"You are centrally logged in." toast on every page view on commons
Closed, ResolvedPublic
Actions

Description

Tested on Chrome and Firefox (both desktop, not tested on mobile so far...) and two different computers:
Logged in using the desktop site of some wiki.
Visit http://commons.m.wikimedia.org, and get a login toast notification with message "Central login
You are centrally logged in. Reload the page to apply your user settings."
If i reload the page, i get the same toast again (and on every other page view).

Details

Project	Branch	Lines +/-	Subject
mediawiki/extensions/CentralAuth	master	+8 -0	Set mobile flag for autologin js
mediawiki/extensions/CentralAuth	master	+55 -10	Autologin for m. domains
mediawiki/extensions/MobileFrontend	master	+34 -13	Add detection for mobile domain request

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Open	None	T67626 [Epic] Support for queries on-wiki (automated list generation)
Resolved	Smalyshev	T85159 [EPIC] Deploy a Wikidata Query Service into production
Resolved	Joe	T107602 Set up a public interface to the wikidata query service
Resolved	Deskana	T105196 Security review for Wikidata Query Service code before deploying to production hardware
Resolved	csteipp	T90115 BlazeGraph Security Review
Resolved	None	T108101 Isolate wikidata.org cookies and CORS policies
Resolved	Jdlrobson	T78430 [Epic] Getting Wikidata to render nicely on mobile web
Resolved	None	T110033 [Story] Redirect users on mobile devices to mobile site automatically
Resolved	Bene	T112087 [Bug] m.wikidata.org is not CORS whitelisted
Resolved	csteipp	T100413 "You are centrally logged in." toast on every page view on commons
Open	None	T109538 Vagrant wikis should have mobile site setup when MobileFrontend role is enabled
Resolved	Gilles	T54302 Varnish vagrant role

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes

@kaldari, I'm still not certain what the best way is to detect that a request came to a mobile domain. Everything I've tried feels horribly hacky. But probably better to just get something working for now on WMF sites, and we can generalize it in code review.

I'll try to get something up tomorrow.

csteipp added a project: Security-Team.Jun 5 2015, 12:51 AM

csteipp moved this task from Incoming to In Progress on the Security-Team board.

KLans_WMF edited projects, added Mobile-Web-Sprint-49-Wayne's-World; removed Mobile-Web-Sprint-48-Voyage-of-the-Damned.Jun 8 2015, 4:39 PM

KLans_WMF moved this task from Needs Analysis to To Do on the Mobile-Web-Sprint-49-Wayne's-World board.

Jdlrobson moved this task from To Do to Doing on the Mobile-Web-Sprint-49-Wayne's-World board.Jun 10 2015, 3:26 PM

The interactions with mobile frontend are turning out to be more complicated than I thought. Can I pair with someone on mobile to work through the patch sometime in the next week?

We sat down on Friday and worked out a way to do this. Patch coming soon I suspect :)!

Yes soon! Should be end of the week at the latest.

Change 219272 had a related patch set uploaded (by CSteipp):
Add detection for mobile domain request

https://gerrit.wikimedia.org/r/219272

gerritbot added a project: Patch-For-Review.Jun 18 2015, 10:26 PM

Change 219275 had a related patch set uploaded (by CSteipp):
Autologin for m. domains

https://gerrit.wikimedia.org/r/219275

Jdlrobson moved this task from Doing to Code Review on the Mobile-Web-Sprint-49-Wayne's-World board.Jun 19 2015, 5:32 PM

Jdlrobson moved this task from Code Review to -1 (Needs More Work) on the Mobile-Web-Sprint-49-Wayne's-World board.Jun 19 2015, 8:22 PM

Jdlrobson moved this task from -1 (Needs More Work) to Code Review on the Mobile-Web-Sprint-49-Wayne's-World board.Jun 20 2015, 12:20 AM

KLans_WMF added a project: Reading-Web-Sprint-50-The-X-Files.Jun 22 2015, 4:25 PM

Jdlrobson moved this task from Needs Analysis to Code Review on the Reading-Web-Sprint-50-The-X-Files board.Jun 22 2015, 4:34 PM

KLans_WMF removed a project: Mobile-Web-Sprint-49-Wayne's-World.Jun 22 2015, 4:52 PM

Jdlrobson moved this task from Code Review to -1 (Needs More Work) on the Reading-Web-Sprint-50-The-X-Files board.Jun 22 2015, 6:32 PM

Krinkle mentioned this in T103883: CentralAuth wrongly reports successful auto-login on mirrors.Jun 25 2015, 6:24 PM

Jdlrobson moved this task from -1 (Needs More Work) to Code Review on the Reading-Web-Sprint-50-The-X-Files board.Jun 26 2015, 5:49 PM

Restricted Application added a subscriber: Steinsplitter. · View Herald TranscriptJun 26 2015, 5:49 PM

Jdlrobson moved this task from Code Review to -1 (Needs More Work) on the Reading-Web-Sprint-50-The-X-Files board.Jun 26 2015, 6:07 PM

Steinsplitter added a project: Commons.Jun 26 2015, 6:47 PM

Steinsplitter moved this task from Incoming to Backlog on the Commons board.

Jdlrobson moved this task from -1 (Needs More Work) to Code Review on the Reading-Web-Sprint-50-The-X-Files board.Jun 26 2015, 11:56 PM

Jdlrobson moved this task from Code Review to -1 (Needs More Work) on the Reading-Web-Sprint-50-The-X-Files board.Jun 29 2015, 8:53 PM

phuedx moved this task from -1 (Needs More Work) to Code Review on the Reading-Web-Sprint-50-The-X-Files board.Jun 30 2015, 9:06 AM

Change 219272 merged by jenkins-bot:
Add detection for mobile domain request

https://gerrit.wikimedia.org/r/219272

Diffusion mentioned this in rMEXT1bfbd890c939: Updated mediawiki/extensions Project: mediawiki/extensions/MobileFrontend….Jul 1 2015, 10:16 PM

csteipp mentioned this in rEMFRfa24535cb261: Add detection for mobile domain request.Jul 1 2015, 10:16 PM

Forrestbot added a project: WMF-deploy-2015-07-07_(1.26wmf13).Jul 1 2015, 11:00 PM

Jhernandez removed a project: Readers-Web-Backlog.Jul 2 2015, 9:51 AM

phuedx moved this task from Code Review to -1 (Needs More Work) on the Reading-Web-Sprint-50-The-X-Files board.Jul 2 2015, 10:39 AM

Restricted Application added a subscriber: Luke081515. · View Herald TranscriptJul 2 2015, 10:39 AM

KLans_WMF edited projects, added Reading-Web-Sprint-51-YOLO; removed Reading-Web-Sprint-50-The-X-Files.Jul 6 2015, 4:07 PM

Restricted Application added a subscriber: MGChecker. · View Herald TranscriptJul 6 2015, 4:07 PM

KLans_WMF moved this task from Needs Analysis to -1 (Needs More Work) on the Reading-Web-Sprint-51-YOLO board.Jul 6 2015, 4:08 PM

@csteipp there is an open question from @phuedx on your patchset

Jdlrobson moved this task from -1 (Needs More Work) to Ready for Signoff on the Reading-Web-Sprint-51-YOLO board.Jul 15 2015, 10:12 AM

Change 219275 merged by jenkins-bot:
Autologin for m. domains

https://gerrit.wikimedia.org/r/219275

Diffusion mentioned this in rMEXTae4701eeebaf: Updated mediawiki/extensions Project: mediawiki/extensions/CentralAuth….Jul 15 2015, 10:13 AM

csteipp mentioned this in rECAU30143286e4e8: Autologin for m. domains.Jul 15 2015, 10:14 AM

Forrestbot added a project: WMF-deploy-2015-07-21_(1.26wmf15).Jul 15 2015, 11:00 AM

KLans_WMF edited projects, added Reading-Web-Sprint-52-Zoolander; removed Reading-Web-Sprint-51-YOLO.Jul 20 2015, 4:06 PM

KLans_WMF moved this task from Needs Analysis to Ready for Signoff on the Reading-Web-Sprint-52-Zoolander board.

@csteipp bad news this seems to still be a problem on wmf15 despite the fact that both patches should have been deployed.

Jdlrobson moved this task from Ready for Signoff to -1 (Needs More Work) on the Reading-Web-Sprint-52-Zoolander board.Jul 27 2015, 11:19 PM

It works for me... without javascript.

The issue is ext.centralauth.centralautologin doesn't have logic to add mobile=1 when it constructs the url for loginwiki. Jon and I had briefly talked about loading a different version of that script for mobile using resource loader targets.

Jdlrobson removed a project: Patch-For-Review.Jul 29 2015, 8:11 PM

@csteipp do you need help with this?

@Jdlrobson, yeah, help would be appreciated! I didn't see an obvious, clean way to handle it, but if you have ideas, I'd be happy to review.

KLans_WMF edited projects, added Reading-Web-Sprint-53-12-Monkeys; removed Reading-Web-Sprint-52-Zoolander.Aug 3 2015, 4:08 PM

KLans_WMF moved this task from Needs Analysis to -1 (Needs More Work) on the Reading-Web-Sprint-53-12-Monkeys board.

Jdlrobson mentioned this in T108201: CentralAuth autologin broken for non-www mobile domains (mediawiki.org, wikidata.org).Aug 6 2015, 5:15 PM

csteipp mentioned this in T108101: Isolate wikidata.org cookies and CORS policies.Aug 14 2015, 6:51 PM

Jhernandez edited projects, added Reading-Web-Sprint-54-28-Days-Later; removed Reading-Web-Sprint-53-12-Monkeys.Aug 17 2015, 4:07 PM

Jhernandez moved this task from Needs Analysis to -1 (Needs More Work) on the Reading-Web-Sprint-54-28-Days-Later board.

Jdlrobson moved this task from -1 (Needs More Work) to To Do on the Reading-Web-Sprint-54-28-Days-Later board.Aug 17 2015, 4:24 PM

Tricky to test this locally without T109538 resolved.

Jdlrobson changed the task status from Open to Stalled.Aug 19 2015, 12:23 AM

bd808 changed the status of subtask T109538: Vagrant wikis should have mobile site setup when MobileFrontend role is enabled from Open to Stalled.Aug 19 2015, 11:53 PM

Change 233091 had a related patch set uploaded (by CSteipp):
Set mobile flag for autologin js

https://gerrit.wikimedia.org/r/233091

gerritbot added a project: Patch-For-Review.Aug 22 2015, 5:07 AM

csteipp moved this task from In Progress to Waiting on the Security-Team board.Aug 24 2015, 7:11 PM

phuedx moved this task from To Do to Code Review on the Reading-Web-Sprint-54-28-Days-Later board.Aug 25 2015, 9:09 AM

Jdlrobson moved this task from Code Review to -1 (Needs More Work) on the Reading-Web-Sprint-54-28-Days-Later board.Aug 25 2015, 10:13 PM

Jdlrobson removed a project: Reading-Web-Sprint-54-28-Days-Later.Sep 2 2015, 7:00 PM

JanZerebecki added a parent task: T108101: Isolate wikidata.org cookies and CORS policies.Sep 10 2015, 11:54 AM

JanZerebecki removed a parent task: T108101: Isolate wikidata.org cookies and CORS policies.Sep 10 2015, 11:57 AM

JanZerebecki added a parent task: T112087: [Bug] m.wikidata.org is not CORS whitelisted.Sep 10 2015, 11:59 AM

csteipp moved this task from Waiting to In Progress on the Security-Team board.Sep 11 2015, 2:09 PM

jrbs added a subscriber: jrbs.Sep 12 2015, 11:04 AM

csteipp moved this task from In Progress to Waiting on the Security-Team board.Sep 14 2015, 11:14 PM

Hmm, I'm wondering if this is already fixed? (I haven't seen such a notification for a long time now), because there is one open change here :)

Bug still exists. See https://phabricator.wikimedia.org/T100413#1486959

https://gerrit.wikimedia.org/r/#/c/233091/ is waiting for feedback from @Krinkle afaik

zhuyifei1999 moved this task from Backlog to MediaWiki Interface and i18n on the Commons board.Nov 15 2015, 2:26 PM

In T100413#1754527, @Jdlrobson wrote:

https://gerrit.wikimedia.org/r/#/c/233091/ is waiting for feedback from @Krinkle afaik

That patch got a +1. Anything else blocking this "Unbreak now"-priority task?

The patch looks fine (added +1), though it does work around two problems that will remain unsolved:

Internal domain variation is not verified. So whenever a new way comes up to view a page, it will result in the same bug again. Curious if this affects Wikipedia Zero, for example. It might make sense to validate the hostname server-side instead of passing mobile=1 which doesn't scale and leaves the same bug to happen if other "mobile" domains appear. It also negatively affects caching proxies and mirrors (which already have this bug for both mobile and desktop origins).
Silently attempting to log-in from a any domain where the code runs is fine (that one request isn't a problem), but we should at least validate the domain as part of that request so it doesn't fan-out further then needed.
MobileFrontend toast "You've been logged-in,.. reload .." message is displayed regardless of whether the login succeeded. This is the root cause of this bug and will likely happen again in the future.