Page MenuHomePhabricator
Create Task
Maniphest T422218

Marking cross-wiki notifications as read doesn't work
Closed, ResolvedPublicBUG REPORT
Actions

Assigned To
matmarex
Authored By
Quiddity
Thu, Apr 2, 10:46 PM
Tags
Referenced Files
F75316237: After.mp4
Wed, Apr 8, 10:50 AM
F75316204: Before.mp4
Wed, Apr 8, 10:50 AM
F74855125: simplescreenrecorder-2026-04-02_15.41.40.webm
Thu, Apr 2, 10:46 PM
F74855039: simplescreenrecorder-2026-04-02_15.39.50.mp4
Thu, Apr 2, 10:46 PM
F74854987: simplescreenrecorder-2026-04-02_15.38.30.ogg
Thu, Apr 2, 10:46 PM
Subscribers
A_smart_kitten
Aklapper
ClaudineChionh
DAlangi_WMF
Dragoniez
Hakimi97
IKhitron
View All 19 Subscribers

Description

Steps to replicate the issue:

  • Have an unread notification at a wiki.
  • Go to another SUL wiki
  • Try to mark the cross-wiki notification as read.

What happens?:

  • The notification is not marked as read (unless we do so at the originating wiki)

Other information:
Screencast,

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
ForeignWikiRequest: Pass session to internal 'centralauthtoken' requestmediawiki/extensions/EchoREL1_43+2 -1
ForeignWikiRequest: Pass session to internal 'centralauthtoken' requestmediawiki/extensions/EchoREL1_45+2 -1
ForeignWikiRequest: Pass session to internal 'centralauthtoken' requestmediawiki/extensions/EchoREL1_44+2 -1
ForeignWikiRequest: Pass session to internal 'centralauthtoken' requestmediawiki/extensions/Echomaster+2 -1
ForeignWikiRequest: Pass session to internal 'centralauthtoken' requestmediawiki/extensions/Echowmf/1.46.0-wmf.23+2 -1
ForeignWikiRequest: Pass session to internal 'centralauthtoken' requestmediawiki/extensions/Echowmf/1.46.0-wmf.22+2 -1
Customize query in gerrit

Related Objects

Event Timeline

Quiddity created this task.Thu, Apr 2, 10:46 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptThu, Apr 2, 10:46 PM
Quiddity updated the task description. (Show Details)Thu, Apr 2, 11:56 PM
Johannnes89 subscribed.Fri, Apr 3, 6:34 AM
Urbanecm_WMF subscribed.Fri, Apr 3, 10:18 AM

I can reproduce this. This is what I see in the network tab:

{
    "query": {
        "echomarkread": {
            "result": "success",
            "errors": {
                "enwiki": {
                    "code": "badtoken",
                    "info": "Invalid CSRF token.",
                    "*": "See https://en.wikipedia.org/w/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/postorius/lists/mediawiki-api-announce.lists.wikimedia.org/> for notice of API deprecations and breaking changes."
                }
            },
            "alert": {
                "rawcount": 17,
                "count": "17"
            },
            "message": {
                "rawcount": 3,
                "count": "3"
            },
            "rawcount": 20,
            "count": "20"
        }
    }
}
Urbanecm_WMF added a comment.Fri, Apr 3, 10:51 AM

Echo handles cross-wiki actions by issuing API requests. Authentication is done through centralauthtoken (which is a JWT token that can be requested via action=centralauthtoken, and it can be passed as an API parameter to any wiki in the farm, and it will be considered authenticated). This is what I did to replicate what Echo does internally:

  1. When logged in to my staff account, I visited https://test.wikipedia.org/wiki/Special:ApiSandbox and submitted action=centralauthtoken as an API call
  2. In an inkognito window (logged OUT), I visited https://en.wikipedia.org/wiki/Special:ApiSandbox and requested a CSRF token (action=query&meta=tokens&type=csrf&centralauthtoken=(REDACTED) (using the actual JWT token from step 1)
  3. I copied the resulting csrftoken and closed the inkognito window
  4. I repeated step 1 to generate a fresh JWT token (it is valid for a single request only)
  5. In a fresh inkognito window, I visited https://en.wikipedia.org/wiki/Special:ApiSandbox and marked my notifications as read (action=echomarkread&list=344509906&wikis=enwiki&token=(REDACTED))
  6. API call succeeded

I tried separate variations of the above steps. The only way I was able to get a CSRF failure was when the enwiki request to echomarkread was logged in (rather than authenticated via centralauthtoken).

This makes me think the underlying process works, and Echo is not passing something somewhere correctly (either the centralauthtoken, or the CSRF token).

Urbanecm_WMF added a comment.Fri, Apr 3, 3:02 PM

From Echo's perspective, everything seems to be done correctly. I've inspected the individual API calls, and the flow makes sense:

  • all of the requests are authenticated (using the centralauth token),
  • tokens are passed on correctly (what Echo gets is what it passes on to the foreign wikis),
  • but for some reason, the token is refused

I'm not sure what requirements tokens have. It might be useful having MediaWiki-Engineering a look as well.

Urbanecm_WMF added a comment.Fri, Apr 3, 3:03 PM

@Quiddity Do you know when this started (approximately)?

Urbanecm_WMF triaged this task as High priority.Fri, Apr 3, 3:04 PM
A_smart_kitten added a project: Regression.Fri, Apr 3, 5:42 PM
A_smart_kitten subscribed.
matmarex subscribed.Fri, Apr 3, 6:18 PM
Quiddity added a comment.Fri, Apr 3, 7:47 PM
In T422218#11785736, @Urbanecm_WMF wrote:

@Quiddity Do you know when this started (approximately)?

It definitely started this week. I'd guess it started on Thursday, as I interact with cross-wiki notifications a lot, and I only noticed it on Thursday.

IKhitron awarded a token.Fri, Apr 3, 10:19 PM
IKhitron subscribed.
Minorax subscribed.Sat, Apr 4, 5:45 AM
Mbch331 subscribed.Sat, Apr 4, 9:28 AM
Johannnes89 mentioned this in T422297: Echo fails to fetch notifications for temporary accounts.Sat, Apr 4, 4:15 PM
Dragoniez subscribed.Sat, Apr 4, 4:17 PM
Hakimi97 subscribed.Sat, Apr 4, 11:25 PM
matmarex added a comment.EditedSun, Apr 5, 1:07 AM

This is probably not related to the problems with notifications caused by the security patch on T420154, although I won't say that with certainty until we fix those problems and this one remains unfixed.

The recent changes to centralauthtoken (T420280) are probably also not related. It seems that these tokens are working correctly, it's the csrf tokens that don't work.

csrf tokens are tied to sessions. But until this bug, they have worked when passing them between two centralauthtoken-authenticated sessions, and they still work when I make basically the same chain of requests in my browser:

mw.ForeignApi.prototype.checkForeignLogin = () => $.Deferred().reject(); // ensure you don't hit an optimization that skips 'centralauthtoken' if third-party cookies work
await new mw.ForeignApi('https://de.wikipedia.org/w/api.php').postWithToken('csrf', {action: 'checktoken', type: 'csrf'}) // => result: "valid", ...

This could be a "stale read" issue. We're now back to a multi-DC configuration after the datacenter switchover, and sessions are synced between datacenters (and also between multiple instances in each datacenter, I think). Maybe this syncing now takes a tiny bit longer, and the code trying to read the session is accessing a different instance then the code writing it, and getting an old result that doesn't have the token?

I'm not sure about this hypothesis, but you could check it quickly by adding a sleep( 1 ); in Echo's getCentralAuthToken() method after $api->execute();. If that makes it work, we should ask a session store expert from SRE for advice on how to resolve the problem in a better way.

Nemoralis subscribed.Sun, Apr 5, 3:48 AM
Novem_Linguae subscribed.Sun, Apr 5, 8:24 AM
Novem_Linguae added a comment.Sun, Apr 5, 8:29 AM

I encountered the problem a couple times a couple days ago. Almost filed a ticket, but then I wasn't able to reproduce. Seems intermittent.

This is a similar symptom to my 2024 ticket T369451: Intermittent empty and un-dismissible cross-wiki notifications, but surely a different root cause since that one's been fixed for awhile.

Tenshi_Hinanawi subscribed.Sun, Apr 5, 9:17 PM
matmarex mentioned this in T421168: Increased rate of badtoken errors / session store issues due to datacenter switchover?.Mon, Apr 6, 5:41 PM
Urbanecm_WMF added a comment.EditedMon, Apr 6, 9:09 PM
In T422218#11787912, @matmarex wrote:

This is probably not related to the problems with notifications caused by the security patch on T420154, although I won't say that with certainty until we fix those problems and this one remains unfixed.

I've finished backporting and I can still reproduce this issue, unfortunately.

The recent changes to centralauthtoken (T420280) are probably also not related. It seems that these tokens are working correctly, it's the csrf tokens that don't work.

Agreed.

This could be a "stale read" issue. We're now back to a multi-DC configuration after the datacenter switchover, and sessions are synced between datacenters (and also between multiple instances in each datacenter, I think). Maybe this syncing now takes a tiny bit longer, and the code trying to read the session is accessing a different instance then the code writing it, and getting an old result that doesn't have the token?

I'm not sure about this hypothesis, but you could check it quickly by adding a sleep( 1 ); in Echo's getCentralAuthToken() method after $api->execute();. If that makes it work, we should ask a session store expert from SRE for advice on how to resolve the problem in a better way.

I added sleep( 2 ); at line 102 of ForeignWikiRequest in Echo at mw-experimental. That didn't fix the issue :-/.

Urbanecm_WMF added a comment.EditedMon, Apr 6, 9:12 PM

While testing using mw-experimental, I decided to try this with wmf.21 applied. I was unable to reproduce this with wmf.21. This means that:

As far as I understand things, this also means the centralauthtoken changes are not causing this (as they were backported to wmf.21 as well).

Urbanecm_WMF added a comment.Mon, Apr 6, 9:54 PM

I collected two verbose logs, one with wmf.22 (issue reproduced) and other with wmf.21 (issue not reproduced):

  • wmf.21 (reqId:"97dc89a6-1727-4e96-8edd-082c1615f681"), Logstash
  • wmf.22 (reqId:"8683fe43-09f8-48a6-8065-6dfe1d277f64"), Logstash
A_smart_kitten merged a task: T422477: Notifications from other projects are not marked as read.Tue, Apr 7, 10:51 AM
A_smart_kitten added a subscriber: Nux.
Ponor subscribed.Tue, Apr 7, 1:36 PM
Joy subscribed.Tue, Apr 7, 3:08 PM
matmarex claimed this task.Tue, Apr 7, 5:44 PM
matmarex added a project: MediaWiki-Platform-Team.

This is caused by 1261439 Add ApiCentralAuthTokenTest. I was able to reproduce locally after setting up cross-wiki notifications. We changed SessionManager::getGlobalSession() to $this->getRequest()->getSession() in order to make the code easier to test, expecting this to be a no-op change, but it turns out that this reveals a bug in the Echo code, which does not pass the correct session when constructing the FauxRequest for the internal API call (here).

Thanks for the testing @Urbanecm_WMF, that really helped narrow it down. I guess it's our problem now :)

gerritbot added a comment.Tue, Apr 7, 6:01 PM

Change #1268613 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/extensions/Echo@master] ForeignWikiRequest: Pass session to internal 'centralauthtoken' request

https://gerrit.wikimedia.org/r/1268613

gerritbot added a project: Patch-For-Review.Tue, Apr 7, 6:01 PM
gerritbot added a comment.Tue, Apr 7, 6:45 PM

Change #1268633 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/extensions/Echo@wmf/1.46.0-wmf.22] ForeignWikiRequest: Pass session to internal 'centralauthtoken' request

https://gerrit.wikimedia.org/r/1268633

gerritbot added a comment.Tue, Apr 7, 6:45 PM

Change #1268634 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/extensions/Echo@wmf/1.46.0-wmf.23] ForeignWikiRequest: Pass session to internal 'centralauthtoken' request

https://gerrit.wikimedia.org/r/1268634

gerritbot added a comment.Tue, Apr 7, 9:08 PM

Change #1268633 merged by jenkins-bot:

[mediawiki/extensions/Echo@wmf/1.46.0-wmf.22] ForeignWikiRequest: Pass session to internal 'centralauthtoken' request

https://gerrit.wikimedia.org/r/1268633

Stashbot mentioned this in T421629: TOC missing with Parsoid on some wikis (except for Vector 2022).Tue, Apr 7, 9:09 PM
Stashbot mentioned this in T422512: Remove Navigation Menu Link Instrumentation.

Mentioned in SAL (#wikimedia-operations) [2026-04-07T21:09:01Z] <cscott@deploy1003> Started scap sync-world: Backport for [[gerrit:1268600|Ensure RevisionOutputCache uses post-processing options where appropriate (T421629)]], [[gerrit:1268625|Remove Navigation Menu Link Instrumentation on Personal Dashboard (T422512)]], [[gerrit:1268633|ForeignWikiRequest: Pass session to internal 'centralauthtoken' request (T422218)]], [[gerrit:1268651|PHP SDK: Handle experiment config missing or

Stashbot added a comment.Tue, Apr 7, 9:10 PM

Mentioned in SAL (#wikimedia-operations) [2026-04-07T21:10:51Z] <cscott@deploy1003> cscott, kgraessle, sfaci, matmarex: Backport for [[gerrit:1268600|Ensure RevisionOutputCache uses post-processing options where appropriate (T421629)]], [[gerrit:1268625|Remove Navigation Menu Link Instrumentation on Personal Dashboard (T422512)]], [[gerrit:1268633|ForeignWikiRequest: Pass session to internal 'centralauthtoken' request (T422218)]], [[gerrit:1268651|PHP SDK: Handle experiment config

Stashbot added a comment.Tue, Apr 7, 9:17 PM

Mentioned in SAL (#wikimedia-operations) [2026-04-07T21:17:54Z] <cscott@deploy1003> Finished scap sync-world: Backport for [[gerrit:1268600|Ensure RevisionOutputCache uses post-processing options where appropriate (T421629)]], [[gerrit:1268625|Remove Navigation Menu Link Instrumentation on Personal Dashboard (T422512)]], [[gerrit:1268633|ForeignWikiRequest: Pass session to internal 'centralauthtoken' request (T422218)]], [[gerrit:1268651|PHP SDK: Handle experiment config missing or

gerritbot added a comment.Tue, Apr 7, 9:21 PM

Change #1268634 merged by jenkins-bot:

[mediawiki/extensions/Echo@wmf/1.46.0-wmf.23] ForeignWikiRequest: Pass session to internal 'centralauthtoken' request

https://gerrit.wikimedia.org/r/1268634

ClaudineChionh subscribed.Tue, Apr 7, 9:30 PM
Stashbot mentioned this in T422112: PHP Warning: Trying to access array offset on null.Tue, Apr 7, 9:31 PM
Stashbot mentioned this in T422394: CTT tasks week of 2026-04-03.

Mentioned in SAL (#wikimedia-operations) [2026-04-07T21:31:06Z] <cscott@deploy1003> Started scap sync-world: Backport for [[gerrit:1268654|PHP SDK: Handle experiment config missing or malformed (T422112)]], [[gerrit:1268634|ForeignWikiRequest: Pass session to internal 'centralauthtoken' request (T422218)]], [[gerrit:1268653|Remove Navigation Menu Link Instrumentation on Personal Dashboard (T422512)]], [[gerrit:1268648|Bump wikimedia/parsoid to 0.23.0-a26 (T422394)]], [[gerrit:12686

Stashbot added a comment.Tue, Apr 7, 9:33 PM

Mentioned in SAL (#wikimedia-operations) [2026-04-07T21:32:55Z] <cscott@deploy1003> matmarex, sfaci, cscott, kgraessle: Backport for [[gerrit:1268654|PHP SDK: Handle experiment config missing or malformed (T422112)]], [[gerrit:1268634|ForeignWikiRequest: Pass session to internal 'centralauthtoken' request (T422218)]], [[gerrit:1268653|Remove Navigation Menu Link Instrumentation on Personal Dashboard (T422512)]], [[gerrit:1268648|Bump wikimedia/parsoid to 0.23.0-a26 (T422394)]], [[g

Stashbot added a comment.Tue, Apr 7, 9:39 PM

Mentioned in SAL (#wikimedia-operations) [2026-04-07T21:39:25Z] <cscott@deploy1003> Finished scap sync-world: Backport for [[gerrit:1268654|PHP SDK: Handle experiment config missing or malformed (T422112)]], [[gerrit:1268634|ForeignWikiRequest: Pass session to internal 'centralauthtoken' request (T422218)]], [[gerrit:1268653|Remove Navigation Menu Link Instrumentation on Personal Dashboard (T422512)]], [[gerrit:1268648|Bump wikimedia/parsoid to 0.23.0-a26 (T422394)]], [[gerrit:1268

ReleaseTaggerBot added a project: MW-1.46-notes (1.46.0-wmf.23; 2026-04-07).Tue, Apr 7, 10:00 PM
matmarex moved this task from Essential Work to In Progress on the MediaWiki-Platform-Team (Q3 Kanban Board) board.Tue, Apr 7, 10:08 PM
matmarex edited projects, added MediaWiki-Platform-Team (Q3 Kanban Board); removed MediaWiki-Platform-Team.

This is fixed on Wikimedia wikis now.

DAlangi_WMF subscribed.Wed, Apr 8, 10:50 AM
In T422218#11796870, @matmarex wrote:

This is fixed on Wikimedia wikis now.

Thanks for fixing this issue @matmarex. I tested it locally and it seems to work

beforeafter
gerritbot added a comment.Wed, Apr 8, 11:03 AM

Change #1268613 merged by jenkins-bot:

[mediawiki/extensions/Echo@master] ForeignWikiRequest: Pass session to internal 'centralauthtoken' request

https://gerrit.wikimedia.org/r/1268613

Maintenance_bot removed a project: Patch-For-Review.Wed, Apr 8, 11:31 AM
ReleaseTaggerBot edited projects, added MW-1.46-notes (1.46.0-wmf.24; 2026-04-14); removed MW-1.46-notes (1.46.0-wmf.23; 2026-04-07).Wed, Apr 8, 12:00 PM
matmarex closed this task as Resolved.Wed, Apr 8, 3:10 PM
gerritbot added a comment.Thu, Apr 9, 6:28 PM

Change #1269556 had a related patch set uploaded (by Reedy; author: Bartosz Dziewoński):

[mediawiki/extensions/Echo@REL1_45] ForeignWikiRequest: Pass session to internal 'centralauthtoken' request

https://gerrit.wikimedia.org/r/1269556

gerritbot added a project: Patch-For-Review.Thu, Apr 9, 6:28 PM

Change #1269557 had a related patch set uploaded (by Reedy; author: Bartosz Dziewoński):

[mediawiki/extensions/Echo@REL1_44] ForeignWikiRequest: Pass session to internal 'centralauthtoken' request

https://gerrit.wikimedia.org/r/1269557

gerritbot added a comment.Thu, Apr 9, 6:32 PM

Change #1269558 had a related patch set uploaded (by Reedy; author: Bartosz Dziewoński):

[mediawiki/extensions/Echo@REL1_43] ForeignWikiRequest: Pass session to internal 'centralauthtoken' request

https://gerrit.wikimedia.org/r/1269558

gerritbot added a comment.Thu, Apr 9, 6:36 PM

Change #1269557 merged by jenkins-bot:

[mediawiki/extensions/Echo@REL1_44] ForeignWikiRequest: Pass session to internal 'centralauthtoken' request

https://gerrit.wikimedia.org/r/1269557

gerritbot added a comment.Thu, Apr 9, 6:36 PM

Change #1269556 merged by jenkins-bot:

[mediawiki/extensions/Echo@REL1_45] ForeignWikiRequest: Pass session to internal 'centralauthtoken' request

https://gerrit.wikimedia.org/r/1269556

gerritbot added a comment.Thu, Apr 9, 6:40 PM

Change #1269558 merged by jenkins-bot:

[mediawiki/extensions/Echo@REL1_43] ForeignWikiRequest: Pass session to internal 'centralauthtoken' request

https://gerrit.wikimedia.org/r/1269558

Maintenance_bot removed a project: Patch-For-Review.Thu, Apr 9, 7:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits