Page MenuHomePhabricator
Create Task
Maniphest T341656

Special:OAuth/identify broken (affects pagepile+massviews tools, phab mw.o login, …)
Closed, ResolvedPublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

What happens?:
The Page pile tool is currently experiencing an issue. Previously, I used it without any problems to extract the number of views for a group of articles using the mass views tool. However, today the tool is no longer functioning properly. Whenever I try to log in to the site, I'm greeted with a 502 bad gateway message.

What should have happened instead?:
The tool should have worked properly with no problems as before.

Software version (skip for WMF-hosted wikis like Wikipedia):

Other information (browser name/version, screenshots, etc.):
Example: https://pageviews.wmcloud.org/massviews/?platform=all-access&agent=user&source=pagepile&start=2023-02-01&end=2023-02-28&target=34555&sort=views&direction=1&view=list&target=34555

Tool site: https://pagepile.toolforge.org/

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Temporarily allow OAuth on non-API entry points againmediawiki/extensions/OAuthwmf/1.41.0-wmf.17+3 -1
Temporarily allow OAuth on non-API entry points againmediawiki/extensions/OAuthmaster+3 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

MohammadHijjawi created this task.Jul 12 2023, 7:46 AM
Restricted Application added subscribers: MusikAnimal, Aklapper. · View Herald TranscriptJul 12 2023, 7:47 AM
LucasWerkmeister subscribed.Jul 12 2023, 8:32 AM

error.log has this:

2023-07-12 08:18:51: (mod_fastcgi.c.421) FastCGI-stderr: PHP Fatal error:  Uncaught Exception: Invalid identify response: <!DOCTYPE html>
2023-07-12 08:18:51: (mod_fastcgi.c.421) FastCGI-stderr: <html class="client-nojs vector-feature-language-in-header-disabled vector-feature-language-in-main-page-header-disabled vector-feature-sticky-header-disabled vector-feature-page-tools-pinned-disabled vector-feature-toc-pinned-enabled vector-feature-main-menu-pinned-disabled vector-feature-limited-width-enabled vector-feature-limited-width-content-disabled vector-feature-zebra-design-disabled" lang="en" dir="ltr">
2023-07-12 08:18:51: (mod_fastcgi.c.421) FastCGI-stderr: <head>
2023-07-12 08:18:51: (mod_fastcgi.c.421) FastCGI-stderr: <meta charset="UTF-8">
2023-07-12 08:18:51: (mod_fastcgi.c.421) FastCGI-stderr: <title>Error - MediaWiki</title>
2023-07-12 08:18:51: (mod_fastcgi.c.421) FastCGI-stderr: <script>document.documentElement.className="client-js vector-feature-language-in-header-disabled vector-feature-language-in-main-page-header-disabled vector-feature-sticky-header-disabled vector-feature-page-tools-pinned-disabled vector-feature-toc-pinned-enabled vector-feature-main-menu-pinned-disabled vector-feature-limited-width-enabled vector-feature-limited-width-content-disabled vecto in /data/project/magnustools/public_html/php/oauth.php on line 372

Apparently the OAuth /identify endpoint is returning an error. The output isn’t super readable because it’s been HTML-escaped, but “conveniently” I actually got the same error when trying to log into Phabricator via MediaWiki.org:

image.png (277×1 px, 45 KB)

[HTTP/400] 
<!DOCTYPE html>
<html class="client-nojs vector-feature-language-in-header-disabled vector-feature-language-in-main-page-header-disabled vector-feature-sticky-header-disabled vector-feature-page-tools-pinned-disabled vector-feature-toc-pinned-enabled vector-feature-main-menu-pinned-disabled vector-feature-limited-width-enabled vector-feature-limited-width-content-disabled vector-feature-zebra-design-disabled" lang="en" dir="ltr">
<head>
<meta charset="UTF-8">
<title>Error - MediaWiki</title>
<script>documen...

Seems to be a general OAuth error in the current train.

LucasWerkmeister added a parent task: T340245: 1.41.0-wmf.17 deployment blockers.Jul 12 2023, 8:33 AM
LucasWerkmeister added a subscriber: Tgr.

Ohhhh, I think I know why… @Tgr I think we need to revert Fail when OAuth is used with a non-API entry point, Special:OAuth/identify is technically a non-API entry point and needs to stay working.

gerritbot added a comment.Jul 12 2023, 8:36 AM

Change 937120 had a related patch set uploaded (by Lucas Werkmeister; author: Lucas Werkmeister):

[mediawiki/extensions/OAuth@master] Revert "Fail when OAuth is used with a non-API entry point"

https://gerrit.wikimedia.org/r/937120

gerritbot added a project: Patch-For-Review.Jul 12 2023, 8:36 AM
LucasWerkmeister added a project: MediaWiki-extensions-OAuth.Jul 12 2023, 8:38 AM
taavi removed a project: Toolforge.Jul 12 2023, 8:42 AM
taavi merged a task: T341578: PagePile and mass views tools problem.
LucasWerkmeister added a comment.Jul 12 2023, 8:43 AM
In T341656#9007910, @LucasWerkmeister wrote:

Ohhhh, I think I know why… @Tgr I think we need to revert Fail when OAuth is used with a non-API entry point, Special:OAuth/identify is technically a non-API entry point and needs to stay working.

(Or amend the change, of course, but reverting is easier at first.)

LucasWerkmeister renamed this task from Pagepiles are not working to Special:OAuth/identify broken (affects pagepile+massviews tools, phab mw.o login, …).Jul 12 2023, 8:45 AM
LucasWerkmeister added a comment.EditedJul 12 2023, 9:02 AM

Come to think of it, other Special:OAuth subpages (in the source code, I see Special:OAuth/initiate, Special:OAuth/approve, Special:OAuth/authorize=Special:OAuth/authenticate, Special:OAuth/token, Special:OAuth/verified, Special:OAuth/grants, Special:OAuth/identify and Special:OAuth/rest_redirect) might also be broken, possibly including the OAuth 1.0a authorization flow as a whole. (The OAuth 2 flow uses the REST API, so it’s probably fine.)

LucasWerkmeister triaged this task as Unbreak Now! priority.Jul 12 2023, 2:00 PM

Train blocker ⇒ UBN

gerritbot added a comment.Jul 12 2023, 2:24 PM

Change 937471 had a related patch set uploaded (by Gergő Tisza; author: Lucas Werkmeister):

[mediawiki/extensions/OAuth@wmf/1.41.0-wmf.17] Temporarily allow OAuth on non-API entry points again

https://gerrit.wikimedia.org/r/937471

gerritbot added a comment.Jul 12 2023, 2:33 PM

Change 937120 merged by jenkins-bot:

[mediawiki/extensions/OAuth@master] Temporarily allow OAuth on non-API entry points again

https://gerrit.wikimedia.org/r/937120

gerritbot added a comment.Jul 12 2023, 2:40 PM

Change 937471 merged by jenkins-bot:

[mediawiki/extensions/OAuth@wmf/1.41.0-wmf.17] Temporarily allow OAuth on non-API entry points again

https://gerrit.wikimedia.org/r/937471

Stashbot added a comment.Jul 12 2023, 2:41 PM

Mentioned in SAL (#wikimedia-operations) [2023-07-12T14:41:12Z] <lucaswerkmeister-wmde@deploy1002> Started scap: Backport for [[gerrit:937471|Temporarily allow OAuth on non-API entry points again (T341656)]]

Stashbot added a comment.Jul 12 2023, 2:42 PM

Mentioned in SAL (#wikimedia-operations) [2023-07-12T14:42:44Z] <lucaswerkmeister-wmde@deploy1002> tgr and lucaswerkmeister-wmde: Backport for [[gerrit:937471|Temporarily allow OAuth on non-API entry points again (T341656)]] synced to the testservers: mwdebug2002.codfw.wmnet, mwdebug1001.eqiad.wmnet, mwdebug2001.codfw.wmnet, mwdebug1002.eqiad.wmnet

Stashbot added a comment.Jul 12 2023, 2:49 PM

Mentioned in SAL (#wikimedia-operations) [2023-07-12T14:49:15Z] <lucaswerkmeister-wmde@deploy1002> Finished scap: Backport for [[gerrit:937471|Temporarily allow OAuth on non-API entry points again (T341656)]] (duration: 08m 03s)

LucasWerkmeister closed this task as Resolved.Jul 12 2023, 2:51 PM
LucasWerkmeister claimed this task.
LucasWerkmeister lowered the priority of this task from Unbreak Now! to High.

Alright, the fix is merged and backported (with thanks to @Tgr and the cough random person in #wikimedia-operations doing the deployment), and both the PagePile tool and mw.o login on Phabricator are working again as far as I can tell.

LucasWerkmeister mentioned this in T340919: OAuth requests to MediaWiki endpoints not supporting OAuth should be rejected.Jul 12 2023, 2:52 PM
MohammadHijjawi reopened this task as Open.Jul 12 2023, 2:55 PM

Hi Lucas and all, I appreciate your efforts, but I still get the same error "No data found"! https://pageviews.wmcloud.org/massviews/?platform=all-access&agent=user&source=pagepile&start=2023-02-01&end=2023-02-28&target=34555&sort=views&direction=1&view=list&target=34555

MohammadHijjawi added a comment.Jul 12 2023, 2:57 PM

The same problem with all page piles I created: https://pageviews.wmcloud.org/massviews/?platform=all-access&agent=user&source=pagepile&start=2022-03-16&end=2022-04-28&target=41906&sort=views&direction=1&view=list&target=41906

ReleaseTaggerBot added a project: MW-1.41-notes (1.41.0-wmf.17; 2023-07-11).Jul 12 2023, 3:00 PM
Stashbot added a comment.Jul 12 2023, 3:04 PM

Mentioned in SAL (#wikimedia-cloud) [2023-07-12T15:04:10Z] <wm-bot> <lucaswerkmeister> kubectl rollout restart deployment pagepile (lighttpd was failing to write temp files; “PHP Warning: Unknown: POST data can't be buffered; all data discarded”; cc T341656)

LucasWerkmeister added a comment.Jul 12 2023, 3:04 PM

Should be working better now.

MohammadHijjawi closed this task as Resolved.Jul 12 2023, 3:05 PM

I am sorry, yes it worked. thank you so much. ♥

Maintenance_bot removed a project: Patch-For-Review.Jul 12 2023, 3:10 PM
Tgr added a comment.Jul 13 2023, 2:01 AM

Thanks @LucasWerkmeister for catching and fixing this quickly!

In T341656#9007969, @LucasWerkmeister wrote:

Come to think of it, other Special:OAuth subpages (in the source code, I see Special:OAuth/initiate, Special:OAuth/approve, Special:OAuth/authorize=Special:OAuth/authenticate, Special:OAuth/token, Special:OAuth/verified, Special:OAuth/grants, Special:OAuth/identify and Special:OAuth/rest_redirect) might also be broken, possibly including the OAuth 1.0a authorization flow as a whole. (The OAuth 2 flow uses the REST API, so it’s probably fine.)

token requires an OAuth signature. The others would not be affected in theory.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits