Page MenuHomePhabricator
Create Task
Maniphest T150645

BotPasswords login fails in Pywikibot core
Closed, InvalidPublic
Actions

Description

After applying two-factor authentication (2FA) to my account, I wanted to keep on using my collection of handy Pywikibot command line scripts without the hassle of OAuth. Following the manual guidelines at https://www.mediawiki.org/wiki/Manual:Pywikibot/BotPasswords works, so long as a passwords file is created locally, in that a terminal session logs in, however pywikibot core fails to pick up the login credentials. Note that login.py would break at the stage of getting cookies if manual login was tried rather than a passwords file. I ran a git pull yesterday for Pywikibot core, so my local version is the latest.

With the pressure to move admin accounts to using the more secure 2FA option, and the likelihood of this later rolling out for all accounts, this bug runs counter to the advice being given to volunteers for continued API access for script users.

As an example I have set up a bot password for Fæ@uploader with extensive rights including uploading files and editing pages. Pywikibot's login.py correctly applies it, however pywikibot modules then fail to apply it:

Example at login

core fae$ python pwb.py login
Logging in to commons:commons as Fæ@uploader
Logged in on commons:commons as Fæ.

core fae$ python
Python 2.7.10 (default, Jul 14 2015, 19:46:27) 
[GCC 4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.39)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import pywikibot
>>> site = pywikibot.getSite('commons', 'commons')
>>> print site.userinfo['name']
> < here my IP address gets displayed rather than the expected account name >
>>>

Example failure when running an upload script after appearing to correctly log in

User 'None' does not have upload rights on site commons:commons.

Further investigation shows that using login.py with a BotPasswords account, creates a faulty cookie in pywikibot.lwp. This lacks commonswikiUserName, centralauth_Token etc. It is likely that this is the source of the problem.

Related Objects

Event Timeline

Fae created this task.Nov 14 2016, 10:18 AM
Restricted Application added subscribers: pywikibot-bugs-list, Aklapper. · View Herald TranscriptNov 14 2016, 10:18 AM
Fae awarded a token.Nov 14 2016, 10:22 AM
Fae updated the task description. (Show Details)Nov 14 2016, 7:20 PM
Revent subscribed.Nov 14 2016, 8:43 PM
Fae added a comment.Nov 15 2016, 12:07 PM

After digging into login.py, I'm wondering if we should be recommending that BotPasswords is avoided. Authorizing OAuth for user accounts wanting to simply run scripts for themselves, rather than making apps for others, happens automatically without needing any human approvals. For Pywikibot, once the user has their credentials, they simply add paste them into their local user-config.py, no other steps needed to get them to work.

If Pywikibot's login.py is not going to accept BotPasswords, I suspect the same should happen for AWB and other tools, so that security is at least as good as relying on OAuth. Rather than letting this float on without resolution, it may actually be more positive and ask if any tools really need to rely on a BotPasswords solution.

Lokal_Profil subscribed.Nov 15 2016, 7:05 PM

If you add site.login() to your script it should log you in with the right credentials (it does for me).

zhuyifei1999 subscribed.Feb 3 2017, 11:29 AM

FWIW, in your case, using as the username and uploader@<whatever your BotPassword is> will work. This is what my bots use.

Lokal_Profil added a comment.Mar 7 2017, 8:03 AM

@fæ Is this still an issue or did the .login() fix it for you?

Framawiki subscribed.Apr 25 2017, 11:25 PM

@Fae good ping :)

Framawiki triaged this task as Low priority.Apr 25 2017, 11:33 PM

I can reproduce the "bug" if I deliberately use a bad secretPassword, like putting (u'Valhallasw', BotPassword(u'replace-on-tools', u'mysupersecretbotpassword')) in passwordfile and follow https://www.mediawiki.org/wiki/Manual:Pywikibot/BotPasswords.

So @Fae it's look like you can solve your problem by using (u'Fæ', BotPassword(u'uploader', u'<whatever your BotPassword is>')) as explained by @zhuyifei1999. Is it ok ?

MarcoAurelio mentioned this in T168789: delete.py asking for credentials before each deletion every time.Jun 25 2017, 12:28 PM
Dvorapa added a project: TestMe.Oct 12 2017, 3:04 PM
Restricted Application added a subscriber: TerraCodes. · View Herald TranscriptOct 12 2017, 3:04 PM
binbot subscribed.Oct 12 2017, 9:01 PM
Framawiki closed this task as Invalid.Dec 12 2017, 6:31 PM

Closing as invalid per Fae comment. Will re-open it if it reappears.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL