Page MenuHomePhabricator
Create Task
Maniphest T420106

rest gateway: assign unauthed-bot class for trust level C without valid token
Closed, ResolvedPublicBUG REPORT
Actions

Description

Currently, the classification code in the REST gateway does not correctly handle the case where there is no valid token, but we still got trust level C. This causes the request to be classified as "anon", even though it has a compliant User-Agent header (and x-ua-contact). In theory, trsut level C should only be assigned if there is a valid token, but apparently the checks in Envoy are more strict than the ones in haproxy. I suspect this happens for requests that have a properly signed but expired token.

The REST gateway should treat requests without a valid token but with trust level C and a x-us-contact header as if it had trust level D.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
rest-gateway: handle trust level C with invalid token.operations/deployment-chartsmaster+25 -3
Customize query in gerrit

Related Objects
Search...

Event Timeline

daniel created this task.Mar 14 2026, 3:18 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 14 2026, 3:18 PM
daniel triaged this task as High priority.Mar 14 2026, 3:18 PM
daniel added a parent task: T412585: Epic: Enforce API rate limits (WE5.1.3c).
daniel mentioned this in T420011: Intermittent rate limiting at hackathon-northwestern-europe-2026.Mar 14 2026, 4:18 PM
daniel updated the task description. (Show Details)
Novem_Linguae subscribed.Mar 14 2026, 8:42 PM
gerritbot added a comment.Mar 15 2026, 4:41 PM

Change #1252658 had a related patch set uploaded (by Daniel Kinzler; author: Daniel Kinzler):

[operations/deployment-charts@master] rest-gateway: handle trust level C with invalid token.

https://gerrit.wikimedia.org/r/1252658

gerritbot added a project: Patch-For-Review.Mar 15 2026, 4:41 PM
OWresch-WMF assigned this task to daniel.Mar 16 2026, 3:25 PM
OWresch-WMF moved this task from Inbox, needs triage to Q3 Kanban Board on the MediaWiki-Platform-Team board.
OWresch-WMF edited projects, added MediaWiki-Platform-Team (Q3 Kanban Board); removed MediaWiki-Platform-Team.
OWresch-WMF moved this task from Essential Work to In Progress on the MediaWiki-Platform-Team (Q3 Kanban Board) board.
Xqt subscribed.Mar 17 2026, 2:07 AM
gerritbot added a comment.Mar 17 2026, 10:44 AM

Change #1252658 merged by jenkins-bot:

[operations/deployment-charts@master] rest-gateway: handle trust level C with invalid token.

https://gerrit.wikimedia.org/r/1252658

Maintenance_bot removed a project: Patch-For-Review.Mar 17 2026, 11:31 AM
daniel closed this task as Resolved.Mar 20 2026, 2:37 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits