Page MenuHomePhabricator
Create Task
Maniphest T225814

m.wikidata: login status not detected
Closed, ResolvedPublic
Actions

Description

Expected behavior
GIVEN I am successfully logged in on the desktop site, e.g. https://www.wikidata.org/
WHEN I open the mobile site, e.g. https://m.wikidata.org/
THEN I am logged as the same user

Actual behavior
GIVEN I am successfully logged in on the desktop site, e.g. https://www.wikidata.org/
WHEN I open the mobile site, e.g. https://m.wikidata.org/
THEN my logged in status is not detected and I can not make use of it

Technical insights
When opening the mobile login page, e.g. https://m.wikidata.org/w/index.php?title=Special:UserLogin&returnto=Wikidata%3AMain+Page&returntoquery=, the requests that try to facilitate the login can be inspected.
Apparently requests get sent against login.wikimedia.org but are answered in a wrong way for the wikidata domain - the Location header instructs our browser to connect to "https://www.m.wikidata.org/..." which is incorrect (stray "www.").

Bildschirmfoto von 2019-06-14 13-52-03.png (1×1 px, 242 KB)

Applies to both production and beta.

Related Objects

Event Timeline

Pablo-WMDE created this task.Jun 14 2019, 12:55 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 14 2019, 12:55 PM
Pablo-WMDE mentioned this in T221831: Add "You are not logged in" overlay popup on termbox editing.Jun 14 2019, 1:00 PM
WMDE-leszek added a comment.Jun 14 2019, 2:46 PM

Seems to also happen for mediawiki.org.
Does not happen on test.wikidata.org.

Network connection stack trace:
...
https://login.wikimedia.org/wiki/Special:CentralAutoLogin/checkLoggedIn?type=script&wikiid=wikidatawiki&mobile=1&proto=https&mobile=1
https://www.m.wikidata.org/wiki/Special:CentralAutoLogin/createSession?token=...&type=script&proto=https&mobile=1

I believe (but I do not claim to be right on this one) the issue happens inside https://github.com/wikimedia/mediawiki-extensions-CentralAuth/blob/e7ff08db5325ba0d1a4728dcc3d70df06a0cec7f/includes/specials/SpecialCentralAutoLogin.php#L608-L625

Not very extensive testing around MobileContext::getMobileUrl has not identify issues over there. Current working hypothesis of mine is that it is WikiMap::getForeignURL what adds the superfluous www. to the URL.

Pablo-WMDE added a project: MediaWiki-extensions-CentralAuth.Jun 14 2019, 4:55 PM

Would be great to get word from the MediaWiki-extensions-CentralAuth people if they have a suspicion where this problem originates from.

Framawiki subscribed.Jun 15 2019, 1:01 PM
WMDE-leszek triaged this task as High priority.Jun 17 2019, 2:25 PM
WMDE-leszek added subscribers: vvv, csteipp, hoo, Legoktm.Jun 17 2019, 3:40 PM

Pinging maintainers according to https://www.mediawiki.org/wiki/Developers/Maintainers: @hoo, @vvv, @csteipp, @Legoktm: any idea why mediawiki.org and wikidata.org might behave special (and arguably incorrect)?

WMDE-leszek lowered the priority of this task from High to Medium.Jun 17 2019, 3:44 PM
Lea_WMDE added a project: Wikidata-Termbox.Jun 18 2019, 7:57 AM
Lea_WMDE moved this task from Backlog to Other on the Wikidata-Termbox board.
Pablo-WMDE updated the task description. (Show Details)Jun 18 2019, 8:26 AM
Pablo-WMDE added a project: Wikimedia-production-error.Jul 8 2019, 3:51 PM

It is a bit concerning to see this has not been triaged by the maintainers after more than 3 weeks.

Jakob_WMDE subscribed.Jul 8 2019, 3:55 PM
Lydia_Pintscher merged a task: T196531: Use same login mechanism on desktop and mobile.Jul 8 2019, 7:05 PM
Lydia_Pintscher added a subscriber: Jonas.
Pablo-WMDE added a project: Wikidata Mobile.Jul 9 2019, 7:30 AM
Krinkle removed a project: Wikimedia-production-error.Jul 9 2019, 9:30 PM
WMDE-leszek raised the priority of this task from Medium to Needs Triage.Jul 22 2019, 1:04 PM
WMDE-leszek added a subscriber: Reedy.

Trying the ping again: @hoo, @vvv, @csteipp, @Legoktm: any idea why mediawiki.org and wikidata.org might behave in "special" way (and arguably incorrect)?
Also, I dare to ping @Reedy as the second most active code contributor according to github, maybe he has an idea what the issue here, or know who would be able to say something about.

Also, I reverted the priority triage of this task, as it is not our code/bug.

Addshore added a project: MediaWiki-Core-AuthManager.Aug 8 2019, 3:32 PM
Addshore subscribed.

Also going to tag MediaWiki-Core-AuthManager as it could be related and likely to catch some more eyes.

Addshore added a comment.Aug 8 2019, 3:44 PM

My hunch would be that this has to do with the CA cookie domain for things like wikipedia being set to ".wikipedia.org" but the domain for wikidata gets set to "www.wikidata.org".

Which would mean this related to wgCentralAuthLoginWiki which is documented on https://www.mediawiki.org/wiki/Extension:CentralAuth and also our default settings for that var which can be found in InitialiseSettings.php

		'.wikipedia.org' => 'enwiki',
		'meta.wikimedia.org' => 'metawiki',
		'.wiktionary.org' => 'enwiktionary',
		'.wikibooks.org' => 'enwikibooks',
		'.wikiquote.org' => 'enwikiquote',
		'.wikisource.org' => 'enwikisource',
		'commons.wikimedia.org' => 'commonswiki',
		'.wikinews.org' => 'enwikinews',
		'.wikiversity.org' => 'enwikiversity',
		'.mediawiki.org' => 'mediawikiwiki',
		'www.wikidata.org' => 'wikidatawiki',
		'species.wikimedia.org' => 'specieswiki',
		'incubator.wikimedia.org' => 'incubatorwiki',
		'.wikivoyage.org' => 'enwikivoyage',

Needs a bit more investigation thoguh

Stryn subscribed.Dec 11 2019, 7:22 PM
WDoranWMF added a project: Platform Engineering.Mar 23 2020, 4:50 PM
WDoranWMF added subscribers: Anomie, WDoranWMF.

@Anomie could you review this and give an opinion on who would be best/which team to request input from?

Anomie edited projects, added MobileFrontend, Web-Team-Backlog; removed Platform Engineering, MediaWiki-extensions-CentralAuth.Mar 23 2020, 5:15 PM

This has nothing directly to do with CentralAuth. The logic that mangles URLs for mobile domains belongs to MobileFrontend, specifically it's in MobileContext::getMobileUrl() and its downstream methods.

anomie@mwmaint1002:~$ mwscript shell.php --wiki=enwiki
Psy Shell v0.9.12 (PHP 7.2.26-1+0~20191218.33+debian9~1.gbpb5a340+wmf1 — cli) by Justin Hileman
>>> $wiki = WikiMap::getWiki( 'wikidatawiki' );
=> WikiReference {#5960}
>>> $url = $wiki->getFullUrl( 'Special:CentralAutoLogin/start' );
=> "//www.wikidata.org/wiki/Special:CentralAutoLogin/start"
>>> MobileContext::singleton()->getMobileUrl( $url )
=> "//www.m.wikidata.org/wiki/Special:CentralAutoLogin/start"

Digging a little deeper, it seems to assume that every URL being mangled can use the local value for $wgMobileUrlTemplate rather than determining the mangling based on the target domain.

Poking to Web-Team-Backlog as the owner of MobileFrontend.

Anomie merged a task: T108201: CentralAuth autologin broken for non-www mobile domains (mediawiki.org, wikidata.org).Mar 23 2020, 5:15 PM
Anomie mentioned this in T108201: CentralAuth autologin broken for non-www mobile domains (mediawiki.org, wikidata.org).
Anomie added subscribers: Krinkle, aude, Jdlrobson.
Anomie added a comment.Mar 23 2020, 5:25 PM
In T225814#5992589, @Anomie wrote:

Digging a little deeper, it seems to assume that every URL being mangled can use the local value for $wgMobileUrlTemplate rather than determining the mangling based on the target domain.

On that note, it may be causing problems in links out of wikidata.org and similar domains too:

anomie@mwmaint1002:~$ mwscript shell.php --wiki=wikidatawiki
Psy Shell v0.9.12 (PHP 7.2.26-1+0~20191218.33+debian9~1.gbpb5a340+wmf1 — cli) by Justin Hileman
>>> $wiki = WikiMap::getWiki( 'enwiki' );
=> WikiReference {#2944}
>>> $url = $wiki->getFullUrl( 'Special:CentralAutoLogin/start' );
=> "//en.wikipedia.org/wiki/Special:CentralAutoLogin/start"
>>> MobileContext::singleton()->getMobileUrl( $url )
=> "//m.wikipedia.org/wiki/Special:CentralAutoLogin/start"
WDoranWMF added a comment.Mar 23 2020, 6:22 PM

Thanks @Anomie !

darthmon_wmde subscribed.Mar 23 2020, 7:00 PM
Jdlrobson assigned this task to ovasileva.Mar 30 2020, 4:40 PM
Jdlrobson moved this task from Incoming to Needs Prioritization on the Web-Team-Backlog board.
Jdlrobson edited projects, added MediaWiki-extensions-CentralAuth, Web-Team-Backlog (Tracking); removed Web-Team-Backlog.EditedMay 19 2020, 8:48 PM

This is not a MobileFrontend issue TBH.

On wikidata.org (wmf-config/InitialiseSettings.php) $wgMobileUrlTemplate is set to m.%h1.%h2

		$url = MobileContext::singleton()->getMobileUrl(
			wfAppendQuery(
				"//www.wikidata.org/wiki/Special:CentralAutoLogin/start",
				[]
			)
		);

gives "//m.wikidata.org/wiki/Special:CentralAutoLogin/start"

The only way I seem to be able to get https://www.m.wikidata.org/...%22 is if I pass in "https://m.www.wikidata.org/wiki/Special:CentralAutoLogin/start" which is garbage in.

Although that works fine if I call that function with other projects, I'm going to get bad results. For example on English Wikipedia $wgMobileUrlTemplate is set to '%h0.m.%h1.%h2'. so if you call getMobileUrl on a wiki with a different host you are going to have a bad time.

The issue should be resolved in CentralAuth (I'm not sure who maintains that) however I'm not quite sure how this will work.

The hook in MobileFrontend GetMobileUrl could be used or alternatively CentralNotice could make use of Varnish/redirects to determine what these links should be.

Note:
I remember vaguely working on a similar bug several years ago with help from the security team that introduced the hook GetMobileUrl. We use to have a GetMobileUrl hook somewhere in our codebase, but that seems to have disappeared so that might provide further clues on how this broke.

Jdlrobson removed ovasileva as the assignee of this task.May 19 2020, 8:48 PM
Jdlrobson added a subscriber: ovasileva.
Krinkle mentioned this in T214998: RFC: Remove .m. subdomain, serve mobile and desktop variants through the same URL.May 19 2020, 8:49 PM
Krinkle unsubscribed.
WMDE-leszek added a comment.May 20 2020, 5:00 AM

Thanks @Jdlrobson for your elaboration.

The issue should be resolved in CentralNotice (I'm not sure who maintains that) however I'm not quite sure how this will work.

Did you mean CentralAuth, or actually CentralNotice? (First time Central Notice is mentioned in this context, hence I felt like I'd double check)

Jdlrobson added a comment.May 20 2020, 5:55 AM

Sorry Centralauth my bad. Always mixing up those 2.

Jdlrobson moved this task from Backlog to Tracking on the MobileFrontend board.Jul 24 2020, 2:40 AM
Jdlrobson edited projects, added MobileFrontend (Tracking); removed MobileFrontend.
Pablo-WMDE added a comment.Sep 9 2020, 1:42 PM

T214998: RFC: Remove .m. subdomain, serve mobile and desktop variants through the same URL would render this obsolete (but pose different challenges, no doubt).

Jdlrobson added a comment.Sep 9 2020, 4:45 PM

FWIW I can't see T214998 happening any time soon. As far as I can see that's a product decision and I'd recommend reaching out to Jon Katz or Olga Vaseliva if you need a more accurate update on the state of that task.

Framawiki unsubscribed.Sep 13 2020, 5:42 PM
Aklapper removed subscribers: Anomie, Jonas.Oct 16 2020, 5:01 PM
Pablo-WMDE added a project: User-Pablo-WMDE.Nov 19 2020, 8:46 AM
Pablo-WMDE moved this task from Incoming to Blocked outside WMDE on the User-Pablo-WMDE board.
Jdlrobson moved this task from Untriaged to Untag on the Web-Team-Backlog (Tracking) board.Sep 21 2021, 8:47 PM
LGoto removed a project: Web-Team-Backlog (Tracking).Nov 9 2021, 4:23 PM
Zabe subscribed.Mar 29 2022, 7:55 PM

Is this a dupe of T239669?

Tacsipacsi subscribed.May 14 2022, 11:38 PM
JAnD subscribed.Jun 5 2022, 12:11 PM
Lucas_Werkmeister_WMDE mentioned this in T318138: Cannot manually log in on mobile Wikidata (real or test).Sep 20 2022, 9:24 AM
Addshore unsubscribed.Jun 27 2023, 12:37 PM
XanonymusX subscribed.Jul 10 2023, 7:17 PM
Tgr mentioned this in T257852: CentralAuth edge login and autologin for some Wikimedia domains broken on mobile.Oct 16 2023, 6:01 AM
Pogieme10 subscribed.Oct 16 2023, 6:17 AM
Tgr closed this task as Resolved.Nov 27 2023, 1:55 AM
Tgr claimed this task.
Tgr added subscribers: Anomie, Tgr.

The specific issue described in the reproduction steps is working as intended - we cannot share login state between www.wikidata.org and m.wikidata.org because they do not have a shared parent domain that's safe for cookie sharing (wikidata.org isn't because query.wikidata.org, a non-MediaWiki application, also has access to the cookies).

In T225814#5992589, @Anomie wrote:

This has nothing directly to do with CentralAuth. The logic that mangles URLs for mobile domains belongs to MobileFrontend, specifically it's in MobileContext::getMobileUrl() and its downstream methods.

This has been fixed in rEMFRee049b8e45e0: Handle mobile URLs for other wikis. It wasn't related to the exact issue described in the reproduction steps, but did cause other login problems, such as edge login not working for Wikidata (see Extension:CentralAuth/authentication#Central_session for the explanation of the various login types).

Nothing actionable left here, I think.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits