A partial archive of https://discourse-mediawiki.wmflabs.org as of Saturday May 21, 2022.

Can bot passwords be used just like regular passwords?

LucasWerkmeister

I want to test a tool I’m building in CI, so I set up a bot password for it on test.wikipedia.org. I thought this would mean I could just log in using that bot password in the Python mwapi module and then run the bot as usual (against one page); however, it doesn’t seem to work.

$ python3
>>> import mwapi
>>> session = mwapi.Session('https://test.wikipedia.org')
Sending requests with default User-Agent.  Set 'user_agent' on mwapi.Session to quiet this message.
>>> session.login(username='Lucas Werkmeister@QuickCategories-Travis-CI', password='REDACTED')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.7/site-packages/mwapi/session.py", line 245, in login
    raise LoginError.from_doc(login_doc['clientlogin'])
mwapi.errors.LoginError: FAIL -- Incorrect username or password entered.
Please try again.
>>> session.login(username='Lucas Werkmeister', password='QuickCategories-Travis-CI@REDACTED')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.7/site-packages/mwapi/session.py", line 245, in login
    raise LoginError.from_doc(login_doc['clientlogin'])
mwapi.errors.LoginError: FAIL -- Incorrect username or password entered.
Please try again.

After that, I tried adding a debug header and logging in again; the result is at ~lucaswerkmeister-wmde/bot-password.log on mwlog1001.eqiad.wmnet. There doesn’t seem to be any mention of a bot password in the log (it seems to treat it like a normal password for the fake user name), but there are some lines about a captcha – I thought that wasn’t supposed to matter for bot passwords?

Reedy

Should be able to, yeah.

Depending on the login mode etc used…

For example in AutoWikiBrowser we can use a username Username@BotPasswordNameThing and the generated password… And it just works (we use it as a workaround for 2FA)!

See also https://en.wikipedia.org/wiki/Wikipedia:Using_AWB_with_2FA

LucasWerkmeister

Okay, then I have no idea why it’s not working. I tried different wikis (both for login and for bot password creation), a shorter bot name, a different user name without spaces, logging in from Toolforge instead of my local system in case the IP was blacklisted – nothing.

Tgr

Bot passwords are for action=login, not action=clientlogin. clientlogin is for interactive authentication (and probably should not be used by mwapi).

LucasWerkmeister

Okay, thanks. The following solution works, then:

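# `session` is the mwapi.Session created in the earlier snippet.
# Fetch a login token first; action=login requires it.
lgtoken = session.get(action='query',
                      meta='tokens',
                      type='login')['query']['tokens']['logintoken']
# Log in with the bot password (lgname is Username@BotPasswordName).
session.post(action='login',
             lgname='Lucas Werkmeister@QuickCategories_Travis_CI',
             lgpassword='REDACTED',
             lgtoken=lgtoken)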

But doesn’t that mean that the answer to my question is “no”? If I read the documentation correctly, bot passwords can be used with action=login but not action=clientlogin, whereas regular passwords can be used with action=clientlogin but aren’t supposed to be used with action=login (though it still seems to be supported at the moment).

I’ve also filed an mwapi issue to improve this.

Tgr

Well, they are not 100% like normal passwords (using them on the password change page doesn’t work, using them for reauthentication doesn’t work, etc.). They can be used just like regular passwords for bots, which shouldn’t use clientlogin in the first place; it is for interactive authentication. IIRC mwapi does support interactive authentication, e.g. if you have 2FA set up, it will prompt you for it, which is why it is using this API.
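
Added example (not part of the original thread, and not mwapi's own code): the action=login flow from the thread wrapped for CI use, with the credentials read from the environment and the login result checked, since action=login reports a failed login in the response body. The names BotLoginError, split_bot_username, bot_login and login_from_env, and the variables MW_BOT_USERNAME and MW_BOT_PASSWORD, are hypothetical.

```python
import os


class BotLoginError(Exception):
    """action=login answered with something other than result=Success."""


def split_bot_username(lgname):
    """Return (account, bot_name) for a 'Username@BotPasswordName' login name."""
    account, sep, bot_name = lgname.rpartition("@")
    if not (sep and account and bot_name):
        raise ValueError("expected a login name of the form Username@BotPasswordName")
    return account, bot_name


def bot_login(session, lgname, lgpassword):
    """Log in with a bot password via action=login; return the logged-in user name.

    `session` is anything with mwapi.Session-style get(**params)/post(**params).
    """
    split_bot_username(lgname)  # fail early if a main-account name was supplied
    token_doc = session.get(action="query", meta="tokens", type="login")
    lgtoken = token_doc["query"]["tokens"]["logintoken"]
    doc = session.post(action="login", lgname=lgname,
                       lgpassword=lgpassword, lgtoken=lgtoken)
    login = doc["login"]
    # A failed login comes back as result != "Success" in the body, so check it.
    if login.get("result") != "Success":
        # Only the API's result and reason go into the message, never the password.
        raise BotLoginError("%s: %s" % (login.get("result"), login.get("reason")))
    return login["lgusername"]


def login_from_env(session, environ=os.environ):
    """Read the credentials from CI secrets (hypothetical variable names)."""
    return bot_login(session, environ["MW_BOT_USERNAME"], environ["MW_BOT_PASSWORD"])


if __name__ == "__main__":
    import mwapi  # imported here so the helpers above work without it installed
    s = mwapi.Session("https://test.wikipedia.org",
                      user_agent="bot-login example (placeholder contact)")
    print("logged in as", login_from_env(s))
```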