Hi Jagadeesh!

On Thu, Mar 12, 2026 at 9:31 AM Jagadeesh Kota via Wikitech-l <[email protected]> wrote:

> When passing Bot Password credentials (Username@BotName and the
> 32-character password) to *action=clientlogin*, the API rejects it with a
> *wrongpassword* error. However, passing the exact same credentials to the
> *action=login* endpoint succeeds. Is it intended design that *clientlogin*
> strictly rejects bot passwords, and is *action=login* the officially
> supported endpoint for this specific flow??

Yes, bot passwords were originally meant as a backwards compatibility mechanism for old bots using the action=login endpoint. (Modern bots are encouraged to use OAuth instead, but for mobile apps the support for that is not so great, so bot passwords are probably still the least bad option. We hope to improve that soon.)

> To dynamically route the login requests in the app's code, rn I am
> currently checking if the entered username contains an @ symbol. If it
> does, route to *action=login*; if it doesn't, then route to
> *action=clientlogin*. Since standard MediaWiki usernames cannot contain
> the @ symbol
> <https://www.mediawiki.org/wiki/Manual:$wgInvalidUsernameCharacters> by
> default, is it 100% safe to assume any login attempt containing an @ is
> a Bot Password attempt?

For Wikimedia wikis, yes. In general, it is configurable, so I guess it's theoretically possible some wiki out there would still have it enabled.
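The routing rule discussed in this thread, written out as an added example (it is not code from either correspondent or from MediaWiki). The `at_allowed_in_usernames` switch and the function names are assumptions of this example; the request parameters are the standard ones for `action=login` and `action=clientlogin`, and the function only builds the POST body without sending it.

```python
"""Route a MediaWiki login to action=login (bot password) or action=clientlogin."""

BOT_PASSWORD_LENGTH = 32  # length stated in the thread


def looks_like_bot_login(username, password, at_allowed_in_usernames=False):
    """Return True when the credentials should go to action=login.

    at_allowed_in_usernames is a hypothetical per-wiki setting of this example:
    False matches the default ('@' is an invalid username character), True
    covers a wiki that was reconfigured to permit it.
    """
    account, sep, app_name = username.rpartition("@")
    if not (sep and account and app_name):
        return False  # no usable Username@BotName shape
    if not at_allowed_in_usernames:
        return True  # '@' cannot be part of a normal username here
    # Ambiguous wiki: also require the 32-character password shape.
    return len(password) == BOT_PASSWORD_LENGTH


def build_login_request(username, password, login_token, return_url,
                        at_allowed_in_usernames=False):
    """Build the POST parameters for the chosen endpoint (no network I/O)."""
    if looks_like_bot_login(username, password, at_allowed_in_usernames):
        return {
            "action": "login",
            "lgname": username,
            "lgpassword": password,
            "lgtoken": login_token,
            "format": "json",
        }
    return {
        "action": "clientlogin",
        "username": username,
        "password": password,
        "logintoken": login_token,
        "loginreturnurl": return_url,
        "format": "json",
    }
```

On a wiki that permits `@` in usernames the length check is only a heuristic: a normal account whose password happens to be 32 characters long would still be sent to `action=login`.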
