
"invalid CSRF token" from Commons in wikibase-cli
Open, Needs Triage | Public | BUG REPORT

Description

This morning, attempted edits to Commons via wikibase-cli are met with an "invalid CSRF token" error. This appears similar to T403519: "Several mwapi (Python) based tools are failing to edit: badtoken: Invalid CSRF token."

@Lucas_Werkmeister_WMDE suggests it may be related to today's changes for T402808 and T399631. Thanks!

Event Timeline

JWT cookies weren't enabled on Commons this morning (I assume that's EU morning?). The session backend changes are unlikely to result in session loss.

What authentication method does wikibase-cli use? When did you notice the issue? Is it still happening?

I noticed it about 1400 UTC (it must have started before that), and it's still happening. Wikibase-cli can use either OAuth or username/password - I am using the latter with a bot password for Commons. It is not occurring with Wikidata, where I am using OAuth, but the OAuth token does not work for Commons.

There were no session-related changes before 14 UTC. Maybe it broke the previous day; that would indicate the MultiBackendSessionStore group1 deployment (although I still think that's unlikely). Let me see if I can reproduce.

I've been able to use OAuth on Commons, so this is no longer a pressing issue for me, but I was able to use username/password previously, so it may still be worth looking into why that started to fail, for other users. I know it's not a matter of incorrect credentials, because the API gives a different error when I do that.

How were you logging in before? Were you using a bot password or the account’s “normal” password? Using action=login or action=clientlogin?