Thread:Talk:Requests for comment/API Future/Token reform

Please! The token handling is a mess.

The problem is that some tokens need non-constant salt (e.g. a rollback token needs a page title and a username) and some don't. And while we have, it's not complete and cannot be complete since it lacks the ability to handle tokens that need non-constant salt.

And meanwhile, we have modules saying they need a token, but not specifying what kind of token they need (e.g. action=upload), and others that provide a "gettoken" parameter to get the token (but see bug 35993).

We could use some sanity here.

But I don't understand the comment "remove base::getToken" in the proposal page. There doesn't seem to be any such function.
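The distinction drawn in the post above, between tokens with a constant salt and tokens whose salt depends on request parameters, shown as an added example that is not part of the original post and not MediaWiki's code. The HMAC-SHA256 derivation, the function names and the token-type table are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed token types with a fixed salt (illustrative, not MediaWiki's list).
CONSTANT_SALT_TYPES = {"edit": "", "watch": "watch"}


def make_token(session_secret, salt):
    """Derive an anti-CSRF token bound to a per-session secret and a salt."""
    return hmac.new(session_secret, salt.encode("utf-8"), hashlib.sha256).hexdigest()


def rollback_salt(title, username):
    """Non-constant salt: depends on the page and on the user being rolled back."""
    # Length-prefix each field so ("a|b", "c") and ("a", "b|c") cannot collide.
    return "rollback:" + "".join("%d:%s" % (len(p), p) for p in (title, username))


def list_tokens(session_secret, types):
    """Hypothetical batch listing that accepts only type names.

    It can serve constant-salt tokens, but has nothing to derive a
    rollback token from, so those types come back as None.
    """
    out = {}
    for t in types:
        if t in CONSTANT_SALT_TYPES:
            out[t] = make_token(session_secret, CONSTANT_SALT_TYPES[t])
        else:
            out[t] = None  # needs per-request parameters (title, username)
    return out


def check_token(session_secret, salt, supplied):
    """Constant-time comparison of a supplied token against the expected one."""
    return hmac.compare_digest(make_token(session_secret, salt), supplied)


if __name__ == "__main__":
    secret = b"constructed-session-secret"  # constructed sample value
    print(list_tokens(secret, ["edit", "watch", "rollback"]))
    tok = make_token(secret, rollback_salt("Main Page", "Alice"))
    print(check_token(secret, rollback_salt("Main Page", "Alice"), tok))
    print(check_token(secret, rollback_salt("Main Page", "Bob"), tok))
```
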