Currently APISite includes hard-coded lists of tokens. These lists should instead be obtained using the API paraminfo. The API token interface has changed a few times, and therefore depending on the version, the list of tokens for the site is found in the paraminfo of different modules.
http://www.wikia.com/api.php?format=jsonfm&action=paraminfo&querymodules=info
http://en.wikipedia.org/w/api.php?format=jsonfm&action=paraminfo&querymodules=tokens
| Subject | Repo | Branch | Lines +/- | |
|---|---|---|---|---|
| Verifies tokens from paraminfo | pywikibot/core | master | +27 -56 |
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Invalid | None | T72936 Important tasks to be solved (tracking) | |||
| Open | Feature | None | T57880 Functionality existing in compat but missing from core (tracking) | ||
| Resolved | droid | T74206 Port patrol.py to core | |||
| Resolved | Mpaa | T85727 Fetching the patrol token for earlier versions | |||
| Resolved | jayvdb | T75513 Tests fail on Wikia | |||
| Resolved | Omegat | T85353 Skip tests when the user does not have necessary tokens on the wiki being tested | |||
| Open | None | T78390 Load volatile information at run-time from the API (tracking) | |||
| Open | None | T229364 CSRF token issues (tracking) | |||
| Open | None | T78393 Load token types needed for each API module from the API | |||
| Resolved | akashagarwal | T72965 Requests global account tokens on all wikis | |||
| Resolved | jayvdb | T85725 token methods should use the list of tokens in paraminfo |
One main problem here is how to determine if a token name like edit is actually a csrf token. We could do it similar to the current implementation that we have a static set which contains all tokens which are mapped to the csrf token. As this is about past tokens, this set won't change (unless other tokens at a later point are mapped to a csrf token). One problem there is that it doesn't detect if tokens by extensions are mapped now to the csrf token.
Another suggestion was to look in the paraminfo for prop=info and compare that list (which does contain all token names except the csrf token, but those mapped to csrf) to the new meta=tokens paraminfo. Problem there is, that intoken is deprecated so at some point this will break.
Change 196450 had a related patch set uploaded (by Akashagarwal):
Verifies tokens from paraminfo
@XZise, re your Jan 3 comment about csrf, do we need to do any more here? Is a new task needed to flesh out the problem? Or please re-open if the recently merged code has regressed some aspect of handling tokens.
Well @akashagarwal has implemented in such a way that it behaves like before. The only problem there is when action=tokens or prop=info&intoken=… are removed because then the code can't compare it to anything.
Fyi: With T78393: Load token types needed for each API module from the API we could lessen that impact by avoiding statically using ”edit” and such. But scripts themselves might not be fixed by that.