TLDR: We will soon remove some parameters that were used to obtain CSRF tokens in the MediaWiki API. This will break bots, gadgets and user scripts that are still using these parameters.
A significant and long delayed change to Action API is coming. API clients (user scripts, tools, etc) need to obtain a token before making write requests to MediaWiki over Action API. Up to MediaWiki 1.24 the action=tokens[1] and ‘token’ parameter in the following API endpoints were used to obtain a token:
‘rctoken’ in action=query&list=recentchanges [2] ‘rvtoken’ in action=query&prop=revisions [3] ‘intoken’ in action=query&prop=info [4] ‘ustoken’ in action=query&list=users[5]
Since MediaWiki 1.24 these module and parameters were deprecated and were emitting deprecation warnings to API clients. These parameters and endpoint will now be removed from MediaWiki 1.37 and from Wikimedia installation. To obtain CSRF tokens clients now need to use a consolidated ‘action=query&meta=tokens’ endpoint. [6]
Please respond to this email if you have any concerns or questions about this change.
Petr Pchelko Staff Software Engineer Platform Engineering Team at WMF
[1] https://en.wikipedia.org/w/api.php?action=help&modules=tokens https://en.wikipedia.org/w/api.php?action=help&modules=tokens [2] https://en.wikipedia.org/w/api.php?action=help&modules=query%2Brecentcha... https://en.wikipedia.org/w/api.php?action=help&modules=query%2Brecentchanges [3] https://en.wikipedia.org/w/api.php?action=help&modules=query%2Brevisions https://en.wikipedia.org/w/api.php?action=help&modules=query%2Brevisions [4] https://en.wikipedia.org/w/api.php?action=help&modules=query%2Binfo https://en.wikipedia.org/w/api.php?action=help&modules=query%2Binfo [5] https://en.wikipedia.org/w/api.php?action=help&modules=query%2Busers https://en.wikipedia.org/w/api.php?action=help&modules=query%2Busers [6] https://en.wikipedia.org/w/api.php?action=help&modules=query%2Btokens https://en.wikipedia.org/w/api.php?action=help&modules=query%2Btokens
Hi,
On 6/2/21 9:02 AM, Petr Pchelko wrote:
TLDR: We will soon remove some parameters that were used to obtain CSRF tokens in the MediaWiki API. This will break bots, gadgets and user scripts that are still using these parameters.
Can we get a list of those bots/scripts that are still using the parameters that'll be removed?
A significant and long delayed change to Action API is coming. API clients (user scripts, tools, etc) need to obtain a token before making write requests to MediaWiki over Action API. Up to MediaWiki 1.24 the action=tokens[1] and ‘token’ parameter in the following API endpoints were used to obtain a token:
<snip>
Is there a reason action=query&meta=userinfo&uiprop=preferencestoken isn't also being removed at the same time?
Since MediaWiki 1.24 these module and parameters were deprecated and were emitting deprecation warnings to API clients. These parameters and endpoint will now be removed from MediaWiki 1.37 and from Wikimedia installation.
When exactly is this going to happen? Is there a Phabricator task to track this?
-- Legoktm
Hi, Kunal.
TLDR: We will soon remove some parameters that were used to obtain CSRF tokens in the MediaWiki API. This will break bots, gadgets and user scripts that are still using these parameters.
Can we get a list of those bots/scripts that are still using the parameters that'll be removed?
You can see log analysis on T280806. I’ve tried to reach out to maintainers of libraries and bots that have the highest number of deprecated requests. By far the highest usage is by Peachy MediaWiki Bot API Version 2.0[1]
Is there a reason action=query&meta=userinfo&uiprop=preferencestoken isn't also being removed at the same time?
This one was forgotten. The same log analysis[2] reveals that there’s a few bots that are still using the deprecated API.
Best regards. Petr.
1. https://github.com/MW-Peachy/Peachy/issues/120 https://github.com/MW-Peachy/Peachy/issues/120 2. https://phabricator.wikimedia.org/T280806#7129884 https://phabricator.wikimedia.org/T280806#7129884
On Jun 2, 2021, at 10:29 AM, Kunal Mehta legoktm@debian.org wrote:
Hi,
On 6/2/21 9:02 AM, Petr Pchelko wrote:
TLDR: We will soon remove some parameters that were used to obtain CSRF tokens in the MediaWiki API. This will break bots, gadgets and user scripts that are still using these parameters.
Can we get a list of those bots/scripts that are still using the parameters that'll be removed?
A significant and long delayed change to Action API is coming. API clients (user scripts, tools, etc) need to obtain a token before making write requests to MediaWiki over Action API. Up to MediaWiki 1.24 the action=tokens[1] and ‘token’ parameter in the following API endpoints were used to obtain a token:
<snip>
Is there a reason action=query&meta=userinfo&uiprop=preferencestoken isn't also being removed at the same time?
Since MediaWiki 1.24 these module and parameters were deprecated and were emitting deprecation warnings to API clients. These parameters and endpoint will now be removed from MediaWiki 1.37 and from Wikimedia installation.
When exactly is this going to happen? Is there a Phabricator task to track this?
-- Legoktm
New page: https://www.mediawiki.org/wiki/MediaWiki_1.37/Deprecation_of_legacy_API_toke...
On Wed, 2 Jun 2021 at 17:03, Petr Pchelko ppchelko@wikimedia.org wrote:
[…] the following API endpoints were used to obtain a token:
- ‘rctoken’ in action=query&list=recentchanges [2]
- ‘rvtoken’ in action=query&prop=revisions [3]
- ‘intoken’ in action=query&prop=info [4]
- ‘ustoken’ in action=query&list=users[5]
[…] clients now need to use a consolidated ‘action=query&meta=tokens’ endpoint.
It took me a little while to figure out the correct replacement in some cases. Especially uiprop=preferencestoken and "type=edit" since "preferences" and "edit" are not accepted by the new API as valid types.
It is not mentioned anywhere on the relevant pages, but I understand these essentially fall in the bucket of general csrf tokens now. I remember that from years ago, but did not connect the dots with the API module change at the same time.
I've captured various bits of information and links together on this wiki page: https://www.mediawiki.org/wiki/MediaWiki_1.37/Deprecation_of_legacy_API_toke...
-- Timo
wikitech-l@lists.wikimedia.org