Client-login attempts unsuccessful

geoffreydebelie
Hi,

I'm not able to log in using clientlogin. Any help is appreciated. Below are the things I've already tried:


Output:
{
  "batchcomplete": "",
  "query": {
    "tokens": {
      "logintoken": "85af2296d03f8ce504123b7733b0a7ad5880c782+\\"
    }
  }
}

POST https://nl.wikipedia.org/w/api.php?action=clientlogin&loginreturnurl=http://nl.wikipedia.org&format=json

Input (text/plain):
logintoken=85af2296d03f8ce504123b7733b0a7ad5880c782+\\&username=Smile4ever&password=*******&rememberMe=1

Output:
{
  "error": {
    "code": "badtoken",
    "info": "Invalid CSRF token.",
    "*": "See https://nl.wikipedia.org/w/api.php for API usage."
  },
  "servedby": "mw1288"
}

Input (application/json):
{
    "logintoken": "85af2296d03f8ce504123b7733b0a7ad5880c782+\\",
    "username": "Smile4ever",
    "password": "*******"
}

Output:
{
  "error": {
    "code": "notoken",
    "info": "The \"token\" parameter must be set.",
    "*": "See https://nl.wikipedia.org/w/api.php for API usage."
  },
  "servedby": "mw1278"
}

Kind regards,
Geoffrey De Belie


_______________________________________________
Mediawiki-api mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-api
Re: Client-login attempts unsuccessful

Bartosz Dziewoński
On 2017-01-19 15:15, geoffreydebelie wrote:

> Input (text/plain):
> logintoken=85af2296d03f8ce504123b7733b0a7ad5880c782+\\&username=Smile4ever&password=*******&rememberMe=1
>
> Output:
> {
>   "error": {
>     "code": "badtoken",
>     "info": "Invalid CSRF token.",
>     "*": "See https://nl.wikipedia.org/w/api.php for API usage."
>   },
>   "servedby": "mw1288"
> }

You are not URL-encoding the token. Make sure to URL-encode
(percent-encode) all of the parameter values.

--
Bartosz Dziewoński


Re: Client-login attempts unsuccessful

geoffreydebelie
---- On Thu, 19 Jan 2017 15:22:11 +0100 Bartosz Dziewoński <[hidden email]> wrote ----

 > On 2017-01-19 15:15, geoffreydebelie wrote:
 > > Input (text/plain):
 > > logintoken=85af2296d03f8ce504123b7733b0a7ad5880c782+\\&username=Smile4ever&password=*******&rememberMe=1
 > >
 > > Output:
 > > {
 > >   "error": {
 > >     "code": "badtoken",
 > >     "info": "Invalid CSRF token.",
 > >     "*": "See https://nl.wikipedia.org/w/api.php for API usage."
 > >   },
 > >   "servedby": "mw1288"
 > > }
 >
 > You are not URL-encoding the token. Make sure to URL-encode
 > (percent-encode) all of the parameter values.
 >
Hi.

logintoken=85af2296d03f8ce504123b7733b0a7ad5880c782%2b%5c%5c&username=Smile4ever&password=*******&rememberMe=1
has the same result (I even tried with a newly requested login token):

{
  "error": {
    "code": "badtoken",
    "info": "Invalid CSRF token.",
    "*": "See https://nl.wikipedia.org/w/api.php for API usage."
  },
  "servedby": "mw1285"
}

Kind regards,
Geoffrey De Belie



Re: Client-login attempts unsuccessful

Bartosz Dziewoński
On 2017-01-19 15:27, geoffreydebelie wrote:

> Hi.
>
> logintoken=85af2296d03f8ce504123b7733b0a7ad5880c782%2b%5c%5c&username=Smile4ever&password=*******&rememberMe=1
> has the same result (I even tried with a newly requested login token):
>
> {
>   "error": {
>     "code": "badtoken",
>     "info": "Invalid CSRF token.",
>     "*": "See https://nl.wikipedia.org/w/api.php for API usage."
>   },
>   "servedby": "mw1285"
> }

You are sending it with two backslashes at the end, while the token
should only have one.

--
Bartosz Dziewoński


Re: Client-login attempts unsuccessful

geoffreydebelie
 ---- On Thu, 19 Jan 2017 15:40:06 +0100 Bartosz Dziewoński <[hidden email]> wrote ----
 > You are sending it with two backslashes at the end, while the token
 > should only have one.
 >
 
That's right, thanks!

{
  "clientlogin": {
    "status": "PASS",
    "username": "Smile4ever"
  }
}

However, I wonder why
https://nl.wikipedia.org/w/api.php?action=query&meta=tokens&type=login&format=json

returns
      "logintoken": "2c69b789da89c2134de2e6c142523de05880cbf3+\\"

instead of +\ at the end.

Kind regards,
Geoffrey De Belie



Re: Client-login attempts unsuccessful

Brad Jorsch (Anomie)
On Thu, Jan 19, 2017 at 9:43 AM, geoffreydebelie <[hidden email]> wrote:
> However, I wonder why
> https://nl.wikipedia.org/w/api.php?action=query&meta=tokens&type=login&format=json
>
> returns
>       "logintoken": "2c69b789da89c2134de2e6c142523de05880cbf3+\\"
>
> instead of +\ at the end.

Because backslash is the escape character in JSON strings, and so needs to be escaped to represent an actual backslash. If your JSON decoder is not properly transforming that token into a native string ending with a single backslash then your JSON decoder is fundamentally broken and should probably be replaced.

If you're parsing the JSON with custom regular expressions or the like, you should really start using a proper JSON decoder.


--
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation


Re: Client-login attempts unsuccessful

Gergo Tisza
On Thu, Jan 19, 2017 at 7:25 AM, Brad Jorsch (Anomie) <[hidden email]> wrote:
> Because backslash is the escape character in JSON strings, and so needs to be escaped to represent an actual backslash. If your JSON decoder is not properly transforming that token into a native string ending with a single backslash then your JSON decoder is fundamentally broken and should probably be replaced.

I wonder if it would be worth for the API to issue a more specific warning when a token has been submitted but it does not have the format that tokens normally do. Something like "you submitted the token abc1234 \ but you were expected to submit the token abc1234+\ which in the raw request should look like abc1234%2B%5C" might make it easier for people to figure out on their own what they are doing wrong.


Re: Client-login attempts unsuccessful

Brad Jorsch (Anomie)
On Thu, Jan 19, 2017 at 4:01 PM, Gergo Tisza <[hidden email]> wrote:
> On Thu, Jan 19, 2017 at 7:25 AM, Brad Jorsch (Anomie) <[hidden email]> wrote:
> > Because backslash is the escape character in JSON strings, and so needs to be escaped to represent an actual backslash. If your JSON decoder is not properly transforming that token into a native string ending with a single backslash then your JSON decoder is fundamentally broken and should probably be replaced.
>
> I wonder if it would be worth for the API to issue a more specific warning when a token has been submitted but it does not have the format that tokens normally do. Something like "you submitted the token abc1234 \ but you were expected to submit the token abc1234+\ which in the raw request should look like abc1234%2B%5C" might make it easier for people to figure out on their own what they are doing wrong.

OTOH, every check of this sort we add is more code complexity. And I note if you're using multipart/form-data, it shouldn't look like "abc1234%2B%5C".


--
Brad Jorsch (Anomie)
Senior Software Engineer
Wikimedia Foundation
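
Added example (not part of the original thread and not MediaWiki code): the two mistakes diagnosed in this thread, replayed offline in Python. The token is the one quoted in the first message; `problems` is a hypothetical client-side check, and the token pattern is an assumption based on the tokens shown here.

```python
import json
import re
from urllib.parse import parse_qs, urlencode

# Response shaped like the meta=tokens output quoted in the first message.
RAW_JSON = r'{"query":{"tokens":{"logintoken":"85af2296d03f8ce504123b7733b0a7ad5880c782+\\"}}}'
# The two request bodies tried in the thread (password replaced by a placeholder).
FIRST_TRY = r"logintoken=85af2296d03f8ce504123b7733b0a7ad5880c782+\\&username=Smile4ever&password=PLACEHOLDER&rememberMe=1"
SECOND_TRY = r"logintoken=85af2296d03f8ce504123b7733b0a7ad5880c782%2b%5c%5c&username=Smile4ever&password=PLACEHOLDER&rememberMe=1"
# Assumption: tokens look like the ones in this thread (hex digits, then +\).
TOKEN_RE = re.compile(r"[0-9a-f]+\+\\")


def extract_token(body: str) -> str:
    """Use a real JSON parser so the escaped backslash decodes to one character."""
    return json.loads(body)["query"]["tokens"]["logintoken"]


def form_body(token: str, username: str, password: str) -> str:
    """Percent-encode every value for an application/x-www-form-urlencoded body."""
    return urlencode({"logintoken": token, "username": username,
                      "password": password, "rememberMe": "1"})


def received_token(body: str) -> str:
    """The logintoken value a form decoder recovers from a raw request body."""
    return parse_qs(body, keep_blank_values=True)["logintoken"][0]


def problems(body: str) -> list:
    """Hypothetical pre-flight check; returns an empty list when the token is intact."""
    token = received_token(body)
    found = []
    if " " in token:
        found.append("'+' was not percent-encoded and arrived as a space")
    if token.endswith("\\\\"):
        found.append("JSON escape was not decoded: two trailing backslashes")
    if not found and not TOKEN_RE.fullmatch(token):
        found.append("unexpected token format")
    return found


if __name__ == "__main__":
    good = form_body(extract_token(RAW_JSON), "Smile4ever", "PLACEHOLDER")
    for name, body in [("first try", FIRST_TRY), ("second try", SECOND_TRY),
                       ("decoded, then encoded", good)]:
        print(name, "->", repr(received_token(body)), problems(body) or "ok")
```

This covers the urlencoded case only; with multipart/form-data the decoded token is sent as-is, as noted in the message above.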


Re: Client-login attempts unsuccessful

geoffreydebelie
In reply to this post by Brad Jorsch (Anomie)
 ---- On Thu, 19 Jan 2017 16:25:03 +0100 Brad Jorsch (Anomie) <[hidden email]> wrote ----
 > On Thu, Jan 19, 2017 at 9:43 AM, geoffreydebelie <[hidden email]> wrote:
 >  However, I wonder why
 >  https://nl.wikipedia.org/w/api.php?action=query&meta=tokens&type=login&format=json
 >  
 >  returns
 >        "logintoken": "2c69b789da89c2134de2e6c142523de05880cbf3+\\"
 >  
 >  instead of +\ at the end.
 >
 > Because backslash is the escape character in JSON strings, and so needs to be escaped to represent an actual backslash. If your JSON decoder is not properly transforming that token into a native string ending with a single backslash then your JSON decoder is fundamentally broken and should probably be replaced.
 >
 > If you're parsing the JSON with custom regular expressions or the like, you should really start using a proper JSON decoder.
 >

I was just copy pasting it into Postman :) Thanks for the information.

