Page MenuHomePhabricator

[dev] Move password and retype fields to POST body
Closed, ResolvedPublic


The Android app's LoginTask currently issues requests with the password and retype fields as parameters instead of body fields. This task encompasses the work to move these fields to the body of the request and also check the app for any other offenders described in Brad's email.

[Mediawiki-api-announce] DEPRECATION: Passwords and other sensitive fields for authentication must be in the POST body

For improved safety, passwords and other sensitive fields for authentication should not be included in the request URI during a POST. Instead, they should be in the POST body where they are less likely to be included in log files. With the merge of Gerrit change 305545,[1] the API will now produce a warning if such fields are detected in the URI. This should be deployed to WMF wikis with 1.28.0-wmf.16, see for the schedule.

This affects the following modules and fields:

  • action=login: 'lgpassword'
  • action=clientlogin, action=createaccount, action=linkaccount, and action=changeauthenticationdata: Any fields reported as "sensitive" by action=query&meta=authmanagerinfo or by UI or REDIRECT responses. Currently, this affects the 'password' and 'retype' fields.

The 'lgtoken' field for action=login will now also issue a warning if placed in the request URI. The error code for other tokens being in the request URI has changed from 'mustposttoken' to 'mustpostparams'.

To check if your client's user agent is detected making such submissions, you can also use ApiFeatureUsage[2] and look for '<action>-params-in-query-string' once 1.28.0-wmf.16 is rolled out to wikis your client is logging in to.

It is planned that these warnings will be changed to errors during 1.29. Let's avoid having a repeat of T142155,[3] update your code ASAP instead of waiting until it breaks. Thanks.


Event Timeline

Mholloway triaged this task as Medium priority.

I believe Retrofit forces us to handle this correctly but let's remember to check for it before merging @bearND's Retrofit login patch.

@Mholloway, I believe this was indeed fixed by our new LoginClient. @bearND, can you confirm and add to the current sprint if so?

They are now sent in the POST body.