Page MenuHomePhabricator

With some accounts but not others, API throws badsession error on OAuth options update
Closed, ResolvedPublic0 Estimated Story Points

Description

In the Wiki Ed dashboard OAuth app, I'm adding the ability for the app to update user preferences, setting VisualEditor-related settings to match our training materials and documentation by enabling multi-tab and disabling the welcoming and user education flags.

I got this working locally, but when I deployed to staging, I discovered that is only works for some users. When I try to set the options — action=options&change=visualeditor-editor=visualeditor|visualeditor-hidebetawelcome=1|visualeditor-hideusered=1|visualeditor-tabs=multi-tab, I get options: success back for users Ragesock (which was created in 2007) and Ragesoss (2005), but when I try with users Sage (Wiki Ed) (2014) or Ragetest 14 (2015), I always the badsession error. Other OAuth API actions, such as page edits, work fine for these users; only the options action fails.

I can replicate this locally as well; it always works for Ragesock, but never for Ragetest 14.

(Not sure where exactly this problem comes from, so I tagged a few possible projects.)

Event Timeline

Ragesoss created this task.Jul 11 2016, 7:58 PM
Restricted Application added subscribers: Zppix, Aklapper. · View Herald TranscriptJul 11 2016, 7:58 PM
Anomie added a subscriber: Anomie.

The only thing I see that returns a "badsession" error is ApiCentralAuthToken (action=centralauthtoken), which can't be used at all in conjunction with OAuth.

It looks to me like this is basically the same Echo bug as T119736#2451527. Particularly since I note that Ragesock and Ragesoss currently wind up with $potentialWikis empty in MWEchoNotifUser::getForeignData() and therefore the call to EchoForeignNotifications::getApiEndpoints( $this->wikis ) in EchoForeignWikiRequest::getRequestParams() will return empty, so it will never make the call at line #5 in the stacktrace quoted in that comment, while Sage (Wiki Ed) and Ragetest 14 currently have a non-empty $potentialWikis.

Jdforrester-WMF renamed this task from With some accounts but not others, API throws badsession error on VE options update to With some accounts but not others, API throws badsession error on OAuth options update.Jul 12 2016, 7:16 PM
Jdforrester-WMF triaged this task as Medium priority.
Jdforrester-WMF set the point value for this task to 0.
Jdforrester-WMF moved this task from To Triage to TR0: Interrupt on the VisualEditor board.
Ragesoss closed this task as Resolved.Aug 5 2016, 8:27 PM

I haven't had the error again since the fix went live, and it hasn't showed up in Wiki Ed production. Thanks all!