Page MenuHomePhabricator
Create Task
Maniphest T159523

PWB cannot handle bot tokens returned from action=login
Closed, ResolvedPublic
Actions

Description

After the latest update on gamepedia.com, bots are no longer allowed to use the regular user login, but have to use a Bot Password

I did setup a new bot called Molldust@bot, did setup everything correctly and tried to use pwb:

python pwb.py login

Logging in to dota2:en as Molldust@bot

WARNING: API warning (login): Fetching a token via action=login is deprecated. Use action=query&meta=tokens&type=login instead.

I tried to track down the issue in the code and landed at api.py:

login_request = self.site._request(use_get=False, parameters=dict(action='login',lgname=self.login_name,lgpassword=self.password))

This sets up the "deprecated" action=login request. Note that the MW keeps on supporting this login methods for bots until at least 1.29. GP currently supports it as well:

login_result = login_request.submit()

This line finally throws the actual warning when trying to login.

while True:
   [...]
   elif login_result['login']['result'] == "NeedToken":
      [...]
      continue

Afterwards the login result is parsed. It contains the "NeedToken" string, so the token is tried be received again with another request. Then the loop continues from the start.

Conclusion: There is no actual error, just an infinite warning. The login results shows "NeedToken" despite already containing a token. It keeps on looping and preventing a successful login.

Related Objects

Event Timeline

Mollgear created this task.Mar 3 2017, 11:48 AM
Restricted Application added subscribers: pywikibot-bugs-list, Aklapper. · View Herald TranscriptMar 3 2017, 11:48 AM
Mollgear updated the task description. (Show Details)Mar 3 2017, 11:49 AM
Mollgear added a comment.Mar 3 2017, 11:55 AM

Multiple users are affected by this issue. Not only from PWB, but AWB as well. Both projects might handle the token requests in the same way. I'm not sure whether this is related to the MW-API, because Wikipedia is already on Version 1.29.

If bot login via action=login remains supported, the warning from MW should definitely be revised.

Anomie moved this task from Unsorted to Non-core-API stuff on the MediaWiki-Action-API board.Mar 3 2017, 2:15 PM
Anomie subscribed.Mar 3 2017, 2:39 PM

FYI, the warning you report ("Fetching a token via action=login is deprecated. Use action=query&meta=tokens&type=login instead.") doesn't actually have anything to do with BotPasswords.

I note that site is serving a "login_session" cookie with the 'secure' flag set even when accessed via HTTP, which they seem to like redirecting non-API requests to. That's not going to work, and would give the "infinite NeedToken" result you report. You may want to double check that you're accessing the API at that site via HTTPS.

Mollgear added a comment.EditedMar 3 2017, 2:55 PM

Thanks! Adding this snippet to the familiy file fixed it:

def protocol(self, code):                                                         
    return 'HTTPS'

Source

On the other hand, it might make sense to change the default behaviour to HTTPS without this snippet. I'll inform GP about the secure flag.

Mollgear closed this task as Resolved.Mar 3 2017, 2:58 PM
Mollgear claimed this task.
valerio.bozzolan mentioned this in T249526: Misleading warning raised by the login API: "Fetching a token via action=login is deprecated".Apr 6 2020, 6:06 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:39 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL