- Create a subscription manager user on Beta Metawiki
- Update push subscription service configuration with subscription manager user credentials and API config (NOTE: Don't expose the subscription manager password publicly via the service configuration in instance hiera settings!)
- Confirm that bad subscriptions are deleted on message request failure
Description
Status | Subtype | Assigned | Task
---|---|---|---
Duplicate | | None | T261789 Enable push subscription cleanup on the Beta Cluster
Resolved | | Mholloway | T262552 [Beta Cluster] How can secrets be stored for use in a docker_services service configuration?
Resolved | | MSantos | T264101 Find a way for the push service to authenticate to MediaWiki in beta and production
Event Timeline
Today's progress on this: After improving MW API error handling I was able to verify that API requests in Beta that require CSRF tokens are failing with badtoken errors, and after adding HTTP request debug logging I was able to verify that this is because session cookies are not being set on requests to the MediaWiki API as expected. The reason for this is that in both Beta and production, MediaWiki is currently configured such that the Secure attribute is unconditionally set on all cookies we receive from MediaWiki, and we are making internal connections to MediaWiki via the insecure http: protocol (as TLS is AFAIK unavailable for Beta Cluster-internal requests). Cookies with the Secure attribute are only set on requests over secure (https:) connections.
I think we may have better authentication options than action=clientlogin, which is what we're currently using. On Monday I'll try coding up a bot password login method and see where that gets us.
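The cookie behaviour described in the comment above can be reproduced offline. This is an added example, not code from the push service or from the original thread: it uses Python's standard-library cookie jar as a stand-in for the service's HTTP client, and the hostname, cookie name and cookie value are constructed placeholders.

```python
import email
import urllib.request
from http.cookiejar import CookieJar

# Constructed values: placeholder host and cookie, not Beta Cluster settings.
HOST = "wiki.example.org"
SET_COOKIE = "examplewikiSession=abc123; Path=/; Secure; HttpOnly"


class FakeResponse:
    """Stand-in for an HTTP response; CookieJar only calls .info() on it."""

    def __init__(self, set_cookie):
        self._headers = email.message_from_string(f"Set-Cookie: {set_cookie}\n\n")

    def info(self):
        return self._headers


def cookie_header_sent(login_scheme, api_scheme, set_cookie=SET_COOKIE):
    """Store the cookie from a login response, then return the Cookie header
    the jar attaches to a follow-up API request (None if nothing is sent)."""
    jar = CookieJar()
    login = urllib.request.Request(f"{login_scheme}://{HOST}/w/api.php")
    jar.extract_cookies(FakeResponse(set_cookie), login)

    api = urllib.request.Request(f"{api_scheme}://{HOST}/w/api.php")
    jar.add_cookie_header(api)  # applies the Secure check per request scheme
    return api.get_header("Cookie")


if __name__ == "__main__":
    # Secure cookie, follow-up request over http: the session cookie is
    # withheld, so a token fetched earlier no longer matches any session.
    print("http  ->", cookie_header_sent("http", "http"))
    # Same cookie, follow-up request over https: the cookie is attached.
    print("https ->", cookie_header_sent("http", "https"))
    # Without the Secure attribute the cookie is attached even over http.
    plain = "examplewikiSession=abc123; Path=/; HttpOnly"
    print("plain ->", cookie_header_sent("http", "http", plain))
```

A client that logs which cookies it attaches to each request, as the debug logging mentioned above did, makes this failure visible as a missing Cookie header rather than only as a badtoken response.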