On Tue, Sep 6, 2016 at 1:59 AM, Gergo Tisza gtisza@wikimedia.org wrote:
On Mon, Sep 5, 2016 at 9:57 PM, MZMcBride z@mzmcbride.com wrote:
I think the API documentation should probably be made a bit clearer as I think there are now two deprecated ways of logging in. We should likely make it more explicit which way applies to which versions of MediaWiki. This allows developers to have a quicker and easier understanding when determining how much compatibility code is needed in a specific tool/script/application.
Using action=login is deprecated since 1.27, unless you use bot passwords. Using action=clientlogin is not deprecated. Using OAuth (which means not logging in at all) is also not deprecated. Bot passwords and clientlogin were added in 1.27; OAuth was added a while ago (although owner-only OAuth consumers were added in 1.27, and adding OAuth support to a bot is a lot more complex without those) but requires the OAuth extension to be installed. HTH.
In addition, when using action=login there are multiple ways to fetch the necessary CSRF token. The not-deprecated method is to use action=query&meta=tokens&type=login. The deprecated (since 1.27) method most likely in use by old code is to send an action=login request without an lgtoken parameter to get a NeedToken response. There's also the possibility of using the deprecated (since 1.24) action=tokens instead of action=query&meta=tokens.