
CentralAuth autologin does not work in beta cluster
Closed, Resolved · Public

Description

Steps to reproduce:

  • create new account on beta enwiki
  • visit beta dewiki

Expected result: logged in via JS autologin (logged-out personal toolbar is visible for a fraction of a second but then replaced)
Actual result: not logged in, have to log in manually

Event Timeline

Tgr created this task. Jun 2 2016, 2:46 PM
Restricted Application added subscribers: Zppix, Aklapper. Jun 2 2016, 2:46 PM
Anomie added a subscriber: Anomie. Jun 2 2016, 3:01 PM

It appears that the account creation POST on beta isn't redirecting to loginwiki, so the necessary session never gets created there.

Change 292369 had a related patch set uploaded (by Anomie):
Do redirect for Special:CreateAccount as well

https://gerrit.wikimedia.org/r/292369

Tgr added a comment. Jun 2 2016, 3:08 PM

I have suspected that signup not doing the same things as login was part of the problem, so the actual test I did was: create account on en, login on de, check on nl. That still didn't work.

Anomie added a comment. Jun 2 2016, 3:26 PM

After the login on beta dewiki, I find I'm already logged in on beta nlwiki without any need for the check. You'll probably want to capture the HTTP requests and responses so we can see what's going on when you're trying it.

Change 292369 merged by jenkins-bot:
Do redirect for Special:CreateAccount as well

https://gerrit.wikimedia.org/r/292369

Tgr added a comment. Jun 2 2016, 5:19 PM

Tried to reproduce a few times. Usually when POSTing the account creation, I got an error saying "No active login attempt is in progress for your session." The flow is

  • Special:CreateAccount POST: sets local + central login, redirects to Special:CentralLogin/start on loginwiki
  • loginwiki sets the local and central cookie, but deletes a bunch of cookies I don't think it should, then redirects back to Special:CentralLogin/complete on enwiki
  • enwiki deletes all cookies and displays the error message.

The account was created but I did not get logged in even on enwiki.

One time the account creation was successful (I don't recall doing anything differently). The user was not logged in on dewiki (but after logging in manually, it was logged in on nlwiki as well): cookies got deleted in the response to the dewiki mainpage GET request, then there was a request to loginwiki's Special:CentralAutoLogin/checkLoggedIn started from JS which returned the not-logged-in JS (this is the same thing I saw earlier, although earlier I saw it for nlwiki as well). Then after doing a manual dewiki login there was a Special:CentralLogin redirect chain and a bunch of Special:CentralAutoLogin chains and the browser got logged in on every wiki, as expected.

The edge login sequence done on enwiki on the signup landing page also seemed wrong: Special:CentralAutoLogin/start on the target wiki -> redirect to Special:CentralAutoLogin/checkLoggedIn on loginwiki, which contains X-CentralAuth-Status:Not centrally logged in, deletes the local and central session cookies and does not redirect anywhere.
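
Added example (not part of the original task or of CentralAuth's own code): a short Python audit of a captured redirect chain, of the kind requested earlier in this thread, that lists per hop which cookies each response sets or deletes and any X-CentralAuth-Status header. The hosts, cookie names and values in the capture are constructed sample data, and the capture structure is an assumption of this example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def deleted_cookie(set_cookie, now):
    """Return the cookie name if this Set-Cookie header expires it, else None."""
    pair, *attrs = [p.strip() for p in set_cookie.split(";")]
    name = pair.split("=", 1)[0]
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age" and val.lstrip("-").isdigit() and int(val) <= 0:
            return name
        if key == "expires":
            try:
                when = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                continue  # unparsable date: treat as not a deletion
            when = when if when.tzinfo is not None else when.replace(tzinfo=timezone.utc)
            if when <= now:
                return name
    return None

def audit_chain(hops, now):
    """Per hop: cookies set, cookies deleted, and the X-CentralAuth-Status header."""
    report = []
    for hop in hops:
        gone, kept = [], []
        for header in hop["set_cookie"]:
            name = deleted_cookie(header, now)
            (gone if name else kept).append(name or header.split("=", 1)[0])
        report.append({"url": hop["url"], "set": kept, "deleted": gone,
                       "status": hop["headers"].get("X-CentralAuth-Status")})
    return report

# Constructed capture: hosts, cookie names and values are sample data.
GONE = "deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0"
CAPTURE = [
    {"url": "https://en.wiki.example/wiki/Special:CreateAccount", "headers": {},
     "set_cookie": ["enwikiSession=aaa; Path=/", "centralauth_Session=bbb; Path=/"]},
    {"url": "https://login.wiki.example/wiki/Special:CentralLogin/start", "headers": {},
     "set_cookie": ["centralauth_Session=ccc; Path=/", "loginwikiUserID=" + GONE]},
    {"url": "https://en.wiki.example/wiki/Special:CentralLogin/complete", "headers": {},
     "set_cookie": ["enwikiSession=" + GONE, "centralauth_Session=" + GONE]},
    {"url": "https://login.wiki.example/wiki/Special:CentralAutoLogin/checkLoggedIn",
     "headers": {"X-CentralAuth-Status": "Not centrally logged in"}, "set_cookie": []},
]

if __name__ == "__main__":
    for row in audit_chain(CAPTURE, datetime.now(timezone.utc)):
        print(row["url"], "set:", row["set"], "deleted:", row["deleted"], row["status"])
```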

Tgr added a comment. Jun 2 2016, 5:36 PM

Possibly caused by T136853

Change 292410 had a related patch set uploaded (by Anomie):
AuthManager::setDefaultUserOptions shouldn't invalidate tokens

https://gerrit.wikimedia.org/r/292410

Change 292410 merged by jenkins-bot:
AuthManager::setDefaultUserOptions and LoginForm::initUser shouldn't invalidate CA tokens

https://gerrit.wikimedia.org/r/292410

Change 292479 had a related patch set uploaded (by Gergő Tisza):
AuthManager::setDefaultUserOptions and LoginForm::initUser shouldn't invalidate CA tokens

https://gerrit.wikimedia.org/r/292479

Change 292479 merged by jenkins-bot:
AuthManager::setDefaultUserOptions and LoginForm::initUser shouldn't invalidate CA tokens

https://gerrit.wikimedia.org/r/292479

Tgr closed this task as Resolved. Jun 3 2016, 1:25 PM
Tgr claimed this task.

I can't reproduce the bug anymore; both autologin and edge login work fine, for normal login and for account creation. (I could still reproduce it yesterday an hour or so after deploying the patch, but maybe that was just beta updating slower than usual?) Assuming it's fixed. Thanks Brad!

Tgr reassigned this task from Tgr to Anomie. Jun 3 2016, 1:31 PM

Change 297496 had a related patch set uploaded (by Gergő Tisza):
Do redirect for Special:CreateAccount as well

https://gerrit.wikimedia.org/r/297496

Change 297496 merged by jenkins-bot:
Do redirect for Special:CreateAccount as well

https://gerrit.wikimedia.org/r/297496