On Tue, Sep 6, 2016 at 1:59 AM, Gergo Tisza <gtisza(a)wikimedia.org> wrote:
On Mon, Sep 5, 2016 at 9:57 PM, MZMcBride <z(a)mzmcbride.com> wrote:
I think the API documentation should probably be made a bit clearer as I
think there are now two deprecated ways of logging in. We should likely
make it more explicit which way applies to which versions of MediaWiki.
This allows developers to have a quicker and easier understanding when
determining how much compatibility code is needed in a specific
tool/script/application.

Using action=login is deprecated since 1.27, unless you use bot passwords.
Using action=clientlogin is not deprecated. Using OAuth (which means not
logging in at all) is also not deprecated. Bot passwords and clientlogin
were added in 1.27; OAuth was added a while ago (although owner-only OAuth
consumers were added in 1.27, and adding OAuth support to a bot is a lot
more complex without those) but requires the OAuth extension to be
installed. HTH.

In addition, when using action=login there are multiple ways to fetch the
necessary CSRF token. The not-deprecated method is to use
action=query&meta=tokens&type=login. The deprecated (since 1.27) method
most likely in use by old code is to send an action=login request without
an lgtoken parameter to get a NeedToken response. There's also the
possibility of using the deprecated (since 1.24) action=tokens instead of
action=query&meta=tokens.
--
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation
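
The non-deprecated sequence described in the thread (login token from action=query&meta=tokens&type=login, then action=login with lgtoken and a bot password), as an added example that is not part of the original messages or MediaWiki's own code. The names `make_http_post`, `bot_login` and `FakeWiki`, the account name and the token value are assumptions constructed for illustration.

```python
import json
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar


def make_http_post(api_url):
    """Return post(params) -> dict; one cookie jar keeps the session across calls."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()))

    def post(params):
        body = urllib.parse.urlencode(dict(params, format="json")).encode()
        with opener.open(api_url, body, timeout=30) as resp:
            return json.load(resp)
    return post


def bot_login(post, bot_user, bot_password):
    """Bot-password login through action=login without the deprecated token paths."""
    # Step 1: fetch the login token with meta=tokens&type=login, not via a
    # token-less action=login (NeedToken) and not via action=tokens.
    reply = post({"action": "query", "meta": "tokens", "type": "login"})
    token = reply["query"]["tokens"]["logintoken"]
    # Step 2: credentials and token travel in the POST body, never in the URL.
    reply = post({"action": "login", "lgname": bot_user,
                  "lgpassword": bot_password, "lgtoken": token})
    result = reply["login"]["result"]
    if result != "Success":
        # NeedToken at this point means the token or session cookie was lost.
        raise RuntimeError("login failed: " + result)
    return reply["login"]["lgusername"]


class FakeWiki:
    """Constructed stand-in for api.php so the flow can be exercised offline."""
    TOKEN = "constructed-token+\\"

    def __init__(self):
        self.calls = []

    def post(self, params):
        self.calls.append(dict(params))
        if params["action"] == "query":
            return {"query": {"tokens": {"logintoken": self.TOKEN}}}
        if params.get("lgtoken") != self.TOKEN:
            return {"login": {"result": "NeedToken"}}
        return {"login": {"result": "Success", "lgusername": "ExampleUser"}}
```

Against a real wiki, pass `make_http_post(<your api.php URL>)` instead of `FakeWiki().post`; both requests must share the same cookie jar or the token will not validate.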