ApiLogin: Deprecate certain response values

It's been a while since clients could reliably construct the cookie
values from these parameters, and it's only going to get worse. So let's
just kill them; the first step is to mark them as deprecated.

Bug: T121527
Change-Id: I6a1a0c7e253e4c651bc0149e956f8767ee6e8b80

diff --git a/RELEASE-NOTES-1.27 b/RELEASE-NOTES-1.27
index 1d6d404..ef14ada 100644 (file)
--- a/RELEASE-NOTES-1.27
+++ b/RELEASE-NOTES-1.27
@@ -130,6 +130,9 @@ production.
   the text before diffing it.
 * Deprecated formats dbg, txt, and yaml have been removed.
 * (T47988) The protect log event details now use new-style formatting.
+* The following response properties from action=login are deprecated, and may
+  be removed in the future: lgtoken, cookieprefix, sessionid. Clients should
+  handle cookies to properly manage session state.
 
 === Action API internal changes in 1.27 ===
 * ApiQueryORM removed.

diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php
index c66e215..eb376d3 100644 (file)
--- a/includes/api/ApiLogin.php
+++ b/includes/api/ApiLogin.php
@@ -99,6 +99,12 @@ class ApiLogin extends ApiBase {
                                $result['result'] = 'Success';
                                $result['lguserid'] = intval( $user->getId() );
                                $result['lgusername'] = $user->getName();
+
+                               // @todo: These are deprecated, and should be removed at some
+                               // point (1.28 at the earliest, and see T121527). They were ok
+                               // when the core cookie-based login was the only thing, but
+                               // CentralAuth broke that a while back and
+                               // SessionManager/AuthManager are *really* going to break it.
                                $result['lgtoken'] = $user->getToken();
                                $result['cookieprefix'] = $this->getConfig()->get( 'CookiePrefix' );
                                $result['sessionid'] = session_id();
@@ -107,6 +113,8 @@ class ApiLogin extends ApiBase {
                        case LoginForm::NEED_TOKEN:
                                $result['result'] = 'NeedToken';
                                $result['token'] = $loginForm->getLoginToken();
+
+                               // @todo: See above about deprecation
                                $result['cookieprefix'] = $this->getConfig()->get( 'CookiePrefix' );
                                $result['sessionid'] = session_id();
                                break;