SUL3 broke the ability to send new user's password via email
Closed, ResolvedPublicBUG REPORT
Actions

Description

Steps to replicate the issue (include links if applicable):

Go to outreachdashboard https://outreachdashboard.wmflabs.org/
go to pending account requests (e.g. https://outreachdashboard.wmflabs.org/requested_accounts/jeXed/The_viability_of_using_LLMs_in_Higher_Education )
Click "create these accoutns"

What happens?:

Process fails with error:

Failure: Could not create account for jeXed / EMAILREDACTED@DOMAIN.COM. response: {"warnings"=>{"main"=>{"*"=>"Unrecognized parameter: mailpassword."}}, "createaccount"=>{"status"=>"FAIL", "message"=>"The supplied credentials could not be used for account creation.", "messagecode"=>"authmanager-create-no-primary"}}

What should have happened instead?:
The account should have been created

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):
WMF Production

Other information (browser name/version, screenshots, etc.):

Details

Related Changes in Gerrit:

Subject	Repo	Branch	Lines +/-
SUL3: Fix account creation by username & email (with temp password)	mediawiki/extensions/CentralAuth	REL1_44	+48 -36
SUL3: Fix account creation by username & email (with temp password)	mediawiki/extensions/CentralAuth	wmf/1.45.0-wmf.1	+48 -36
SUL3: Fix account creation by username & email (with temp password)	mediawiki/extensions/CentralAuth	wmf/1.44.0-wmf.28	+48 -36
SUL3: Fix account creation by username & email (with temp password)	mediawiki/extensions/CentralAuth	master	+48 -36

Customize query in gerrit

Related Objects

Mentioned In: T387861: Remove SUL3 opt-in code from CentralAuth
T391324: Missing "send temporary password through email" option in Wikimedia SUL account creation
Mentioned Here: rOMWC430edba28ba9: Enable SUL3 everywhere
T151012: CentralAuth should have its own temporary password handling
T390437: Deploy Extension:EmailAuth

Event Timeline

Xaosflux created this task.Apr 1 2025, 3:35 PM

Restricted Application added subscribers: Base, Aklapper. · View Herald TranscriptApr 1 2025, 3:35 PM

Hmm... I am getting this error with a test account request as well. My first guess was that it's related to T390437, which just deployed.

The bot account that is used for fallback account creation (https://en.wikipedia.org/wiki/User:OutreachDashboardBot) didn't have an email set, so set one and verified it, but that didn't fix the problem. However, the Dashboard first tries creating it using the account of whoever is processing the requests, so I think these errors are coming from the actions attempted with our accounts rather than the bot account.

@kostajh: this is an error we haven't seen before, triggered by attempting to create an account via the API using OAuth credentials for the user who is trying to create the account. Is this related to the EmailAuth changes?

I don't think EmailAuth is related here. It's set only to log. @Tgr do you know what is going on here?

This error is used when no authentication provider thinks the supplied set of data is relevant to them. Some possible reasons:

you didn't provide some required field (e.g. neither a password nor an email address)
somehow SUL3 is enabled despite it generally being disabled for API requests, so the normal providers are not loaded
we broke account-creation-by-email handling when we switched from TemporaryPasswordPrimaryAuthenticationProvider to CentralAuthTemporaryPasswordPrimaryAuthenticationProvider in T151012: CentralAuth should have its own temporary password handling

The requests definitely include an email address (and no password). The account creation flow from the Dashboard was working at least as recently as March 28, so I assume it's something that changed in the April 1 deployment.

somehow SUL3 is enabled despite it generally being disabled for API requests, so the normal providers are not loaded

It's that one.
https://en.wikipedia.org/wiki/Special:ApiSandbox#action=query&format=json&meta=authmanagerinfo&formatversion=2&amirequestsfor=create&amimergerequestfields=1

I guess this must have been caused by rOMWC430edba28ba9: Enable SUL3 everywhere somehow, since otherwise enwiki has been using SUL3 signup for two weeks.

Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptApr 1 2025, 8:15 PM

This will break the mobile apps, at a minimum.

Change #1133255 had a related patch set uploaded (by D3r1ck01; author: Derick Alangi):

[mediawiki/extensions/CentralAuth@master] SUL3: Fix account creation by username & email (with temp password)

https://gerrit.wikimedia.org/r/1133255

gerritbot added a project: Patch-For-Review.Apr 1 2025, 11:08 PM

In T390751#10701194, @Tgr wrote:

This will break the mobile apps, at a minimum.

Actually only affects account creation via the API where the creator is already logged in. Still not great.

DAlangi_WMF changed the task status from Open to In Progress.Apr 2 2025, 12:28 AM

DAlangi_WMF claimed this task.

DAlangi_WMF moved this task from Inbox, needs triage to In progress (DO NOT USE) on the MediaWiki-Platform-Team board.

Hi there, just to say that I'm also getting this issue, both username and email address have been provided in this instance.

We are also seeing this issue on the English Wikipedia Account Creation tool (ACC). For now, we have disabled API based account creations, but it would be nice to have it working again.

taavi renamed this task from outreachdashboard - unable to process account creation requests to SUL3 broke the ability to send new user's password via email.Apr 8 2025, 8:55 AM

taavi merged a task: T391324: Missing "send temporary password through email" option in Wikimedia SUL account creation.

taavi added subscribers: LuciferianThomas, Stang.

stwalkerster subscribed.Apr 8 2025, 8:39 PM

• Tgr moved this task from Backlog to In progress on the SUL3 board.Apr 8 2025, 9:14 PM

LuciferianThomas mentioned this in T391324: Missing "send temporary password through email" option in Wikimedia SUL account creation.Apr 9 2025, 8:23 AM

mdaniels5757 subscribed.Apr 11 2025, 2:07 AM

matmarex mentioned this in T387861: Remove SUL3 opt-in code from CentralAuth.Apr 11 2025, 2:31 AM

Any update on this? We still have account requests coming in regularly on Programs & Events Dashboard for editathons and such, and can't process them.

Change #1133255 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] SUL3: Fix account creation by username & email (with temp password)

https://gerrit.wikimedia.org/r/1133255

Maintenance_bot removed a project: Patch-For-Review.May 13 2025, 3:30 AM

ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.2; 2025-05-20).May 13 2025, 4:00 AM

Sorry it took us a while to get to this. The fix would be deployed next week per the usual schedule. I wonder if we should backport it earlier?

In T390751#10814781, @matmarex wrote:

Sorry it took us a while to get to this. The fix would be deployed next week per the usual schedule. I wonder if we should backport it earlier?

It would be nice to backport this since the week is still early.

Change #1145096 had a related patch set uploaded (by D3r1ck01; author: Derick Alangi):

[mediawiki/extensions/CentralAuth@wmf/1.44.0-wmf.28] SUL3: Fix account creation by username & email (with temp password)

https://gerrit.wikimedia.org/r/1145096

gerritbot added a project: Patch-For-Review.May 13 2025, 8:07 AM

Change #1145193 had a related patch set uploaded (by Bartosz Dziewoński; author: Derick Alangi):

[mediawiki/extensions/CentralAuth@wmf/1.45.0-wmf.1] SUL3: Fix account creation by username & email (with temp password)

https://gerrit.wikimedia.org/r/1145193

Change #1145096 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@wmf/1.44.0-wmf.28] SUL3: Fix account creation by username & email (with temp password)

https://gerrit.wikimedia.org/r/1145096

Change #1145193 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@wmf/1.45.0-wmf.1] SUL3: Fix account creation by username & email (with temp password)

https://gerrit.wikimedia.org/r/1145193

Mentioned in SAL (#wikimedia-operations) [2025-05-13T13:23:49Z] <lucaswerkmeister-wmde@deploy1003> Started scap sync-world: Backport for [[gerrit:1145096|SUL3: Fix account creation by username & email (with temp password) (T390751)]], [[gerrit:1145193|SUL3: Fix account creation by username & email (with temp password) (T390751)]]

Mentioned in SAL (#wikimedia-operations) [2025-05-13T13:30:20Z] <lucaswerkmeister-wmde@deploy1003> lucaswerkmeister-wmde, matmarex, d3r1ck01: Backport for [[gerrit:1145096|SUL3: Fix account creation by username & email (with temp password) (T390751)]], [[gerrit:1145193|SUL3: Fix account creation by username & email (with temp password) (T390751)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Maintenance_bot removed a project: Patch-For-Review.May 13 2025, 1:31 PM

Mentioned in SAL (#wikimedia-operations) [2025-05-13T13:37:57Z] <lucaswerkmeister-wmde@deploy1003> Finished scap sync-world: Backport for [[gerrit:1145096|SUL3: Fix account creation by username & email (with temp password) (T390751)]], [[gerrit:1145193|SUL3: Fix account creation by username & email (with temp password) (T390751)]] (duration: 14m 07s)

Mentioned in SAL (#wikimedia-operations) [2025-05-13T13:39:59Z] <lucaswerkmeister-wmde@deploy1003> Started scap sync-world: Backport for [[gerrit:1145096|SUL3: Fix account creation by username & email (with temp password) (T390751)]]

Following instructions in the commit message, I was able to create an account using API sandbox with password sent via email: https://test.wikipedia.org/w/index.php?title=Special:Log&logid=424666

I also confirmed that the same API request did not work before deploying the patch.

This is now fixed, and the fix is deployed to all wikis.

Mentioned in SAL (#wikimedia-operations) [2025-05-13T13:46:12Z] <lucaswerkmeister-wmde@deploy1003> d3r1ck01, lucaswerkmeister-wmde: Backport for [[gerrit:1145096|SUL3: Fix account creation by username & email (with temp password) (T390751)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

ReleaseTaggerBot edited projects, added MW-1.44-notes (1.44.0-wmf.28; 2025-05-06), MW-1.45-notes (1.45.0-wmf.1; 2025-05-13); removed MW-1.45-notes (1.45.0-wmf.2; 2025-05-20).May 13 2025, 2:00 PM

Thanks! I just processed the backlog of account requests on Programs & Events Dashboard, and things are working normally again.

Change #1145239 had a related patch set uploaded (by Bartosz Dziewoński; author: Derick Alangi):

[mediawiki/extensions/CentralAuth@REL1_44] SUL3: Fix account creation by username & email (with temp password)

https://gerrit.wikimedia.org/r/1145239

gerritbot added a project: Patch-For-Review.May 13 2025, 2:47 PM

Change #1145239 merged by jenkins-bot: