I've just submitted Gerrit change 153110[1] which will overhaul the token
handling in the API, as described on the API Roadmap RFC.[2] The patch is
not merged yet, feel free to join in the code review or reply with
comments. Follow the Gerrit change for any changes to the information
below. A followup to this announcement with deployment dates will be sent
once the change is merged.

For clients, all the old methods of fetching tokens will continue to work
with deprecation warnings. Usage levels of the deprecated methods on
queries to WMF wikis will be evaluated once the MediaWiki 1.25 development
cycle begins.

Changes visible to clients include:
* All tokens are available from the new meta=tokens query submodule.
** The "centralauth" token, which was provided by action=tokens but wasn't
really a token in the sense of the rest, is now available from
** Note that it is possible to use meta=tokens along with other query prop,
list, and meta modules.
* The help for all token parameters clearly indicates which type of token
is needed.
* The output from action=paraminfo includes the token type as a property on
the subobject describing the token parameter.
* All tokens may be cached as long as the session is valid; none are
dependent on factors such as the page being edited or the user being
* Most token types have been replaced with a single 'csrf' token. This has
long been the case in practice (e.g. see [3]); this just makes it official.
* The tokens returned for action=rollback and action=userrights (and
certain extension modules) are no longer the same tokens used in the
corresponding features in the web UI. The web UI tokens are accepted by the
API for compatibility, but not vice versa.
* Any API query (with a few exceptions, mainly queries to the 'feed'
modules) will return the current timestamp when passed the 'curtimestamp'
parameter. This may be used to fetch the starttimestamp necessary for

For extension authors, if your extension uses the core token handling it
*will* need updating. I've already submitted patches for the 26 extensions
hosted in WMF's Gerrit repository. The necessary changes are:
* needsToken() must return a string or false; true will result in an error.
Unless there are special security issues that require a custom salt, 'csrf'
should be returned.
** Since any truthy string is equivalent to the old behavior of returning
boolean true, this will continue to work with older versions of MediaWiki.
* If a custom salt is needed, the new 'ApiQueryTokensRegisterTypes' hook
must be used to register it.
* If the web UI will be using a different salt (e.g. because it's included in
links rather than posted form fields), a method getWebUITokenSalt() may be
overridden to supply this salt for compatibility.
* It is no longer necessary to return data for 'token' from
getAllowedParams() or getParamDescription(). Any return from
getAllowedParams() will be overridden; a string from getParamDescription()
will also be overridden with a standard message, while an array will have
the standard message prepended.
** Compatibility with older versions of MediaWiki may be maintained by
continuing to return data for 'token' from getAllowedParams() and a string
for 'token' from getParamDescription().
* getTokenSalt() is no longer called or defined in ApiBase, and may be
removed once compatibility with older versions of MediaWiki is no longer

 [1]: https://gerrit.wikimedia.org/r/#/c/153110/

Brad Jorsch (Anomie)
Software Engineer
Wikimedia Foundation
Mediawiki-api-announce mailing list
Mediawiki-api mailing list
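The following is an added example, not code from the announcement or from any real extension, showing what an extension's API write module looks like after the changes listed above for extension authors. All names are hypothetical: the extension "ExampleExt", the module class ApiExampleAct, the module name and token type 'exampleact', and the hook class ExampleExtHooks. It assumes the core ApiBase methods named in the announcement (needsToken(), getWebUITokenSalt(), getAllowedParams(), getParamDescription()) and the 'ApiQueryTokensRegisterTypes' hook receiving a by-reference array of token type name => salt.

```php
<?php
// Added example (hypothetical extension "ExampleExt"); not part of the
// announcement or of any shipped extension.

class ApiExampleAct extends ApiBase {

	public function execute() {
		// The token has already been validated by ApiMain before execute()
		// runs, using the salt selected by needsToken(); nothing to check here.
		$params = $this->extractRequestParams();
		$title = Title::newFromText( $params['title'] );
		if ( !$title ) {
			$this->dieUsageMsg( array( 'invalidtitle', $params['title'] ) );
		}

		// The module's real work would go here.

		$this->getResult()->addValue( null, $this->getModuleName(), array(
			'result' => 'Success',
			'title' => $title->getPrefixedText(),
		) );
	}

	public function mustBePosted() {
		return true;
	}

	public function isWriteMode() {
		return true;
	}

	// New behaviour: return the token type as a string (true is now an error).
	// 'csrf' is the right answer unless a custom salt is genuinely needed; this
	// module uses a custom type only to show the registration hook below.
	// Any truthy string still works on older MediaWiki, which only checked
	// for a truthy return value.
	public function needsToken() {
		return 'exampleact';
	}

	// Compatibility with this feature's web UI, which (hypothetically) puts
	// its token in links salted with the page title. The API accepts that
	// salt in addition to the API one; the web UI does not accept API tokens.
	protected function getWebUITokenSalt( array $params ) {
		return $params['title'];
	}

	public function getAllowedParams() {
		return array(
			'title' => array(
				ApiBase::PARAM_TYPE => 'string',
				ApiBase::PARAM_REQUIRED => true,
			),
			// Still returned for older MediaWiki; the new core overrides it.
			'token' => array(
				ApiBase::PARAM_TYPE => 'string',
				ApiBase::PARAM_REQUIRED => true,
			),
		);
	}

	public function getParamDescription() {
		return array(
			'title' => 'Title of the page to act on',
			// A string here is replaced by the standard token message on the
			// new core; an array would get the standard message prepended.
			'token' => 'An "exampleact" token from action=query&meta=tokens',
		);
	}

	public function getDescription() {
		return 'Perform the ExampleExt action on a page.';
	}
}

class ExampleExtHooks {
	// Registers the custom token type so that
	// action=query&meta=tokens&type=exampleact can hand it out.
	// $salts maps token type name => salt string.
	public static function onApiQueryTokensRegisterTypes( &$salts ) {
		$salts['exampleact'] = 'exampleact';
		return true;
	}
}

// Wiring that would live in the extension's setup file (hypothetical):
$wgAPIModules['exampleact'] = 'ApiExampleAct';
$wgHooks['ApiQueryTokensRegisterTypes'][] =
	'ExampleExtHooks::onApiQueryTokensRegisterTypes';
```

A client would fetch the token with action=query&meta=tokens&type=exampleact and POST it as the token parameter of action=exampleact. A module with no special salt requirements would instead return 'csrf' from needsToken(), omit getWebUITokenSalt() and the hook entirely, and keep only the 'token' entries in getAllowedParams() and getParamDescription() for compatibility with older versions.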
