
Remove old action api token parameters
Open, Needs Triage, Public


On Nov 18 2014 the action API CSRF token management was refactored and all old ways of obtaining the tokens were deprecated. Deprecation warnings have been emitted via API responses for more than 6 years now; it's time to drop the old code.

Event Timeline

Some investigation using the api-feature-usage debug log:

Over the 9-hour period there have been 18250 calls to the API. A bit of user-agent breakdown:

14068 - 78% - Peachy MediaWiki Bot API Version 2.0 - Cyberbot_I - filed cc @Cyberpower678
2442 - 13% - wAPI/1.1 - Cyberbot_I - cc @Cyberpower678

The rest, 9% of the requests, have browsers as user agents and seem to be some user scripts. Once the major usages are removed, we can try to contact users running those scripts, or break them.

Change 681393 had a related patch set uploaded (by Ppchelko; author: Ppchelko):

[mediawiki/core@master] Drop action api token methods deprecated in 1.24

@Legoktm has correctly pointed out that action=query&meta=userinfo&uiprop=preferencestoken has to be removed as well.

cat /srv/mw-log/api-feature-usage.log | grep preferencestoken | gawk '{ if (match($0,/"agent":"([^"]*)"/,m)) print m[0] }' | sort | uniq -c

      1 "agent":" Pywikipediabot/1.0 Unknown"
      1 "agent":" Pywikipediabot/1.0 Unknown"
      3 "agent":"Pywikibot (User:Saper) deleted"
      1 "agent":" Pywikipediabot/1.0"
      2 "agent":" Pywikipediabot/1.0 BinBot"
      7 "agent":" Pywikipediabot/1.0 Unknown"
      1 "agent":" Pywikipediabot/1.0 Rezabot"
      1 "agent":" Pywikipediabot/1.0"
      3 "agent":" Pywikipediabot/1.0 Fatranslator"
      2 "agent":" Pywikipediabot/1.0 FawikiPatroller"
      1 "agent":" Pywikipediabot/1.0 Rezabot"
      1 "agent":" Pywikipediabot/1.0 Fatranslator"
      1 "agent":" Pywikipediabot/1.0 Rezabot"
      1 "agent":" Pywikipediabot/1.0 Rezabot"
      2 "agent":" Pywikipediabot/1.0 Rezabot"
     16 "agent":" Pywikipediabot/1.0 Unknown"
      1 "agent":" Pywikipediabot/1.0 Fawikibot"

Coming from wikitech to this task. I once crafted (or at least enhanced) a couple dashboards in Kibana which are linked from the main page.

The first one lets you easily pick a deprecated feature and list top usernames/agents as well as the raw events:

The second is more geared toward tracking a specific bot or user:

You can then hunt the deprecated one by querying against feature.keyword; for example, feature.keyword:*preferencestoken* would match action=query&meta=userinfo&uiprop=preferencestoken
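
A JSON-aware version of the per-agent count done with grep and gawk above, and of the feature.keyword substring match, as an added example that is not part of the original thread. Unlike the `[^"]*` regex it keeps user agents that contain escaped quotes intact and counts truncated entries instead of mis-parsing them. It assumes each log line ends in one JSON object with "feature" and "agent" keys (an assumption based on the "agent" field shown in the output above and the dashboards' feature field); the sample lines and agent names are constructed.

```python
import json
from collections import Counter

# Constructed sample lines, not real log data. Assumed layout: an optional
# text prefix followed by one JSON object carrying "feature" and "agent".
SAMPLE_LOG = r'''
2021-04-20 10:00:01 host wiki: {"feature":"action=query&meta=userinfo&uiprop=preferencestoken","agent":"ExampleBot/1.0 Alpha"}
2021-04-20 10:00:02 host wiki: {"feature":"action=query&meta=userinfo&uiprop=preferencestoken","agent":"ExampleBot/1.0 Alpha"}
2021-04-20 10:00:03 host wiki: {"feature":"action=example&deprecated=param","agent":"ExampleBot/1.0 Alpha"}
2021-04-20 10:00:04 host wiki: {"feature":"action=query&meta=userinfo&uiprop=preferencestoken","agent":"Script \"quoted\" UA"}
2021-04-20 10:00:05 host wiki: {"feature":"action=query&meta=userinfo&uiprop=preferencestoken","agent":"Cut
'''


def agents_for_feature(lines, needle):
    """Count user agents on lines whose "feature" contains `needle`.

    Returns (Counter of agent -> hits, number of unparseable lines).
    """
    counts, skipped = Counter(), 0
    for line in lines:
        start = line.find("{")
        if start < 0:
            continue  # blank line or no JSON payload
        try:
            event = json.loads(line[start:])
        except json.JSONDecodeError:
            skipped += 1  # truncated or corrupt entry: count it, do not guess
            continue
        if needle in event.get("feature", ""):
            counts[event.get("agent", "<missing>")] += 1
    return counts, skipped


def breakdown(counts):
    """Rows of (hits, percent of total, agent), most frequent first."""
    total = sum(counts.values())
    return [(n, round(100 * n / total), agent) for agent, n in counts.most_common()]


if __name__ == "__main__":
    counts, skipped = agents_for_feature(SAMPLE_LOG.splitlines(), "preferencestoken")
    for hits, pct, agent in breakdown(counts):
        print(f"{hits:7d} - {pct}% - {agent}")
    print(f"skipped {skipped} unparseable line(s)")
```

A non-zero skipped count means the totals understate real usage, which matters when deciding that a deprecated parameter is safe to drop.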