Page MenuHomePhabricator
Create Task
Maniphest T100413

"You are centrally logged in." toast on every page view on commons
Closed, ResolvedPublic
Actions

Description

Tested on Chrome and Firefox (both desktop, not tested on mobile so far...) and two different computers:
Logged in using the desktop site of some wiki.
Visit http://commons.m.wikimedia.org, and get a login toast notification with message "Central login
You are centrally logged in. Reload the page to apply your user settings."
If i reload the page, i get the same toast again (and on every other page view).

Maybe related to T88860: Authentication sharing between desktop and mobile Commons is broken ?

Details

ProjectBranchLines +/-Subject
mediawiki/extensions/CentralAuthmaster+8 -0Set mobile flag for autologin js
mediawiki/extensions/CentralAuthmaster+55 -10Autologin for m. domains
mediawiki/extensions/MobileFrontendmaster+34 -13Add detection for mobile domain request
Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
csteipp added a comment.Jun 5 2015, 12:51 AM

@kaldari, I'm still not certain what the best way is to detect that a request came to a mobile domain. Everything I've tried feels horribly hacky. But probably better to just get something working for now on WMF sites, and we can generalize it in code review.

I'll try to get something up tomorrow.

csteipp added a project: Security-Team.Jun 5 2015, 12:51 AM
csteipp moved this task from Incoming to In Progress on the Security-Team board.
KLans_WMF edited projects, added Mobile-Web-Sprint-49-Wayne's-World; removed Mobile-Web-Sprint-48-Voyage-of-the-Damned.Jun 8 2015, 4:39 PM
KLans_WMF moved this task from Needs Analysis to To Do on the Mobile-Web-Sprint-49-Wayne's-World board.
Jdlrobson moved this task from To Do to Doing on the Mobile-Web-Sprint-49-Wayne's-World board.Jun 10 2015, 3:26 PM
csteipp added a comment.Jun 10 2015, 8:14 PM

The interactions with mobile frontend are turning out to be more complicated than I thought. Can I pair with someone on mobile to work through the patch sometime in the next week?

Jdlrobson added a comment.Jun 16 2015, 12:33 AM

We sat down on Friday and worked out a way to do this. Patch coming soon I suspect :)!

csteipp added a comment.Jun 16 2015, 4:52 PM

Yes soon! Should be end of the week at the latest.

gerritbot added a subscriber: gerritbot.Jun 18 2015, 10:26 PM

Change 219272 had a related patch set uploaded (by CSteipp):
Add detection for mobile domain request

https://gerrit.wikimedia.org/r/219272

gerritbot added a project: Patch-For-Review.Jun 18 2015, 10:26 PM
gerritbot added a comment.Jun 18 2015, 10:31 PM

Change 219275 had a related patch set uploaded (by CSteipp):
Autologin for m. domains

https://gerrit.wikimedia.org/r/219275

Jdlrobson moved this task from Doing to Code Review on the Mobile-Web-Sprint-49-Wayne's-World board.Jun 19 2015, 5:32 PM
Jdlrobson moved this task from Code Review to -1 (Needs More Work) on the Mobile-Web-Sprint-49-Wayne's-World board.Jun 19 2015, 8:22 PM
Jdlrobson moved this task from -1 (Needs More Work) to Code Review on the Mobile-Web-Sprint-49-Wayne's-World board.Jun 20 2015, 12:20 AM
KLans_WMF added a project: Reading-Web-Sprint-50-The-X-Files.Jun 22 2015, 4:25 PM
Jdlrobson moved this task from Needs Analysis to Code Review on the Reading-Web-Sprint-50-The-X-Files board.Jun 22 2015, 4:34 PM
KLans_WMF removed a project: Mobile-Web-Sprint-49-Wayne's-World.Jun 22 2015, 4:52 PM
Jdlrobson moved this task from Code Review to -1 (Needs More Work) on the Reading-Web-Sprint-50-The-X-Files board.Jun 22 2015, 6:32 PM
Krinkle mentioned this in T103883: CentralAuth wrongly reports successful auto-login on mirrors.Jun 25 2015, 6:24 PM
Jdlrobson moved this task from -1 (Needs More Work) to Code Review on the Reading-Web-Sprint-50-The-X-Files board.Jun 26 2015, 5:49 PM
Restricted Application added a subscriber: Steinsplitter. · View Herald TranscriptJun 26 2015, 5:49 PM
Jdlrobson moved this task from Code Review to -1 (Needs More Work) on the Reading-Web-Sprint-50-The-X-Files board.Jun 26 2015, 6:07 PM
Steinsplitter added a project: Commons.Jun 26 2015, 6:47 PM
Steinsplitter moved this task from Incoming to Backlog on the Commons board.
Jdlrobson moved this task from -1 (Needs More Work) to Code Review on the Reading-Web-Sprint-50-The-X-Files board.Jun 26 2015, 11:56 PM
Jdlrobson moved this task from Code Review to -1 (Needs More Work) on the Reading-Web-Sprint-50-The-X-Files board.Jun 29 2015, 8:53 PM
phuedx moved this task from -1 (Needs More Work) to Code Review on the Reading-Web-Sprint-50-The-X-Files board.Jun 30 2015, 9:06 AM
gerritbot added a comment.Jul 1 2015, 10:15 PM

Change 219272 merged by jenkins-bot:
Add detection for mobile domain request

https://gerrit.wikimedia.org/r/219272

Diffusion mentioned this in rMEXT1bfbd890c939: Updated mediawiki/extensions Project: mediawiki/extensions/MobileFrontend….Jul 1 2015, 10:16 PM
csteipp mentioned this in rEMFRfa24535cb261: Add detection for mobile domain request.Jul 1 2015, 10:16 PM
Forrestbot added a project: WMF-deploy-2015-07-07_(1.26wmf13).Jul 1 2015, 11:00 PM
Jhernandez removed a project: Readers-Web-Backlog.Jul 2 2015, 9:51 AM
phuedx moved this task from Code Review to -1 (Needs More Work) on the Reading-Web-Sprint-50-The-X-Files board.Jul 2 2015, 10:39 AM
Restricted Application added a subscriber: Luke081515. · View Herald TranscriptJul 2 2015, 10:39 AM
KLans_WMF edited projects, added Reading-Web-Sprint-51-YOLO; removed Reading-Web-Sprint-50-The-X-Files.Jul 6 2015, 4:07 PM
Restricted Application added a subscriber: MGChecker. · View Herald TranscriptJul 6 2015, 4:07 PM
KLans_WMF moved this task from Needs Analysis to -1 (Needs More Work) on the Reading-Web-Sprint-51-YOLO board.Jul 6 2015, 4:08 PM
Jdlrobson added a subscriber: phuedx.Jul 6 2015, 8:57 PM

@csteipp there is an open question from @phuedx on your patchset

Jdlrobson moved this task from -1 (Needs More Work) to Ready for Signoff on the Reading-Web-Sprint-51-YOLO board.Jul 15 2015, 10:12 AM
gerritbot added a comment.Jul 15 2015, 10:13 AM

Change 219275 merged by jenkins-bot:
Autologin for m. domains

https://gerrit.wikimedia.org/r/219275

Diffusion mentioned this in rMEXTae4701eeebaf: Updated mediawiki/extensions Project: mediawiki/extensions/CentralAuth….Jul 15 2015, 10:13 AM
csteipp mentioned this in rECAU30143286e4e8: Autologin for m. domains.Jul 15 2015, 10:14 AM
Forrestbot added a project: WMF-deploy-2015-07-21_(1.26wmf15).Jul 15 2015, 11:00 AM
KLans_WMF edited projects, added Reading-Web-Sprint-52-Zoolander; removed Reading-Web-Sprint-51-YOLO.Jul 20 2015, 4:06 PM
KLans_WMF moved this task from Needs Analysis to Ready for Signoff on the Reading-Web-Sprint-52-Zoolander board.
Jdlrobson updated the task description. (Show Details)Jul 27 2015, 11:17 PM

@csteipp bad news this seems to still be a problem on wmf15 despite the fact that both patches should have been deployed.

Jdlrobson moved this task from Ready for Signoff to -1 (Needs More Work) on the Reading-Web-Sprint-52-Zoolander board.Jul 27 2015, 11:19 PM
csteipp added a comment.Jul 28 2015, 12:00 AM

It works for me... without javascript.

The issue is ext.centralauth.centralautologin doesn't have logic to add mobile=1 when it constructs the url for loginwiki. Jon and I had briefly talked about loading a different version of that script for mobile using resource loader targets.

Jdlrobson removed a project: Patch-For-Review.Jul 29 2015, 8:11 PM
Jdlrobson added a comment.Jul 31 2015, 6:52 PM

@csteipp do you need help with this?

csteipp added a comment.Aug 1 2015, 12:10 AM

@Jdlrobson, yeah, help would be appreciated! I didn't see an obvious, clean way to handle it, but if you have ideas, I'd be happy to review.

KLans_WMF edited projects, added Reading-Web-Sprint-53-12-Monkeys; removed Reading-Web-Sprint-52-Zoolander.Aug 3 2015, 4:08 PM
KLans_WMF moved this task from Needs Analysis to -1 (Needs More Work) on the Reading-Web-Sprint-53-12-Monkeys board.
Jdlrobson mentioned this in T108201: CentralAuth autologin broken for non-www mobile domains (mediawiki.org, wikidata.org).Aug 6 2015, 5:15 PM
csteipp mentioned this in T108101: Isolate wikidata.org cookies and CORS policies.Aug 14 2015, 6:51 PM
Jhernandez edited projects, added Reading-Web-Sprint-54-28-Days-Later; removed Reading-Web-Sprint-53-12-Monkeys.Aug 17 2015, 4:07 PM
Jhernandez moved this task from Needs Analysis to -1 (Needs More Work) on the Reading-Web-Sprint-54-28-Days-Later board.
Jdlrobson moved this task from -1 (Needs More Work) to To Do on the Reading-Web-Sprint-54-28-Days-Later board.Aug 17 2015, 4:24 PM
Jdlrobson added a subtask: T109538: Vagrant wikis should have mobile site setup when MobileFrontend role is enabled.Aug 18 2015, 11:45 PM

Tricky to test this locally without T109538 resolved.

Jdlrobson changed the task status from Open to Stalled.Aug 19 2015, 12:23 AM
bd808 changed the status of subtask T109538: Vagrant wikis should have mobile site setup when MobileFrontend role is enabled from Open to Stalled.Aug 19 2015, 11:53 PM
gerritbot added a comment.Aug 22 2015, 5:07 AM

Change 233091 had a related patch set uploaded (by CSteipp):
Set mobile flag for autologin js

https://gerrit.wikimedia.org/r/233091

gerritbot added a project: Patch-For-Review.Aug 22 2015, 5:07 AM
csteipp moved this task from In Progress to Waiting on the Security-Team board.Aug 24 2015, 7:11 PM
phuedx moved this task from To Do to Code Review on the Reading-Web-Sprint-54-28-Days-Later board.Aug 25 2015, 9:09 AM
Jdlrobson moved this task from Code Review to -1 (Needs More Work) on the Reading-Web-Sprint-54-28-Days-Later board.Aug 25 2015, 10:13 PM
Jdlrobson removed a project: Reading-Web-Sprint-54-28-Days-Later.Sep 2 2015, 7:00 PM
JanZerebecki added a parent task: T108101: Isolate wikidata.org cookies and CORS policies.Sep 10 2015, 11:54 AM
JanZerebecki removed a parent task: T108101: Isolate wikidata.org cookies and CORS policies.Sep 10 2015, 11:57 AM
JanZerebecki added a parent task: T112087: [Bug] m.wikidata.org is not CORS whitelisted.Sep 10 2015, 11:59 AM
csteipp moved this task from Waiting to In Progress on the Security-Team board.Sep 11 2015, 2:09 PM
jrbs added a subscriber: jrbs.Sep 12 2015, 11:04 AM
csteipp moved this task from In Progress to Waiting on the Security-Team board.Sep 14 2015, 11:14 PM
Florian added a comment.Oct 26 2015, 6:48 PM

Hmm, I'm wondering if this is already fixed? (I haven't seen such a notification for a long time now), because there is one open change here :)

Jdlrobson added a comment.Oct 26 2015, 7:00 PM

Bug still exists. See https://phabricator.wikimedia.org/T100413#1486959

https://gerrit.wikimedia.org/r/#/c/233091/ is waiting for feedback from @Krinkle afaik

zhuyifei1999 moved this task from Backlog to MediaWiki Interface and i18n on the Commons board.Nov 15 2015, 2:26 PM
Aklapper added a comment.Nov 30 2015, 11:20 AM
In T100413#1754527, @Jdlrobson wrote:

https://gerrit.wikimedia.org/r/#/c/233091/ is waiting for feedback from @Krinkle afaik

That patch got a +1. Anything else blocking this "Unbreak now"-priority task?

Krinkle added a comment.Nov 30 2015, 12:12 PM

The patch looks fine (added +1), though it does work around two problems that will remain unsolved:

  • Internal domain variation is not verified. So whenever a new way comes up to view a page, it will result in the same bug again. Curious if this affects Wikipedia Zero, for example. It might make sense to validate the hostname server-side instead of passing mobile=1 which doesn't scale and leaves the same bug to happen if other "mobile" domains appear. It also negatively affects caching proxies and mirrors (which already have this bug for both mobile and desktop origins).
  • Silently attempting to log-in from a any domain where the code runs is fine (that one request isn't a problem), but we should at least validate the domain as part of that request so it doesn't fan-out further then needed.
  • MobileFrontend toast "You've been logged-in,.. reload .." message is displayed regardless of whether the login succeeded. This is the root cause of this bug and will likely happen again in the future.
csteipp moved this task from Waiting to Our Part Is Done on the Security-Team board.Dec 1 2015, 7:54 PM
Muedigkeit changed the status of subtask T109538: Vagrant wikis should have mobile site setup when MobileFrontend role is enabled from Stalled to Open.Dec 6 2015, 5:07 PM
phuedx mentioned this in T109538: Vagrant wikis should have mobile site setup when MobileFrontend role is enabled.Dec 7 2015, 9:28 AM
Luke081515 removed a subscriber: Luke081515.Dec 22 2015, 5:45 PM
Jdlrobson changed the task status from Stalled to Open.Jan 8 2016, 10:12 PM
gerritbot added a comment.Jan 8 2016, 10:14 PM

Change 233091 merged by jenkins-bot:
Set mobile flag for autologin js

https://gerrit.wikimedia.org/r/233091

ReleaseTaggerBot added a project: MW-1.27-release (WMF-deploy-2016-01-12_(1.27.0-wmf.10)).Jan 8 2016, 11:00 PM
csteipp closed this task as Resolved.Jan 26 2016, 4:52 PM

The original issue seems to be resolved now

MarcoAurelio moved this task from Incoming to Done on the MediaWiki-extensions-CentralAuth board.Dec 15 2016, 4:20 PM
Restricted Application added subscribers: Jay8g, TerraCodes. · View Herald TranscriptDec 15 2016, 4:20 PM
Aklapper removed a subscriber: Anomie.Oct 16 2020, 5:38 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL