
Accounts created through OAuth are rate-limited even when the user has account creator rights
Closed, Resolved (Public)

Description

On outreachdashboard.wmflabs.org we recently deployed a feature to allow new users to request accounts, and then event organizers can approve these requests and create the new accounts, which happens via OAuth API actions. However, we have unexpectedly run into account creation IP limit failures, even when the user creating the accounts has account creator rights. For example:

https://en.wikipedia.org/w/index.php?title=Special%3AUserRights&user=Theredproject
https://en.wikipedia.org/wiki/Special:Log/Theredproject

A few accounts were created successfully through OAuth, but later ones have all been rate limited, despite User:Theredproject having account creator rights.

Errors:

{:failure=>"Could not create account for SayHi / xx@xx.xx.\n https://en.wikipedia.org message:\n acct_creation_throttle_hit\n — Visitors to Wikipedia using your [[IP address]] have created 6 accounts in the last 24 hours, which is the maximum allowed in this time period. As a result, visitors using this IP address cannot create any more accounts at the moment. If you would like to request an account be created for you, follow the instructions at [[Wikipedia:Request an account]]."}
{:failure=>"Could not create account for Nadine Roestenburg / xx@xx.xx.\n https://en.wikipedia.org message:\n acct_creation_throttle_hit\n — Visitors to Wikipedia using your [[IP address]] have created 6 accounts in the last 24 hours, which is the maximum allowed in this time period. As a result, visitors using this IP address cannot create any more accounts at the moment. If you would like to request an account be created for you, follow the instructions at [[Wikipedia:Request an account]]."}
{:failure=>"Could not create account for NadineRoestenburg / xx@xx.xx.\n https://en.wikipedia.org message:\n acct_creation_throttle_hit\n — Visitors to Wikipedia using your [[IP address]] have created 6 accounts in the last 24 hours, which is the maximum allowed in this time period. As a result, visitors using this IP address cannot create any more accounts at the moment. If you would like to request an account be created for you, follow the instructions at [[Wikipedia:Request an account]]."}
{:failure=>"Could not create account for Wiki editor eindhoven / xx@xx.xx.\n https://en.wikipedia.org message:\n acct_creation_throttle_hit\n — Visitors to Wikipedia using your [[IP address]] have created 6 accounts in the last 24 hours, which is the maximum allowed in this time period. As a result, visitors using this IP address cannot create any more accounts at the moment. If you would like to request an account be created for you, follow the instructions at [[Wikipedia:Request an account]]."}
{:failure=>"Could not create account for ivguimaraes17 / xx@xx.xx.\n https://pt.wikipedia.org message:\n acct_creation_throttle_hit\n — Pedimos desculpa, mas não foi possível criar a conta porque foi atingido o número máximo de contas. Já foram criadas 6 contas num período de 1 dia a partir do [[número IP]] que está a usar. Normalmente isso acontece a quem acede à Wikipédia através de uma rede usada por muitas pessoas, como uma instituição de ensino ou um ciber-café, nas quais usam um endereço IP atribuído a muitos computadores através de um ''[[proxy]]'' ou ''[[firewall]]''. Este limite visa prevenir abusos com sistemas automatizados.\n\nPara criar uma conta tente uma das seguintes soluções:\n*aguarde algum tempo, para que o número de contas criadas a cada 1 dia seja inferior ao limite e tente criar de novo a conta;\n*use outro computador, de preferência noutro local ou rede, nem que seja apenas para a criar a conta, pois este limite apenas se aplica ao número de contas criadas e não às edições na Wikipédia."}
{:failure=>"Could not create account for zombievulcan / xx@xx.xx.\n https://pt.wikipedia.org message:\n acct_creation_throttle_hit\n — Pedimos desculpa, mas não foi possível criar a conta porque foi atingido o número máximo de contas. Já foram criadas 6 contas num período de 1 dia a partir do [[número IP]] que está a usar. Normalmente isso acontece a quem acede à Wikipédia através de uma rede usada por muitas pessoas, como uma instituição de ensino ou um ciber-café, nas quais usam um endereço IP atribuído a muitos computadores através de um ''[[proxy]]'' ou ''[[firewall]]''. Este limite visa prevenir abusos com sistemas automatizados.\n\nPara criar uma conta tente uma das seguintes soluções:\n*aguarde algum tempo, para que o número de contas criadas a cada 1 dia seja inferior ao limite e tente criar de novo a conta;\n*use outro computador, de preferência noutro local ou rede, nem que seja apenas para a criar a conta, pois este limite apenas se aplica ao número de contas criadas e não às edições na Wikipédia."}
{:failure=>"Could not create account for AleksandraPlatko / xx@xx.xx.\n https://en.wikipedia.org message:\n userexists\n — Username entered already in use.\nPlease choose a different name."}
{:failure=>"Could not create account for Bárbara Cristina Caldeira / xx@xx.xx .\n https://pt.wikipedia.org message:\n invalidemailaddress\n — Formato inválido: não é possível aceitar esse endereço de e-mail. Por favor, introduza um endereço válido ou esvazie o campo."}
{:failure=>"Could not create account for CKLLVNV / xx@xx.xx.\n https://en.wikipedia.org message:\n userexists\n — Username entered already in use.\nPlease choose a different name."}
{:failure=>"Could not create account for -02joverdose / xx@xx.xx.\n https://en.wikipedia.org message:\n acct_creation_throttle_hit\n — Visitors to Wikipedia using your [[IP address]] have created 6 accounts in the last 24 hours, which is the maximum allowed in this time period. As a result, visitors using this IP address cannot create any more accounts at the moment. If you would like to request an account be created for you, follow the instructions at [[Wikipedia:Request an account]]."}

Event Timeline

@Tgr any insight you can share about this? This feature is key for the wave of Art+Feminism editathons that is about to start, and we're not sure how to proceed.

This is pretty urgent, as we have ~300 events happening starting today, the first of March. We have instructed them to create accounts via Dashboard, so we fear we may have a real problem on our hands if we cannot debug this, or figure out a workaround. Thanks All!!!

You have to grant OAuth the right to use ratelimit

Is this your OAuth application?
https://meta.wikimedia.org/wiki/Special:OAuthListConsumers/view/b4ba1b0a02c6ac8f3d463249f9cfd3b9

It has only:
Applicable grants
Interact with pages
Edit existing pages; Create, edit, and move pages

You need High-volume editing (highvolume) from https://meta.wikimedia.org/wiki/Special:ListGrants

On https://meta.wikimedia.org/wiki/Special:OAuthConsumerRegistration/propose you can see the list of grants (no need to request a new one, an OAuth admin can change the settings or the owner can change it over Special:OAuthManageConsumers)

The admins are listed at https://meta.wikimedia.org/wiki/Special:ListUsers/oauthadmin

Are we talking about outreachdashboard.wmflabs.org (2.0)? That app does not have the highvolume grant which is needed for rights like no rate limiting to be available in OAuth actions.
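
The grant scoping described in the two comments above, as an added Ruby example that is not part of the original task or of the dashboard's code: an OAuth request can only exercise the user's rights that the consumer's grants also allow. The abridged grant table, the sample rights list, and the helper names `effective_rights` and `creation_allowance` are assumptions for illustration; the limit of 6 comes from the error messages in the description.

```ruby
require 'set'

# Assumed, abridged grant -> rights table, modelled on MediaWiki's default
# grant definitions. Only rights relevant to this task are listed.
GRANT_RIGHTS = {
  'editpage'           => %w[edit minoredit],
  'createeditmovepage' => %w[createpage createtalk move],
  'highvolume'         => %w[bot apihighlimits noratelimit markbotedits]
}.freeze

# Constructed sample: rights held by a user with account creator rights.
ACCOUNT_CREATOR_RIGHTS = %w[edit minoredit createpage createtalk move noratelimit].freeze

# Grants the task reports for the consumer, and the set after the fix.
GRANTS_AS_REPORTED = %w[editpage createeditmovepage].freeze
GRANTS_WITH_FIX    = (GRANTS_AS_REPORTED + %w[highvolume]).freeze

# Rights an OAuth-authorised request can exercise: the user's own rights
# intersected with what the consumer's grants allow. Unknown grants
# contribute nothing, so the check fails closed.
def effective_rights(user_rights, grants)
  allowed = grants.flat_map { |g| GRANT_RIGHTS.fetch(g, []) }.to_set
  user_rights.to_set & allowed
end

# Accounts that can still be created from one IP in the current window
# before acct_creation_throttle_hit. Returns nil when the throttle does
# not apply because noratelimit survives the grant intersection.
def creation_allowance(user_rights, grants, per_ip_limit: 6, already_created: 0)
  return nil if effective_rights(user_rights, grants).include?('noratelimit')

  [per_ip_limit - already_created, 0].max
end

if __FILE__ == $PROGRAM_NAME
  [GRANTS_AS_REPORTED, GRANTS_WITH_FIX].each do |grants|
    left = creation_allowance(ACCOUNT_CREATOR_RIGHTS, grants, already_created: 6)
    puts "#{grants.join(',')}: #{left.nil? ? 'not throttled' : "#{left} creations left"}"
  end
end
```
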

Change 415624 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[operations/mediawiki-config@master] Temporary account creation limit raise for outreach dashboard

https://gerrit.wikimedia.org/r/415624

Change 415624 merged by jenkins-bot:
[operations/mediawiki-config@master] Temporary account creation limit raise for outreach dashboard

https://gerrit.wikimedia.org/r/415624

Mentioned in SAL (#wikimedia-operations) [2018-03-01T19:13:04Z] <thcipriani@tin> Synchronized wmf-config/throttle.php: SWAT: [[gerrit:415629|Fix throttle date for outreach dashboard]] T188630 (duration: 01m 13s)

Mentioned in SAL (#wikimedia-operations) [2018-03-01T19:17:16Z] <thcipriani@tin> Synchronized wmf-config/throttle.php: SWAT: [[gerrit:415630|Make last throttle limit raise work accross all wikis]] T188630 (duration: 01m 13s)

Tgr claimed this task.

A temporary throttle exception was added, @Ragesoss will submit a new version of the app with the highvolume grant, nothing left to do here.

Thank you @Tgr and @Umherirrender for clearing this up so quickly!