Reported via email on 2020-05-14 by @Mjohnson_WMF.
Login attempts at https://iegreview.wikimedia.org/campaigns are failing with an "invalid request" message indicating a CSRF token mismatch. Reproducible by other users as well.
Log output on mwlog1001.eqiad.wmnet shows errors like:
$ tail -1 /srv/mw-log/iegreview.log | python -mjson.tool
{
    "@timestamp": "2020-05-14T19:31:40.779714+00:00",
    "@version": 1,
    "channel": "iegreview",
    "expected": "7f82ce00b2f7189cfe9929ccce5683e58b097478",
    "got": "76576ac736dcd65b720c37b07f36b75e74b571e2",
    "host": "miscweb1002",
    "http_method": "POST",
    "ip": "**REDACTED**",
    "level": "ERROR",
    "message": "Missing or invalid CSRF token",
    "process_id": 9274,
    "referrer": "https://iegreview.wikimedia.org/campaigns",
    "server": "iegreview.wikimedia.org",
    "type": "iegreview",
    "uid": "99d43ae",
    "url": "/login.post"
}
Possibly some session storage retrieval issues causing this? CSRF tokens are actually in the HTML form and being posted to the backend.
@Mjohnson_WMF reports that authentication had been working recently (within the last week) and certainly after the application was migrated to miscweb1002 (T247648: miscweb1001/2001 - upgrade to buster or decom).
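A triage sketch for the log format shown above, added here as an example (it is not part of the original report or of the iegreview code base). It separates failures where no token was posted from failures where the server expected a different token. Only the field names come from the log entry; the class labels, the per-client heuristic and all sample values are constructed assumptions.

```python
import json
from collections import Counter, defaultdict

CSRF_MESSAGE = "Missing or invalid CSRF token"

# Constructed sample lines in the shape of the iegreview.log entry above
# (tokens and IPs are made up; only the field names come from the report).
SAMPLE_LOG = """\
{"level": "ERROR", "message": "Missing or invalid CSRF token", "host": "miscweb1002", "ip": "192.0.2.10", "url": "/login.post", "expected": "aaaa1111", "got": "bbbb2222"}
{"level": "ERROR", "message": "Missing or invalid CSRF token", "host": "miscweb1002", "ip": "192.0.2.10", "url": "/login.post", "expected": "cccc3333", "got": "dddd4444"}
{"level": "ERROR", "message": "Missing or invalid CSRF token", "host": "miscweb1002", "ip": "192.0.2.20", "url": "/login.post", "expected": "eeee5555", "got": ""}
{"level": "INFO", "message": "Login ok", "host": "miscweb1002", "ip": "192.0.2.30", "url": "/login.post"}
not json at all
"""


def classify(entry):
    """Separate 'form sent no token' from 'server expected a different token'."""
    got, expected = entry.get("got"), entry.get("expected")
    if not got:
        return "token_not_posted"   # form/client side: nothing arrived
    if not expected:
        return "no_server_token"    # server side held no token to compare
    return "token_mismatch"         # both present but different


def triage(lines):
    by_class, by_host = Counter(), Counter()
    expected_per_ip = defaultdict(set)
    for line in lines:
        try:
            entry = json.loads(line)
        except ValueError:
            continue                # skip truncated or non-JSON lines
        if not isinstance(entry, dict) or entry.get("message") != CSRF_MESSAGE:
            continue
        by_class[classify(entry)] += 1
        by_host[entry.get("host", "unknown")] += 1
        if entry.get("expected"):
            expected_per_ip[entry.get("ip", "unknown")].add(entry["expected"])
    # Heuristic (assumption): a client that meets a different expected token on
    # every failure suggests the server-side token does not survive between requests.
    unstable = sorted(ip for ip, toks in expected_per_ip.items() if len(toks) > 1)
    return {"by_class": dict(by_class), "by_host": dict(by_host),
            "clients_with_changing_expected": unstable}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG.splitlines()), indent=2))
```

A log dominated by `token_mismatch` with both values present, as in the entry above, is consistent with the token reaching the backend while the stored value differs.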