
Redirecting client to Special:MWOAuth/authorize more than once results in database error
Closed, Resolved | Public

Description

If a user is sent to https://www.mediawiki.org/wiki/Special:MWOAuth/authorize?oauth_token=...&oauth_consumer_key=... while there still is an active authorization, the user is presented with

Hi Valhallasw,
Gerrit Patch Uploader would like to have basic access on your behalf on media.wikipedia.org.
[Cancel] [Allow]

Clicking Allow results in

Database error
A database query error has occurred. This may indicate a bug in the software.
Function: MWOAuthDAO::save
Error: 1062 Duplicate entry '5005-4-mediawiki' for key 'oaac_user_consumer_wiki' (10.64.16.8)

Expected behavior would be a redirect back to the application, as the application is still authorized.


Version: master
Severity: normal

Details

Reference
bz55580

Event Timeline

bzimport raised the priority of this task from to Needs Triage. (Nov 22 2014, 2:25 AM)
bzimport set Reference to bz55580.
bzimport added a subscriber: Unknown Object (MLST).

I see two problems going on here.

First, WikiMap::getWikiName( 'mediawiki' ) will happily return a reference to "media.wikipedia.org" rather than returning null because that wiki doesn't actually exist. Fun. Your client is created for that non-existent wiki rather than for mediawikiwiki. I suppose in our validation for the input we could try wfGetDB() instead, does that seem sane?

Second, Special:MWOAuth needs to either reject if someone tries to hit it for a client where $cmr->get( 'wiki' ) !== '*' and !== wfWikiId() or the call to $oauthServer->getCurrentAuthorization() needs to return the authorization for $cmr->get( 'wiki' ) rather than wfWikiId(). I'm not sure what the intended design is. Chris or Aaron?

Change 89101 had a related patch set uploaded by Aaron Schulz:
Improve wiki ID field validation due to SiteConfiguration oddness

https://gerrit.wikimedia.org/r/89101

Change 89101 merged by jenkins-bot:
Improve wiki ID field validation due to SiteConfiguration oddness

https://gerrit.wikimedia.org/r/89101

First problem solved, marking as new because the second problem remains.

Change 89107 had a related patch set uploaded by Aaron Schulz:
Avoid duplicate key error on /authorize page

https://gerrit.wikimedia.org/r/89107

Change 89107 merged by jenkins-bot:
Avoid duplicate key error on /authorize page

https://gerrit.wikimedia.org/r/89107
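
The second problem described in the thread, as an added example that is not part of the original task and is not the extension's code: a Python/sqlite3 model in which the authorization lookup and the save use different wiki keys, next to the two options raised in the comment. The table layout, function names and return strings are assumptions made for illustration; only the key columns (user, consumer, wiki) and the values 5005, 4, 'mediawiki' and 'mediawikiwiki' come from the page.

```python
import sqlite3

# Constructed from the error message and comment: user 5005, consumer 4 registered
# for 'mediawiki', while the wiki serving the request is 'mediawikiwiki'.
USER_ID, CONSUMER, CURRENT_WIKI = 5005, {"id": 4, "wiki": "mediawiki"}, "mediawikiwiki"

def make_db():
    db = sqlite3.connect(":memory:")
    # Unique key modelled on oaac_user_consumer_wiki (user, consumer, wiki).
    db.execute("CREATE TABLE acceptance (user_id INTEGER, consumer_id INTEGER, "
               "wiki TEXT, UNIQUE (user_id, consumer_id, wiki))")
    return db

def find_authorization(db, user_id, consumer_id, wiki):
    return db.execute(
        "SELECT 1 FROM acceptance WHERE user_id=? AND consumer_id=? AND wiki=?",
        (user_id, consumer_id, wiki)).fetchone()

def save_authorization(db, user_id, consumer_id, wiki):
    db.execute("INSERT INTO acceptance VALUES (?, ?, ?)", (user_id, consumer_id, wiki))

def authorize_mismatched(db, user_id, consumer, current_wiki):
    # Lookup keyed on the serving wiki, save keyed on the consumer's wiki:
    # the existing row is never found, so the second visit inserts a duplicate.
    if not find_authorization(db, user_id, consumer["id"], current_wiki):
        save_authorization(db, user_id, consumer["id"], consumer["wiki"])
    return "redirect"

def authorize_consistent(db, user_id, consumer, current_wiki, reject_foreign=False):
    # Option 1 from the comment: refuse a consumer bound to a different wiki.
    if reject_foreign and consumer["wiki"] not in ("*", current_wiki):
        return "rejected"
    # Option 2: look up under the same wiki key that the save will use.
    if not find_authorization(db, user_id, consumer["id"], consumer["wiki"]):
        save_authorization(db, user_id, consumer["id"], consumer["wiki"])
    return "redirect"

def visit_twice(authorize, **kwargs):
    """Send the same user to the authorize step twice and record each outcome."""
    db, outcomes = make_db(), []
    for _ in range(2):
        try:
            outcomes.append(authorize(db, USER_ID, CONSUMER, CURRENT_WIKI, **kwargs))
        except sqlite3.IntegrityError:
            outcomes.append("database error")
    return outcomes

if __name__ == "__main__":
    for fn, kw in ((authorize_mismatched, {}), (authorize_consistent, {}),
                   (authorize_consistent, {"reject_foreign": True})):
        print(fn.__name__, kw, visit_twice(fn, **kw))
```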