Anomie added a comment.

In T137805#2778915, @MaxBioHazard wrote:
> When the old login method will be turned off?

There are currently no plans to turn it off. However, if something makes the "main account" login process require anything beyond the submission of a username and password field, action="" will just fail. That's why it's deprecated outside of use with BotPasswords, which themselves were created specifically so there would be a way for action="" to reliably keep working for bots instead of requiring that all bots convert to using OAuth.
For example, if your password needs to be reset, Special:UserLogin will return a second page asking you to change your password before actually logging you in and action="" will return a response with a similar request, while action="" will just fail.
For another example, if you enable two-factor authentication[1] on the bot's account, Special:UserLogin will return a second page asking for the second factor and action="" will return a response with a similar request, while action="" will just fail.
For still another example, if failed login attempts from your IP cause a captcha to be displayed on Special:UserLogin, the process for using action="" will signal that and will indicate how to submit the captcha answer, while action="" will not be able to signal it and attempting to log in will just fail because no captcha answer can be supplied.
[1] 2FA is technically deployed already, but needs a special user right to be able to turn it on. I guess a wider deployment is stuck on T100375 and its subtasks.
In T137805#2754035, @Xqt wrote:
> There is another message coming in front of that above:
> WARNING: API warning (login): Fetching a token via action="" is deprecated. Use action="" instead.

That's an unrelated warning.
- Long ago, you could log in with action="" by just providing a username and password.
- Then it was realized this was a CSRF vulnerability, so now you have to provide a username, password, and a CSRF token to be able to log in. The only way to get this token was to hit action="" without providing a token, in which case you'd get a NeedToken response with the necessary token.
- Some time later, all token fetching was consolidated into action="" and other methods of fetching a token were deprecated.
Again, there are no plans to actually remove the ability to fetch the login token by hitting action="" and getting a NeedToken response any time soon. Someday it might be removed, if the logs behind Special:ApiFeatureUsage indicate that reasonably close to no one is hitting this warning anymore. But it has been hit 85914 times just in the past 24 hours, so that day doesn't seem like it'll be coming any time soon.
Cc: Anomie, MaxBioHazard, Huji, Glavkos, Vladis13, MZMcBride, DrTrigon, Udo_T, Aschroet, MarcoAurelio, Jogo.obb, valhallasw, jayvdb, Aklapper, Zppix, Xqt, pywikibot-bugs-list, MayS, Mdupont, JJMC89, Alchimista, Rxy
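The token handshake from the history in the comment above, as an added example that is not part of the original comment and is not MediaWiki's or Pywikibot's code: a toy in-memory login endpoint that answers a token-less request with NeedToken and only accepts a resubmission carrying the token issued to the same session. `LoginEndpoint`, its field names, the single-use token policy and the result strings other than `NeedToken` are assumptions of this model.

```python
import hmac
import secrets


def _same(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


class LoginEndpoint:
    """Toy model of a login API that requires a session-bound CSRF token."""

    def __init__(self, accounts):
        self.accounts = accounts  # username -> password (constructed sample data)
        self.tokens = {}          # session id -> token issued to that session

    def login(self, session, name, password, token=None):
        if token is None:
            # Hit without a token: issue one bound to the caller's session.
            self.tokens[session] = secrets.token_hex(16)
            return {"result": "NeedToken", "token": self.tokens[session]}
        # This model makes tokens single-use (an assumption, not a page claim).
        expected = self.tokens.pop(session, None)
        if expected is None or not _same(expected, token):
            return {"result": "WrongToken"}  # assumed result name
        stored = self.accounts.get(name)
        if stored is None or not _same(stored, password):
            return {"result": "Failed"}      # assumed result name
        return {"result": "Success", "user": name}


def client_login(api, session, name, password):
    """Two-step client: obtain the token via NeedToken, then resubmit with it."""
    first = api.login(session, name, password)
    if first["result"] != "NeedToken":
        return first
    return api.login(session, name, password, token=first["token"])


if __name__ == "__main__":
    api = LoginEndpoint({"ExampleBot": "s3cret"})  # constructed account
    print(client_login(api, "sess-A", "ExampleBot", "s3cret"))
    # A token issued to another session is rejected when sess-A presents it,
    # which is what stops a cross-site form post from completing a login.
    foreign = api.login("sess-B", "ExampleBot", "s3cret")["token"]
    print(api.login("sess-A", "ExampleBot", "s3cret", token=foreign))
```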
