Mailing List Archive

Action API: Removal of deprecated CSRF token parameters
TLDR: We will soon remove some parameters that were used to obtain CSRF tokens in the MediaWiki API.
This will break bots, gadgets and user scripts that are still using these parameters.

A significant and long-delayed change to the Action API is coming. API clients (user scripts, tools, etc.) need to obtain
a token before making write requests to MediaWiki over the Action API. Up to MediaWiki 1.24, action=tokens [1]
and the ‘token’ parameters in the following API endpoints were used to obtain a token:

- ‘rctoken’ in action=query&list=recentchanges [2]
- ‘rvtoken’ in action=query&prop=revisions [3]
- ‘intoken’ in action=query&prop=info [4]
- ‘ustoken’ in action=query&list=users [5]

Since MediaWiki 1.24, this module and these parameters have been deprecated and have been emitting deprecation warnings to
API clients. These parameters and the endpoint will now be removed from MediaWiki 1.37 and from the Wikimedia installation.
To obtain CSRF tokens, clients now need to use the consolidated ‘action=query&meta=tokens’ endpoint. [6]

Please respond to this email if you have any concerns or questions about this change.

Petr Pchelko
Staff Software Engineer
Platform Engineering Team at WMF

[1] https://en.wikipedia.org/w/api.php?action=help&modules=tokens
[2] https://en.wikipedia.org/w/api.php?action=help&modules=query%2Brecentchanges
[3] https://en.wikipedia.org/w/api.php?action=help&modules=query%2Brevisions
[4] https://en.wikipedia.org/w/api.php?action=help&modules=query%2Binfo
[5] https://en.wikipedia.org/w/api.php?action=help&modules=query%2Busers
[6] https://en.wikipedia.org/w/api.php?action=help&modules=query%2Btokens
Re: [Mediawiki-api] [Mediawiki-api-announce] Action API: Removal of deprecated CSRF token parameters
Hi,

On 6/2/21 9:02 AM, Petr Pchelko wrote:
> TLDR: We will soon remove some parameters that were used to obtain CSRF
> tokens in the MediaWiki API.
> This will break bots, gadgets and user scripts that are still using
> these parameters.

Can we get a list of those bots/scripts that are still using the
parameters that'll be removed?

> A significant and long delayed change to Action API is coming. API
> clients (user scripts, tools, etc) need to obtain
> a token before making write requests to MediaWiki over Action API. Up to
> MediaWiki 1.24 the action=tokens[1]
> and ‘token’ parameter in the following API endpoints were used to obtain
> a token:
> <snip>

Is there a reason action=query&meta=userinfo&uiprop=preferencestoken
isn't also being removed at the same time?

> Since MediaWiki 1.24 these module and parameters were deprecated and
> were emitting deprecation warnings to
> API clients. These parameters and endpoint will now be removed from
> MediaWiki 1.37 and from Wikimedia installation.

When exactly is this going to happen? Is there a Phabricator task to
track this?

-- Legoktm
Re: [Mediawiki-api] [Mediawiki-api-announce] Action API: Removal of deprecated CSRF token parameters
Hi, Kunal.

>> TLDR: We will soon remove some parameters that were used to obtain CSRF tokens in the MediaWiki API.
>> This will break bots, gadgets and user scripts that are still using these parameters.
>
> Can we get a list of those bots/scripts that are still using the parameters that'll be removed?

You can see log analysis on T280806. I’ve tried to reach out to maintainers of libraries and bots that have
the highest number of deprecated requests. By far the highest usage is by Peachy MediaWiki Bot API Version 2.0 [1].

> Is there a reason action=query&meta=userinfo&uiprop=preferencestoken isn't also being removed at the same time?

This one was forgotten. The same log analysis [2] reveals that there are a few bots that are still using the deprecated API.

Best regards. Petr.

1. https://github.com/MW-Peachy/Peachy/issues/120
2. https://phabricator.wikimedia.org/T280806#7129884


> On Jun 2, 2021, at 10:29 AM, Kunal Mehta <legoktm@debian.org> wrote:
>
> Hi,
>
> On 6/2/21 9:02 AM, Petr Pchelko wrote:
>> TLDR: We will soon remove some parameters that were used to obtain CSRF tokens in the MediaWiki API.
>> This will break bots, gadgets and user scripts that are still using these parameters.
>
> Can we get a list of those bots/scripts that are still using the parameters that'll be removed?
>
>> A significant and long delayed change to Action API is coming. API clients (user scripts, tools, etc) need to obtain
>> a token before making write requests to MediaWiki over Action API. Up to MediaWiki 1.24 the action=tokens[1]
>> and ‘token’ parameter in the following API endpoints were used to obtain a token:
>> <snip>
>
> Is there a reason action=query&meta=userinfo&uiprop=preferencestoken isn't also being removed at the same time?
>
>> Since MediaWiki 1.24 these module and parameters were deprecated and were emitting deprecation warnings to
>> API clients. These parameters and endpoint will now be removed from MediaWiki 1.37 and from Wikimedia installation.
>
> When exactly is this going to happen? Is there a Phabricator task to track this?
>
> -- Legoktm
Re: Action API: Removal of deprecated CSRF token parameters
New page:
https://www.mediawiki.org/wiki/MediaWiki_1.37/Deprecation_of_legacy_API_token_parameters

On Wed, 2 Jun 2021 at 17:03, Petr Pchelko <ppchelko@wikimedia.org> wrote:

> […]
> the following API endpoints were used to obtain a token:
>
>
> - ‘rctoken’ in action=query&list=recentchanges [2]
> - ‘rvtoken’ in action=query&prop=revisions [3]
> - ‘intoken’ in action=query&prop=info [4]
> - ‘ustoken’ in action=query&list=users[5]
>
>
> […] clients now need to use a consolidated ‘action=query&meta=tokens’
> endpoint.
>

It took me a little while to figure out the correct replacement in some
cases, especially for uiprop=preferencestoken and "type=edit", since
"preferences" and "edit" are not accepted by the new API as valid types.

It is not mentioned anywhere on the relevant pages, but I understand these
essentially fall in the bucket of general csrf tokens now. I remember that
from years ago, but did not connect the dots with the API module change at
the same time.

I've captured various bits of information and links together on this wiki
page:
https://www.mediawiki.org/wiki/MediaWiki_1.37/Deprecation_of_legacy_API_token_parameters

-- Timo
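
As an added example (not part of the thread and not MediaWiki's own code), this Python sketch audits Action API request URLs for the legacy token parameters named above and proposes the consolidated meta=tokens request. It assumes that the legacy names watch, patrol, rollback and userrights keep their own type in meta=tokens, that action=tokens defaulted to type=edit, and it runs on constructed URLs for a placeholder host.

```python
from urllib.parse import urlsplit, parse_qs

# Legacy per-module token parameters listed in the announcement.
LEGACY_PARAMS = ("rctoken", "rvtoken", "intoken", "ustoken")
# Assumption (from the meta=tokens help page, not this thread): these legacy
# names are also valid meta=tokens types; everything else is a plain csrf token.
KEPT_TYPES = {"watch", "patrol", "rollback", "userrights"}


def legacy_tokens(url):
    """Return the legacy token names an Action API URL asks for ([] if none)."""
    q = parse_qs(urlsplit(url).query)
    action = q.get("action", [""])[0]
    names = []
    if action == "tokens":
        # Removed module; assumed legacy default when type is absent: edit.
        names += q.get("type", ["edit"])[0].split("|")
    elif action == "query":
        for param in LEGACY_PARAMS:
            if param in q:
                names += q[param][0].split("|")
        if "preferencestoken" in q.get("uiprop", [""])[0].split("|"):
            names.append("preferences")
    return [n for n in names if n]


def replacement(url):
    """Suggest the meta=tokens query for a legacy URL, or None if it is clean."""
    names = legacy_tokens(url)
    if not names:
        return None
    # "edit", "preferences" and similar fall into the general csrf bucket.
    types = sorted({n if n in KEPT_TYPES else "csrf" for n in names})
    return "action=query&meta=tokens&type=" + "|".join(types) + "&format=json"


if __name__ == "__main__":
    base = "https://wiki.example.org/w/api.php?"  # constructed sample requests
    samples = [
        base + "action=tokens&type=edit",
        base + "action=query&prop=info&titles=Foo&intoken=edit%7Cwatch",
        base + "action=query&meta=userinfo&uiprop=preferencestoken",
        base + "action=query&meta=tokens&type=csrf",
    ]
    for url in samples:
        print(url, "->", replacement(url) or "OK (no legacy token parameters)")
```
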