Striker, Horizon, and Stashbot all started having problems when MediaWiki 1.42.0-wmf.4 landed on Wikitech circa 2023-11-08T09:00. All three projects use the mwclient python library with owner-only OAuth credentials to interact with Wikitech.
The symptom seen in debug logs was messages about OAuth nonce values being already consumed. The mwclient library logged this as potentially related to the now resolved T106066: Don't show "Nonce already used" error on memcache failure.
@Krinkle and @matmarex were pinged into help figure out what was going wrong. @matmarex deserves the hero points for eventually figuring out that @tstarling's recent change to includes/user/User.php was implicated. This change led to code in OAuth's src/SessionProvider.php attempting to unstub the User while already unstubbing the User in a classic AuthManger chicken and egg problem of attempting a rights check while unstubbing. Wikitech is specifically affected because it is one of the few Wikimedia managed wikis that sets $wgBlockDisablesLogin = true;.
A hotfix hack on Wikitech that eliminates the double unstubbing is:
--- php-1.42.0-wmf.3/extensions/OAuth/src/SessionProvider.php 2023-10-31 03:00:56.493529422 +0000 +++ php-1.42.0-wmf.4/extensions/OAuth/src/SessionProvider.php 2023-11-08 22:22:31.801610334 +0000 @@ -20,6 +20,7 @@ use MediaWiki\Hook\RecentChange_saveHook; use MediaWiki\Linker\Linker; use MediaWiki\MediaWikiServices; +use MediaWiki\Permissions\Authority; use MediaWiki\Session\ImmutableSessionProviderWithCookie; use MediaWiki\Session\SessionBackend; use MediaWiki\Session\SessionInfo; @@ -227,7 +228,7 @@ ); } if ( $localUser->isLocked() || - ( $this->config->get( 'BlockDisablesLogin' ) && $localUser->getBlock() ) + ( $this->config->get( 'BlockDisablesLogin' ) && $localUser->getBlock( Authority::READ_NORMAL, /*$disableIpBlockExemptChecking*/ true ) ) ) { $this->logger->debug( 'OAuth request for blocked user {user}', $logData ); return $this->makeException( 'mwoauth-invalid-authorization-blocked-user' );