Page MenuHomePhabricator
Create Task
Maniphest T137805

API action=login is deprecated
Closed, ResolvedPublic
Actions

Description

Login via action=login was deprecated in rMW54d58ef50665: API changes for AuthManager, which landed Jan 11 2016

Password for user xxxxxxx on wiktionary:xxx (no characters will be shown):
Logging in to wiktionary:xxx as xxxxxxx
WARNING: API warning (login): Main-account login via action=login is deprecated
and may stop working without warning. To continue login with action=login, see [[Special:BotPasswords]]. To safely continue using main-account login, see action=clientlogin.

Details

SubjectRepoBranchLines +/-
[bugfix] Resolve action=login deprecation warningpywikibot/coremaster+73 -21
Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Restricted Application added subscribers: pywikibot-bugs-list, Zppix, Aklapper. · View Herald TranscriptJun 14 2016, 2:12 PM
Xqt triaged this task as High priority.Jun 14 2016, 2:13 PM
Xqt added subscribers: jayvdb, valhallasw.Jul 6 2016, 8:10 AM
Jogo.obb subscribed.Jul 14 2016, 2:02 PM
Bugreporter merged a task: T140571: Message "action=login is deprecated" when pwb.py login.Jul 23 2016, 6:11 PM
Bugreporter added a subscriber: MarcoAurelio.
Aschroet subscribed.Aug 4 2016, 5:35 PM

I experience the same now on dewikisource now.

jayvdb added a subtask: T142155: Bot can't login. keyError in GetCookie.Aug 6 2016, 5:12 AM
jayvdb updated the task description. (Show Details)Aug 6 2016, 5:50 AM
Xqt closed subtask T142155: Bot can't login. keyError in GetCookie as Resolved.Aug 6 2016, 8:23 PM
Udo_T subscribed.Aug 6 2016, 9:19 PM
DrTrigon subscribed.Aug 9 2016, 3:14 PM
MZMcBride subscribed.Aug 21 2016, 3:16 PM
Xqt merged a task: T149420: login error.Oct 29 2016, 2:11 PM
Xqt added a subscriber: Vladis13.
Xqt added a comment.Oct 29 2016, 2:16 PM

There is another message coming in front of that above:

WARNING: API warning (login): Fetching a token via action=login is deprecated. Use action=query&meta=tokens&type=login instead.
Xqt added a project: Pywikibot-login.py.Oct 29 2016, 2:17 PM
Glavkos subscribed.Oct 31 2016, 8:51 PM
Huji awarded a token.Nov 5 2016, 12:42 AM
Huji subscribed.
MBH subscribed.Nov 8 2016, 9:44 AM
MBH added a comment.Nov 8 2016, 10:00 AM

When the old login method will be turned off?

Pintoch reopened subtask T142155: Bot can't login. keyError in GetCookie as Open.Nov 9 2016, 8:21 PM
Huji added a subscriber: Anomie.Nov 9 2016, 11:14 PM

@MaxBioHazard I am not sure. It was marked as "deprecated" in response to T110276 in rMW54d58ef50665 and I think @Anomie might be able to answer your question best.

Anomie added a comment.Nov 10 2016, 4:19 PM
In T137805#2778915, @MaxBioHazard wrote:

When the old login method will be turned off?

There are currently no plans to turn it off. However, if something makes the "main account" login process require anything beyond the submission of a username and password field, action=login will just fail. That's why it's deprecated outside of use with BotPasswords, which themselves were created specifically so there would be a way for action=login to reliably keep working for bots instead of requiring that all bots convert to using OAuth.

For example, if your password needs to be reset, Special:UserLogin will return a second page asking you to change your password before actually logging you in and action=clientlogin will return a response with a similar request, while action=login will just fail.

For another example, if you enable two-factor authentication[1] on the bot's account, Special:UserLogin will return a second page asking for the second factor and action=clientlogin will return a response with a similar request, while action=login will just fail.

For still another example, if failed login attempts from your IP cause a captcha to be displayed on Special:UserLogin, the process for using action=clientlogin will signal that and will indicate how to submit the captcha answer, while action=login will not be able to signal it and attempting to log in will just fail because no captcha answer can be supplied.

[1] 2FA is technically deployed already, but needs a special user right to be able to turn it on. I guess a wider deployment is stuck on T100375 and its subtasks.

In T137805#2754035, @Xqt wrote:

There is another message coming in front of that above:

WARNING: API warning (login): Fetching a token via action=login is deprecated. Use action=query&meta=tokens&type=login instead.

That's an unrelated warning.

  • Long ago, you could log in with action=login by just providing a username and password.
  • Then it was realized this was a CSRF vulnerability, so now you have to provide a username, password, and a CSRF token to be able to log in. The only way to get this token was to hit action=login without providing a token, in which case you'd get a NeedToken response with the necessary token.
  • Some time later, all token fetching was consolidated into action=query&meta=tokens and other methods of fetching a token were deprecated.

Again, there are no plans to actually remove the ability to fetch the login token by hitting action=login and getting a NeedToken response any time soon. Someday it might be removed, if the logs behind Special:ApiFeatureUsage indicate that reasonably close to no one is hitting this warning anymore. But it has been hit 85914 times just in the past 24 hours, so that day doesn't seem like it'll be coming any time soon.

Jnanaranjan_sahu subscribed.Nov 16 2016, 4:13 AM
XXN subscribed.Nov 18 2016, 10:09 PM
Masti subscribed.Nov 28 2016, 7:48 PM
Multichill closed subtask T142155: Bot can't login. keyError in GetCookie as Resolved.Jan 2 2017, 5:44 PM
Hasenlaeufer subscribed.Jan 6 2017, 5:18 PM
Huji removed projects: Pywikibot-General, Pywikibot.Jan 8 2017, 12:55 AM
protonotarios subscribed.Feb 5 2017, 10:07 AM
Dvorapa added a project: Pywikibot.Jun 11 2017, 8:38 PM
Dvorapa subscribed.
Dvorapa added a parent task: T178061: Reduce (API) warning clutter in login.py after clean installation.Oct 12 2017, 3:09 PM
Framawiki subscribed.Feb 1 2018, 10:20 PM
Framawiki mentioned this in T186274: Enable 2FA normal login.Feb 1 2018, 10:26 PM
Prod subscribed.Feb 20 2018, 6:15 AM
Pablo-WMDE subscribed.Mar 29 2018, 11:00 AM
Restricted Application added a subscriber: Kizule. · View Herald TranscriptMar 29 2018, 11:00 AM
Paucabot subscribed.Mar 19 2019, 6:24 AM
Xqt added a project: Pywikibot-tests.May 31 2019, 6:06 AM

Now we have a lot of tests failing due to this issue

Dvorapa added a comment.EditedMay 31 2019, 10:23 AM

We can use BotPasswords to make tests pass and avoid warnings, but it would mean we have one password for Beta Cluster wikis, another password for Wikimedia wikis and another password for musicbrainz wiki

Xqt added a comment.May 31 2019, 10:31 AM
In T137805#5225739, @Dvorapa wrote:

We can use BotPasswords to make tests pass and avoid warnings, but it would mean we have one password for Beta Cluster wikis, another password for Wikimedia wikis and another password for musicbrainz wiki

I see two problems there:

  • the botpasswords file does only contain tuples for different users but not for different sites
  • botpasswords are in plain text
Udo_T unsubscribed.May 31 2019, 10:34 AM
Dvorapa added a comment.EditedMay 31 2019, 10:43 AM
In T137805#5225757, @Xqt wrote:
  • the botpasswords file does only contain tuples for different users but not for different sites

We can fix this in several ways:

  • add a possibility to store different wiki farms in botpasswords file
  • create multiple environment variables like PYWIKIBOT_BOTPASSWD_WIKI, PYWIKIBOT_BOTPASSWD_BETA, PYWIKIBOT_BOTPASSWD_MB and update .travis.yml to use the one it needs ...

See also:

In T143905#3223779, @Framawiki wrote:
  • what about same username on different wiki farms ?
In T137805#5225757, @Xqt wrote:
  • botpasswords are in plain text

It has permissions so only the author can view the file, but I'm not sure, how cross-platform this thing is

Dvorapa added subscribers: XZise, zhuyifei1999.May 31 2019, 10:49 AM
valhallasw added a comment.May 31 2019, 5:54 PM
  • Wouldnt ("en", "wikipedia", "my_username", BotPassword("botpassword suffix", "bot password")) work in the password file? See LoginManager.readPassword in login.py.
    • If not, that sounds like something we should support...
  • I believe it is possible to pass the botpassword in the classic login process by using "prefix@password" as password (this is not clearly documented on mw.org but is shown after creating a botpassword).
Anomie added a comment.Jun 10 2019, 7:25 PM
In T137805#5226704, @valhallasw wrote:
  • I believe it is possible to pass the botpassword in the classic login process by using "prefix@password" as password (this is not clearly documented on mw.org but is shown after creating a botpassword).

It is indeed. That option was added specifically with pywikibot in mind, see T142304: Allow using a bot password with base username .

Dvorapa added a comment.Jun 10 2019, 7:49 PM
In T137805#5247968, @Anomie wrote:
In T137805#5226704, @valhallasw wrote:
  • I believe it is possible to pass the botpassword in the classic login process by using "prefix@password" as password (this is not clearly documented on mw.org but is shown after creating a botpassword).

It is indeed. That option was added specifically with pywikibot in mind, see T142304: Allow using a bot password with base username .

Of course, but still we have different Botpassword for Beta Cluster and different for wikis, which is a thing we need to overcome somehow. I suggested to have an environment variable containing Botpassword for each wiki family we use to test (I think there are 3 or 4 of them), which needs some additional code to make it work, but it should work.

Anomie added a comment.Jun 10 2019, 7:54 PM

What do you do now, without BotPasswords? Have your test account have the same password everywhere?

Dvorapa added a comment.Jun 10 2019, 9:29 PM
In T137805#5248026, @Anomie wrote:

What do you do now, without BotPasswords? Have your test account have the same password everywhere?

Ehm, yes. This is what we discussed above. It has been easy to use in tests on Travis CI

valhallasw added a comment.Jun 11 2019, 7:09 PM
In T137805#5248010, @Dvorapa wrote:

Of course, but still we have different Botpassword for Beta Cluster and different for wikis, which is a thing we need to overcome somehow. I suggested to have an environment variable containing Botpassword for each wiki family we use to test (I think there are 3 or 4 of them), which needs some additional code to make it work, but it should work.

As far as I understand, a password file can contain multiple entries to support multiple passwords for multiple usernames/sites/etc.
https://docs.travis-ci.com/user/encrypting-files/ suggests Travis supports encrypting entire files, so it should be possible to skip the environment variables altogether, and just encrypt the passwords file.

Dvorapa added a comment.EditedJun 11 2019, 8:41 PM

I see. I'm not sure I understand correctly, where the file would be located, but anyway, this seems doable.

Xqt added a parent task: T225591: Make Travis and Appveyor pass again.Jun 12 2019, 8:06 AM
Xqt added a subtask: T224712: Attempt to login fails several times.Jun 12 2019, 8:11 AM
Dvorapa mentioned this in T244062: test_create_short_link of page_tests.TestShortLink fails with strange APIError.Feb 12 2020, 6:09 PM
Dvorapa added a comment.EditedFeb 18 2020, 11:31 PM

I think T137805 and T224712 are the same issue. Tests fail randomly on zh.wikisource.org

Dvorapa mentioned this in T248471: login() with retry=True might delete correct password if unknown APIError occurs.Mar 27 2020, 4:31 PM
Dvorapa claimed this task.Mar 27 2020, 4:34 PM
gerritbot added a comment.Mar 27 2020, 9:00 PM

Change 584017 had a related patch set uploaded (by Dvorapa; owner: Dvorapa):
[pywikibot/core@master] [bugfix] Resolve action=login deprecation warning

https://gerrit.wikimedia.org/r/584017

gerritbot added a project: Patch-For-Review.Mar 27 2020, 9:00 PM
gerritbot added a comment.Mar 27 2020, 10:29 PM

Change 584017 merged by jenkins-bot:
[pywikibot/core@master] [bugfix] Resolve action=login deprecation warning

https://gerrit.wikimedia.org/r/584017

Dvorapa mentioned this in rPWBC7b50e1aedc70: [bugfix] Resolve action=login deprecation warning.Mar 27 2020, 10:30 PM
Maintenance_bot removed a project: Patch-For-Review.Mar 27 2020, 11:10 PM
Kizule added a comment.Mar 27 2020, 11:52 PM

I don't see this error :) Finally!!

kizule@kizule-laptop1:~/Desktop/development/pywikibot-core$ python pwb.py login
WARNING: No user is logged in on site wikipedia:sr
Password for user Zoranzoki21 on wikipedia:sr (no characters will be shown): 
Logging in to wikipedia:sr as Zoranzoki21
Logged in on wikipedia:sr as Zoranzoki21.
kizule@kizule-laptop1:~/Desktop/development/pywikibot-core$
Kizule awarded a token.Mar 27 2020, 11:52 PM
Dvorapa added a comment.Mar 28 2020, 12:08 AM

Yep! \o/

Huji closed this task as Resolved.Mar 28 2020, 12:48 AM
Xqt added a comment.Mar 28 2020, 11:31 AM

Great job, @Dvorapa! Thanks!

Xqt mentioned this in T178061: Reduce (API) warning clutter in login.py after clean installation.Mar 28 2020, 11:32 AM
Dvorapa added a subtask: T248768: clientlogin seems to respond with badtoken instead of NeedToken or WrongToken; but site.tokens is empty when login.Mar 29 2020, 12:14 AM
Dvorapa closed subtask T248768: clientlogin seems to respond with badtoken instead of NeedToken or WrongToken; but site.tokens is empty when login as Resolved.Mar 30 2020, 12:35 AM
Dvorapa reopened subtask T248768: clientlogin seems to respond with badtoken instead of NeedToken or WrongToken; but site.tokens is empty when login as Open.
Dvorapa closed subtask T248768: clientlogin seems to respond with badtoken instead of NeedToken or WrongToken; but site.tokens is empty when login as Resolved.Mar 30 2020, 2:40 PM
Dvorapa reopened subtask T248768: clientlogin seems to respond with badtoken instead of NeedToken or WrongToken; but site.tokens is empty when login as Open.Mar 30 2020, 4:47 PM
Dvorapa closed subtask T248768: clientlogin seems to respond with badtoken instead of NeedToken or WrongToken; but site.tokens is empty when login as Resolved.Mar 30 2020, 9:16 PM
Dvorapa changed the status of subtask T224712: Attempt to login fails several times from Open to Stalled.Apr 6 2020, 5:35 PM
valerio.bozzolan mentioned this in T249526: Misleading warning raised by the login API: "Fetching a token via action=login is deprecated".Apr 6 2020, 6:06 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:40 PM
Xqt changed the status of subtask T224712: Attempt to login fails several times from Stalled to Open.Oct 19 2020, 6:20 AM
Xqt mentioned this in T309898: Fix "Fetching a token via "action=login" is deprecated" when authenticating via bot passwords.Jun 4 2022, 11:48 AM
Xqt closed subtask T224712: Attempt to login fails several times as Resolved.Apr 10 2023, 5:05 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL