Page MenuHomePhabricator
Create Task
Maniphest T140006

With some accounts but not others, API throws badsession error on OAuth options update
Closed, ResolvedPublic0 Estimated Story Points
Actions

Description

In the Wiki Ed dashboard OAuth app, I'm adding the ability for the app to update user preferences, setting VisualEditor-related settings to match our training materials and documentation by enabling multi-tab and disabling the welcoming and user education flags.

I got this working locally, but when I deployed to staging, I discovered that is only works for some users. When I try to set the options — action=options&change=visualeditor-editor=visualeditor|visualeditor-hidebetawelcome=1|visualeditor-hideusered=1|visualeditor-tabs=multi-tab, I get options: success back for users Ragesock (which was created in 2007) and Ragesoss (2005), but when I try with users Sage (Wiki Ed) (2014) or Ragetest 14 (2015), I always the badsession error. Other OAuth API actions, such as page edits, work fine for these users; only the options action fails.

I can replicate this locally as well; it always works for Ragesock, but never for Ragetest 14.

(Not sure where exactly this problem comes from, so I tagged a few possible projects.)

Related Objects

Event Timeline

Ragesoss created this task.Jul 11 2016, 7:58 PM
Restricted Application added subscribers: Zppix, Aklapper. · View Herald TranscriptJul 11 2016, 7:58 PM
Anomie added a project: Notifications.Jul 12 2016, 2:27 PM
Anomie added a subscriber: Anomie.

The only thing I see that returns a "badsession" error is ApiCentralAuthToken (action=centralauthtoken), which can't be used at all in conjunction with OAuth.

It looks to me like this is basically the same Echo bug as T119736#2451527. Particularly since I note that Ragesock and Ragesoss currently wind up with $potentialWikis empty in MWEchoNotifUser::getForeignData() and therefore the call to EchoForeignNotifications::getApiEndpoints( $this->wikis ) in EchoForeignWikiRequest::getRequestParams() will return empty, so it will never make the call at line #5 in the stacktrace quoted in that comment, while Sage (Wiki Ed) and Ragetest 14 currently have a non-empty $potentialWikis.

Anomie moved this task from Unsorted to Non-core-API stuff on the MediaWiki-API board.Jul 12 2016, 2:27 PM
Anomie mentioned this in T140127: "Can only obtain a centralauthtoken when using CentralAuth sessions" during auto-creation.Jul 12 2016, 5:26 PM
Jdforrester-WMF renamed this task from With some accounts but not others, API throws badsession error on VE options update to With some accounts but not others, API throws badsession error on OAuth options update.Jul 12 2016, 7:16 PM
Jdforrester-WMF triaged this task as Medium priority.
Jdforrester-WMF set the point value for this task to 0.
Jdforrester-WMF moved this task from To Triage to TR0: Interrupt on the VisualEditor board.
Mattflaschen-WMF added a subscriber: Mattflaschen-WMF.Jul 21 2016, 12:09 AM

If this was caused by Echo, it should be resolved now by rOMWC8dce65d489c0: Remove Echo transition flags.

Mattflaschen-WMF mentioned this in T140963: ForeignWikiRequest and getFromForeign will fail if OAuth or bot passwords are in use.Jul 21 2016, 12:19 AM
Mattflaschen-WMF added a project: Collaboration-Team-Triage.Aug 5 2016, 7:08 PM
Ragesoss closed this task as Resolved.Aug 5 2016, 8:27 PM

I haven't had the error again since the fix went live, and it hasn't showed up in Wiki Ed production. Thanks all!

Aklapper removed subscribers: Mattflaschen-WMF, Anomie.Oct 16 2020, 5:42 PM
Restricted Application added a project: User-Ryasmeen. · View Herald TranscriptOct 16 2020, 5:42 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL