use a non-deprecated login method #50

Open
maxlath opened this issue Mar 29, 2017 · 5 comments

@maxlath
Owner

maxlath commented Mar 29, 2017

Login requests get the following warning:

Main-account login via \"action=login\" is deprecated and may stop working without warning. To continue login with \"action=login\", see [[Special:BotPasswords]]. To safely continue using main-account login, see \"action=clientlogin\"."

PRs to fix this issue are very welcome!

@alemela
Contributor

alemela commented Mar 29, 2017

Maybe the documentation you need is: https://www.mediawiki.org/wiki/API:Login

I think the process is quite similar:

  1. get the token using api.php?action=query&meta=tokens
  2. log in with api.php?action=clientlogin&username=Example&password=ExamplePassword&loginreturnurl=http://example.org/&logintoken=123ABC
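
The two-step flow listed above, as an added example (not part of this comment or of wikibase-edit's code): it requests the login token with `type=login`, carries the session cookie into the login request, and sends the credentials in a POST body, since `action=clientlogin` only accepts POST. `transport` and `fakeWiki` are hypothetical names, and the token, cookie and credentials are constructed values.

```javascript
// Added example. `transport(method, params, cookie)` is a hypothetical helper:
// it sends params to api.php (query string for GET, form body for POST)
// and resolves to { body, setCookie }.
async function clientLogin (transport, { username, password, returnUrl }) {
  // Step 1: login token. type=login is needed; the default token type is csrf.
  const tokenRes = await transport('GET',
    { action: 'query', meta: 'tokens', type: 'login', format: 'json' }, null)
  const logintoken = tokenRes.body.query.tokens.logintoken
  const cookie = tokenRes.setCookie // the token is only valid within this session
  // Step 2: credentials go in a POST body so they stay out of URLs and access logs.
  const loginRes = await transport('POST', {
    action: 'clientlogin', username, password, logintoken,
    loginreturnurl: returnUrl, format: 'json'
  }, cookie)
  const { status, message } = loginRes.body.clientlogin
  if (status === 'PASS') {
    return { username: loginRes.body.clientlogin.username, cookie: loginRes.setCookie || cookie }
  }
  if (status === 'FAIL') throw new Error(`login failed: ${message}`)
  // UI, REDIRECT, RESTART: the wiki wants more steps (e.g. a second factor)
  throw new Error(`login needs an extra step: ${status}`)
}

// Constructed stand-in for a wiki so the flow runs offline; all values are made up.
function fakeWiki () {
  const log = []
  const fail = message => ({ body: { clientlogin: { status: 'FAIL', message } } })
  const transport = async (method, params, cookie) => {
    log.push({ method, params, cookie })
    if (params.action === 'query') {
      return { body: { query: { tokens: { logintoken: 'constructed-token+\\' } } }, setCookie: 'session=constructed' }
    }
    if (method !== 'POST') return fail('must be posted')
    if (cookie !== 'session=constructed' || params.logintoken !== 'constructed-token+\\') {
      return fail('session or token mismatch')
    }
    if (params.password !== 'ExamplePassword') return fail('wrong password')
    return { body: { clientlogin: { status: 'PASS', username: params.username } }, setCookie: 'session=constructed; user=1' }
  }
  return { transport, log }
}
```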

@maxlath
Owner Author

maxlath commented Sep 27, 2019

[Edit]: unfortunately, some instances limit the access to owner-only OAuth tokens to users with a certain amount of contributions, making this means of authentication unavailable to some users

@maxlath maxlath transferred this issue from maxlath/wikibase-token Dec 13, 2019
@diegodlh
Contributor

owner-only oauth are actually way simpler to setup than I feared, so simply deprecating login by username and password could be an option?

Owner-only OAuth seems to be the preferred way for desktop apps which do not rely on a backend web service. However, registering an owner-only OAuth consumer may not be as simple for some users. This has been discussed in this thread for the Wikimedia Commons Android app.

I am currently developing a plugin for Zotero (using wikibase-edit) and I came across the same issue. Until I can set up a backend web service, the plugin will rely on either main-account or bot-password login. I asked for comments from the WikiCite and WikiData communities here and here.

@maxlath
Owner Author

maxlath commented Feb 27, 2021

@diegodlh this client secret problem could be solved by using OAuth 2, which was designed for this use case (this presentation helped me get how that works), and is now available on Wikimedia mediawikis (via the Extension:OAuth page), but isn't supported by wikibase-edit yet

@diegodlh
Contributor

diegodlh commented Mar 3, 2021

Thanks, @maxlath! So I guess the information in Wikimedia's OAuth app guidelines is outdated, as it says there that:

Apps that are meant to be installed separately for every user (e.g. mobile apps, browser plugins, desktop applications) must be registered individually by each user as owner-only

without mentioning the possibility of using OAuth 2. Well, it does, above, where it says

Make sure that ... The app is likely to protect the secrecy of its secret key (unless OAuth 2 without the 'Client is confidential' option is used)

but it is easy to miss that. I will check the presentation you sent me and update the guidelines accordingly.

I have also updated the thread in my project's talk page.

Hopefully, wikibase-edit will support OAuth 2 soon. If eventually I need to support it in my plugin, I will do so by submitting a pull request to this repo. In the meantime, I will use the old login/password method.

Thank you!!
