With the merge of Gerrit change 264309,[1] to be deployed with
1.27.0-wmf.12, note the following changes to the PHP interface around login
and account creation tokens:
- LoginForm::setLoginToken() and LoginForm::setCreateaccountToken() are
deprecated and no longer do anything. The token is automatically created
when fetched.
- LoginForm::getLoginToken() and LoginForm::getCreateaccountToken() now
return a MediaWiki\Session\Token object rather than a string. This object
implements __toString(), so automatic casting to a string is supported and
will likely mask this change for many uses.
- The token strings themselves are now similar to edit tokens: they're
longer, end in "+\", and include an embedded timestamp for expiration.
- Due to the embedded timestamp, tokens must now be compared using the
->match() method on the Token object. String equality comparison will no
longer work.
- It is no longer possible to determine if the token was not already
generated for the session by looking for an empty response from
LoginForm::getLoginToken() and LoginForm::getCreateaccountToken(). If
this is necssary (it shouldn't be), use the ->wasNew() method on the Token
object.
If your PHP code makes use of login or account creation tokens for some
reason, please check to see if your code needs updating for these changes.
For the record, a new method User::getEditTokenObject() has been added to
fetch edit tokens as MediaWiki\Session\Token objects as well, but
User::getEditToken() and User::matchEditToken() have not been changed or
deprecated at this time.
Note that API clients and other non-PHP users of these tokens are unlikely
to be broken by this change. See
https://lists.wikimedia.org/pipermail/mediawiki-api-announce/2016-January/0…
for details on changes to the API related to this change.
[1]:
https://gerrit.wikimedia.org/r/#/c/264309/
--
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation