Page MenuHomePhabricator
Create Task
Maniphest T385572

SUL3: CheckUser is told about two successful logins with different IP addresses for one successful login on a SUL3 enabled wiki
Closed, ResolvedPublicBUG REPORT
Actions

Description

Summary

When SUL3 is enabled for a wiki, the CheckUser extension has the login hook called twice with different IP addresses and different amounts of Client Hints data. This results in two duplicate entries which have different data, which will be confusing for CheckUsers.

Background

  • The CheckUser extension creates a private event when a user logs in, logs out, and creates an account
  • A user with the checkuser right can see these events in the results list when running a check
  • SUL3 makes the user log in on a central wiki which is only used for authentication
  • However, SUL3 causes the login to be stored twice
    • On WMF wikis these duplicate events have at least once had different Client Hints data and IP addresses
  • This is confusing for users running a check, as they will be unsure of what is the correct data or think that the user logged in twice when they only logged in once

Technical notes

  • I can share the specific data with WMF staff on request, but won't post it here given that it's my CU data about my account from a production wiki
    • The first entry has a limited amount of Client Hints data (only low entropy) and was logged under an IPv4 address
    • The second entry had the full Client Hints data (i.e. high entropy) and was logged under an IPv6 address
  • It appears that the onAuthManagerAuthenticateAudit hook is being called twice for the same login at different points during the login process in the context of the local wiki
  • The account I had been testing on uses 2FA
  • Logging in on https://test-commons.wikimedia.org (which does not have SUL3 enabled yet) only caused one entry to be created

Acceptance criteria

  • Only one private CheckUser event is created for a login, which has the high entropy Client Hints data associated with it

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Suppress login audit hook in local leg of SUL3 authenticationmediawiki/extensions/CentralAuthmaster+59 -2
Suppress login audit hook in local leg of SUL3 authenticationmediawiki/extensions/CentralAuthwmf/1.44.0-wmf.16+59 -2
Customize query in gerrit

Related Objects
Search...

Event Timeline

Dreamy_Jazz created this task.Feb 4 2025, 12:23 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 4 2025, 12:23 PM
Dreamy_Jazz changed the subtype of this task from "Task" to "Bug Report".Feb 4 2025, 12:23 PM
Dreamy_Jazz renamed this task from SUL3: CheckUser has two login entries with different IP addresses for a SUL3 enabled wiki to SUL3: CheckUser is told about two successful logins with different IP addresses for one successful login on a SUL3 enabled wiki.Feb 4 2025, 12:26 PM
Dreamy_Jazz updated the task description. (Show Details)
Dreamy_Jazz mentioned this in T385574: LoginNotify and SUL3: Two emails are sent for a new device login when logging in on a SUL3 wiki.Feb 4 2025, 12:39 PM
Dreamy_Jazz moved this task from Inbox to Tracking work by others on the Trust and Safety Product Team board.Feb 4 2025, 1:38 PM
kostajh subscribed.Feb 4 2025, 2:42 PM

Discussed with @Dreamy_Jazz, we think this is something for MediaWiki-Platform-Team to take on as part of the SUL3 work, but we would be happy to review the patch(es).

Tgr added a parent task: T364866: Adapt to changes in post-login/signup hooks after switching to a central login wiki.Feb 4 2025, 3:51 PM
Tgr subscribed.Feb 4 2025, 10:03 PM

What happens is that testwiki sends you to auth.wikimedia.org to be used as a remote identity provider, but then internally auth.wikimedia.org is also testwiki. So you do a normal login there, the auth.wikimedia.org session gets written, and then get sent back to the normal testwiki domain, where another login happens, and the local session gets written.

In theory the second login is the "weird" one (e.g. if you are signing up instead of logging in, the first action will be a signup but the second a login) so that's the one that should be suppressed. It's a bit of a hack but we can probably send a "was this a remote login" flag in the extraData array of AuthManagerLoginAuthenticateAudit - not sure what's a reasonable abstraction there, though. Would it make sense to generally not send LoginNotify emails / not log CheckUser data for remote identity provider logins (think something like a "log in with Facebook" button)? Probably not, and I'd rather not add a completely SUL3-specific check to CheckUser/LoginNotify. Not sure I see a better option, though.

The first entry has a limited amount of Client Hints data (only low entropy) and was logged under an IPv4 address
The second entry had the full Client Hints data (i.e. high entropy) and was logged under an IPv6 address

No idea what's up with that. How is this data collected? And why would the IP differ, even if requesting high entropy fails for some reason?

Dreamy_Jazz added a comment.EditedFeb 5 2025, 10:40 AM
In T385572#10523361, @Tgr wrote:

How is this data collected?

For a successful login attempt this is collected via HTTP headers. For failed login attempts this is collected via JS code which sends the data to a REST API.

And why would the IP differ

I've no idea either, but maybe because one site accepts IPv6 over IPv4? The IP is taken from the main request context when calling the hook, so the code doing this is not in CheckUser.

Tgr mentioned this in T384232: QA for SUL3 on testwikis.Feb 5 2025, 2:57 PM
gerritbot added a comment.Feb 9 2025, 10:03 PM

Change #1118249 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@master] Suppress login audit hook in local leg of SUL3 authentication

https://gerrit.wikimedia.org/r/1118249

gerritbot added a project: Patch-For-Review.Feb 9 2025, 10:03 PM
Tgr claimed this task.Feb 9 2025, 10:11 PM
Tgr moved this task from Inbox, needs triage to In progress (DO NOT USE) on the MediaWiki-Platform-Team board.
matmarex subscribed.Feb 9 2025, 11:05 PM

Regarding the IPv6 vs IPv4 addresses, @Dreamy_Jazz can you look at the output of these API requests, and say whether they respond with an IPv6 or IPv4 address?

For me, they both report my IPv6 address. If that's not the case for everyone, I think that would be a question for SRE whether that's normal or a bug.

kostajh added a comment.Feb 10 2025, 10:41 AM
In T385572#10534366, @matmarex wrote:

Regarding the IPv6 vs IPv4 addresses, @Dreamy_Jazz can you look at the output of these API requests, and say whether they respond with an IPv6 or IPv4 address?

For me, they both report my IPv6 address. If that's not the case for everyone, I think that would be a question for SRE whether that's normal or a bug.

I see IPv6 addresses when visiting those URLs.

Dreamy_Jazz added a comment.EditedFeb 10 2025, 5:32 PM
In T385572#10534366, @matmarex wrote:

Regarding the IPv6 vs IPv4 addresses, @Dreamy_Jazz can you look at the output of these API requests, and say whether they respond with an IPv6 or IPv4 address?

For me, they both report my IPv6 address. If that's not the case for everyone, I think that would be a question for SRE whether that's normal or a bug.

Both links produce IPv6 addresses for me. This is the same for a request to test.wikipedia.org.

Dreamy_Jazz updated the task description. (Show Details)Feb 10 2025, 5:32 PM
gerritbot added a comment.Feb 15 2025, 8:02 PM

Change #1118249 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] Suppress login audit hook in local leg of SUL3 authentication

https://gerrit.wikimedia.org/r/1118249

Maintenance_bot removed a project: Patch-For-Review.Feb 15 2025, 8:30 PM
ReleaseTaggerBot added a project: MW-1.44-notes (1.44.0-wmf.17; 2025-02-18).Feb 15 2025, 9:00 PM
gerritbot added a comment.Feb 16 2025, 2:41 PM

Change #1119874 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/extensions/CentralAuth@wmf/1.44.0-wmf.16] Suppress login audit hook in local leg of SUL3 authentication

https://gerrit.wikimedia.org/r/1119874

gerritbot added a project: Patch-For-Review.Feb 16 2025, 2:41 PM
Tgr closed this task as Resolved.Feb 16 2025, 3:06 PM
gerritbot added a comment.Feb 17 2025, 2:13 PM

Change #1119874 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@wmf/1.44.0-wmf.16] Suppress login audit hook in local leg of SUL3 authentication

https://gerrit.wikimedia.org/r/1119874

Stashbot added a comment.Feb 17 2025, 2:21 PM

Mentioned in SAL (#wikimedia-operations) [2025-02-17T14:21:19Z] <tgr@deploy2002> Started scap sync-world: Backport for [[gerrit:1119874|Suppress login audit hook in local leg of SUL3 authentication (T385574 T385572)]]

Stashbot added a comment.Feb 17 2025, 2:26 PM

Mentioned in SAL (#wikimedia-operations) [2025-02-17T14:26:30Z] <tgr@deploy2002> tgr: Backport for [[gerrit:1119874|Suppress login audit hook in local leg of SUL3 authentication (T385574 T385572)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Stashbot added a comment.Feb 17 2025, 2:49 PM

Mentioned in SAL (#wikimedia-operations) [2025-02-17T14:49:02Z] <tgr@deploy2002> Finished scap sync-world: Backport for [[gerrit:1119874|Suppress login audit hook in local leg of SUL3 authentication (T385574 T385572)]] (duration: 27m 43s)

ReleaseTaggerBot edited projects, added MW-1.44-notes (1.44.0-wmf.16; 2025-02-11); removed MW-1.44-notes (1.44.0-wmf.17; 2025-02-18).Feb 17 2025, 3:00 PM
Tgr added a comment.Feb 17 2025, 10:47 PM

I tested both SUL2 and SUL3 login and saw the same (IPv6) IP and the same amount of client hints (high-entropy, I think? it included the exact browser version). And only once per login, now that the patch is deployed.

Blablubbs mentioned this in T391194: CheckUser displays low-entropy client hints for login actions by Android devices running Chrome .Apr 6 2025, 3:14 PM
Maintenance_bot removed a project: Patch-For-Review.Apr 6 2025, 3:30 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits