Trying to log in using a BotPassword from the wrong IP gives incorrect password error
Open, Needs Triage, Public

Description

"<?xml version="1.0"?><api><login result="Failed" reason="Incorrect password entered.&#10;Please try again." /></api>"

This is on action=login using format=xml (sorry, I found this via Huggle :()

Krenair created this task. Jan 9 2017, 10:15 PM

The result for such a reason should always be WrongPass anyway

Anomie added a subscriber: Anomie. Jan 9 2017, 10:21 PM

This comes from the backwards compatibility to allow people to try to still log in with the main account via action=login: if the BotPassword login fails, it tries it as a main-account login instead and returns the error from that.

> The result for such a reason should always be WrongPass anyway

ApiLogin doesn't return WrongPass since 1.27. Only NeedToken, WrongToken, Success, Failed, or Aborted.

Tgr added a subscriber: Tgr. Jan 10 2017, 6:06 AM

The bot login error could just be displayed as a warning. That's unlikely to break any legacy bots (and if the bot login failed, there is not much left to break anyway).

Just as a historical note, when we added deprecation warnings to ApiLogin for the deprecation of NeedToken it broke several bots. ;)

Another thing we could potentially do is to use the BotPassword response if the AuthManager login failed and the username specified doesn't exist. There's potential for false positives there too (e.g. a central account with no local account), but I'm not inclined to spend a whole lot of effort on this.
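
A client-side check for the behaviour discussed in this thread, as an added example that is not part of the task or of MediaWiki's code: it parses the action=login XML response and flags a Failed result on a bot-password login whose reason may have been replaced by the main-account fallback. The function name, the account name used with it, and the assumption that bot-password login names contain "@" are not from the thread.

```python
import xml.etree.ElementTree as ET

# Result values the thread lists for ApiLogin since MediaWiki 1.27.
KNOWN_RESULTS = {"NeedToken", "WrongToken", "Success", "Failed", "Aborted"}

# Sample input: the response quoted in the task description.
SAMPLE = ('<?xml version="1.0"?><api><login result="Failed" '
          'reason="Incorrect password entered.&#10;Please try again." /></api>')


def diagnose_login(xml_text, username):
    """Return (result, reason, hints) for an action=login XML response."""
    root = ET.fromstring(xml_text)
    login = root.find("login")
    if login is None:
        raise ValueError("no <login> element in response")
    result = login.get("result", "")
    reason = login.get("reason", "")  # &#10; is decoded to a newline
    hints = []
    if result not in KNOWN_RESULTS:
        # Legacy clients may still expect pre-1.27 values such as WrongPass.
        hints.append(f"unexpected result {result!r}")
    # Assumption: bot-password logins use the "User@appname" name form.
    if result == "Failed" and "@" in username:
        # Per the thread, a failed BotPassword login is retried as a
        # main-account login and that second error is what gets returned.
        hints.append("reason may come from the main-account fallback; "
                     "check the bot password's IP restriction")
    return result, reason, hints


if __name__ == "__main__":
    # "Example@huggle" is a constructed account name.
    result, reason, hints = diagnose_login(SAMPLE, "Example@huggle")
    print(result)
    print(reason)
    for hint in hints:
        print("hint:", hint)
```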