Skip to content

Recover from lost sessions instead of failing writes#999

Merged
LeMyst merged 4 commits into
masterfrom
fix-902-session-reauth
Jul 4, 2026
Merged

Recover from lost sessions instead of failing writes#999
LeMyst merged 4 commits into
masterfrom
fix-902-session-reauth

Conversation

@LeMyst

@LeMyst LeMyst commented Jul 4, 2026

Copy link
Copy Markdown
Owner

Summary

  • Fixes You are no longer logged in, so the action could not be completed. #902 ("You are no longer logged in, so the action could not be completed.")
  • Root cause: token renewal (generate_edit_credentials()) only re-reads a CSRF token off the current session cookies. If the server has already invalidated the underlying session (server-side session store eviction/expiry), no amount of token renewal can recover it — the next write fails with assertuserfailed/assertbotfailed, with no retry and no re-login attempt anywhere in the call chain.
  • Login and Clientlogin now retain their credentials and can redo a full login (reauthenticate()), and mediawiki_api_call() automatically calls it and retries once when the API reports assertuserfailed / assertbotfailed / notloggedin, instead of raising immediately.
  • OAuth2.reauthenticate() (inherited default) already re-fetches its access token via generate_edit_credentials(), so it's covered too. OAuth1 is per-request-signed rather than session/cookie based, so it isn't affected by this failure mode.

Test plan

  • New unit tests in test/test_wbi_login.py (TestBotPasswordLogin/TestClientLogin): reauthenticate() redoes the full login flow; a simulated session loss during edit_entity() recovers transparently.
  • New unit tests in test/test_wbi_helpers.py (TestSessionRecovery): assertuserfailed/assertbotfailed/notloggedin trigger re-authentication + retry when a login object is available, and still raise MWApiError when it isn't.
  • Full offline suite: python -m pytest test/ -m "not integration" → 203 passed.
  • mypy clean on the modified modules.

🤖 Generated with Claude Code

LeMyst and others added 4 commits July 4, 2026 10:11
Uses the target instance's own wbcheckconstraints API action (from the
WikibaseQualityConstraints extension) instead of a hardcoded, Wikidata-specific
rule set, so it works against any Wikibase instance with the extension installed.

Closes #154

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
The 3-legged OAuth1 handshake (Special:OAuth/initiate, authenticate,
token) is reimplemented with requests_oauthlib.OAuth1 and requests,
mirroring what mwoauth did internally, removing the extra dependency.
Also fixes continue_oauth(), which previously crashed with an
AttributeError because mediawiki_api_url/instantiation_time were never
initialized after completing the handshake.

Fixes #318

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Renewing the CSRF token only re-reads it off the current session
cookies, so it cannot resurrect a session the server has already
invalidated: writes then fail with assertuserfailed/assertbotfailed
("You are no longer logged in..."), no matter how often the token is
refreshed. Login and Clientlogin now keep their credentials so they
can redo a full login, and mediawiki_api_call transparently
re-authenticates and retries once when the API reports the session is
gone.
@LeMyst LeMyst merged commit 22060f6 into master Jul 4, 2026
15 checks passed
@LeMyst LeMyst deleted the fix-902-session-reauth branch July 4, 2026 12:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

You are no longer logged in, so the action could not be completed.

1 participant