git.heureux-cyclage.org - lhc/web/wiklou.git/commit

author	Gergő Tisza <gtisza@wikimedia.org>
	Tue, 23 Aug 2016 03:02:23 +0000 (03:02 +0000)
committer	Gergő Tisza <gtisza@wikimedia.org>
	Wed, 7 Sep 2016 21:01:55 +0000 (21:01 +0000)
commit	4f29c961970ae2cac6925d8574efd1b91c60639b
tree	fd3a70371913285b253cb3122e598299ce35e88c	tree \| snapshot
parent	6b6154c30eca9a6f6b451119fb800db170393336	commit \| diff

Allow putting the app ID in the password for bot passwords

Bot passwords allow backwards-compatible login (with grants, for API
usage only) with "<real username>@<botname>" for username plus a
random-generated password.
This doesn't work well with some bot frameworks (including Pywikibot,
the most popular one) which assume that the text that goes into the
username field of the login API is the username that they will be
logged in with afterwards (and so the @-postfix causes all kinds of
errors).

Since the goal of bot passwords is compatibility with old unmaintained
API clients, this patch adds an alternative format which does not
cause problems with old bots: use the username normally, and use
"<botname>@<random-generated password>" as password. Since this is
technically a valid normal password, there is some ambiguity, but
bot passwords have a distintive format so it's easy to check and it is
extremely unlikely that someone would use the exact same format for
their normal password; and if the bot password login fails we can
simply retry it as a normal password, just in case.

Bug: T142304
Change-Id: Ib59a6fbe0e65d80d5e7d19ff37cec5e011c00539

includes/api/ApiLogin.php		diff \| blob \| history
includes/specials/SpecialBotPasswords.php		diff \| blob \| history
includes/user/BotPassword.php		diff \| blob \| history
languages/i18n/en.json		diff \| blob \| history
languages/i18n/qqq.json		diff \| blob \| history
tests/phpunit/includes/user/BotPasswordTest.php		diff \| blob \| history