Manual/Bot passwords
Since MediaWiki implemented application passwords (called bot passwords) and deprecated standard API login, this feature was also implemented into Huggle and is now a recommended authentication method.
This page in a nutshell: Bot passwords make access to your account through Huggle more secure, because you never expose your real password and you can define the access level the bot password will have.
In order to use bot passwords in Huggle you first need to generate one. You can do this by visiting Special:BotPasswords.
It is recommended to give Huggle the following permissions if you want to use it to its fullest extent:
Grant | Description | Note
grant-highvolume | High-volume (bot) access | |
grant-editpage | Edit existing pages | |
grant-editmycssjs | Edit your user CSS/JSON/JavaScript | required to store your options |
grant-createeditmovepage | Create, edit, and move pages | required to warn users who don't have a talk page yet |
grant-patrol | Patrol changes to pages | |
grant-rollback | Rollback changes to pages | |
grant-blockusers | Block and unblock users | |
grant-delete | Delete pages, revisions, and log entries | |
grant-protect | Protect and unprotect pages | |
grant-viewmywatchlist | View your watchlist | |
grant-editmywatchlist | Edit your watchlist | |
Restricting Huggle from any of these permissions may result in random failures of various features.
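The check a practitioner would want after generating the bot password is whether the session it yields actually carries the rights Huggle needs. The following added example (not part of this page or of Huggle's own code) performs the standard two-step MediaWiki API login with a bot password and then compares the session's effective rights against an assumed subset of rights that the recommended grants are expected to expose; the endpoint, credentials and the grant-to-right mapping are constructed assumptions, not values from the page.

```python
# Assumed placeholder wiki endpoint and constructed bot-password credentials (not real).
API_URL = "https://example.org/w/api.php"
BOT_USER = "Alice@Huggle"          # bot-password login names have the form "<user>@<bot name>"
BOT_PASSWORD = "constructed-example-secret"

# Assumed mapping: a subset of rights the page's recommended grants are expected to expose.
# These right names are an assumption for the check, not taken from the page.
EXPECTED_RIGHTS = {"edit", "rollback", "patrol", "block", "delete", "protect",
                   "viewmywatchlist", "editmywatchlist"}


def bot_login(session, api_url, bot_user, bot_password):
    """Two-step API login: fetch a login token, then POST action=login with it."""
    tok = session.get(api_url, params={"action": "query", "meta": "tokens",
                                       "type": "login", "format": "json"}).json()
    login_token = tok["query"]["tokens"]["logintoken"]
    resp = session.post(api_url, data={"action": "login", "lgname": bot_user,
                                       "lgpassword": bot_password,
                                       "lgtoken": login_token, "format": "json"}).json()
    login = resp["login"]
    if login["result"] != "Success":
        raise RuntimeError(f"login failed: {login['result']} {login.get('reason', '')}")
    return login["lgusername"]


def effective_rights(session, api_url):
    """Rights this session really has: the user's rights narrowed by the bot-password grants."""
    info = session.get(api_url, params={"action": "query", "meta": "userinfo",
                                        "uiprop": "rights", "format": "json"}).json()
    return set(info["query"]["userinfo"]["rights"])


def missing_rights(rights, expected=EXPECTED_RIGHTS):
    """Expected rights the bot password does not expose; a non-empty set predicts Huggle failures."""
    return expected - set(rights)


if __name__ == "__main__":
    import requests  # only needed for a live run; any object with .get/.post returning .json() works

    s = requests.Session()  # the session keeps the login cookies between the calls
    user = bot_login(s, API_URL, BOT_USER, BOT_PASSWORD)
    missing = missing_rights(effective_rights(s, API_URL))
    print(f"logged in as {user}; missing rights: {sorted(missing) or 'none'}")
```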
Why are they better?
Logging in with a password that has full access to your account is probably the least secure method and should be avoided wherever possible, not only in Huggle. The password as it is typed could be logged by a keylogger or recorded in some other way. Someone could also, in theory, compile a malware version of Huggle from its source code and offer that binary to unsuspecting users, who would run it and enter their password into it.
If someone steals your bot password, they can't do much with it. It only works through the API, and its grants restrict it far more than your real password would.
Why doesn't Huggle use OAuth?
Because OAuth is a technology that was never designed with desktop applications in mind. OAuth was designed to allow web-based applications to log in through another web server that hosts the credential database (in this case, Wikimedia's central auth).
Each web-based application therefore has its own secret, stored on a web server run by the provider of the application, and uses this secret to prove the authenticity of the application. Then, using web callbacks, the authentication server communicates the result of a login back to the website you want to log in to.
Now, Huggle is not a web server; it's an application running on your system, so there is no way to securely store a secret that would validate its authenticity, there is no easy way to handle callbacks from an OAuth server, and the process is overly complex for something that can be done much more simply. The security features of OAuth bring no benefit to an application that runs directly on your PC and is fully under your control. OAuth is therefore huge overkill that only adds complexity and no security, unlike bot passwords (which are actual application passwords).
See also
- Manual:Bot passwords
- w:Wikipedia:Using AWB with 2FA - a simple guide to using BotPasswords