MAL API is down

[Akamaru]

It seems that MyAnimeList has had a vulnerability in the API and has now disabled it. Taiga does not work anymore and shows an error.

MyAnimeList returned an error: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Foud</h1> <p>The requested URL /api/account/verify_credentials.xml was not found on this server.</p> <p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocu...

I know it's not an taiga issue and erengy can't fix this. We have to wait for MAL.

[hyoretsu]

Looks like it wasn't just me

[taigalover]

Phew, wasn't just me either

[moyitpro]

This is like a train wreck. The new official MAL API stop working and now this. This is very frustrating.

[erengy]

It's a serious issue. They completely disabled the API without prior notice to third-party developers, and even went as far as removing the API documentation page. This affects all applications that make use of the official API. It's undoubtedly a new low in their track record.

There's no telling when the issue is going to be resolved, but contacting DeNA's customer support seems to be the best way to file your complaints at the moment. From what I can tell, this whole thing is related to DeNA (MAL's parent company) rather than the MAL staff.

Note that you can continue using Taiga while the MAL API is down, to some extent. But you won't be able to sync your list, retrieve new anime information, etc. Taiga will send any queued updates to MAL when the API becomes available.

---

Relevant forum topics: https://myanimelist.net/forum/?topicid=1731317 https://myanimelist.net/forum/?topicid=1731329

[moyitpro]

Ugh, not this again. I guess I should focus more on adding AniList support to Hachidori.

[onlybrad]

I don't even remember what email I used to create my MAL account. So not only I can't recuperate my account, I can't even resync my anime list with a new account because the API is down...

[erengy]

We've been told that the API outage is for an indefinite period of time. MAL staff are unable to comment further on the issue; they encourage us to speak with DeNA's customer support instead. Apparently there's been some disagreement between them and DeNA on the matter.

We currently don't know what this is all about, but it wasn't due to a security breach. If I had to speculate, it might be related to GDPR (aka "we've updated our privacy policy" regulation) coming into effect tomorrow. Perhaps they couldn't work out the issues in time and ended up shutting down the API entirely. In any case though, DeNA handled the situation quite poorly so far. We're hoping to get a proper response tomorrow.

In the best-case scenario, the API will come back online soon and Taiga will continue working as usual. In the worst-case (?) scenario, many third-party application developers, including myself, will stop using MAL altogether and suggest other people to do the same.

[guft]

Yes I believe it is GDPR related. Over the last week many online services have updated their privacy policies and forced users to reset passwords and reconfirm permissions. Considering that MAL's entire purpose is tracking stats and information about its users, it makes sense they would have to jump through a large number of hoops to be GDPR compliant. Taking the API down is a drastic step, but considering GDPR's fines for noncompliance are 20 million euros or 4% of global revenue (whichever is greater) it makes sense they would do this if they are afraid they are not in compliance. However, keeping the site on lockdown is not good for their business either, so if they can't satisfy regulator demands they will likely resort to blocking EU users and restoring the API everywhere else, which is what many other online services have resorted to doing in the last week.

[Ruhrpottpatriot]

GDPR is a bullshit excuse! That regulation is in effect since TWO years, today the transition period ended that was put into place by the EU to allow relevant services to migrate their stuff. That means, they had two years time to make everything GDPR compliant, yet sat on their asses and did nothing.

Is Kitsu still working? If so MAL has seen the last of me.

While we're at it. How do I clear the sync queue?

[moyitpro]

@Ruhrpottpatriot

MAL importing on Kitsu still work and Taiga and other third party clients that work with Kitsu should still work.

[Kovaelin]

MAL's going to lose a lot of users if they don't fix their API.

[Ruhrpottpatriot]

@moyitpro Yeah, I figured that out. But not I have to manually update my list, since Taiga first pulls the list, then pushes it back. That resulted in a loss of data for me.

@erengy Could you implement a way to force push the list to the selected online service. Sometimes the user knows that the online service is outdated and just wants to overwrite it with new data.

[Zenithtb]

@Ruhrpottpatriot - interesting idea - using Taiga as a pull-me-push-you of data to be able to change service... I like your thinking!

[taigalover]

Taiga will send any queued updates to MAL when the API becomes available.

So do we now use our old password or new password to login to Taiga? So when (if) the API becomes available, taiga can send the queued updates?

[Ruhrpottpatriot]

@Azraelle I heard that MAL has an xml export function multiple times now. Where can I find it?

[asakurato]

Just received this from DeNa (MAL support), so maybe there is hope

[Akamaru]

There is now a statement https://myanimelist.net/forum/?topicid=1731860

[Ruhrpottpatriot]

Which, is a complete bullshit excuse as an admin (Xinil) has stated in the forum, that there was no security breach.

[tophf]

A weird workaround could be writing a Chrome/Firefox extension that communicates with Taiga via nativeMessaging and keeps MAL site in a hidden iframe with a content script inside that can supposedly do everything the API provided via page DOM. It can even run in a shell tray when all browser windows are closed unless the user explicitly exited the browser via Ctrl-Shift-Q or Exit command. Such extension seems relatively easy to implement.

[spillerrec]

Thanks for this issue even though it is not due to Taiga, as I came here to see what was going on.

To me it sounds like it might be a third party website that stole peoples login information, though the timing is suspiciously close to the GDPR deadline. (Correction for above, it is up to 20 million euros or 4% of revenue, whichever is greater.) I do think it is a very bad idea that the API uses the username/password for credentials, now that they apparently have a store and can save peoples credit card information. Very bad idea... Some sort of API key system (such as SSH keys or whatever) where you can have multiple keys and set permissions for each would be much better.

I would give it a bit more time before putting in too much work on a workaround. I would prefer if everything was done in Taiga though, so there is no dependency on browsers and IPC. Just too much that can go wrong and I fear it wouldn't work in Wine either. I doubt their internal API is so weird that you can't simulate the requests without using a full-featured web browser.

For convenience, here is the MAL link to export your anime/manga list: [https://myanimelist.net/panel.php?go=export]()

[notAutomne]

Fine I will develop a C# API tomorrow.

[moyitpro]

@spillerrec I have worked with the new MAL API before they closed down the new official MAL API. It was using OAuth2 with PCE challenge, which is more secure than using Basic Auth. If the username and password thing was an issue, they should of retrofit OAuth2 to the old API and require developers to register their apps to obtain a OAuth2 client and secret to the old API until the new API is ready.

[KrisKamweru]

I think I'll just be switching over to Kitsu. Would there be any reason why I should not, i.e. is Kitsu inferior in any way to MAL?

[Akamaru]

Hm, I hope they fix this now

[erengy]

How do I clear the sync queue?

You can select the items in your queue and then use either the right-click menu or the Del key.

Taiga first pulls the list, then pushes it back. That resulted in a loss of data for me.

It does the opposite, actually. If you have queued updates, Taiga will always try to upload them first. The only exception is when the account password is unavailable. In that case, Taiga ignores the queue and downloads the list.

So do we now use our old password or new password to login to Taiga?

You must use the new one, of course.

A weird workaround could be writing a Chrome/Firefox extension that communicates with Taiga (...)

Thanks for the suggestion, but no. I'm not going to spend any more effort on workarounds. I've been doing that for almost ten years now (I started developing Taiga in late 2008, and made it public in 2010). That's enough, don't you think?

I do think it is a very bad idea that the API uses the username/password for credentials, now that they apparently have a store and can save peoples credit card information. Very bad idea...

That is (hopefully) not the case. Quoting from the recent Account Freeze/Password Reset & Broken Applications thread:

Your payment information is definitely safe. This data is not stored on MAL's servers. Your credit card information is stored on Stripe, a payment processing company that is PCI DSS compliant. Even if MAL were to have a legitimate security breach (which this was not or DeNA would have had to post the potential ramifications to user data, to the best of my knowledge), your credit card number would still be safe as its stored on Stripe only.

I think I'll just be switching over to Kitsu. Would there be any reason why I should not, i.e. is Kitsu inferior in any way to MAL?

See this Reddit post for a comparison. I'd say that MAL still has the best database overall, but the alternatives are all ahead in terms of design and features.

[taigalover]

Damn, forgot to export my list. Is there possibly anyway i can export my list using Taiga? Wanna export to AniList.

[erengy]

If you don't want to wait any longer:

• MAL → AniList: https://anilist.co/forum/thread/3151
• MAL → Kitsu: https://kitsu.io/posts/8930915

Note that Taiga may not have your entire list data (e.g. how many times you've re-watched a series) due to limitations of MAL API (sigh).

[Ruhrpottpatriot]

@erengy

It does the opposite, actually. If you have queued updates, Taiga will always try to upload them first. The only exception is when the account password is unavailable. In that case, Taiga ignores the queue and downloads the list.

It also does that when switching to a different provider, and that's what has caused my data loss. I'd be great if you could implement a check to see if the provider was changed and if so, ask the user if he wants to pull then push, or do a push --force (git terms seem appropriate here) (Note: This would also be a nice little workaround to allow users to sync to multiple providers -- manually, yet better than nothing).

[erengy]

@Ruhrpottpatriot Could you open a new issue about this? In that issue, please describe the steps you took and the data you lost as a result.

[erengy]

I added an export feature to Taiga in 6af570edfc4836c448eea79a6af325f730ca9ded to make things a bit easier:

1. Get the latest build of Taiga.
2. Use the new feature via Tools → Export anime list → Export as MyAnimeList XML.
3. Upload the generated XML file to AniList or Kitsu.

This file will include your queued updates. However, my previous warning still stands:

Note that Taiga may not have your entire list data (e.g. how many times you've re-watched a series) due to limitations of MAL API (sigh).

Let me know if it works for you.

---

(MAL's website is back online, so you can now export your lists from there.)

[EliEron]

AniList's importer did not do too well when I tried to import the XML Taiga generated.

It was unable to import 127 of 293 series. In contrast the XML file generated by the python script that Morimasa (https://anilist.co/forum/thread/3151) created only failed to import one series.

The XML Morimasa's script generates list the names in this format: "malID( 2167 )" in other words it provides the MAL ID instead of the actual name, which the AniList importer seems to be a lot better at handling.

Disregard all of that, this issue was caused by a mistake I made. I exported the list while Taiga was set to AniList, instead of MAL. Which caused the exported IDs to be wrong.

[spillerrec]

I do think it is a very bad idea that the API uses the username/password for credentials, now that they apparently have a store and can save peoples credit card information. Very bad idea...

That is (hopefully) not the case. Quoting from the recent Account Freeze/Password Reset & Broken Applications thread:

I didn't mean that you would be able to extract the credit card information, but if you enter your credentials to a service, they could log into your account and click that 'Buy' button for you. Or just use your account to post Russian propaganda on the forums. It is never a good idea, but adding money and potentially sensitive personal information into the mix makes it a lot more serious.

I tried switching to AniList personally, of the ~1060 entries in my list, 11 failed. (Export through MALs website.) Most of it was obscure stuff but a few OVAs/specials were not in AniList's database. An OVA series was listed as two seasons in MAL and only one season in AniList, causing the episode count to be wrong. So just a heads up that those services might not be completely compatible and that AniList appears to be less complete, but an error rate of only 1 % is really good nevertheless.

MALs error page has been updated btw:

Do you seriously want me to believe that you shut down a site with millions of users for an undetermined amount of time just because there was a slight suspicion?

[erengy]

AniList's importer did not do too well when I tried to import the XML Taiga generated.

It was unable to import 127 of 293 series. In contrast the XML file generated by the python script that Morimasa (https://anilist.co/forum/thread/3151) created only failed to import one series.

Hey @EliEron, thanks for the feedback. I wonder why you had such a high error rate. I just tried importing 786 series, and only 5 of them failed. If it makes any difference, I deleted my anime list from AniList's settings before importing the XML file.

The XML Morimasa's script generates list the names in this format: "malID( 2167 )" in other words it provides the MAL ID instead of the actual name, which the AniList importer seems to be a lot better at handling.

I'd assume that the Python script does that only because it doesn't know the actual titles. I doubt AniList uses that, since MAL ID is already provided in series_animedb_id.

[EliEron]

After some further testing and troubleshooting I now realize what the issue was, and it was entirely caused by a mistake I made. I accidentally used the export function while Taiga was set to my AniList account, meaning that the generated XML was filled with AniList IDs instead of MAL IDs, which of course confuses the importer.

When I switched it over to the MAL list and exported that the importer worked exactly as well as it did with the XML Morimasa's script generated.

I apologize for my mistaken report, and any confusion it might have caused.

[Ruhrpottpatriot]

@spillerrec I had the same issue, mostly Picture Dramas, but I opened a topic on their forums. If an anime is missing you can report it HERE

[erengy]

The website is back online, but the API isn't. You still cannot use Taiga or any other application with MAL. You can, however, export your list now.

[erengy]

MAL API has been offline for two weeks now. Our current situation is this:

Our dev team is currently focused on getting the website fully reviewed right now, so it's difficult to say when we may have news about the API.

They still have to review character and staff databases, user profiles and blogs, forums and clubs, videos, reviews, recommendations, news, articles, store... At their current pace, that's going to take them at least two more weeks. So, you should set your expectations accordingly.

MAL's API has never been a priority for them, because they didn't use it themselves. Contrast this with AniList and Kitsu: Their websites consume their own public APIs, so they have to keep it working.

[erengy]

It's been three weeks now. Still no news about the API. Their latest tweet says:

Unofficial apps (e.g. iMAL, MyAniList, MALClient, PocketMAL) will still not be working properly as our public API is still disabled. We are aware this is an important issue for users, and apologize for not having any new information to provide yet.

I won't be posting any more updates here until something substantial happens.

[Fcort237]

Hello, very interesting your post, I want to thank you, but I would like you to answer me the following: which API anime database you currently use for your anime website, I'm starting in this I already have a movie website, but I want Can you make an anime one?

[Nevalopo]

I feel so lost without Taiga :(

I hope they fix their API really soon or i might have to go check out other anime databases

[Fcort237]

si tienes una página web de una serie de anime, ¿qué otras bases de datos conoces? menciona todo lo que sabes por favor, para investigar

2018-07-10 1:13 GMT-06:00 Nevalopo notifications@github.com:

I feel so lost without Taiga :(

I hope they fix their API really soon or i might have to go check out other anime databases

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/erengy/taiga/issues/588#issuecomment-403724174, or mute the thread https://github.com/notifications/unsubscribe-auth/AnEiPOkFaLqOnJQbpYrpl3a7OLsTK5zuks5uFFQcgaJpZM4UMHvi .

[Fcort237]

If you have a website from an anime series, what other databases do you know? mention everything you know please, to investigate

2018-07-10 6:26 GMT-06:00 francisco jose rojas tellez < josefcort237@gmail.com>:

si tienes una página web de una serie de anime, ¿qué otras bases de datos conoces? menciona todo lo que sabes por favor, para investigar

2018-07-10 1:13 GMT-06:00 Nevalopo notifications@github.com:

I feel so lost without Taiga :(

I hope they fix their API really soon or i might have to go check out other anime databases

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/erengy/taiga/issues/588#issuecomment-403724174, or mute the thread https://github.com/notifications/unsubscribe-auth/AnEiPOkFaLqOnJQbpYrpl3a7OLsTK5zuks5uFFQcgaJpZM4UMHvi .

[qgustavor]

@Fcort237 No te entiendo: ¿no conoces AniList y Kitsu? Ambos funcionan con el Taiga. También existe AniDB y Anime Planet. No soy el responsable de Taiga, pero por mi experiencia con el GitHub recomiendo que no quede enviando varios mensajes y espere que alguien te responda. Probablemente aún no te respondieron porque están sin tiempo. En cuanto a crear otra base de datos mi opinión es que ya hay varios de ellos, crear otro más no sería una buena idea.

[haliliceylan]

MAL API is still offline...

[Volatar]

iMAL, the iOS app, switched to spoofing the web interface to restore partial functionality to it's app. Might be time to consider that.

[qgustavor]

@Volatar Browser spoofing isn't hard to implement, but it's hard to maintain: as MyAnimeList never had a complete API clients used to spoof browsers and parse data which the original API don't provided (example 1, example 2). Because of this most clients already have tools in order to parse HTML.

One of the features the official API had is updating the anime list: it's not hard to implement spoofing a browser, just do a GET request to the edit anime page, edit the <form> as you want, add the CSRF token to it and then submit it. In the other hand it's likely to break as MyAnimeList is updating the entire website to fix "issues" and because there are some people thinking they're doing that in order to kill third party applications. I don't think they will put a captcha on this page - users would hate this - but there other things that they can do in order to make spoofing harder.

[Volatar]

@qgustavor The question then becomes "is it worth it" I guess.

I for one would love Taiga to be able push the two months of queued syncing it's been waiting on so I could then think about moving to a difference service if nothing else.

I can only speak from the user perspective (with some coding knowledge, so I do know how difficult these things can be), but man, I really miss Tagia. Without it I honestly find myself discouraged from watching anime these days. Went from watching 14 shows last season, to two this season. I just can't keep track of more than that without tools.

I wish I could contribute myself.

[Nevalopo]

I just went to https://myanimelist.net/panel.php?go=export To export my anime list from MAL and then imported it at kitsu now everything is working flawlessly agian after changing the service to Kitsu in Taiga.

[spillerrec]

@Volatar erengy added an export option from Taiga, so you should be able to use that to move to a different service without loosing your 2 months of progress I believe. See one of the posts above for details.

Tools → Export anime list → Export as MyAnimeList XML.

[Zorua]

@spillerrec I'll let you know that even though

Taiga is up to date! Current version: 1.3.0

the menu entry is not there.