
API Logins are failing to authenticate with existing botpassword
Open, Normal, Public

Description

API Logins are failing to authenticate

Multiple users are reporting that API-based logins are being refused. Able to replicate on all sites; examples from utilities such as Huggle and AutoWiki Browser.

Event Timeline

Xaosflux created this task. May 4 2018, 3:14 AM
Restricted Application added subscribers: Scoopfinder, Aklapper. May 4 2018, 3:14 AM
Xaosflux triaged this task as High priority. May 4 2018, 3:14 AM

Regenerated botpassword, verified that web logon was working for account - no change

Note: after regeneration of the bot password, that account can now log on; a second account that was not regenerated is still unable to log on.

Xaosflux renamed this task from API Logins are failing to authenticate to API Logins are failing to authenticate with existing botpassword. May 4 2018, 3:27 AM
Xaosflux lowered the priority of this task from High to Normal. May 4 2018, 4:24 AM

Some users are reporting success now - please monitor

Petrb added a subscriber: Petrb. May 4 2018, 9:39 AM
Anomie added a subscriber: Anomie. May 4 2018, 1:21 PM

If you change the main password on your account, that also invalidates all bot passwords.

Change 430908 had a related patch set uploaded (by Anomie; owner: Anomie):
[mediawiki/core@master] BotPasswords: Indicate when a password needs reset

https://gerrit.wikimedia.org/r/430908

@Anomie I personally observed this on accounts that had not had their main passwords changed since the botpassword was established, and the bot password was stored and previously working. AFAIK botpasswords should never "expire", correct?

Anomie added a comment. May 4 2018, 3:17 PM

If you tell me the name of the account and the name of the bot password in question, I can take a closer look.

Bot passwords don't expire, but they do get invalidated whenever "authentication data" (e.g. passwords) is changed.

Since this is being reported just after the recent spate of failed logins due to someone apparently trying a password list against many accounts, it seemed likely that the issue was due to people changing their passwords (or other credentials) in response.
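A simplified model of the behaviour described in the comment above, added here as an illustration and not MediaWiki's own code: changing the main credential invalidates every bot password, and the invalidated record is kept so that login can report "needs reset" instead of a generic failure, which is what the title of the linked patch asks for. The `Account` class, the `LoginResult` values and the app names are hypothetical.

```python
import hashlib
import hmac
import os
from enum import Enum


class LoginResult(Enum):
    SUCCESS = "success"
    WRONG_PASSWORD = "wrong-password"
    NEEDS_RESET = "needs-reset"  # invalidated by a credential change
    UNKNOWN_APP = "unknown-app"


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class Account:
    """Hypothetical account: one main password plus named bot passwords."""

    def __init__(self, main_password: str):
        self.bot_passwords = {}  # app name -> (salt, hash), or None if invalidated
        self.change_main_password(main_password)

    def change_main_password(self, new_password: str) -> None:
        self.main_salt = os.urandom(16)
        self.main_hash = _hash(new_password, self.main_salt)
        # Authentication data changed, so every bot password is invalidated.
        # The record is kept (not deleted) so login can say "needs reset".
        for app in self.bot_passwords:
            self.bot_passwords[app] = None

    def set_bot_password(self, app: str, secret: str) -> None:
        salt = os.urandom(16)
        self.bot_passwords[app] = (salt, _hash(secret, salt))

    def bot_login(self, app: str, secret: str) -> LoginResult:
        if app not in self.bot_passwords:
            return LoginResult.UNKNOWN_APP
        record = self.bot_passwords[app]
        if record is None:
            return LoginResult.NEEDS_RESET
        salt, expected = record
        ok = hmac.compare_digest(_hash(secret, salt), expected)
        return LoginResult.SUCCESS if ok else LoginResult.WRONG_PASSWORD
```

In this model a bot operator who sees `NEEDS_RESET` knows to regenerate the bot password rather than retry the stored one.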

Hi Anomie, I was able to do this on my own:

User:Fluxbot / Fluxbot@FluxbotAWB

It just stopped working yesterday after working consistently for a long time. To get it to work again, I logged in manually and changed the password on that account, then regenerated the botpassword.

I think I'm still able to reproduce this on my main account as well:
User:Xaosflux / Xaosflux@XaosfluxAWB

Anomie added a comment. May 4 2018, 7:40 PM

I see that the bot password for Xaosflux@XaosfluxAWB has indeed been invalidated. I don't see any logs in the past 30 days that seem likely to have caused it.

Thanks, I've let others know on the noticeboards that if they run into this to try to regenerate their bot password. Hopefully the work in "BotPasswords: Indicate when a password needs reset" can help make this better visible.

Change 430908 merged by jenkins-bot:
[mediawiki/core@master] BotPasswords: Indicate when a password needs reset

https://gerrit.wikimedia.org/r/430908

Restricted Application added a subscriber: RichSmith. Jun 13 2018, 2:45 PM
Vvjjkkii renamed this task from API Logins are failing to authenticate with existing botpassword to 6mdaaaaaaa. Jul 1 2018, 1:12 AM
Vvjjkkii raised the priority of this task from Normal to High.
Vvjjkkii updated the task description.
Vvjjkkii removed subscribers: gerritbot, Aklapper.
CommunityTechBot renamed this task from 6mdaaaaaaa to API Logins are failing to authenticate with existing botpassword. Jul 2 2018, 2:05 PM
CommunityTechBot lowered the priority of this task from High to Normal.
CommunityTechBot updated the task description.
CommunityTechBot added subscribers: gerritbot, Aklapper.

Change 444364 had a related patch set uploaded (by Reedy; owner: Anomie):
[mediawiki/core@REL1_31] BotPasswords: Indicate when a password needs reset

https://gerrit.wikimedia.org/r/444364

Change 444365 had a related patch set uploaded (by Reedy; owner: Anomie):
[mediawiki/core@REL1_30] BotPasswords: Indicate when a password needs reset

https://gerrit.wikimedia.org/r/444365

Change 444366 had a related patch set uploaded (by Reedy; owner: Anomie):
[mediawiki/core@REL1_29] BotPasswords: Indicate when a password needs reset

https://gerrit.wikimedia.org/r/444366

Change 444367 had a related patch set uploaded (by Reedy; owner: Anomie):
[mediawiki/core@REL1_27] BotPasswords: Indicate when a password needs reset

https://gerrit.wikimedia.org/r/444367

Change 444367 merged by jenkins-bot:
[mediawiki/core@REL1_27] BotPasswords: Indicate when a password needs reset

https://gerrit.wikimedia.org/r/444367

Change 444366 merged by jenkins-bot:
[mediawiki/core@REL1_29] BotPasswords: Indicate when a password needs reset

https://gerrit.wikimedia.org/r/444366

Change 444365 merged by jenkins-bot:
[mediawiki/core@REL1_30] BotPasswords: Indicate when a password needs reset

https://gerrit.wikimedia.org/r/444365

Change 444364 merged by jenkins-bot:
[mediawiki/core@REL1_31] BotPasswords: Indicate when a password needs reset

https://gerrit.wikimedia.org/r/444364