
Remove trailing slash in issuer for bot password JWT cookies
Closed, Resolved (Public)

Description

Apparently we are setting https://meta.wikimedia.org in one place and https://meta.wikimedia.org/ in another place. That needs to be consistent.

We also need B/C logic for the change (hopefully this doesn't affect non-owner-only consumers and then we only need it for 4 hours) since otherwise changing the issuer would break all existing tokens.

Event Timeline

Seems like just one client or gadget affected, all the logs are from dewiki.

The trailing slash is from $wgJwtSessionCookieIssuer. So:

  • option 1 - disable JWTs for bot passwords, wait 4 hours for cookies to expire, fix config, reenable. Bots that ignore cookie expiries (we know there's at least one) will break.
  • option 2 - add b/c code for explicitly ignoring a trailing slash.

We have a bunch of other urgent problems so let's go with option 1 and deal with the B/C support if too many bots turn out to ignore expiry for us to just reach out directly.
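Option 2 sketched as an added example (not code from MediaWiki, the gateway, or this task): a validator that requires an exact `iss` match but accepts the one legacy trailing-slash spelling until a cutoff, so the B/C path closes on its own once old cookies have expired. The HS256 signing, the key, the function names and the cutoff handling are assumptions made for illustration; only the issuer string and the 4-hour lifetime come from the task.

```python
import base64, hashlib, hmac, json

EXPECTED_ISS = "https://meta.wikimedia.org"  # canonical form from the task, no trailing slash
COOKIE_LIFETIME = 4 * 3600                   # the 4-hour expiry mentioned in the task

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims, key):
    """Hypothetical issuer side (HS256), used only to construct sample tokens."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def issuer_ok(iss, now, compat_until):
    """Exact match always; the single legacy spelling only before the cutoff."""
    if iss == EXPECTED_ISS:
        return True
    # No prefix matching or general normalisation: exactly one extra "/" is tolerated.
    return now < compat_until and iss == EXPECTED_ISS + "/"

def validate(token, key, now, compat_until):
    """Return the claims if signature, expiry and issuer all pass, else None."""
    try:
        head, body, sig = token.split(".")
        header, claims, given = json.loads(_b64d(head)), json.loads(_b64d(body)), _b64d(sig)
    except (ValueError, TypeError):
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return None
    if header.get("alg") != "HS256":
        return None
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):
        return None
    exp, iss = claims.get("exp"), claims.get("iss")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    if not isinstance(iss, str) or not issuer_ok(iss, now, compat_until):
        return None
    return claims
```

Setting `compat_until` to the config-fix deploy time plus `COOKIE_LIFETIME` means a token that still carries the old issuer after that point is rejected even if its own `exp` is later.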

Change #1248000 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[operations/mediawiki-config@master] Revert "Enable JWT session cookie for bot passwords (all wikis) (attempt #2)"

https://gerrit.wikimedia.org/r/1248000

Tgr renamed this task from Remove trailing slash in JWT issuer to Remove trailing slash in issuer for bot password JWT cookies. Mar 4 2026, 1:48 PM

Change #1248007 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[operations/mediawiki-config@master] Fix $wgJwtSessionCookieIssuer

https://gerrit.wikimedia.org/r/1248007

Change #1248000 merged by jenkins-bot:

[operations/mediawiki-config@master] Revert "Enable JWT session cookie for bot passwords (all wikis) (attempt #2)"

https://gerrit.wikimedia.org/r/1248000

Mentioned in SAL (#wikimedia-operations) [2026-03-04T14:19:04Z] <tgr@deploy2002> Started scap sync-world: Backport for [[gerrit:1248000|Revert "Enable JWT session cookie for bot passwords (all wikis) (attempt #2)" (T415007 T418999)]]

Mentioned in SAL (#wikimedia-operations) [2026-03-04T14:21:18Z] <tgr@deploy2002> tgr: Backport for [[gerrit:1248000|Revert "Enable JWT session cookie for bot passwords (all wikis) (attempt #2)" (T415007 T418999)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Change #1248012 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[operations/mediawiki-config@master] Enable JWT session cookie for bot passwords (all wikis) (attempt #3)

https://gerrit.wikimedia.org/r/1248012

Mentioned in SAL (#wikimedia-operations) [2026-03-04T14:26:24Z] <tgr@deploy2002> Finished scap sync-world: Backport for [[gerrit:1248000|Revert "Enable JWT session cookie for bot passwords (all wikis) (attempt #2)" (T415007 T418999)]] (duration: 07m 19s)

The gateway expects no trailing slash and will ignore tokens that have it.

Hi! I was looking into this task and noticed that several patches were already deployed in operations/mediawiki-config related to $wgJwtSessionCookieIssuer.

Is there any remaining work needed here, or can this task be considered resolved?

Change #1248007 merged by jenkins-bot:

[operations/mediawiki-config@master] Fix $wgJwtSessionCookieIssuer

https://gerrit.wikimedia.org/r/1248007

Mentioned in SAL (#wikimedia-operations) [2026-03-04T20:57:33Z] <tgr@deploy2002> Started scap sync-world: Backport for [[gerrit:1248007|Fix $wgJwtSessionCookieIssuer (T415007 T418999)]]

Mentioned in SAL (#wikimedia-operations) [2026-03-04T20:59:38Z] <tgr@deploy2002> tgr: Backport for [[gerrit:1248007|Fix $wgJwtSessionCookieIssuer (T415007 T418999)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Mentioned in SAL (#wikimedia-operations) [2026-03-04T21:07:28Z] <tgr@deploy2002> Finished scap sync-world: Backport for [[gerrit:1248007|Fix $wgJwtSessionCookieIssuer (T415007 T418999)]] (duration: 09m 55s)

@Mounil2005 See the "Related Changes in Gerrit" list above: More work is needed.

Change #1248012 merged by jenkins-bot:

[operations/mediawiki-config@master] Enable JWT session cookie for bot passwords (all wikis) (attempt #3)

https://gerrit.wikimedia.org/r/1248012

Mentioned in SAL (#wikimedia-operations) [2026-03-04T21:40:52Z] <tgr@deploy2002> Started scap sync-world: Backport for [[gerrit:1248012|Enable JWT session cookie for bot passwords (all wikis) (attempt #3) (T415007 T418999)]]

Mentioned in SAL (#wikimedia-operations) [2026-03-04T21:43:00Z] <tgr@deploy2002> tgr: Backport for [[gerrit:1248012|Enable JWT session cookie for bot passwords (all wikis) (attempt #3) (T415007 T418999)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Mentioned in SAL (#wikimedia-operations) [2026-03-04T21:47:56Z] <tgr@deploy2002> Finished scap sync-world: Backport for [[gerrit:1248012|Enable JWT session cookie for bot passwords (all wikis) (attempt #3) (T415007 T418999)]] (duration: 07m 05s)

DAlangi_WMF changed the task status from Open to In Progress. Mar 4 2026, 10:52 PM
DAlangi_WMF assigned this task to Tgr.

@Mounil2005 done now, and in any case it's pretty involved and not a new task for a new contributor. Unfortunately we don't have a great way to suggest good tasks, outside the pretty limited good first task project. You could look at our Patches welcome column, but 1) some of the tasks in it are very complex or very large, 2) just because we aren't working on it, another team might (you can usually figure it out from the project tags but the exact convention changes from team to team).

Disabled bot password JWTs at 14:26 UTC, reenabled with the correct issuer at 21:48 UTC.

Thanks for catching the issue @DAlangi_WMF.