
PWB cannot handle bot tokens returned from action=login
Closed, Resolved, Public


After the latest update on, bots are no longer allowed to use the regular user login, but have to use a Bot Password.

I did set up a new bot called Molldust@bot, did set up everything correctly and tried to use pwb:

python login

Logging in to dota2:en as Molldust@bot

WARNING: API warning (login): Fetching a token via action=login is deprecated. Use action=query&meta=tokens&type=login instead.

I tried to track down the issue in the code and landed at

login_request =, parameters=dict(action='login',lgname=self.login_name,lgpassword=self.password))

This sets up the "deprecated" action=login request. Note that MW keeps on supporting this login method for bots until at least 1.29. GP currently supports it as well:

login_result = login_request.submit()

This line finally throws the actual warning when trying to login.

while True:
   elif login_result['login']['result'] == "NeedToken":

Afterwards the login result is parsed. It contains the "NeedToken" string, so another request tries to receive the token again. Then the loop continues from the start.

Conclusion: There is no actual error, just an infinite warning. The login result shows "NeedToken" despite already containing a token. It keeps on looping and preventing a successful login.

Event Timeline

Multiple users are affected by this issue. Not only from PWB, but AWB as well. Both projects might handle the token requests in the same way. I'm not sure whether this is related to the MW-API, because Wikipedia is already on Version 1.29.

If bot login via action=login remains supported, the warning from MW should definitely be revised.

FYI, the warning you report ("Fetching a token via action=login is deprecated. Use action=query&meta=tokens&type=login instead.") doesn't actually have anything to do with BotPasswords.

I note that site is serving a "login_session" cookie with the 'secure' flag set even when accessed via HTTP, which they seem to like redirecting non-API requests to. That's not going to work, and would give the "infinite NeedToken" result you report. You may want to double check that you're accessing the API at that site via HTTPS.

Thanks! Adding this snippet to the family file fixed it:

def protocol(self, code):
    return 'HTTPS'


On the other hand, it might make sense to change the default behaviour to HTTPS without this snippet. I'll inform GP about the secure flag.

Mollgear claimed this task.
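
The Secure-cookie diagnosis from the thread, reproduced offline as an added example (not code from Pywikibot or from anyone in this task): Python's `http.cookiejar` withholds a cookie marked Secure on an `http://` request, so a toy server never sees the session and keeps answering NeedToken. The host name, cookie value, `fake_api_login` and the retry bound are assumptions made for illustration.

```python
import http.cookiejar
import urllib.request

API_HOST = "wiki.example.org"  # placeholder host, not the site from the report


def make_session_cookie(secure):
    """Build the session cookie a server sets alongside the login token (constructed value)."""
    return http.cookiejar.Cookie(
        version=0, name="login_session", value="abc123", port=None,
        port_specified=False, domain=API_HOST, domain_specified=False,
        domain_initial_dot=False, path="/", path_specified=True,
        secure=secure, expires=None, discard=True, comment=None,
        comment_url=None, rest={})


def cookie_sent(jar, scheme):
    """Return the Cookie header the client would attach for this scheme, or None."""
    req = urllib.request.Request(f"{scheme}://{API_HOST}/api.php")
    jar.add_cookie_header(req)  # applies the jar's policy, including the Secure check
    return req.get_header("Cookie")


def fake_api_login(cookie_header, token):
    """Toy server: without the session cookie it cannot match the token to a session."""
    has_session = bool(cookie_header) and "login_session=abc123" in cookie_header
    if has_session and token == "tok":
        return {"login": {"result": "Success"}}
    return {"login": {"result": "NeedToken", "token": "tok"}}


def login(scheme, secure_cookie=True, max_attempts=3):
    """Two-step login that bounds NeedToken retries instead of looping forever."""
    jar = http.cookiejar.CookieJar()
    token = None
    for attempt in range(1, max_attempts + 1):
        result = fake_api_login(cookie_sent(jar, scheme), token)["login"]
        if result["result"] == "Success":
            return ("Success", attempt)
        # NeedToken: keep the token and store the session cookie the server set
        token = result["token"]
        jar.set_cookie(make_session_cookie(secure_cookie))
    return ("NeedToken loop: session cookie never returned", max_attempts)


if __name__ == "__main__":
    print(login("https"), login("http"))
```

A client that counts consecutive NeedToken answers, as `login` does here, can report the missing session cookie instead of retrying indefinitely.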