Page MenuHomePhabricator
Create Task
Maniphest T393628

Temporary accounts: Use anonymous user performer when creating a named account
Closed, ResolvedPublic
Actions

Description

Summary

Replace the temporary account perfomer with a new, anonymous user performer when creating a named account

Background

  • As discussed with Legal in T335508: Connect temporary and permanent account during signup in Special:CheckUser / Special:Investigate, it's important to avoid leaking the association between a temporary account and a permanent account. In the temporary account to permanent account creation workflow, it's easiest to avoid leaking the temporary account's identity in various code paths if we require the temporary account user to be logged-out before creating a permanent account.
  • Some options for this include:
    • Log the temporary account user out upon visiting Special:CreateAccount (and in API attempts)
    • Introduce a modal on clicks to "Create account", where "Proceed" does an API call to logout before redirecting to Special:CreateAccount
    • Swap out the temporary account performer in AuthManager::beginAccountCreation with a new anonymous user object

Acceptance criteria

  • The performer seen in AuthManager::beginAccountCreation is an anonymous user object

Details

Other Assignee
Tchanders
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Invalidate temp user's sessions when creating a permanent accountmediawiki/coremaster+8 -3
Use anonymous user when creating named account from temp accountmediawiki/coreREL1_43+66 -0
Use anonymous user when creating named account from temp accountmediawiki/coreREL1_44+66 -0
Use anonymous user when creating named account from temp accountmediawiki/corewmf/1.45.0-wmf.1+66 -0
Use anonymous user when creating named account from temp accountmediawiki/coremaster+66 -0
Customize query in gerrit

Related Objects

Event Timeline

kostajh created this task.May 7 2025, 5:39 PM
Restricted Application added a project: Trust and Safety Product Team. · View Herald TranscriptMay 7 2025, 5:39 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
kostajh claimed this task.May 7 2025, 5:44 PM
gerritbot added a comment.May 7 2025, 5:46 PM

Change #1143146 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/core@master] [WIP] Log temporary account users out when creating accounts

https://gerrit.wikimedia.org/r/1143146

gerritbot added a project: Patch-For-Review.May 7 2025, 5:46 PM
Bugreporter subscribed.EditedMay 7 2025, 5:56 PM

This assumes accounts are created via Special:CreateAccount. However, some apps may create accounts via API - it will be a breaking change if API behavior is changed.

kostajh added a comment.May 7 2025, 5:58 PM
In T393628#10801750, @Bugreporter wrote:

This assumes accounts are created via Special:CreateAccount. However, some apps may create accounts via API.

Thanks :) the patch above also handles the API. We will probably also create subtasks for the Wikimedia iOS and Android apps.

kostajh renamed this task from Temporary accounts: Require temporary users to logout before creating permanent accounts to Temporary accounts: Use anonymous user performer when creating a named account.May 8 2025, 12:53 PM
kostajh updated the task description. (Show Details)
kostajh moved this task from Priority Backlog to Needs Review on the Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)) board.May 9 2025, 6:04 AM
gerritbot added a comment.May 13 2025, 3:22 PM

Change #1143146 merged by jenkins-bot:

[mediawiki/core@master] Use anonymous user when creating named account from temp account

https://gerrit.wikimedia.org/r/1143146

Maintenance_bot removed a project: Patch-For-Review.May 13 2025, 3:30 PM
ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.2; 2025-05-20).May 13 2025, 4:00 PM
gerritbot added a comment.May 14 2025, 6:19 AM

Change #1145455 had a related patch set uploaded (by Kosta Harlan; author: Kosta Harlan):

[mediawiki/core@wmf/1.45.0-wmf.1] Use anonymous user when creating named account from temp account

https://gerrit.wikimedia.org/r/1145455

gerritbot added a project: Patch-For-Review.May 14 2025, 6:19 AM
gerritbot added a comment.May 14 2025, 7:06 AM

Change #1145455 merged by jenkins-bot:

[mediawiki/core@wmf/1.45.0-wmf.1] Use anonymous user when creating named account from temp account

https://gerrit.wikimedia.org/r/1145455

Stashbot added a comment.May 14 2025, 7:06 AM

Mentioned in SAL (#wikimedia-operations) [2025-05-14T07:06:52Z] <kharlan@deploy1003> Started scap sync-world: Backport for [[gerrit:1145455|Use anonymous user when creating named account from temp account (T393628)]]

Stashbot added a comment.May 14 2025, 7:11 AM

Mentioned in SAL (#wikimedia-operations) [2025-05-14T07:11:35Z] <kharlan@deploy1003> kharlan: Backport for [[gerrit:1145455|Use anonymous user when creating named account from temp account (T393628)]] synced to the testservers (https://wikitech.wikimedia.org/wiki/Mwdebug)

Stashbot added a comment.May 14 2025, 7:26 AM

Mentioned in SAL (#wikimedia-operations) [2025-05-14T07:26:44Z] <kharlan@deploy1003> Finished scap sync-world: Backport for [[gerrit:1145455|Use anonymous user when creating named account from temp account (T393628)]] (duration: 19m 51s)

Maintenance_bot removed a project: Patch-For-Review.May 14 2025, 7:30 AM
ReleaseTaggerBot edited projects, added MW-1.45-notes (1.45.0-wmf.1; 2025-05-13); removed MW-1.45-notes (1.45.0-wmf.2; 2025-05-20).May 14 2025, 8:01 AM
kostajh moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)) board.May 14 2025, 12:01 PM
Dreamy_Jazz moved this task from Inbox to Engineering on the Trust and Safety Product Team board.May 14 2025, 8:43 PM
Dreamy_Jazz moved this task from Inbox to In progress on the Temporary accounts board.May 21 2025, 10:49 AM
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)); removed Trust and Safety Product Sprint (Sprint Key Lime Pie (May 5 - May 23)).May 25 2025, 6:53 PM
kostajh moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)) board.
gerritbot added a comment.May 29 2025, 12:05 PM

Change #1152050 had a related patch set uploaded (by Dreamy Jazz; author: Kosta Harlan):

[mediawiki/core@REL1_44] Use anonymous user when creating named account from temp account

https://gerrit.wikimedia.org/r/1152050

gerritbot added a project: Patch-For-Review.May 29 2025, 12:06 PM

Change #1152051 had a related patch set uploaded (by Dreamy Jazz; author: Kosta Harlan):

[mediawiki/core@REL1_43] Use anonymous user when creating named account from temp account

https://gerrit.wikimedia.org/r/1152051

gerritbot added a comment.May 29 2025, 12:23 PM

Change #1152050 merged by jenkins-bot:

[mediawiki/core@REL1_44] Use anonymous user when creating named account from temp account

https://gerrit.wikimedia.org/r/1152050

gerritbot added a comment.May 29 2025, 12:24 PM

Change #1152051 merged by jenkins-bot:

[mediawiki/core@REL1_43] Use anonymous user when creating named account from temp account

https://gerrit.wikimedia.org/r/1152051

Maintenance_bot removed a project: Patch-For-Review.May 29 2025, 12:30 PM
ReleaseTaggerBot added projects: MW-1.44-notes, MW-1.43-notes.May 29 2025, 1:00 PM
dom_walden subscribed.Jun 5 2025, 10:39 AM

@kostajh A couple of observations:

  • When a temp user creates a named account, CheckUser attributes this to the IP not the temp account. Is this OK?
  • When a temp user creates a named account via the API (sandbox), they have their session cookies cleared. On refresh, they are (sometimes) automatically logged in as the temporary user again but without a <wiki>_Token (so the session is lost when they close their browser). I see the below warning in the log:
[session] Session "[50]CentralAuthSessionProvider<+:19103:~2025-2596>3ho7t5cld6j2fsar03d2gb7il5cbb2i8": Metadata merge failed: [Exception MediaWiki\Session\MetadataMergeException( /var/www/html/w/includes/session/SessionProvider.php:260) Key "CentralAuthSource" changed]
#0 /var/www/html/w/includes/session/SessionManager.php(649): MediaWiki\Session\SessionProvider->mergeMetadata()
#1 /var/www/html/w/includes/session/SessionManager.php(511): MediaWiki\Session\SessionManager->loadSessionInfoFromStore()
#2 /var/www/html/w/includes/session/SessionManager.php(198): MediaWiki\Session\SessionManager->getSessionInfoForRequest()
#3 /var/www/html/w/includes/Request/WebRequest.php(870): MediaWiki\Session\SessionManager->getSessionForRequest()
#4 /var/www/html/w/includes/session/SessionManager.php(149): MediaWiki\Request\WebRequest->getSession()
#5 /var/www/html/w/includes/Setup.php(514): MediaWiki\Session\SessionManager::getGlobalSession()
#6 /var/www/html/w/includes/WebStart.php(86): require_once(string)
#7 /var/www/html/w/index.php(50): require(string)
#8 {main}
[session] Failed to load session, unpersisting
  • On a wikifarm (I am using SUL3), I create a temp account on one of my content wikis, then create an account on my central/login wiki. I am logged in as the new user on the login wiki but still as the temp user on the content wiki.
kostajh mentioned this in T386532: Temp account event data validation.Jun 10 2025, 9:24 AM
kostajh added subscribers: DAlangi_WMF, Tgr.Jun 10 2025, 11:02 AM
In T393628#10887166, @dom_walden wrote:

@kostajh A couple of observations:

  • When a temp user creates a named account, CheckUser attributes this to the IP not the temp account. Is this OK?

Yes, this is desired per T335508: Connect temporary and permanent account during signup in Special:CheckUser / Special:Investigate

  • When a temp user creates a named account via the API (sandbox), they have their session cookies cleared. On refresh, they are (sometimes) automatically logged in as the temporary user again but without a <wiki>_Token (so the session is lost when they close their browser). I see the below warning in the log:
[session] Session "[50]CentralAuthSessionProvider<+:19103:~2025-2596>3ho7t5cld6j2fsar03d2gb7il5cbb2i8": Metadata merge failed: [Exception MediaWiki\Session\MetadataMergeException( /var/www/html/w/includes/session/SessionProvider.php:260) Key "CentralAuthSource" changed]
#0 /var/www/html/w/includes/session/SessionManager.php(649): MediaWiki\Session\SessionProvider->mergeMetadata()
#1 /var/www/html/w/includes/session/SessionManager.php(511): MediaWiki\Session\SessionManager->loadSessionInfoFromStore()
#2 /var/www/html/w/includes/session/SessionManager.php(198): MediaWiki\Session\SessionManager->getSessionInfoForRequest()
#3 /var/www/html/w/includes/Request/WebRequest.php(870): MediaWiki\Session\SessionManager->getSessionForRequest()
#4 /var/www/html/w/includes/session/SessionManager.php(149): MediaWiki\Request\WebRequest->getSession()
#5 /var/www/html/w/includes/Setup.php(514): MediaWiki\Session\SessionManager::getGlobalSession()
#6 /var/www/html/w/includes/WebStart.php(86): require_once(string)
#7 /var/www/html/w/index.php(50): require(string)
#8 {main}
[session] Failed to load session, unpersisting

@Tgr @DAlangi_WMF does this sound like an issue that we need to fix?

  • On a wikifarm (I am using SUL3), I create a temp account on one of my content wikis, then create an account on my central/login wiki. I am logged in as the new user on the login wiki but still as the temp user on the content wiki.

@Tgr @DAlangi_WMF do you think we need to do anything about this, and if so, what should we do?

DAlangi_WMF added a comment.Jun 10 2025, 11:34 AM
  • When a temp user creates a named account via the API (sandbox), they have their session cookies cleared. On refresh, they are (sometimes) automatically logged in as the temporary user again but without a <wiki>_Token (so the session is lost when they close their browser). I see the below warning in the log:
[session] Session "[50]CentralAuthSessionProvider<+:19103:~2025-2596>3ho7t5cld6j2fsar03d2gb7il5cbb2i8": Metadata merge failed: [Exception MediaWiki\Session\MetadataMergeException( /var/www/html/w/includes/session/SessionProvider.php:260) Key "CentralAuthSource" changed]
#0 /var/www/html/w/includes/session/SessionManager.php(649): MediaWiki\Session\SessionProvider->mergeMetadata()
#1 /var/www/html/w/includes/session/SessionManager.php(511): MediaWiki\Session\SessionManager->loadSessionInfoFromStore()
#2 /var/www/html/w/includes/session/SessionManager.php(198): MediaWiki\Session\SessionManager->getSessionInfoForRequest()
#3 /var/www/html/w/includes/Request/WebRequest.php(870): MediaWiki\Session\SessionManager->getSessionForRequest()
#4 /var/www/html/w/includes/session/SessionManager.php(149): MediaWiki\Request\WebRequest->getSession()
#5 /var/www/html/w/includes/Setup.php(514): MediaWiki\Session\SessionManager::getGlobalSession()
#6 /var/www/html/w/includes/WebStart.php(86): require_once(string)
#7 /var/www/html/w/index.php(50): require(string)
#8 {main}
[session] Failed to load session, unpersisting

@Tgr @DAlangi_WMF does this sound like an issue that we need to fix?

This issue sounds similar to T158365: Session "{session}": Metadata merge failed: {exception} (which is quite old), but we need to fix at some point, yes. But normally, when a temp account transitions to a named account, the named account should take over normally. I remember we fixed this in T384523: [BUG] Failure to login to pilot wiki after temp account creation. Also, testing locally, this works as expected (the named account takes over). @dom_walden, can you confirm that the failure only happens when the metadata exception is thrown?

  • On a wikifarm (I am using SUL3), I create a temp account on one of my content wikis, then create an account on my central/login wiki. I am logged in as the new user on the login wiki but still as the temp user on the content wiki.

@Tgr @DAlangi_WMF do you think we need to do anything about this, and if so, what should we do?

I think this is expected. @dom_walden, what happens when you click on the "Login" button on the content/local wiki? Your named account should take over the temporary one since you're already logged in centrally?

dom_walden added a comment.Jun 11 2025, 3:14 PM
In T393628#10899201, @DAlangi_WMF wrote:

This issue sounds similar to T158365: Session "{session}": Metadata merge failed: {exception} (which is quite old), but we need to fix at some point, yes. But normally, when a temp account transitions to a named account, the named account should take over normally. I remember we fixed this in T384523: [BUG] Failure to login to pilot wiki after temp account creation. Also, testing locally, this works as expected (the named account takes over). @dom_walden, can you confirm that the failure only happens when the metadata exception is thrown?

I have tried to reproduce the failure many times and, so far, I have always seen the metadata exception.

I think this is expected. @dom_walden, what happens when you click on the "Login" button on the content/local wiki? Your named account should take over the temporary one since you're already logged in centrally?

The named account does take over in this case.

Tgr added a comment.Jun 11 2025, 5:50 PM

There is no way to update session cookies across domains, so we'll need to invalidate the temp user's sessions on signup.

Tgr added a comment.Jun 11 2025, 5:54 PM

The metadata merge error is weird, but hard to say more without knowing exactly when and where it happens and what CentralAuthSource changed from/to (that should be included in the PSR-3 log context). It results in clearing session cookies, so it's not really related to being logged in with the wrong account, at least not directly (I guess clearing the local session will result in an autologin, and if the central wiki has the wrong session, that will be spread to the local wiki).

Bugreporter added a comment.Jun 11 2025, 6:34 PM

invalidate the temp user's sessions on signup

This should just happen if a user account is successfully created (not "Log the temporary account user out upon visiting Special:CreateAccount" as described in task description). The temporary account and session should remain when:

  • user quitted Special:CreateAccount without creating an account
  • user do not load account creation form (due to block or rate limit)
  • user failed to create an account (due to block, rate limit, invalid username/password or abuse filter)
kostajh edited projects, added Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)); removed Trust and Safety Product Sprint (Sprint Carrot Cake (May 26 - June 13)).Jun 16 2025, 6:12 AM
kostajh moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)) board.
dom_walden moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)) board.Jun 17 2025, 6:21 AM
kostajh closed this task as Resolved.Jul 7 2025, 9:41 AM
DAlangi_WMF added a comment.Jul 7 2025, 12:02 PM

@kostajh, the "Acceptance Criteria" section was not updated yet. Is there anything to do there now that this is resolved? Can we check the box? :)

Tgr added a comment.Jul 7 2025, 5:21 PM
In T393628#10906020, @Tgr wrote:

There is no way to update session cookies across domains, so we'll need to invalidate the temp user's sessions on signup.

Note that this wasn't done. I still think it's a good idea. Otherwise the user can end up being logged in with the new username on some domains and the temp username on others, and that's at a minimum confusing, and it's probably not too hard to accidentally reveal the association between the accounts in that scenario.

gerritbot added a comment.Jul 11 2025, 5:20 PM

Change #1168224 had a related patch set uploaded (by Tchanders; author: Tchanders):

[mediawiki/core@master] Invalidate temp user's sessions when creating a permanent account

https://gerrit.wikimedia.org/r/1168224

gerritbot added a project: Patch-For-Review.Jul 11 2025, 5:20 PM
Tchanders reopened this task as Open.Jul 11 2025, 5:21 PM
Tchanders edited projects, added Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)); removed Trust and Safety Product Sprint (Sprint Baklava (June 16 - July 4)).
Tchanders moved this task from Priority Backlog to Needs Review on the Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)) board.
Tchanders moved this task from In progress to Update MediaWiki Core to introduce temp accounts on the Temporary accounts board.Jul 15 2025, 5:14 PM
Tchanders edited projects, added Temporary accounts (Update MediaWiki Core to introduce temp accounts); removed Temporary accounts.
Tchanders edited projects, added Temporary accounts (Global wiki rollout); removed Temporary accounts (Update MediaWiki Core to introduce temp accounts).
Tchanders moved this task from To triage to In progress on the Temporary accounts (Global wiki rollout) board.Jul 15 2025, 5:21 PM
gerritbot added a comment.Jul 16 2025, 11:45 AM

Change #1168224 merged by jenkins-bot:

[mediawiki/core@master] Invalidate temp user's sessions when creating a permanent account

https://gerrit.wikimedia.org/r/1168224

ReleaseTaggerBot edited projects, added MW-1.45-notes (1.45.0-wmf.11; 2025-07-22); removed MW-1.45-notes (1.45.0-wmf.1; 2025-05-13).Jul 16 2025, 12:01 PM
Maintenance_bot removed a project: Patch-For-Review.Jul 16 2025, 12:31 PM
kostajh moved this task from Needs Review to Needs QA on the Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)) board.Jul 16 2025, 1:58 PM
kostajh updated Other Assignee, added: Tchanders.
kostajh mentioned this in T398270: Temp Account persists after logging in and out.Jul 21 2025, 9:49 AM
kostajh added a comment.Jul 21 2025, 10:25 AM

See also T398270: Temp Account persists after logging in and out for the login path equivalent of this task.

OKryva-WMF edited projects, added Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)); removed Trust and Safety Product Sprint (Sprint Cannoli (July 7 - July 25)).Jul 25 2025, 1:56 PM
OKryva-WMF moved this task from Priority Backlog to Needs QA on the Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)) board.
Tchanders closed this task as Resolved.Jul 30 2025, 3:29 PM
Tchanders moved this task from Needs QA to Done on the Trust and Safety Product Sprint (Sprint Rum baba (July 28 - August 15)) board.
Tchanders subscribed.

I think we can re-resolve this - the additional change was small and similar to what we've done elsewhere.

OKryva-WMF added a project: OKR-Work.Oct 3 2025, 3:50 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits