Page MenuHomePhabricator
Create Task
Maniphest T384829

Differentiate between stackable and final redirects in PostLoginRedirect hook
Open, Needs TriagePublic
Actions

Description

The PostLoginRedirect gives extensions an opportunity to redirect after login (or signup). Conceptually, there are three kinds of redirects:

  • The redirect does something, invisibly to the user, then returns (e.g. CentralAuth central login). There's some minimal risk that it doesn't return because of an error / browser intervention.
  • The redirect takes the user to some UI, then returns after the user finishes (e.g. GrowthExperiments welcome survey). There is a modest risk that it doesn't return because the user abandons the flow.
  • The redirect takes the user to some location they aren't supposed to return from, replacing the default new user landing page (e.g. GrowthExperiments newcomer homepage).

The first two kinds are stackable (you could in theory do several of them in sequence), the third kind isn't. There is no way to differentiate between them currently, so it's kinda random what happens when there are multiple hook handlers. CentralAuth tries to work around this by providing a custom CentralAuthPostLoginRedirect hook, so when other extensions see CentralAuth is enabled, they can ignore the normal hook and use the custom hook instead; but that's fragile and doesn't scale.

We should have a new post-authentication redirect hook where hooks can add redirect URLs or callbacks, explicitly marked as one of the three categories above, and MediaWiki executes the invisible redirects first, the visible but non-final ones next, and logs an error if there are multiple final redirects (or maybe has some priority mechanism).

Event Timeline

Tgr created this task.Jan 27 2025, 12:50 PM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptJan 27 2025, 12:50 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Tgr added a subscriber: daniel.Jan 27 2025, 12:52 PM

@daniel FYI since you are thinking about redesigning hooks - this is a somewhat common problem I think, that some handlers can coexist with other handlers and some can't, and the current system doesn't handle that well.

mszabo subscribed.Jan 27 2025, 1:00 PM
larissagaulia moved this task from Inbox, needs triage to Roadmap on the MediaWiki-Platform-Team board.Feb 3 2025, 3:26 PM
larissagaulia edited projects, added: MediaWiki-Platform-Team (Roadmap); removed: MediaWiki-Platform-Team.
OWresch-WMF edited projects, added: MediaWiki-Platform-Team; removed: MediaWiki-Platform-Team (Roadmap).Jan 16 2026, 1:55 PM
Maintenance_bot added a project: MW-Interfaces-Team.Jan 16 2026, 2:31 PM
matmarex moved this task from Inbox, needs triage to DO NOT USE (was: Not planned) on the MediaWiki-Platform-Team board.Jan 19 2026, 3:37 PM
OWresch-WMF moved this task from DO NOT USE (was: Not planned) to Not planned / Patches welcome on the MediaWiki-Platform-Team board.Jan 20 2026, 11:24 AM
aaron moved this task from Incoming (Needs Triage) to Needs Further Discussion on the MW-Interfaces-Team board.Jan 21 2026, 6:13 AM
Tgr added a comment.Mar 6 2026, 1:56 PM

Another use case that came up is adding a query parameter to returntoquery (but otherwise not doing changes that could be incompatible with other handlers' intentions) and expecting that to show up on the next non-redirect response.

Michael subscribed.Mar 6 2026, 6:53 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits