Manual:Huggle/Bot passwords/es

Since MediaWiki implemented application passwords (called bot passwords) and deprecated the standard API login, this feature was also implemented in Huggle and is now a recommended authentication method.

To use bot passwords in Huggle, you first need to generate one. You can do that by visiting Special:BotPasswords.

It is recommended to grant Huggle the following permissions if you want to use it to its fullest:


 * High-volume editing
 * Edit existing pages
 * Edit your user CSS/JSON/JavaScript (required to store your options)
 * Create, edit, and move pages (required to warn users who don't have talk page yet)
 * Patrol changes to pages
 * Rollback changes to pages
 * Block and unblock users
 * Delete pages, revisions, and log entries
 * Protect and unprotect pages
 * View your watchlist
 * Edit your watchlist

Restricting Huggle from any of these permissions may result in random failures of various features.
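Because a missing permission only shows up later as a failing feature, it helps to check what a bot-password session is actually allowed to do. The following is an added example, not part of Huggle or of the original manual: it inspects the response of `action=query&meta=userinfo&uiprop=rights` and reports which of the permissions listed above are unavailable. The mapping from each permission to one representative user right is an assumption based on MediaWiki's default grant definitions, and the sample response is constructed.

```python
# Added example (not Huggle code). One representative MediaWiki user right
# per permission in the list above. ASSUMPTION: taken from MediaWiki's
# default grant definitions; a wiki can redefine grants.
REPRESENTATIVE_RIGHT = {
    "High-volume editing": "noratelimit",
    "Edit existing pages": "edit",
    "Edit your user CSS/JSON/JavaScript": "editmyusercss",
    "Create, edit, and move pages": "createtalk",
    "Patrol changes to pages": "patrol",
    "Rollback changes to pages": "rollback",
    "Block and unblock users": "block",
    "Delete pages, revisions, and log entries": "delete",
    "Protect and unprotect pages": "protect",
    "View your watchlist": "viewmywatchlist",
    "Edit your watchlist": "editmywatchlist",
}


def missing_permissions(userinfo_response):
    """Return the listed permissions this session cannot use.

    userinfo_response is the decoded JSON of
    action=query&meta=userinfo&uiprop=rights, requested while logged in
    with the bot password. A right is also absent when the account itself
    does not hold it (for example a non-administrator has no "block"),
    so "missing" means unavailable to this session for either reason.
    """
    try:
        rights = set(userinfo_response["query"]["userinfo"]["rights"])
    except (KeyError, TypeError):
        raise ValueError("response has no query.userinfo.rights list")
    return [name for name, right in REPRESENTATIVE_RIGHT.items()
            if right not in rights]


# Constructed sample: a session created without the rollback and block grants.
SAMPLE_RESPONSE = {"query": {"userinfo": {
    "id": 1, "name": "ExampleUser",
    "rights": ["read", "writeapi", "noratelimit", "edit", "editmyusercss",
               "createtalk", "patrol", "delete", "protect",
               "viewmywatchlist", "editmywatchlist"],
}}}

if __name__ == "__main__":
    for name in missing_permissions(SAMPLE_RESPONSE):
        print("Not available to this session:", name)
```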

Why are they more secure?
Logging in with a password that has full access to your account is probably the least secure method and should be avoided everywhere, not just in Huggle. The password as you type it could be captured by a keylogger virus or recorded in some other way. Someone could also, in theory, compile a malware version of Huggle from its source code and offer this binary to naive users who would run it and enter their password into it.

If someone steals your bot password, there is not much they can do with it. Editing is possible only via the API, and they are far more restricted than if they were using your real password.

Why Huggle doesn't just use OAuth
Because OAuth is a technology that was never designed with desktop applications in mind. OAuth was designed to allow web-based applications to log in through another web server that hosts the credential database (in this case, through Wikimedia's central auth).

Each web-based application therefore has its own secret, which is located on a web server run by the provider of the application and is used to verify the authenticity of the application. Then, using web callbacks, the authentication server communicates the results of a login back to the website you want to log in to.

Now, Huggle is not a web server; it's an application running on your system, so there is no way to securely store a secret used to validate its authenticity, there is no easy way to handle callbacks from an OAuth server, and the process is overly complex for something that could be done much more simply. The security features of OAuth don't have any benefit for an application that is running directly on your PC and that is fully under your control. Therefore OAuth is a huge overkill that only adds complexity and no security, unlike "bot passwords" (actual Application Passwords).