Page MenuHomePhabricator
Create Task
Maniphest T74500

Flow: clicking watch star in topic titlebar doesn't handle badtoken timeout
Closed, ResolvedPublic
Actions

Description

Version: master
Severity: normal

Details

Reference
bz72500

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 3:49 AM
bzimport added a project: StructuredDiscussions.
bzimport set Reference to bz72500.
Spage created this task.Oct 24 2014, 10:39 PM
Spage added a comment.Oct 24 2014, 10:58 PM

I returned to a Flow board in my browser after an hour or so of inactivity. Clicking the watch star in any topic titlebar failed with "Invalid token" in a pink errorbox, and in the browser console Net tab the API post returns error.code='badtoken'.

My understanding is the API postWithToken() call should automatically request a new token. I clicked the skin's watch star at the top of the Flow board and its initial request also failed with badtoken, but as expected it issued a get for token, retried, and succeeded.

Clicking Reply on a post did the same fail, get token, retry dance ending in success. The API response included warnings below, but it worked.

"warnings": {
  "main":{
    "*":"Unrecognized parameter: '_'"},
   "tokens":{"*":"action=tokens has been deprecated. Please use action=query&meta=tokens instead."}
 },

Even after these successfully API requests, clicking a titlebar watch star continues to fail with "Invalid token" because Flow continues to make API post requests with the old wrong watch token.

The workaround for a user is to reload the Flow board.

Spage added a comment.Oct 24 2014, 11:48 PM

The problem is FlowBoardComponentApiEventsMixin.UI.events.apiPreHandlers.watchItem() sets the request up with

token: mw.user.tokens.get( 'watchToken' );

This is a static assignment, it doesn't check if the token is still good.

as a result flowApiCall does a plain mwApi.post with this token, rather than a mwApi.postWithToken( 'watch', params ) which would correctly fetch a new token.

The logic needs to be changed. E.g. the apiPreHandler can supply a tokenName: 'watch' rather than the static value of a token, and flowApiCall() always invokes mwApi.postWithToken passing tokenName or the default 'edit'. Or perhaps Flow could invoke mediawiki.api.watch's watch()/unwatch() instead of calling the API itself.

DannyH added a comment.Oct 28 2014, 11:06 PM

added to backlog: https://trello.com/c/WZibCplx

bzimport added a comment.Nov 12 2014, 5:18 AM

gerritadmin wrote:

Change 172668 had a related patch set uploaded by Mattflaschen:
Use core's postWithToken for watching, which handles badtoken

https://gerrit.wikimedia.org/r/172668

bzimport added a comment.Nov 18 2014, 12:13 AM

gerritadmin wrote:

Change 172668 merged by jenkins-bot:
Use core's postWithToken for watching, which handles badtoken

https://gerrit.wikimedia.org/r/172668

Quiddity removed a subscriber: Maryana.Dec 19 2014, 1:39 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL