Client-login attemps unsuccesful

List overview All Threads
Download

newer

older

Developer Wishlist Survey: propose...

Re: [Mediawiki-api] Disabling the...

geoffreydebelie

19 Jan 2017 19 Jan '17

3:15 p.m.

Hi, I'm not able to login using clientlogin. Any help is appreciated. Below things I've already tried: POST https://nl.wikipedia.org/w/api.php?action=query&meta=tokens&amp… Output: { "batchcomplete": "", "query": { "tokens": { "logintoken": "85af2296d03f8ce504123b7733b0a7ad5880c782+\\" } } } POST https://nl.wikipedia.org/w/api.php?action=clientlogin&loginreturnur… Input (text/plain): logintoken=85af2296d03f8ce504123b7733b0a7ad5880c782+\\&username=Smile4ever&password=*******&rememberMe=1 Output: { "error": { "code": "badtoken", "info": "Invalid CSRF token.", "*": "See https://nl.wikipedia.org/w/api.php for API usage." }, "servedby": "mw1288" } Input (application/json): { "logintoken": "85af2296d03f8ce504123b7733b0a7ad5880c782+\\", "username": "Smile4ever", "password": "*******" } Output: { "error": { "code": "notoken", "info": "The \"token\" parameter must be set.", "*": "See https://nl.wikipedia.org/w/api.php for API usage." }, "servedby": "mw1278" } window.onbeforeunload = function() {} Kind regards, Geoffrey De Belie

Attachments:

attachment.htm (text/html — 2.5 KB)

Show replies by date

Bartosz Dziewoński

19 Jan 19 Jan

3:22 p.m.

On 2017-01-19 15:15, geoffreydebelie wrote:

...

Input (text/plain): logintoken=85af2296d03f8ce504123b7733b0a7ad5880c782+\\&username=Smile4ever&password=*******&rememberMe=1 Output: { "error": { "code": "badtoken", "info": "Invalid CSRF token.", "*": "See https://nl.wikipedia.org/w/api.php for API usage." }, "servedby": "mw1288" }

You are not URL-encoding the token. Make sure to URL-encode (percent-encode) all of the parameter values. -- Bartosz Dziewoński

geoffreydebelie

3:27 p.m.

---- On do, 19 jan 2017 15:22:11 +0100 Bartosz Dziewoński <matma.rex(a)gmail.com> wrote ----

...

On 2017-01-19 15:15, geoffreydebelie wrote:

You are not URL-encoding the token. Make sure to URL-encode (percent-encode) all of the parameter values.

Hi. logintoken=85af2296d03f8ce504123b7733b0a7ad5880c782%2b%5c%5c&username=Smile4ever&password=*******&rememberMe=1 has the same result (I even tried with a newly requested login token): { "error": { "code": "badtoken", "info": "Invalid CSRF token.", "*": "See https://nl.wikipedia.org/w/api.php for API usage." }, "servedby": "mw1285" } Kind regards, Geoffrey De Belie

Bartosz Dziewoński

3:40 p.m.

On 2017-01-19 15:27, geoffreydebelie wrote:

...

You are sending it with two backslashes at the end, while the token should only have one. -- Bartosz Dziewoński

geoffreydebelie

3:43 p.m.

---- On do, 19 jan 2017 15:40:06 +0100 Bartosz Dziewoński <matma.rex(a)gmail.com> wrote ----

...

You are sending it with two backslashes at the end, while the token should only have one.

That's right, thanks! { "clientlogin": { "status": "PASS", "username": "Smile4ever" } } However, I wonder why https://nl.wikipedia.org/w/api.php?action=query&meta=tokens&type=lo… returns "logintoken": "2c69b789da89c2134de2e6c142523de05880cbf3+\\" instead of +\ at the end. Kind regards, Geoffrey De Belie

Brad Jorsch (Anomie)

4:25 p.m.

On Thu, Jan 19, 2017 at 9:43 AM, geoffreydebelie <geoffreydebelie(a)zoho.com> wrote:

...

However, I wonder why https://nl.wikipedia.org/w/api.php?action=query&meta= tokens&type=login&format=json returns "logintoken": "2c69b789da89c2134de2e6c142523de05880cbf3+\\" instead of +\ at the end.

Because backslash is the escape character in JSON strings, and so needs to be escaped to represent an actual backslash. If your JSON decoder is not properly transforming that token into a native string ending with a single backslash then your JSON decoder is fundamentally broken and should probably be replaced. If you're parsing the JSON with custom regular expressions or the like, you should really start using a proper JSON decoder. -- Brad Jorsch (Anomie) Senior Software Engineer Wikimedia Foundation

Gergo Tisza

10:01 p.m.

On Thu, Jan 19, 2017 at 7:25 AM, Brad Jorsch (Anomie) <bjorsch(a)wikimedia.org

...

wrote:

...

I wonder if it would be worth for the API to issue a more specific warning when a token has been submitted but it does not have the format that tokens normally do. Something like "you submitted the token abc1234 \ but you were expected to submit the token abc1234+\ which in the raw request should look like abc1234%2B%5C" might make it easier for people to figure out on their own what they are doing wrong.

Brad Jorsch (Anomie)

10:41 p.m.

On Thu, Jan 19, 2017 at 4:01 PM, Gergo Tisza <gtisza(a)wikimedia.org> wrote:

...

On Thu, Jan 19, 2017 at 7:25 AM, Brad Jorsch (Anomie) < bjorsch(a)wikimedia.org> wrote:

OTOH, every check of this sort we add is more code complexity. And I note if you're using multipart/form-data, it shouldn't look like "abc1234%2B%5C". -- Brad Jorsch (Anomie) Senior Software Engineer Wikimedia Foundation

geoffreydebelie

20 Jan 20 Jan

7:12 a.m.

---- On do, 19 jan 2017 16:25:03 +0100 Brad Jorsch (Anomie) <bjorsch(a)wikimedia.org> wrote ----

...

On Thu, Jan 19, 2017 at 9:43 AM, geoffreydebelie <geoffreydebelie(a)zoho.com> wrote: However, I wonder why https://nl.wikipedia.org/w/api.php?action=query&meta=tokens&type=lo… returns "logintoken": "2c69b789da89c2134de2e6c142523de05880cbf3+\\" instead of +\ at the end. Because backslash is the escape character in JSON strings, and so needs to be escaped to represent an actual backslash. If your JSON decoder is not properly transforming that token into a native string ending with a single backslash then your JSON decoder is fundamentally broken and should probably be replaced. If you're parsing the JSON with custom regular expressions or the like, you should really start using a proper JSON decoder.

I was just copy pasting it into Postman :) Thanks for the information.

2651

days inactive

2652

days old

mediawiki-api@lists.wikimedia.org

Manage subscription

8 comments

4 participants

tags (0)

participants (4)

Bartosz Dziewoński
Brad Jorsch (Anomie)
geoffreydebelie
Gergo Tisza