Last modified: 2014-08-27 15:44:54 UTC
Playing with the API sandbox, I noticed there are inconsistencies in the API which should be fixed. It seemed logical to me as a newbie that via the tokens API I should be able to pass a 'type' parameter that had the values emailuser, rollback, upload, userrights, filerevert, login, as these are valid values of action, and for actions such as edit and watch I can supply edit or watch to get a token, e.g.

/w/api.php?action=tokens&format=json&type=watch

However, this is not the case with these actions, e.g.

/w/api.php?action=tokens&format=json&type=rollback

returns

{"warnings":{"tokens":{"*":"Unrecognized value for parameter 'type': rollback"}},"tokens":[]}

I believe this makes it difficult to understand the correct way to request a token, as the user must deduce where they get the relevant token.
Also see https://gerrit.wikimedia.org/r/#/c/16191/
Each module has a short hint where you can get the token from; some need an update to reflect the new module action=tokens.

Getting all tokens over action=tokens is not possible, because some modules need extra information to create the token.

The rollback token is generated using the user and title of the edit you want to roll back, so this is not unique per session.

The token for emailuser exists as type=email.

userrights needs the username where rights should change.

upload and filerevert need an edit token, no special token. Maybe add them as aliases?
Aliases sound like a great idea. I think for those which require more information it should be possible to provide those. e.g. in the case of rollback why not require the username and title of the article?
I just hit this bug again. I needed to retrieve userrights and tried get token. Sigh.
Marking as WORKSFORME because with the new API token handling you just use one token for nearly everything.
Legoktm can you point me at a patch/wikipage for new API handling? I can't seem to request a userrights, rollback or various other tokens that I listed in #c1 on http://en.wikipedia.beta.wmflabs.org/wiki/Special:ApiSandbox so I'm not sure why you've marked this as it working for you.
You don't need different tokens for different things, just one token for everything (except for login/createaccount/CentralAuth). See <http://en.wikipedia.beta.wmflabs.org/w/api.php?action=query&meta=tokens> and I2793a3f2dd64a4bebb0b4d065e09af1e9f63fb89.
Nice. Will we drop support for the named tokens then? Their existence is kind of confusing now...
They are deprecated, but still supported for backwards-compatibility. I'm not sure what anomie's plan/timeline on removing them is.
More specifically, most actions will use the token returned by action=query&meta=tokens (&type=csrf, but that's the default). Some will still use custom types, but the type needed is now clearly indicated by the output of action=help and is also indicated in a machine-readable fashion by action=paraminfo.

As for the timeline on removing the now-deprecated methods of fetching tokens, uses of those methods will be logged to api-feature-usage.log on fluorine. Once we start on MediaWiki 1.25 we'll monitor that log and decide on removal based on that.

Technically this bug is probably WONTFIX rather than WORKSFORME, but I'll leave it up to you what RESOLVED reason to put on it.
for clarity then.. thanks for summarising :)
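An added example, not part of the original thread or of MediaWiki's code: a client-side sketch that takes the token type each module needs from action=paraminfo output, builds a single action=query&meta=tokens request, and fails closed on the warning-only legacy reply quoted in the report. The sample replies are constructed; the "tokentype" field name and the "<type>token" key of legacy replies are assumptions about the output shape.

```python
import json
from urllib.parse import urlencode

# Legacy action=tokens reply quoted in the report (warning only, no token).
LEGACY_REPLY = ('{"warnings":{"tokens":{"*":"Unrecognized value for parameter '
                '\'type\': rollback"}},"tokens":[]}')

# Constructed action=paraminfo reply; "tokentype" is an assumed field name.
PARAMINFO_REPLY = json.dumps({"paraminfo": {"modules": [
    {"name": "edit", "parameters": [{"name": "title"},
                                    {"name": "token", "tokentype": "csrf"}]},
    {"name": "rollback", "parameters": [{"name": "user"},
                                        {"name": "token", "tokentype": "rollback"}]},
    {"name": "userrights", "parameters": [{"name": "token",
                                           "tokentype": "userrights"}]},
    {"name": "query", "parameters": [{"name": "prop"}]},  # needs no token
]}})

def legacy_token_or_error(reply_text, wanted):
    """Return the legacy token, or raise when the API only warned."""
    reply = json.loads(reply_text)
    tokens = reply.get("tokens") or {}  # [] when the type was rejected
    key = wanted + "token"              # assumed key shape, e.g. "watchtoken"
    if isinstance(tokens, dict) and tokens.get(key):
        return tokens[key]
    warning = reply.get("warnings", {}).get("tokens", {}).get("*")
    # Fail closed: never continue with an empty token after a warning.
    raise LookupError(warning or "no %s returned" % key)

def token_types(paraminfo_text):
    """Map module name -> required token type; token-less modules are omitted."""
    result = {}
    for module in json.loads(paraminfo_text)["paraminfo"]["modules"]:
        for param in module.get("parameters", []):
            if "tokentype" in param:
                result[module["name"]] = param["tokentype"]
    return result

def tokens_query(api_path, actions, types_by_module):
    """Build one meta=tokens request covering every listed action.

    An action missing from types_by_module raises KeyError rather than
    silently falling back to a guessed token type.
    """
    needed = sorted({types_by_module[action] for action in actions})
    query = {"action": "query", "meta": "tokens",
             "type": "|".join(needed), "format": "json"}
    return api_path + "?" + urlencode(query)
```
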