Page MenuHomePhabricator
Create Task
Maniphest T373925

Cross-wiki API does not work any more
Closed, ResolvedPublicBUG REPORT
Actions

Assigned To
matmarex
Authored By
IKhitron
Sep 3 2024, 6:47 PM
Tags
Referenced Files
F57457421: image.png
Sep 4 2024, 12:40 PM
F57434921: Screenshot_20240903_213754_Samsung Internet.png
Sep 3 2024, 6:47 PM
Subscribers
Agusbou2015
Aklapper
IKhitron
Jdforrester-WMF
matmarex
Novem_Linguae

Description

Hi. Today at noon I recognized that every time I refresh the Global Watchlist, I get an internet connection error for test.wikipedia.org. Usually these error message boxes appear for all the the wikis simultaneosly, if there are some internet issues. Looks like it started about at the time of the new MediaWiki version deployment. Now I can see the same problem with mediawiki.org, exactly when Special:Version tells us about today's group 0 deployment. My guess is that tomorrow the same will happen with group 1, and the day after tomorrow with group 2, killing the Global Watchlist, and, more important, stopping the interwiki API completely everywhere.

  • Open Special:GlobalWatchlist on Meta.
  • Add testwiki, mediawiki.org, at least one group 1 wiki and at least one group 2 wiki in the settings.
  • Refresh the watchlist.
  • Expected: no connection errors.
  • Got:
    • If there wasn't group 1 deployment yet, you can see two error boxes.
    • Otherwise there probably be more.

This is what I can see while opening this URL.

Screenshot_20240903_213754_Samsung Internet.png (953×1 px, 537 KB)

There is a chance, of course, that the Global Watchlist was broken in this deployment. But FMHO it's a breaking change in the API parameters, or a bug there. Thank you.

Details

SubjectRepoBranchLines +/-
Do not consume 'centralauthtoken' on api.php OPTIONS requestsmediawiki/extensions/CentralAuthwmf/1.43.0-wmf.21+33 -18
Add a test for 'centralauthtoken' handling on OPTIONS requestsmediawiki/extensions/CentralAuthmaster+20 -0
Do not consume 'centralauthtoken' on api.php OPTIONS requestsmediawiki/extensions/CentralAuthmaster+33 -18
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedReleasedancyT373640 1.43.0-wmf.21 deployment blockers
 ResolvedBUG REPORTmatmarexT373925 Cross-wiki API does not work any more

Event Timeline

IKhitron created this task.Sep 3 2024, 6:47 PM
Restricted Application added a project: User-DannyS712. · View Herald TranscriptSep 3 2024, 6:47 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
IKhitron added a comment.Sep 3 2024, 9:37 PM

UPD. There is only testwiki again. Special:Version on Mediawiki:org shows a rollback.

Aklapper added a comment.Sep 4 2024, 7:50 AM

(See https://versions.toolforge.org/ for a versions overview and T373640: 1.43.0-wmf.21 deployment blockers for this week's deployment train status.)

matmarex added a project: MediaWiki-extensions-CentralAuth.Sep 4 2024, 12:40 PM
matmarex subscribed.

The cross-wiki request to test.wikipedia.org is failing with code: "badtoken", info: "The centralauthtoken is not valid.":

image.png (2×3 px, 1005 KB)

I would guess that the token is consumed by the OPTIONS request, and thus invalid in the GET request, when it wasn't happening before.

Could be caused by https://gerrit.wikimedia.org/r/c/mediawiki/extensions/CentralAuth/+/1055945.

Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptSep 4 2024, 12:40 PM
matmarex added a parent task: T373640: 1.43.0-wmf.21 deployment blockers.Sep 4 2024, 12:40 PM
Jdforrester-WMF triaged this task as Unbreak Now! priority.Sep 4 2024, 12:45 PM
Jdforrester-WMF subscribed.

Train blocker -> UBN! status.

IKhitron updated the task description. (Show Details)Sep 4 2024, 12:48 PM
matmarex claimed this task.Sep 4 2024, 1:21 PM

I will make OPTIONS requests not consume the token again. This is how it worked before, but in a complicated way, and we changed it without understanding what it does. We were consuming the token in a dynamically registered ApiCheckCanExecute hook handler, which is not called for OPTIONS requests (see code here: https://gerrit.wikimedia.org/g/mediawiki/core/+/2a9b9675e20bb67d30df015bca43508a18929bbb/includes/api/ApiMain.php#912 which exits before calling $this->executeAction()$this->checkExecutePermissions( $module )$this->getHookRunner()->onApiCheckCanExecute( $module, $user, $message )).

matmarex renamed this task from Interwiki API does not work any more to Cross-wiki API does not work any more.Sep 4 2024, 1:22 PM
DAlangi_WMF moved this task from Inbox, needs triage to Current Sprint on the MediaWiki-Platform-Team board.Sep 4 2024, 1:46 PM
gerritbot added a comment.Sep 4 2024, 2:15 PM

Change #1070609 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/extensions/CentralAuth@master] Do not consume 'centralauthtoken' on api.php OPTIONS requests

https://gerrit.wikimedia.org/r/1070609

gerritbot added a project: Patch-For-Review.Sep 4 2024, 2:15 PM
matmarex added a comment.EditedSep 4 2024, 2:24 PM

To run into this problem, the api.php requests must do something to require preflight requests (e.g. set a custom HTTP header; GlobalWatchlist sets a User-Agent header, following the best practices), and the user has to do something to require the 'centralauthtoken' to be used in ForeignApi requests (e.g. disallow third-party cookies in your browser, or be logged out on the target wiki, in this case test.wikipedia.org), and you have to configure Special:GlobalWatchlistSettings to add test.wikipedia.org to the site list.

This explains why other people had a hard time reproducing your bug report, and it's a bit lucky that I reproduced it immediately; I don't even remember when I configured GlobalWatchlist that way, I must have done it when investigating some different cross-wiki bug a long time ago.

Minimal code to reproduce the problem outside of GlobalWatchlist:

api = new mw.ForeignApi( 'https://test.wikipedia.org/w/api.php',{
	ajax: {
		headers: {
			'Api-User-Agent': 'testing T373925'
		}
	}
} );
api.foreignLoginPromise = $.Deferred().reject(); // to force use of 'centralauthtoken'
await api.get( { meta: 'userinfo' } );
hashar mentioned this in T373640: 1.43.0-wmf.21 deployment blockers.Sep 4 2024, 3:08 PM
Agusbou2015 subscribed.Sep 4 2024, 3:23 PM
gerritbot added a comment.Sep 4 2024, 4:00 PM

Change #1070609 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Do not consume 'centralauthtoken' on api.php OPTIONS requests

https://gerrit.wikimedia.org/r/1070609

gerritbot added a comment.Sep 4 2024, 4:26 PM

Change #1070638 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/extensions/CentralAuth@wmf/1.43.0-wmf.21] Do not consume 'centralauthtoken' on api.php OPTIONS requests

https://gerrit.wikimedia.org/r/1070638

gerritbot added a comment.Sep 4 2024, 4:37 PM

Change #1070638 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@wmf/1.43.0-wmf.21] Do not consume 'centralauthtoken' on api.php OPTIONS requests

https://gerrit.wikimedia.org/r/1070638

Stashbot added a comment.Sep 4 2024, 4:37 PM

Mentioned in SAL (#wikimedia-operations) [2024-09-04T16:37:57Z] <dancy@deploy1003> Started scap sync-world: Backport for [[gerrit:1070638|Do not consume 'centralauthtoken' on api.php OPTIONS requests (T373925)]]

Stashbot added a comment.Sep 4 2024, 4:40 PM

Mentioned in SAL (#wikimedia-operations) [2024-09-04T16:40:04Z] <dancy@deploy1003> matmarex, dancy: Backport for [[gerrit:1070638|Do not consume 'centralauthtoken' on api.php OPTIONS requests (T373925)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Stashbot added a comment.Sep 4 2024, 4:48 PM

Mentioned in SAL (#wikimedia-operations) [2024-09-04T16:48:13Z] <dancy@deploy1003> Finished scap sync-world: Backport for [[gerrit:1070638|Do not consume 'centralauthtoken' on api.php OPTIONS requests (T373925)]] (duration: 10m 16s)

IKhitron added a comment.Sep 4 2024, 4:49 PM

Looks fine now.

matmarex closed this task as Resolved.Sep 4 2024, 4:54 PM

Thanks for confirming! Also looks good for me.

gerritbot added a comment.Sep 4 2024, 4:59 PM

Change #1070645 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/extensions/CentralAuth@master] Add a test for 'centralauthtoken' handling on OPTIONS requests

https://gerrit.wikimedia.org/r/1070645

ReleaseTaggerBot added a project: MW-1.43-notes (1.43.0-wmf.22; 2024-09-10).Sep 4 2024, 5:00 PM
Novem_Linguae subscribed.Sep 4 2024, 5:17 PM
gerritbot added a comment.Sep 4 2024, 6:40 PM

Change #1070645 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Add a test for 'centralauthtoken' handling on OPTIONS requests

https://gerrit.wikimedia.org/r/1070645

Maintenance_bot removed a project: Patch-For-Review.Sep 4 2024, 7:30 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits