Page MenuHomePhabricator
Create Task
Maniphest T106066

Don't show "Nonce already used" error on memcache failure
Closed, ResolvedPublic
Actions

Description

MWOAuthDataStore::lookup_nonce() calls memcached and does not differentiate between a successful lookup (which, for the OAuth protocol, means a nonce reuse error) and a memcached error. This means that the client receives an mwoauth-invalid-authorization error ("The authorization headers in your request are not valid: Nonce already used: XXX") even if the actual error is some memcached server dropping connections. This is very confusing for the client and should be improved. Unfortunately this behavior comes from the external OAuth library so that might not be easy (but maybe we can just throw an exception?), but at a minimum we should differentiate in our internal logging and set up an alert via T100735.

Related Objects
Search...

Event Timeline

Sitic created this task.Jul 16 2015, 5:46 PM
Sitic raised the priority of this task from to Needs Triage.
Sitic updated the task description. (Show Details)
Sitic added projects: MediaWiki-Action-API, MediaWiki-extensions-OAuth.
Sitic subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 16 2015, 5:46 PM
Tgr subscribed.Jul 16 2015, 7:35 PM

One possibility is double-posting of some kind. The other is a memcached error; the extension uses MWOAuthDataStore::lookup_nonce() to store nonces for 5 mins in memcached and check uniqueness, and it returns false both when the nonce is already used and when a memcached operation fails. Given that accepting a nonce without a duplication check opens us to replay attacks, I don't think much can be done about that (although we could improve logging to differentiate between the two cases).

Sitic added a comment.Jul 16 2015, 9:30 PM

I'm pretty sure that it isn't double-posting, the first instance of this error I can find is from 15 Jul 2015 20:19:29 -0700 (PDT), everything worked fine in the last weeks.
As a test 100 API requests resulted in 5 errors: (the nonce is definitely used for fist time here by me, there were no other API requests and the last 10 digits are the unix time)

import requests
from requests_oauthlib import OAuth1

auth1 = OAuth1(consumer_token['key'],
               client_secret=consumer_token['secret'],
               resource_owner_key=access_token['key'],
               resource_owner_secret=access_token['secret'])
for i in range(100):
    response = requests.get(
        "https://meta.wikimedia.org/w/api.php",
        params={
            'action': "query",
            'meta': "userinfo",
            'format': "json"  
        },
        auth=auth1
    )
    if 'error' in response.json():
        print response.json()
    time.sleep(3)     


{u'servedby': u'mw1128', u'error': {u'info': u'The authorization headers in your request are not valid: Nonce already used: 8100470808494508661437080839', u'*': u'See https://meta.wikimedia.org/w/api.php for API usage', u'code': u'mwoauth-invalid-authorization'}}
{u'servedby': u'mw1128', u'error': {u'info': u'The authorization headers in your request are not valid: Nonce already used: 91229791883386003641437080945', u'*': u'See https://meta.wikimedia.org/w/api.php for API usage', u'code': u'mwoauth-invalid-authorization'}}
{u'servedby': u'mw1128', u'error': {u'info': u'The authorization headers in your request are not valid: Nonce already used: 19195888973674011721437080983', u'*': u'See https://meta.wikimedia.org/w/api.php for API usage', u'code': u'mwoauth-invalid-authorization'}}
{u'servedby': u'mw1139', u'error': {u'info': u'The authorization headers in your request are not valid: Nonce already used: 141774547467664134131437081014', u'*': u'See https://meta.wikimedia.org/w/api.php for API usage', u'code': u'mwoauth-invalid-authorization'}}
{u'servedby': u'mw1128', u'error': {u'info': u'The authorization headers in your request are not valid: Nonce already used: 85106567837463406581437081030', u'*': u'See https://meta.wikimedia.org/w/api.php for API usage', u'code': u'mwoauth-invalid-authorization'}}

I've also just seen mw1134 as servedby, unfortunately I don't have the servedby information in my logfile for the previous errors.

Sitic added a comment.Jul 16 2015, 9:59 PM

Seems to have been fixed

[23:26:17] <ori> !log bounced nutcracker on mw1128 and mw1134
[23:26:21] <hashar> mw1139 seems to have the same issue :-(
[23:26:22] <morebots> Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log, Master
[23:27:08] <grrrit-wm> (PS5) Lokal Profil: Add DCAT-AP for Wikibase [puppet] - https://gerrit.wikimedia.org/r/219800 (https://phabricator.wikimedia.org/T103087)
[23:27:11] <ori> !log bounced nutcracker on mw1139 as well. hashar noticed flood of errors from these hosts on https://logstash.wikimedia.org/#/dashboard/elasticsearch/mediawiki-errors . lack of monitoring / alerts is troubling.

Tgr renamed this task from Some OAuth API requests return "Nonce already used" errors to Don't show "Nonce already used" error on memcache failure.Jul 16 2015, 10:06 PM
Tgr updated the task description. (Show Details)
Tgr set Security to None.
Tgr updated the task description. (Show Details)Jul 16 2015, 10:08 PM
Tgr added a subtask: T100735: Have Logstash report per-channel log message rate to Graphite.
Sitic mentioned this in T106057: Nonce already used OAuth errors.Jul 16 2015, 10:39 PM
Nemo_bis added projects: Sustainability, Performance Issue.Jul 17 2015, 10:39 AM
Nemo_bis subscribed.

This sounds related to T102199.

Anomie removed a project: MediaWiki-Action-API.Jul 17 2015, 1:17 PM
Tgr mentioned this in T102199: Reports of a high number of edits being rejected due to loss of session data.Jul 17 2015, 3:26 PM
fgiunchedi added subscribers: ori, fgiunchedi.Jul 17 2015, 3:31 PM
In T106066#1458967, @Sitic wrote:

Seems to have been fixed

[23:26:17] <ori> !log bounced nutcracker on mw1128 and mw1134
[23:26:21] <hashar> mw1139 seems to have the same issue :-(
[23:26:22] <morebots> Logged the message at https://wikitech.wikimedia.org/wiki/Server_Admin_Log, Master
[23:27:08] <grrrit-wm> (PS5) Lokal Profil: Add DCAT-AP for Wikibase [puppet] - https://gerrit.wikimedia.org/r/219800 (https://phabricator.wikimedia.org/T103087)
[23:27:11] <ori> !log bounced nutcracker on mw1139 as well. hashar noticed flood of errors from these hosts on https://logstash.wikimedia.org/#/dashboard/elasticsearch/mediawiki-errors . lack of monitoring / alerts is troubling.

@ori any idea if nutcracker failure was related to T105131: intermittent nutcracker failures ?

bd808 closed subtask T100735: Have Logstash report per-channel log message rate to Graphite as Resolved.Aug 14 2015, 10:38 PM
jayvdb mentioned this in T109173: "Nonce already used" regularly occurring on beta cluster.Aug 15 2015, 10:48 AM
Tgr mentioned this in T107230: OAuth sometimes stops providing tokens for a user, even though the app was not deauthorized.Sep 9 2016, 7:01 PM
Tgr triaged this task as Low priority.Mar 7 2017, 4:10 AM
Steinsplitter subscribed.Jan 13 2018, 5:44 PM
Tgr added a parent task: T245477: OAuth server should provide clear and useful feedback about client errors.Feb 18 2020, 1:13 AM
Tgr removed a subtask: T100735: Have Logstash report per-channel log message rate to Graphite.Feb 18 2020, 1:15 AM
Tgr mentioned this in T247562: Warning: Memcached::setMulti(): failed to set key global:segment:....Mar 16 2020, 10:14 AM
Krinkle subscribed.Mar 16 2020, 7:02 PM

Regarding Memcached sometimes failing to store (e.g. due to being expired within one second of storing, or due to switching a shard to a new host, or due to resharding, or due to a host briefly not responding),

In T247562#5973562, @Krinkle wrote:

That's a fundamental contract between MW and Memcached that I don't think we will depart from anytime soon. Non-cache use cases do not belong in Memcached. The use case of T106066 is what session store, main stash, db-replicated, or dedicated tables are for.

JJMC89 mentioned this in T272319: Frequent "Nonce already used" errors in scripts and tools.Jan 18 2021, 7:58 PM
SD0001 subscribed.Jan 25 2021, 8:32 AM
Krinkle raised the priority of this task from Low to Medium.Mar 4 2021, 8:14 AM
Krinkle edited projects, added Sustainability (Incident Followup); removed Performance Issue, Sustainability.
Tgr mentioned this in T286409: DiscussionTools reply tool needs double-posting protection.Oct 18 2021, 4:55 AM
Krinkle closed this task as Resolved.Aug 23 2022, 1:56 PM
Krinkle claimed this task.
Krinkle added a project: Performance-Team.

Change since:

  • mcrouter introduced, which handles failures differently from nutcracker.
  • gutter pool introduced, which adds fallback capacity to be able to keep storing things temporarily during a memc shard failover (T244852).
  • oauth nonces moved from nutcracker/Redis to mcrouter (T313578).
bd808 mentioned this in T350836: OAuth login to wikitech fails when running MediaWiki 1.42.0-wmf.4.Nov 8 2023, 10:29 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL