From 23e5cdb5034dca5bbdfc2ac9c111c5fac20ff579 Mon Sep 17 00:00:00 2001
From: Brad Jorsch <bjorsch@wikimedia.org>
Date: Wed, 27 Jul 2016 11:50:33 -0400
Subject: [PATCH] API: Remove deprecated response values from action=login

Bug: T121527
Change-Id: Ie370d6dc5a922ad9c50758ba81b98aa8492f83cb
---
 RELEASE-NOTES-1.28                          |  3 +++
 includes/api/ApiLogin.php                   | 13 -------------
 tests/phpunit/includes/api/ApiLoginTest.php |  1 -
 3 files changed, 3 insertions(+), 14 deletions(-)

diff --git a/RELEASE-NOTES-1.28 b/RELEASE-NOTES-1.28
index 608bc56da4..53fdc83750 100644
--- a/RELEASE-NOTES-1.28
+++ b/RELEASE-NOTES-1.28
@@ -53,6 +53,9 @@ production.
   the value of $wgMaxArticleSize.
 * Property 'modulemessages' from action=parse&prop=modules was removed
   (deprecated since 1.26).
+* The following response properties from action=login, deprecated in 1.27, are
+  now removed: lgtoken, cookieprefix, sessionid. Clients should handle cookies
+  to properly manage session state.
 
 === Action API internal changes in 1.28 ===
 * Added a new hook, 'ApiMakeParserOptions', to allow extensions to better
diff --git a/includes/api/ApiLogin.php b/includes/api/ApiLogin.php
index 0e4c6e0c84..1dadc0721a 100644
--- a/includes/api/ApiLogin.php
+++ b/includes/api/ApiLogin.php
@@ -212,15 +212,6 @@ class ApiLogin extends ApiBase {
 
 				$result['lguserid'] = intval( $user->getId() );
 				$result['lgusername'] = $user->getName();
-
-				// @todo: These are deprecated, and should be removed at some
-				// point (1.28 at the earliest, and see T121527). They were ok
-				// when the core cookie-based login was the only thing, but
-				// CentralAuth broke that a while back and
-				// SessionManager/AuthManager *really* break it.
-				$result['lgtoken'] = $user->getToken();
-				$result['cookieprefix'] = $this->getConfig()->get( 'CookiePrefix' );
-				$result['sessionid'] = $session->getId();
 				break;
 
 			case 'NeedToken':
@@ -228,10 +219,6 @@ class ApiLogin extends ApiBase {
 				$this->setWarning( 'Fetching a token via action=login is deprecated. ' .
 				   'Use action=query&meta=tokens&type=login instead.' );
 				$this->logFeatureUsage( 'action=login&!lgtoken' );
-
-				// @todo: See above about deprecation
-				$result['cookieprefix'] = $this->getConfig()->get( 'CookiePrefix' );
-				$result['sessionid'] = $session->getId();
 				break;
 
 			case 'WrongToken':
diff --git a/tests/phpunit/includes/api/ApiLoginTest.php b/tests/phpunit/includes/api/ApiLoginTest.php
index 155a9dd982..917a6adaff 100644
--- a/tests/phpunit/includes/api/ApiLoginTest.php
+++ b/tests/phpunit/includes/api/ApiLoginTest.php
@@ -190,7 +190,6 @@ class ApiLoginTest extends ApiTestCase {
 		$this->assertArrayHasKey( "login", $data[0] );
 		$this->assertArrayHasKey( "result", $data[0]['login'] );
 		$this->assertEquals( "Success", $data[0]['login']['result'] );
-		$this->assertArrayHasKey( 'lgtoken', $data[0]['login'] );
 	}
 
 	public function testBotPassword() {
-- 
2.20.1