Hi everyone, I am currently working on adding Bot Password support to the Wikimedia Commons Android app (Issue https://github.com/commons-app/apps-android-commons/issues/6714). The app currently uses the *action=clientlogin* API for standard user authentication.

While implementing the fallback for users with WebAuthn/2FA, I noticed a few API behaviors and wanted to confirm best practices with the architecture team:

1. When passing Bot Password credentials (Username@BotName and the 32-character password) to *action=clientlogin*, the API rejects them with a *wrongpassword* error. However, passing the exact same credentials to the *action=login* endpoint succeeds. Is it intended design that *clientlogin* strictly rejects bot passwords, and is *action=login* the officially supported endpoint for this specific flow?

2. To dynamically route the login requests in the app's code, right now I am checking whether the entered username contains an @ symbol. If it does, route to *action=login*; if it doesn't, route to *action=clientlogin*. Since standard MediaWiki usernames cannot contain the @ symbol by default (https://www.mediawiki.org/wiki/Manual:$wgInvalidUsernameCharacters), is it 100% safe to assume any login attempt containing an @ is a Bot Password attempt?

Thanks so much for your time and insights!

Best regards,
Jagadeesh Kota <https://github.com/kota-jagadeesh> :)
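The routing described in the message, as an added example that is not code from the Commons app or from MediaWiki: it picks the endpoint from the credential shape (the `@` test plus the 32-character password length, rather than `@` alone) and classifies either endpoint's JSON reply so a *wrongpassword* from `clientlogin` can be surfaced instead of being treated as a generic failure. Token retrieval (`action=query&meta=tokens&type=login`) is left to the caller so the code runs offline, and the `loginreturnurl` value and all sample replies are assumptions.

```python
import re

# Added example, not code from the Commons app or MediaWiki. Routes a credential
# pair to action=login (bot passwords) or action=clientlogin and classifies the
# JSON reply. Token fetching is left to the caller so this runs offline; the
# loginreturnurl value is an assumption.

BOT_PASSWORD_LEN = 32                         # length of a Special:BotPasswords password
BOT_LOGIN_RE = re.compile(r"^[^@]+@[^@]+$")   # Owner@BotName, exactly one '@'


def is_bot_password_login(username: str, password: str) -> bool:
    """True when the pair looks like a bot password rather than a normal account.

    The '@' alone only shows the name cannot be a regular username; also
    requiring the 32-character password keeps a typo from being routed to action=login.
    """
    return bool(BOT_LOGIN_RE.match(username)) and len(password) == BOT_PASSWORD_LEN


def build_login_params(username: str, password: str, token: str) -> dict:
    """POST parameters for whichever endpoint should receive these credentials."""
    if is_bot_password_login(username, password):
        return {"action": "login", "lgname": username, "lgpassword": password,
                "lgtoken": token, "format": "json"}
    return {"action": "clientlogin", "username": username, "password": password,
            "logintoken": token, "loginreturnurl": "https://commons.wikimedia.org/",
            "format": "json"}


def login_outcome(reply: dict) -> tuple:
    """(succeeded, code) for a reply from either endpoint.

    action=login answers {"login": {"result": "Success" | ...}}; action=clientlogin
    answers {"clientlogin": {"status": "PASS" | "FAIL" | ..., "messagecode": ...}}.
    """
    if "login" in reply:
        result = reply["login"].get("result", "unknown")
        return result == "Success", result
    if "clientlogin" in reply:
        body = reply["clientlogin"]
        ok = body.get("status") == "PASS"
        return ok, "PASS" if ok else body.get("messagecode", body.get("status", "unknown"))
    return False, "unexpected-reply"


# Constructed sample replies (documented shapes, made-up values).
CLIENTLOGIN_REJECTS_BOT = {"clientlogin": {"status": "FAIL", "messagecode": "wrongpassword",
                                           "message": "Incorrect username or password entered."}}
LOGIN_ACCEPTS_BOT = {"login": {"result": "Success", "lguserid": 12345, "lgusername": "Example"}}
```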
_______________________________________________ Wikitech-l mailing list -- [email protected] To unsubscribe send an email to [email protected] https://lists.wikimedia.org/postorius/lists/wikitech-l.lists.wikimedia.org/
