
Flow: clicking watch star in topic titlebar doesn't handle badtoken timeout
Closed, Resolved (Public)

Description


Version: master
Severity: normal

Details

Reference
bz72500

Event Timeline

bzimport raised the priority of this task from to Medium. Nov 22 2014, 3:49 AM
bzimport set Reference to bz72500.

I returned to a Flow board in my browser after an hour or so of inactivity. Clicking the watch star in any topic titlebar failed with "Invalid token" in a pink errorbox, and in the browser console Net tab the API post returns error.code='badtoken'.

My understanding is the API postWithToken() call should automatically request a new token. I clicked the skin's watch star at the top of the Flow board and its initial request also failed with badtoken, but as expected it issued a get for token, retried, and succeeded.

Clicking Reply on a post did the same fail, get token, retry dance ending in success. The API response included warnings below, but it worked.

"warnings": {
  "main": {
    "*": "Unrecognized parameter: '_'"
  },
  "tokens": {
    "*": "action=tokens has been deprecated. Please use action=query&meta=tokens instead."
  }
},

Even after these successful API requests, clicking a titlebar watch star continues to fail with "Invalid token" because Flow continues to make API post requests with the old wrong watch token.

The workaround for a user is to reload the Flow board.

The problem is FlowBoardComponentApiEventsMixin.UI.events.apiPreHandlers.watchItem() sets the request up with

token: mw.user.tokens.get( 'watchToken' );

This is a static assignment; it doesn't check if the token is still good.

As a result, flowApiCall does a plain mwApi.post with this token, rather than a mwApi.postWithToken( 'watch', params ) which would correctly fetch a new token.

The logic needs to be changed. E.g. the apiPreHandler can supply a tokenName: 'watch' rather than the static value of a token, and flowApiCall() always invokes mwApi.postWithToken passing tokenName or the default 'edit'. Or perhaps Flow could invoke mediawiki.api.watch's watch()/unwatch() instead of calling the API itself.
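
The difference between the two patterns described in the report above, as an added example that is not part of the original task or Flow's code. It is a constructed, synchronous simulation: `makeServer`, `makeClient` and `demo` are hypothetical names, and the retry logic assumes only the behaviour the report attributes to postWithToken (fetch a new token and retry after `badtoken`).

```javascript
// Constructed simulation; makeServer/makeClient are hypothetical names,
// not MediaWiki's mw.Api code.
function makeServer() {
  let generation = 1;
  const current = () => 'watch-' + generation;
  return {
    expireSession() { generation += 1; },   // old tokens stop validating
    getToken() { return current(); },
    post(params) {
      return params.token === current()
        ? { watch: { title: params.titles, watched: true } }
        : { error: { code: 'badtoken', info: 'Invalid token' } };
    }
  };
}

function makeClient(server) {
  const cache = {};   // tokenName -> last token fetched
  let fetches = 0;
  function getToken(name, refresh) {
    if (refresh || !(name in cache)) { cache[name] = server.getToken(name); fetches += 1; }
    return cache[name];
  }
  const send = (params, token) => server.post(Object.assign({}, params, { token }));
  return {
    // Reported pattern: a token value captured once and reused forever.
    postStatic: (params, token) => send(params, token),
    // Requested pattern: pass the token name; refresh and retry once on badtoken.
    postWithToken(name, params) {
      let res = send(params, getToken(name, false));
      if (res.error && res.error.code === 'badtoken') {
        res = send(params, getToken(name, true));   // single retry, never a loop
      }
      return res;
    },
    tokenFetches: () => fetches
  };
}

function demo() {
  const server = makeServer();
  const client = makeClient(server);
  const params = { action: 'watch', titles: 'Topic:Example' };   // constructed title
  const pageLoadToken = server.getToken();   // stands in for the token embedded at page load
  client.postWithToken('watch', params);     // primes the cache while the token is valid
  server.expireSession();                    // user idles; token goes stale
  const staticFirst = client.postStatic(params, pageLoadToken);
  const retried = client.postWithToken('watch', params);
  const staticAgain = client.postStatic(params, pageLoadToken);
  return { staticFirst, retried, staticAgain, fetches: client.tokenFetches() };
}
```

`staticAgain` still fails after the successful retry because the refreshed token lives only in the client's cache, which is the "continues to fail" behaviour the report describes.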

gerritadmin wrote:

Change 172668 had a related patch set uploaded by Mattflaschen:
Use core's postWithToken for watching, which handles badtoken

https://gerrit.wikimedia.org/r/172668

gerritadmin wrote:

Change 172668 merged by jenkins-bot:
Use core's postWithToken for watching, which handles badtoken

https://gerrit.wikimedia.org/r/172668

Quiddity removed a subscriber: Maryana. Dec 19 2014, 1:39 AM