Warnings: Deprecated MediaWiki API calls (login, token)

[Hasenlaeufer]

LrMediaWiki Version 0.5, MediaWiki versions 1.27.1 and 1.29/wmf.3. If logging is enabled (see configuration: "Enable logging"), the log file states deprecated MediaWiki API calls:

1. Fetching a token via action=login is deprecated. Use action=query&meta=tokens&type=login instead.
2. action=tokens has been deprecated. Please use action=query&meta=tokens instead.
3. Main-account login via action=login is deprecated and may stop working without warning. To continue login with action=login, see [[Special:BotPasswords]]. To safely continue using main-account login, see action=clientlogin.

Should be labeled as an enhancement.

[Hasenlaeufer]

Remarks/proposals for solutions:

1. Prior of a login a login token has to be retrieved.
2. Instead of using "action login" the "action clientlogin" should be used ("To safely continue using main-account login, see action=clientlogin.") to ensure login still works with main-account login.

For details see https://www.mediawiki.org/wiki/API:Login

[Hasenlaeufer]

Regarding "Main-account login via action=login is deprecated and may stop working without warning." a question might be "When the old login method will be turned off?"
An answer can be found here.
It states: "There are currently no plans to turn it off."

[Hasenlaeufer]

This enhancement has been published with version 0.5.1.

[loretoparisi]

@Hasenlaeufer Hello,
I was trying this client login flow, but something happens:

1. I correctly get a token raised with the HTTP GET https://en.wikipedia.org/w/api.php?action=query&meta=tokens&type=login&format=json

and I get a valid logintoken string.

2.1) I then try the clientlogin like:

HTTP POST /w/api.php?action=clientlogin&format=json&lgname=xxxx&lgtoken=xxxx%2B%5C

and the POST BODY was

{
                  "lgpassword" : "xxxxx",
                  "lgtoken" : "xxxxx"
                }

But I get an error:

{
  "error": {
    "code": "notoken",
    "info": "The \"token\" parameter must be set."
 },
  "servedby": "mw1228"
}

If I try to change lgtoken to token I get the same result.

2.2) I have then tried the old method i.e. action=login and passing the body, but it does not work, since it gives me back another login token: HTTP POST https://en.wikipedia.org/w/api.php?action=login&format=json&lgname=xxxx

and the same POST BODY

I then get

{
  "warnings": {}
  },
  "login": {
    "result": "NeedToken",
    "token": "xxxxx+\\"
  }

where the docs here states that

NeedToken if the lgtoken parameter was not provided or no session was active (e.g. your cookie handling is broken).

but I have passed the lgtoken in the json body as showed.
What's wrong? Cookies or the login flow? I'm using a node.js client, and I handle cookies in the normal ways, so all the cookies are passed.

[nuno-andre]

but I have passed the lgtoken in the json body as showed

It's not a JSON body (i.e, a Content-Type: application/json), but a regular POST body. It has to be encoded as

param1=value2&param2=value

not as

"{\"param1\":\"value\",\"param2\":\"value\"}"

PS: I know i's an old post, but it's on the first page in a Google search for the error message.