikipedia.org/w/api.php?action=help&modules=query%2Brevisions https://en.wikipedia.org/w/api.php?action=help&modules=query%2Brevisions [4] https://en.wikipedia.org/w/api.php?action=help&modules=query%2Binfo https://en.wikipedia.org/w/api.php?action=help&modules=query%2Binfo [5] https://en.wikipedia.org/w/api.php?action=help&modules=query%2Busers https://en.wikipedia.org/w/api.php?action=help&modules=query%2Busers [6] https://en.wikipedia.org/w/api.php?action=help&modules=query%2Btokens https://en.wikipedia.org/w/api.php?action=help&modules=query%2Btokens
_______________________________________________ Mediawiki-api-announce mailing list -- mediawiki-api-announce@lists.wikimedia.org To unsubscribe send an email to mediawiki-api-announce-leave@lists.wikimedia.org
Hi,
On 6/2/21 9:02 AM, Petr Pchelko wrote:
TLDR: We will soon remove some parameters that were used to obtain CSRF tokens in the MediaWiki API. This will break bots, gadgets and user scripts that are still using these parameters.
Can we get a list of those bots/scripts that are still using the parameters that'll be removed?
A significant and long delayed change to Action API is coming. API clients (user scripts, tools, etc) need to obtain a token before making write requests to MediaWiki over Action API. Up to MediaWiki 1.24 the action=tokens[1] and ‘token’ parameter in the following API endpoints were used to obtain a token:
<snip>
Is there a reason action=query&meta=userinfo&uiprop=preferencestoken isn't also being removed at the same time?
Since MediaWiki 1.24 these module and parameters were deprecated and were emitting deprecation warnings to API clients. These parameters and endpoint will now be removed from MediaWiki 1.37 and from Wikimedia installation.
When exactly is this going to happen? Is there a Phabricator task to track this?
-- Legoktm
Hi, Kunal.
TLDR: We will soon remove some parameters that were used to obtain CSRF tokens in the MediaWiki API. This will break bots, gadgets and user scripts that are still using these parameters.
Can we get a list of those bots/scripts that are still using the parameters that'll be removed?
You can see log analysis on T280806. I’ve tried to reach out to maintainers of libraries and bots that have the highest number of deprecated requests. By far the highest usage is by Peachy MediaWiki Bot API Version 2.0[1]
Is there a reason action=query&meta=userinfo&uiprop=preferencestoken isn't also being removed at the same time?
This one was forgotten. The same log analysis[2] reveals that there’s a few bots that are still using the deprecated API.
Best regards. Petr.
1. https://github.com/MW-Peachy/Peachy/issues/120 https://github.com/MW-Peachy/Peachy/issues/120 2. https://phabricator.wikimedia.org/T280806#7129884 https://phabricator.wikimedia.org/T280806#7129884
On Jun 2, 2021, at 10:29 AM, Kunal Mehta legoktm@debian.org wrote:
Hi,
On 6/2/21 9:02 AM, Petr Pchelko wrote:
TLDR: We will soon remove some parameters that were used to obtain CSRF tokens in the MediaWiki API. This will break bots, gadgets and user scripts that are still using these parameters.
Can we get a list of those bots/scripts that are still using the parameters that'll be removed?
A significant and long delayed change to Action API is coming. API clients (user scripts, tools, etc) need to obtain a token before making write requests to MediaWiki over Action API. Up to MediaWiki 1.24 the action=tokens[1] and ‘token’ parameter in the following API endpoints were used to obtain a token:
<snip>
Is there a reason action=query&meta=userinfo&uiprop=preferencestoken isn't also being removed at the same time?
Since MediaWiki 1.24 these module and parameters were deprecated and were emitting deprecation warnings to API clients. These parameters and endpoint will now be removed from MediaWiki 1.37 and from Wikimedia installation.
When exactly is this going to happen? Is there a Phabricator task to track this?
-- Legoktm
mediawiki-api@lists.wikimedia.org