
LogicException: CentralAuthReturnRequest not found
Closed, ResolvedPublicPRODUCTION ERROR

Description

Error

normalized_message:

```
[{reqId}] {exception_url}   LogicException: CentralAuthReturnRequest not found
```

Stack trace (frame, location, call):

```
from /srv/mediawiki/php-1.44.0-wmf.19/extensions/CentralAuth/includes/CentralAuthRedirectingPrimaryAuthenticationProvider.php(149)
#0  /srv/mediawiki/php-1.44.0-wmf.19/includes/auth/AuthManager.php(638)                        MediaWiki\Extension\CentralAuth\CentralAuthRedirectingPrimaryAuthenticationProvider->continuePrimaryAuthentication(array)
#1  /srv/mediawiki/php-1.44.0-wmf.19/includes/specialpage/AuthManagerSpecialPage.php(401)      MediaWiki\Auth\AuthManager->continueAuthentication(array)
#2  /srv/mediawiki/php-1.44.0-wmf.19/includes/specialpage/AuthManagerSpecialPage.php(533)      MediaWiki\SpecialPage\AuthManagerSpecialPage->performAuthenticationStep(string, array)
#3  /srv/mediawiki/php-1.44.0-wmf.19/includes/specialpage/AuthManagerSpecialPage.php(511)      MediaWiki\SpecialPage\AuthManagerSpecialPage->handleFormSubmit(array)
#4  /srv/mediawiki/php-1.44.0-wmf.19/includes/specialpage/LoginSignupSpecialPage.php(404)      MediaWiki\SpecialPage\AuthManagerSpecialPage->trySubmit()
#5  /srv/mediawiki/php-1.44.0-wmf.19/includes/specialpage/SpecialPage.php(729)                 MediaWiki\SpecialPage\LoginSignupSpecialPage->execute(null)
#6  /srv/mediawiki/php-1.44.0-wmf.19/includes/specialpage/SpecialPageFactory.php(1737)         MediaWiki\SpecialPage\SpecialPage->run(null)
#7  /srv/mediawiki/php-1.44.0-wmf.19/includes/actions/ActionEntryPoint.php(503)                MediaWiki\SpecialPage\SpecialPageFactory->executePath(string, MediaWiki\Context\RequestContext)
#8  /srv/mediawiki/php-1.44.0-wmf.19/includes/actions/ActionEntryPoint.php(145)                MediaWiki\Actions\ActionEntryPoint->performRequest()
#9  /srv/mediawiki/php-1.44.0-wmf.19/includes/MediaWikiEntryPoint.php(202)                     MediaWiki\Actions\ActionEntryPoint->execute()
#10 /srv/mediawiki/php-1.44.0-wmf.19/index.php(58)                                             MediaWiki\MediaWikiEntryPoint->run()
#11 /srv/mediawiki/w/index.php(3)                                                               require(string)
#12 {main}
```
Impact
Notes

Details

Request URL
https://commons.wikimedia.org/wiki/Special:UserLogin
Related Changes in Gerrit:

Event Timeline


This seems weird - the URL is /wiki/Special:UserLogin and it must be a POST request since otherwise the code path that leads to continuePrimaryAuthentication() wouldn't be active, but the referrer is https://commons.m.wikimedia.org/wiki/Special:ConfirmEmail/517c09033f0a5ce67a12cdeacc68acc1. How is that even possible?

CentralAuthRedirectingPrimaryAuthenticationProvider::beginPrimaryAuthentication() returns a response with a CentralAuthReturnRequest object in it, in theory that means the following continuePrimaryAuthentication() call should also have that object. But maybe if the corresponding GET/POST parameter is missing, we automatically skip adding the object? I thought that would only happen to AuthenticationRequest objects where $required is set to OPTIONAL, but maybe I'm misremembering.

So I suspect this is some kind of manual request tampering, but in theory the LogicException should not be reachable, and if it is reachable, we need a proper StatusValue-based error instead.

There are maybe a dozen instances of this BTW - logstash.

This seems really weird. Vaguely following the Special:ConfirmEmail code, I see that it sometimes calls Special:UserLogin as a GET request. I think maybe this is when we get some weird behavior when cookies on the shared domain are set but not on the local domain (when continueAuthentication is called) - maybe some timeout(?). Then that throws the logic error, but I wonder why/when that should ever happen.

But nevertheless, I'll try to reproduce it and see.

I guess what's happening is:

  • login or signup succeeds on the shared domain and redirects the user to Special:UserLogin/return on the local domain
  • AuthManagerSpecialPage::handleReturnBeforeExecute() sets the session key for handling this request as a POST, and redirects to Special:UserLogin
  • for some reason that redirect doesn't work, or maybe there is just a race between it and the user using another browser tab
  • the user clicks on the link in the confirmation email, gets sent to the login page, but since they still have the session cookie and the session has the special key, AuthManagerSpecialPage thinks this is the last step of remote authentication, and should be interpreted as a form submit. But the URL parameter that would be used for CentralAuthReturnRequest is not actually there.

We should probably use a query parameter to ensure that the special /return processing only happens on the same redirect chain, and not in an unrelated browser window.

There's also a bunch of Validation error on return logstash entries, which I imagine is a side effect of this, but we'll need to double-check that.

~150 cases in the last 7 days.
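The failure sequence sketched in the bullet list above, and the fix direction proposed after it (binding the special /return handling to a URL parameter rather than to a session flag alone), as an added model in Python. This is not MediaWiki or CentralAuth code; the session keys, the `centralauthreturn` and `authreturn` parameter names, and the function names are hypothetical stand-ins for the real AuthManagerSpecialPage logic, chosen only to show why an unrelated browser tab can trip the LogicException and how a per-redirect token closes that path.

```python
# Added example (not MediaWiki/CentralAuth code): a model of the
# Special:UserLogin/return handoff and of the "unrelated tab" failure.
# All session keys and parameter names below are hypothetical.
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


class LogicException(Exception):
    """Stands in for the PHP LogicException in the task's stack trace."""


RETURN_FLAG = "AuthManagerSpecialPage:returnPending"   # hypothetical session key
RETURN_TOKEN = "AuthManagerSpecialPage:returnToken"    # hypothetical session key


def continue_primary_authentication(reqs):
    """Models continuePrimaryAuthentication(): this step is only reachable
    legitimately when the CentralAuthReturnRequest is in the request set."""
    if "CentralAuthReturnRequest" not in reqs:
        raise LogicException("CentralAuthReturnRequest not found")
    return "PASS"


def requests_from_query(query):
    """Builds the AuthenticationRequest set from URL parameters (model only);
    the parameter name is a placeholder, not the real one."""
    reqs = {}
    if "centralauthreturn" in query:
        reqs["CentralAuthReturnRequest"] = query["centralauthreturn"]
    return reqs


def query_of(url):
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


# --- before the fix: a bare session flag turns the next request into a "submit" ---
def handle_return_old(session, query):
    session[RETURN_FLAG] = True
    return "/wiki/Special:UserLogin?" + urlencode(query)


def user_login_old(session, url):
    if session.pop(RETURN_FLAG, False):
        # Whatever request arrives next is treated as the final POST step,
        # even if it came from an unrelated tab without the return parameter.
        return continue_primary_authentication(requests_from_query(query_of(url)))
    return "FORM"   # ordinary GET: render the login form


# --- after the fix: the flag is honoured only on the redirect chain it was set for ---
def handle_return_new(session, query):
    token = secrets.token_hex(16)
    session[RETURN_FLAG] = True
    session[RETURN_TOKEN] = token
    return "/wiki/Special:UserLogin?" + urlencode({**query, "authreturn": token})


def user_login_new(session, url):
    query = query_of(url)
    expected = session.get(RETURN_TOKEN)
    presented = query.get("authreturn", "")
    if session.get(RETURN_FLAG) and expected and secrets.compare_digest(presented, expected):
        # Single use: clear the pending state before consuming it.
        session.pop(RETURN_FLAG)
        session.pop(RETURN_TOKEN)
        return continue_primary_authentication(requests_from_query(query))
    return "FORM"   # no matching token: just a normal visit to the login page


def same_tab(handle_return, user_login):
    """Happy path: the browser follows the /return redirect as intended."""
    session = {}
    redirect = handle_return(session, {"centralauthreturn": "ok"})
    return user_login(session, redirect)


def crossed_tabs(handle_return, user_login):
    """Failure path from the task: tab A hits /return but its redirect is not
    followed (or not yet); tab B opens Special:UserLogin from the confirmation
    e-mail link, sharing the same session cookie but carrying no parameters."""
    session = {}
    handle_return(session, {"centralauthreturn": "ok"})
    try:
        return user_login(session, "/wiki/Special:UserLogin")
    except LogicException as e:
        return f"LogicException: {e}"


def run_scenarios():
    return {
        "old/same_tab": same_tab(handle_return_old, user_login_old),
        "old/crossed_tabs": crossed_tabs(handle_return_old, user_login_old),
        "new/same_tab": same_tab(handle_return_new, user_login_new),
        "new/crossed_tabs": crossed_tabs(handle_return_new, user_login_new),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:18} -> {outcome}")
```

The token does double duty: it ties the pending-return state to the one redirect that set it, and, because it is consumed on first use, a stale flag left behind by a redirect that never completed cannot be triggered later by any GET to Special:UserLogin. The model deliberately keeps the old behaviour reachable so the two outcomes can be compared side by side.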

Change #1128039 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@master] authmanager: Use an URL parameter to keep track of returns

https://gerrit.wikimedia.org/r/1128039

Change #1128039 merged by jenkins-bot:

[mediawiki/core@master] authmanager: Use an URL parameter to keep track of returns

https://gerrit.wikimedia.org/r/1128039

Change #1130320 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@wmf/1.44.0-wmf.21] authmanager: Use an URL parameter to keep track of returns

https://gerrit.wikimedia.org/r/1130320

Change #1130320 merged by jenkins-bot:

[mediawiki/core@wmf/1.44.0-wmf.21] authmanager: Use an URL parameter to keep track of returns

https://gerrit.wikimedia.org/r/1130320

Mentioned in SAL (#wikimedia-operations) [2025-03-24T08:48:31Z] <tgr@deploy1003> Started scap sync-world: Backport for [[gerrit:1130320|authmanager: Use an URL parameter to keep track of returns (T388250)]]

Mentioned in SAL (#wikimedia-operations) [2025-03-24T08:54:01Z] <tgr@deploy1003> tgr: Backport for [[gerrit:1130320|authmanager: Use an URL parameter to keep track of returns (T388250)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Mentioned in SAL (#wikimedia-operations) [2025-03-24T09:04:49Z] <tgr@deploy1003> Finished scap sync-world: Backport for [[gerrit:1130320|authmanager: Use an URL parameter to keep track of returns (T388250)]] (duration: 16m 18s)

Errors are gone:

Logstash searches for "Validation error on return" and "LogicException: CentralAuthReturnRequest not found":

Screenshot Capture - 2025-03-24 - 18-58-12.png (1,348×426 px, 41 KB)
Screenshot Capture - 2025-03-24 - 18-56-59.png (1,356×436 px, 42 KB)

Doesn't seem to have been replaced by new errors either.