[08:21:18] any more opinions on https://gerrit.wikimedia.org/r/c/mediawiki/core/+/834686? :)

[08:49:17] Possibly silly question – we agreed to scrap the idea of different tokens back in 1.26, and deprecated the relevant code then, but there's still the watchlist token. Is there a task to scrap that too? If not, why not? Can we migrate it to a narrower, supported use case?

[09:29:09] watchlisttoken isn't a session-bound CSRF token (where CSRF/edit tokens are not stored, but generated on the spot with timestamp and HMAC validation; you can mint infinitely many that are each valid, and across multiple sessions). Instead, the watchlist token is a single stored persistent secret in the database, to allow stateless access to your watchlist from RSS. It's more akin to a very limited bot password in that regard.

[09:29:25] The word "token" in its name is an unfortunate coincidence.

[11:26:37] Krinkle: Should we move it to the bot password framework, then? Deprecated code from 20 versions of MW ago that is still critical isn't great.

[12:08:57] I don't think the watchlist token is deprecated. It's just a slightly weird unique feature.

[12:46:39] Unique feature with unique security requirements. Solved narrowly, without any unneeded abstractions or support systems for us to maintain or finish removing.