Page MenuHomePhabricator
Create Task
Maniphest T408294

Regeneration of Recovery Codes doesn't work properly
Closed, ResolvedPublicBUG REPORT
Actions

Description

Steps to replicate the issue:
Regenerate Recovery Codes.

What happens?:
The new code is not displayed; instead, the existing code is shown with one element missing.
You need to regenerate 10 times to truly regenerate new codes.

What should have happened instead?:
Fix the bug.

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):
1.45.0-wmf.24 (rMW0b6805d184fb)

Comment:
I notified on jawiki at HERE and HERE.
PLEASE BE CAREFUL WHEN YOU CHANGE THE CODE ABOUT RECOVERY CODES!

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
RecoveryCodeStatusForm: Don't assume there's only one recovery codemediawiki/extensions/OATHAuthwmf/1.45.0-wmf.24+6 -8
RecoveryCodeStatusForm: Don't assume there's only one recovery codemediawiki/extensions/OATHAuthmaster+6 -8
Customize query in gerrit

Related Objects
Search...

Event Timeline

T4NeGMp7P4en created this task.Oct 25 2025, 2:47 PM
nanona15dobato subscribed.Oct 25 2025, 3:04 PM
Reedy removed a project: MW-1.45-notes (1.45.0-wmf.25; 2025-10-28).Oct 25 2025, 3:08 PM
Reedy mentioned this in T408295: Create new recovery codes doesn't work.Oct 25 2025, 3:14 PM
Reedy mentioned this in T408296: Initial display of recovery codes is missing 1.
T4NeGMp7P4en updated the task description. (Show Details)Oct 25 2025, 3:18 PM
Reedy mentioned this in T408297: Recovery codes aren't consumed when encryption is enabled.Oct 25 2025, 3:21 PM
Reedy added a comment.Oct 25 2025, 4:16 PM

Ok, I specifically understand now.

Keep regenerating codes, it doesn't actually regenerate, you lose one at a time until they're all gone...

Reedy triaged this task as High priority.Oct 25 2025, 4:17 PM
Reedy added a comment.Oct 25 2025, 4:54 PM

Right... So when src/HTMLForm/RecoveryCodesStatusForm.php runs, it runs both onSubmit and onSuccess.

onSubmit is presuming you've consumed the first. and if you're regenerating, it'll eat one too..

Which means on the same page load, a var_dump in each function...

image.png (1×915 px, 202 KB)

gerritbot added a comment.Oct 25 2025, 5:12 PM

Change #1198651 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@master] RecoveryCodeStatusForm: Don't assume there's only one recovery code

https://gerrit.wikimedia.org/r/1198651

gerritbot added a project: Patch-For-Review.Oct 25 2025, 5:12 PM
T4NeGMp7P4en added a comment.Oct 25 2025, 5:32 PM
In T408294#11309328, @Reedy wrote:

Ok, I specifically understand now.

Keep regenerating codes, it doesn't actually regenerate, you lose one at a time until they're all gone...

Yeah, that's what I mean. Thank you so much!

gerritbot added a comment.Oct 25 2025, 5:48 PM

Change #1198651 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] RecoveryCodeStatusForm: Don't assume there's only one recovery code

https://gerrit.wikimedia.org/r/1198651

gerritbot added a comment.Oct 25 2025, 5:49 PM

Change #1198656 had a related patch set uploaded (by Reedy; author: Reedy):

[mediawiki/extensions/OATHAuth@wmf/1.45.0-wmf.24] RecoveryCodeStatusForm: Don't assume there's only one recovery code

https://gerrit.wikimedia.org/r/1198656

Reedy merged a task: T408296: Initial display of recovery codes is missing 1.Oct 25 2025, 5:53 PM
Reedy merged a task: T408295: Create new recovery codes doesn't work.
Reedy renamed this task from Regenerate Recovery Codes, it consume to Regeneration of Recovery Codes doesn't work properly.Oct 25 2025, 5:56 PM
gerritbot added a comment.Oct 25 2025, 5:58 PM

Change #1198656 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@wmf/1.45.0-wmf.24] RecoveryCodeStatusForm: Don't assume there's only one recovery code

https://gerrit.wikimedia.org/r/1198656

Reedy mentioned this in T408299: Recovery codes can end up as an object in the database....Oct 25 2025, 5:58 PM
ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.25; 2025-10-28).Oct 25 2025, 6:00 PM
Stashbot added a comment.Oct 25 2025, 6:01 PM

Mentioned in SAL (#wikimedia-operations) [2025-10-25T18:01:01Z] <reedy@deploy2002> Started scap sync-world: Backport for [[gerrit:1198656|RecoveryCodeStatusForm: Don't assume there's only one recovery code (T408294)]]

Stashbot added a comment.Oct 25 2025, 6:05 PM

Mentioned in SAL (#wikimedia-operations) [2025-10-25T18:05:07Z] <reedy@deploy2002> reedy: Backport for [[gerrit:1198656|RecoveryCodeStatusForm: Don't assume there's only one recovery code (T408294)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Stashbot added a comment.Oct 25 2025, 6:18 PM

Mentioned in SAL (#wikimedia-operations) [2025-10-25T18:18:09Z] <reedy@deploy2002> Finished scap sync-world: Backport for [[gerrit:1198656|RecoveryCodeStatusForm: Don't assume there's only one recovery code (T408294)]] (duration: 17m 08s)

Reedy closed this task as Resolved.Oct 25 2025, 6:24 PM
Reedy claimed this task.

Thanks for the report!

I've found numerous other bugs... So many tasks filed off the back of this :(

Maintenance_bot removed a project: Patch-For-Review.Oct 25 2025, 6:31 PM
T4NeGMp7P4en added a comment.Oct 25 2025, 6:38 PM
In T408294#11309423, @Reedy wrote:

Thanks for the report!

I've found numerous other bugs... So many tasks filed off the back of this :(

That's a bad news… . I deeply thank and rely on you.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits