Page MenuHomePhabricator
Create Task
Maniphest T298351

Extension WSOAuth problems with account existence checking during registration
Closed, ResolvedPublicBUG REPORT
Actions

Description

List of steps to reproduce (step by step, including full links if applicable):

  • Allow only login by external account (no local account). Make sure your account is not created yet on your wiki.
  • Try to make first login
  • See error message

What happens?:
Message wsoauth-user-already-exists-message is displayed, account is not created or logged. It informs my username is already used on wiki but no local account or previous login tries before.

What should have happened instead?:
I should be logged in.

Possible cause:
This change: https://github.com/wikimedia/mediawiki-extensions-WSOAuth/commit/852683a8e2e005cac5751c4bdfc75df76c8c5909#diff-df6a7ea90992f626a6690270b956967af397eb5046988cb782a49279470a92a0

In the new version of the file there is no exception in the condition for "guest" user, as in previous version on line https://github.com/wikimedia/mediawiki-extensions-WSOAuth/blob/51475be460dee8da0f9ebf31c6eb32b54d84b7e6/src/WSOAuth.php#L115 but from line 131 of new version code from line 146 is applied to anonymous user who of course may not have account.

Revisions and Commits

rEWAU extension-WSOAuth
rEWAUc85a5a1c425d Fix T298351.
rEWAU203d51dd9099 Implement auto-account usurpation

Related Objects

Event Timeline

Wargo created this task.Dec 28 2021, 3:46 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptDec 28 2021, 3:46 PM
Wargo triaged this task as High priority.Dec 28 2021, 3:47 PM
Wargo added a commit: rEWAU203d51dd9099: Implement auto-account usurpation.Dec 28 2021, 3:56 PM
valerio.bozzolan subscribed.Dec 29 2021, 8:50 AM

If you want to allow remote login only, first make sure existing users agree to it, then you can disable local login.

The wiki has no idea that your local account and your remote account are the same person.

It may happen that a user first registers on the wiki via the local user registration and then tries to login through OAuth, encountering the error message you have found.

Then, you can just use local login to approve your remote login. Here how:

https://www.mediawiki.org/wiki/File:MediaWiki_1.31_special_preferences_WSOAuth_extension_connect_remote_account_English.png

valerio.bozzolan added a comment.Dec 29 2021, 8:55 AM

BTW in my wiki I've replaced wsoauth-user-already-exists-message from:

  • The username "{{{1}}}" is already taken.

to

  • An username called "{{{1}}}" already exists but was not registered via this remote login. Please do a local login and visit the Preferences page.

More info:

https://www.mediawiki.org/wiki/Extension:WSOAuth#System_messages

Aklapper added a comment.Dec 31 2021, 12:23 PM

@Wargo: Do you plan to work on fixing this task, as you increased the priority of this task?

Wargo added a comment.Jan 1 2022, 1:10 AM

N-No. I did not noticed this rule.

valerio.bozzolan closed this task as Invalid.Jan 1 2022, 1:23 PM

Hi @Wargo :) I have not understood if you have fixed with this tip:

In T298351#7591024, @valerio.bozzolan wrote:

If you want to allow remote login only, first make sure existing users agree to it, then you can disable local login.

The wiki has no idea that your local account and your remote account are the same person.

It may happen that a user first registers on the wiki via the local user registration and then tries to login through OAuth, encountering the error message you have found.

Then, you can just use local login to approve your remote login. Here how:

https://www.mediawiki.org/wiki/File:MediaWiki_1.31_special_preferences_WSOAuth_extension_connect_remote_account_English.png

Aklapper raised the priority of this task from High to Needs Triage.Jan 1 2022, 1:23 PM
valerio.bozzolan added a comment.Jan 1 2022, 1:24 PM

(Oh sorry I've marked as invalid from my smartphone. BTW if it's still a valid bug please reopen!)

Wargo reopened this task as Open.Jan 1 2022, 11:43 PM

You can test on https://notwikilambda.toolforge.org (not my wiki).

valerio.bozzolan added a subscriber: LucasWerkmeister.Jan 2 2022, 12:08 PM
In T298351#7592688, @Wargo wrote:

You can test on https://notwikilambda.toolforge.org (not my wiki).

Thank you @Wargo! Yeah, at a first look it seems the WSOAuth extension is not able anymore to register a new user since it always gives that "The username "you" is already taken" which is nonsense if you are trying to register yourself in the website for the first time.

Let's contact the maintainer if I can do something:

Hi @LucasWerkmeister! :D Sorry if I bother you but, hoping to be useful there, I'm available to be temporarily set as Toolforge maintainer of notwikilambda to do little in-production troubleshooting on the WSOAuth extension there. I could also do it in other ways to it would take much longer. Oh, happy new year! ihih

valerio.bozzolan renamed this task from Extension WSOAuth problems with account existence checking to Extension WSOAuth problems with account existence checking during registration.Jan 2 2022, 12:08 PM
valerio.bozzolan claimed this task.
valerio.bozzolan triaged this task as High priority.
LucasWerkmeister added a comment.Jan 24 2022, 9:09 PM

I’m not sure what’s going on here, I can’t find a trace of an existing Wargo user:

tools.notwikilambda@tools-sgebastion-07:~$ php public_html/w/maintenance/mysql.php 
MariaDB [s54524__mediawiki]> SELECT * FROM user WHERE user_name = 'Wargo';
Empty set (0.00 sec)
MariaDB [s54524__mediawiki]> SELECT * FROM actor WHERE actor_name = 'Wargo';
Empty set (0.01 sec)
MariaDB [s54524__mediawiki]> SELECT * FROM logging WHERE log_namespace = 2 AND log_title = 'Wargo';
Empty set (0.00 sec)

Any idea where WSOAuth might be getting this user from?

Wargo added a comment.Feb 1 2022, 10:12 PM

It not created my account.

gerritbot added a comment.Feb 6 2022, 6:49 PM

Change 760263 had a related patch set uploaded (by Xxmarijnw; author: Xxmarijnw):

[mediawiki/extensions/WSOAuth@master] This commit fixes T298351.

https://gerrit.wikimedia.org/r/760263

gerritbot added a project: Patch-For-Review.Feb 6 2022, 6:49 PM
Xxmarijnw subscribed.Feb 6 2022, 6:53 PM

Thank you for your bug report. It should be fixed in the above commit. @Wargo can you take a look?

Stashbot added a comment.Feb 6 2022, 6:55 PM

Mentioned in SAL (#wikimedia-cloud) [2022-02-06T18:55:24Z] <wm-bot> <lucaswerkmeister> Checked out WSOAuth change Ie0a828e368 PS2 (commit c85a5a1c42), hopefully fixes T298351

valerio.bozzolan reassigned this task from valerio.bozzolan to Xxmarijnw.Feb 6 2022, 8:13 PM

I'm unassigning since I see that my dear @Xxmarijnw is doing a great job here. Thank you so much for your help!

gerritbot added a comment.Feb 12 2022, 7:59 PM

Change 760263 merged by Xxmarijnw:

[mediawiki/extensions/WSOAuth@master] Fix T298351.

https://gerrit.wikimedia.org/r/760263

Xxmarijnw closed this task as Resolved.Feb 12 2022, 7:59 PM
Maintenance_bot removed a project: Patch-For-Review.Feb 12 2022, 8:10 PM
Restricted Repository Identity mentioned this in rEWAU372652abc5c9: Merge "Fix T298351.".Feb 12 2022, 8:13 PM
Restricted Repository Identity added a commit: rEWAUc85a5a1c425d: Fix T298351..Feb 12 2022, 8:13 PM
Stashbot added a comment.Feb 13 2022, 2:02 PM

Mentioned in SAL (#wikimedia-cloud) [2022-02-13T14:02:36Z] <wm-bot> <lucaswerkmeister> Checked out WSOAuth master again (T298351)

valerio.bozzolan added a comment.Feb 14 2022, 4:29 PM

Hi @Wargo! How are you? Can you confirm that now you are able to register in https://notwikilambda.toolforge.org successfully? It seems the fix is in production.

valerio.bozzolan added a comment.EditedFeb 14 2022, 4:31 PM

Ouch note that recent versions of WSOAuth are not compatible with old versions of PluggableAuth:

[3dcafb17de74839c4e53a04e] /wiki/Special:PluggableAuthLogin Error: Class 'PluggableAuth' not found
https://notwikilambda.toolforge.org/wiki/Special:PluggableAuthLogin

So before being able to test that wiki let's wait for T299934: notwikilambda Toolforge service down

LucasWerkmeister added a comment.Feb 14 2022, 6:12 PM

I’m confused… is there any version of PluggableAuth that current WSOAuth is compatible with?

valerio.bozzolan awarded a token.Feb 14 2022, 8:10 PM
Xxmarijnw added a comment.Feb 24 2022, 7:41 PM

@LucasWerkmeister Sorry for letting you wait, I don't check Phabricator that often. WSOAuth is not compatible with the latest version of PluggableAuth (6.0-dev), but it should be compatible with version 5.7. The error @valerio.bozzolan is referring to happens because 6.0-dev is installed on notwikilambda.toolforge.org.

I am currently working on making WSOAuth compatible with PA 6.0-dev, but this will break compatibility with 5.7.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL