API talk:Tokens

From MediaWiki.org
Jump to navigation Jump to search

I only get '+\' as an csrf-token[edit]

Please, can somebody help me?--Mischa004 (talk) 18:14, 16 February 2015 (UTC)

My PHP-code:

$parameters = array('action' => 'query', 'meta' => 'tokens', 'format' => 'json');
$options = array(
   'http' => array(
      'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
      'method'  => 'POST',
      'content' => http_build_query($parameters),
    ),
);
$context  = stream_context_create($options);
$result = file_get_contents($wiki, false, $context);
echo "$result";
That's how the token currently looks what you're not logged in (although there are plans to use real token for anonymous users too). Nothing to worry about. Matma Rex (talk) 20:19, 16 February 2015 (UTC)
Thank you! In fact, I really want to have a token to edit as a registered user. Before obtaining the token as shown above I login with this PHP-code:
$parameters = array('action' => 'login', 'lgname' => 'mischa', 'lgpassword' => 'PASSWORD', 'format' => 'json');
$options = array(
   'http' => array(
      'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
      'method'  => 'POST',
      'content' => http_build_query($parameters),
    ),
);
$context  = stream_context_create($options);
$result = file_get_contents($wiki, false, $context);
Note: $wiki can be for example http://en.wikipedia.org/w/api.php --Mischa004 (talk) 20:29, 16 February 2015 (UTC)
Looks like you're not passing the cookies from the first request to the second one? I'm afraid I have no idea how that's done in PHP, though. Matma Rex (talk) 20:51, 16 February 2015 (UTC)
Thank you! I have to check this the day after tomorrow,--Mischa004 (talk) 20:56, 16 February 2015 (UTC)

@Mischa004, Matma Rex: Hi! I'm having the same problem. I always get {"query":{"tokens":{"csrftoken":"+\\"}}} as result and I'm definitely passing the received cookies to the query. Did you solve the problem, Mischa004? --jobu0101 (talk) 17:03, 1 May 2015 (UTC)

I assume you're logging in successfully? (Return value should include result=Success either on the first try for old wikis or after sending the login token for anything newer.) Assuming that part's okay, can you post the relevant part of your code, or at least the command that it's generating, so we can have a look at it? Robin Hood  (talk) 22:00, 1 May 2015 (UTC)
@RobinHood70: Thank you very much. It was my fault. I didn't login properly. I missed the second request which you need when you get {"login":{"result":"NeedToken","token":"...","cookieprefix":"enwiki","sessionid":"..."}} back from the first request. By the way: When I log out, is it true that I then end all sessions and not only the current one? Or isn't it possible to be logged in using the API in more then one session? --jobu0101 (talk) 11:47, 2 May 2015 (UTC)
I don't know the details of how logging in and out works, so I'm not sure if the cookies you get are session-specific or not. If you experiment with it, though, let me know or just add it to the page, because that would be useful info. Also, keep in mind that the MediaWiki sites use CentralAuth, which changes the whole login/logout process significantly. For those, if you log out of an account by either the UI or the API, you're logged out of all sessions on all sites for that user. Robin Hood  (talk) 18:13, 2 May 2015 (UTC)

Unregistered editing[edit]

Unregistered users can't get tokens, per above. Does this mean that API:Edit is only for registered users? That sounds like a bug, but is it a bug of the token generation or of the edit API? --Nemo 15:34, 17 August 2015 (UTC)

@Nemo_bis: How does the above mean that unregistered users can't get tokens? Matma Rex (talk) 16:05, 17 August 2015 (UTC)
AFAICS above it was said that unregistered users can only get +\\, which AFAICS is inservible as token. If that string can be used as token, it would be useful to document how at API:Edit. --Nemo 16:37, 17 August 2015 (UTC)
+\ is a perfectly serviceable token for anonymous users that you can use exactly like any other token string. Matma Rex (talk) 16:58, 17 August 2015 (UTC)
If you need proof, I just ran my bot on a test wiki without logging in using the following POST command: api.php?action=edit&title=Main Page&text=Some text&summary=Test edit&bot=&md5=9db5682a4d778ca2cb79580bdb67083f&token=+\&format=json&formatversion=2. (The display is prettified slightly, which is why you don't see the second \.) Everything went smoothly and the IP shows up in the history, just as you would expect. Robin Hood  (talk) 17:03, 17 August 2015 (UTC)
Ok, thanks; I added API:Edit#Unregistered users. My error was very silly, I'm still used to the XML format so in quick manual testing I forgot to remove the escaping slash of the JSON format. --Nemo 09:02, 20 August 2015 (UTC)
Is that an XML-only thing? Good to know. It's been so long since I played with it, I'd forgotten. I assumed it was the fact that I was using human-readable text in the URL (e.g., it doesn't show %20, it shows an actual space). Robin Hood  (talk) 16:19, 20 August 2015 (UTC)

Token Lifespan[edit]

How long does it take before a token expires? 1 action? or some specific time? Bluedeck 01:13, 11 October 2015 (UTC)

I believe all the tokens provided by this module are good for the entire length of time you're logged in. Some of the older tokens provided by other modules were specific to the action you were taking, but I don't think any of those are required on modern versions (>= 1.24) of MediaWiki. Robin Hood  (talk) 06:59, 11 October 2015 (UTC)