Tgr (Gergő Tisza)
Software Engineer, WMF

Projects (42)

User Details

User Since: Sep 19 2014, 4:55 PM (538 w, 3 d)
Availability: Available
IRC Nick: tgr
LDAP User: Gergő Tisza
MediaWiki User: Tgr (WMF) [ Global Accounts ]

Things my team is working on: MediaWiki-Platform-Team
Side projects I am working on (or planning to, eventually): User-Tgr
You can find more info about me on my user page.

Recent Activity

Yesterday

Tgr added a subtask for T379986: Testing and verification of MediaWiki on PHP 8.1 in mwdebug-next: T383633: Test MediaWiki authentication on PHP 8.1 in mwdebug-next.
Mon, Jan 13, 10:20 PM · MediaWiki-Platform-Team (Radar), Content-Transform-Team, MW-Interfaces-Team, Web-Team, OKR-Work, MediaWiki-Engineering, serviceops
Tgr added a parent task for T383633: Test MediaWiki authentication on PHP 8.1 in mwdebug-next: T379986: Testing and verification of MediaWiki on PHP 8.1 in mwdebug-next.
Mon, Jan 13, 10:20 PM · MediaWiki-Platform-Team
Tgr moved T383633: Test MediaWiki authentication on PHP 8.1 in mwdebug-next from Inbox, needs triage to Current Sprint on the MediaWiki-Platform-Team board.
Mon, Jan 13, 10:20 PM · MediaWiki-Platform-Team
Tgr created T383633: Test MediaWiki authentication on PHP 8.1 in mwdebug-next.
Mon, Jan 13, 10:20 PM · MediaWiki-Platform-Team
Tgr added a comment to T377714: SpecialCentralAuthTest::testViewForLocallyBlockedGlobalAccount failure on TheWikipediaLibrary patches.

I think the more reliable solution would be to add a hook to MediaWikiIntegrationTestCase::resetNonServiceCaches() so that extensions can reset their own caches.
(Or we could just create a CentralAuthUserFactory service and move the cache there, of course.)

Mon, Jan 13, 10:12 PM · MW-1.44-notes (1.44.0-wmf.12; 2025-01-14), Trust and Safety Product Sprint (Sprint Chimes (Dec. 9 - Jan. 17)), MediaWiki-Platform-Team (Radar), Trust and Safety Product Team, Moderator-Tools-Team, MW-1.43-notes (1.43.0-wmf.28; 2024-10-22), GlobalBlocking, ci-test-error (WMF-deployed Build Failure), The-Wikipedia-Library, MediaWiki-extensions-CentralAuth
Tgr closed T383513: Cannot log in or perform any actions on Beta Cluster wikis as Resolved.

Optimistically closing, maybe Cassandra just needs a reboot every couple months or something. We'll see whether it repeats.

Mon, Jan 13, 8:17 PM · SRE, MediaWiki-User-login-and-signup, MediaWiki-Platform-Team, Beta-Cluster-Infrastructure
Tgr closed T383513: Cannot log in or perform any actions on Beta Cluster wikis, a subtask of T382363: 1.44.0-wmf.12 deployment blockers, as Resolved.
Mon, Jan 13, 8:17 PM · User-brennen, Release-Engineering-Team (Priority Backlog 📥), Release, Train Deployments
Tgr added a comment to T383513: Cannot log in or perform any actions on Beta Cluster wikis.

systemctl says

Jan 11 08:09:58 deployment-sessionstore06 systemd[1]: cassandra.service: Main process exited, code=killed, status=9/KILL
Jan 11 08:10:07 deployment-sessionstore06 nodetool[922509]: nodetool: Found unexpected parameters: [disablethrift]
Jan 11 08:10:07 deployment-sessionstore06 nodetool[922509]: See 'nodetool help' or 'nodetool help <command>'.
Jan 11 08:10:09 deployment-sessionstore06 nodetool[923332]: nodetool: Failed to connect to '127.0.0.1:7199' - ConnectException: 'Connection refused (Connection refused)'.
Jan 11 08:10:10 deployment-sessionstore06 nodetool[923396]: nodetool: Failed to connect to '127.0.0.1:7199' - ConnectException: 'Connection refused (Connection refused)'.
Jan 11 08:10:12 deployment-sessionstore06 nodetool[923458]: nodetool: Failed to connect to '127.0.0.1:7199' - ConnectException: 'Connection refused (Connection refused)'.
Jan 11 08:10:13 deployment-sessionstore06 nodetool[923520]: nodetool: Failed to connect to '127.0.0.1:7199' - ConnectException: 'Connection refused (Connection refused)'.
Jan 11 08:10:13 deployment-sessionstore06 systemd[1]: cassandra.service: Control process exited, code=exited, status=1/FAILURE
Jan 11 08:10:13 deployment-sessionstore06 systemd[1]: cassandra.service: Failed with result 'oom-kill'.
Jan 11 08:10:13 deployment-sessionstore06 systemd[1]: cassandra.service: Consumed 3min 8.148s CPU time.

free says there's almost 1.5G available, which seems decent. A restart seems to work, with some complaints about free space (but seems to be about disk rather than memory):

Jan 13 19:57:36 deployment-sessionstore06 cassandra[1055000]: WARN  [main] 2025-01-13 19:57:36,983 DatabaseDescriptor.java:1034 - Small commitlog volume detected at '/var/lib/cassandra/commitlog'; setting commitlog_total_space to 4997.  You can override this in cassandra.yaml
Jan 13 19:57:36 deployment-sessionstore06 cassandra[1055000]: WARN  [main] 2025-01-13 19:57:36,987 DatabaseDescriptor.java:650 - Only 13.541GiB free across all data volumes. Consider adding more capacity to your cluster or removing obsolete snapshots
Jan 13 19:57:39 deployment-sessionstore06 cassandra[1055000]: WARN  [main] 2025-01-13 19:57:39,176 StartupChecks.java:257 - JMX is not enabled to receive remote connections. Please see cassandra-env.sh for more info.
Jan 13 19:57:39 deployment-sessionstore06 cassandra[1055000]: WARN  [main] 2025-01-13 19:57:39,211 SigarLibrary.java:172 - Cassandra server running in degraded mode. Is swap disabled? : true,  Address space adequate? : true,  nofile limit adequate? : true, nproc limit adequate? : false

No idea if that's bad.

Mon, Jan 13, 8:00 PM · SRE, MediaWiki-User-login-and-signup, MediaWiki-Platform-Team, Beta-Cluster-Infrastructure
Tgr added a comment to T383513: Cannot log in or perform any actions on Beta Cluster wikis.

Beta cluster Logstash data says that object cache has been unhappy since 11 January.

Mon, Jan 13, 7:46 PM · SRE, MediaWiki-User-login-and-signup, MediaWiki-Platform-Team, Beta-Cluster-Infrastructure
Tgr added a comment to T383318: SpecialImport fails with "AuthManager::autoCreateUser: {username} failed with exception".

Lock wait timeout means the process was waiting for a lock held by another process for more than something like 3s, right? So it's not obvious to me how import being a long-running process would cause this. Or rather, it could cause lock wait timeouts in some other process, if it holds locks, but not in its own process, no?

Mon, Jan 13, 7:37 PM · MediaWiki-Core-Snapshots, MediaWiki-Platform-Team, MediaWiki-extensions-CentralAuth, Wikimedia-production-error
Tgr updated subscribers of T377187: Set up auth.wikimedia.org.

Notes from @elukey on IRC:

17:12 < elukey> IIUC the config needs to run on the deployment servers via puppet run, so the correspondent yaml files for helmfile are updated
17:13 < elukey> and after that, a deploy would need to be kicked off to refresh the httpd config

Mon, Jan 13, 3:01 PM · Patch-For-Review, Traffic, SRE, DNS, MediaWiki-Platform-Team, SUL3
Tgr moved T377187: Set up auth.wikimedia.org from Soon to Current Sprint on the MediaWiki-Platform-Team board.
Mon, Jan 13, 2:57 PM · Patch-For-Review, Traffic, SRE, DNS, MediaWiki-Platform-Team, SUL3
Tgr claimed T377187: Set up auth.wikimedia.org.
Mon, Jan 13, 2:57 PM · Patch-For-Review, Traffic, SRE, DNS, MediaWiki-Platform-Team, SUL3
Tgr closed T372702: editors are repeatedly getting logged out (August 2024) as Resolved.

I think that proves my suspicion that there were two unrelated errors: the one described in T379254 (introduced around August 10 and fixed around November 20) which reduced session lifetime to 24 hours under certain fairly common circumstances, and resulted in a big increase in top-level autologins; and another one which affects fewer people, and can cause multiple logouts on the same wiki within 24 hours.

Mon, Jan 13, 2:52 PM · Trust and Safety Product Team, MW-1.44-notes (1.44.0-wmf.4; 2024-11-19), MW-1.43-notes (1.43.0-wmf.28; 2024-10-22), Temporary accounts, MediaWiki-Platform-Team, Wikidata, MediaWiki-User-login-and-signup
Tgr renamed T383566: Some editors are frequently getting logged out (multiple times a day) from Some editors are frequently getting logged out to Some editors are frequently getting logged out (multiple times a day).
Mon, Jan 13, 2:45 PM · MediaWiki-Platform-Team, MediaWiki-Core-AuthManager
Tgr created T383566: Some editors are frequently getting logged out (multiple times a day).
Mon, Jan 13, 2:44 PM · MediaWiki-Platform-Team, MediaWiki-Core-AuthManager

Sun, Jan 12

Tgr added a subtask for T227447: Librarize i18n-related PHP classes in MediaWiki: T296353: Create composer library for includes/libs/Message.
Sun, Jan 12, 5:26 PM · Patch-For-Review, Librarization, I18n, MediaWiki-Internationalization
Tgr added a parent task for T296353: Create composer library for includes/libs/Message: T227447: Librarize i18n-related PHP classes in MediaWiki.
Sun, Jan 12, 5:26 PM · Librarization, Parsoid-Read-Views (Phase 2 - testwiki Main namespace support), Parsoid
Tgr placed T374184: Using two accounts can lead to login failure with "Session ID/User mismatch" up for grabs.

I'll deprioritize this because it doesn't seem to affect many people and probably only happens in an edge case (switching between multiple accounts). Also I don't have much idea what could be done here, short of someone being able to reproduce and inspect in detail what's happening with the cookies. None of us could reproduce it, and looking through the relevant code didn't surface anything suspect (as far as I can see from the code this behavior should be impossible without manual cookie tampering, which means I'm probably missing something, but just knowing that isn't much help).

Sun, Jan 12, 4:05 PM · MW-1.44-notes (1.44.0-wmf.12; 2025-01-14), Regression, MediaWiki-Platform-Team, MediaWiki-User-login-and-signup, MediaWiki-extensions-CentralAuth

Fri, Jan 10

Tgr added a comment to T382161: Deploy a self-hosted public Matrix server instance.

More specifically, what we want is probably

Fri, Jan 10, 5:43 PM · ERC
Tgr added a comment to T382164: Bridge Matrix to IRC.

The most official bridge is matrix-appservice-irc which seemed fine from a user perspective, but Libera kicked out the official matrix.org bridge because it caused problems at scale. They didn't ban use of matrix-appservice-irc so probably still the way to go.

Fri, Jan 10, 5:23 PM · ERC
Tgr added a comment to T382163: Bridge Matrix to Slack.

Our experience with the "official" matrix-appservice-slack bridge has been pretty disappointing on the WMF internal Matrix instance. There is an Automattic fork which supposedly fixes most of the problems with the bridge, but isn't actively maintained. There are a bunch of alternative bridges but those seem to be meant for users, not admins (i.e. every user would have to set it up separately? I might be misunderstanding how it works).

Fri, Jan 10, 5:20 PM · ERC
Tgr moved T380574: Add SUL3 authentication domain to deploy canary checks from Blocked/waiting to Current Sprint on the MediaWiki-Platform-Team board.
Fri, Jan 10, 2:04 PM · Patch-For-Review, MediaWiki-Platform-Team, Scap, SUL3
Tgr added a comment to T382139: "sub" claim of oauth json web token should be a string.

Please confirm if it is accurate to write this? -- "For tool and extension developers who use the OAuth system: [...]"

Fri, Jan 10, 11:50 AM · User-notice, MW-1.44-notes (1.44.0-wmf.12; 2025-01-14), MediaWiki-Platform-Team, MediaWiki-extensions-OAuth

Thu, Jan 9

Tgr added a comment to T383362: Provide special page to show warning to users clicking on external links.

Should be straightforward technically via the LinkerMakeExternalLink hook, but yes it would raise all kinds of SEO and usability and tool B/C issues, and on Wikimedia sites it would increase the amount of user tracking (currently we don't learn about a user clicking a link, I think it would be hard to avoid that data getting at least into the webrequest table).

Thu, Jan 9, 11:50 PM · MediaWiki-Parser, MediaWiki-Special-pages
Tgr renamed T374184: Using two accounts can lead to login failure with "Session ID/User mismatch" from Logging in on testwiki without the "keep me logged in" tick box is broken to Using two accounts can lead to login failure with "Session ID/User mismatch".
Thu, Jan 9, 7:27 PM · MW-1.44-notes (1.44.0-wmf.12; 2025-01-14), Regression, MediaWiki-Platform-Team, MediaWiki-User-login-and-signup, MediaWiki-extensions-CentralAuth
Tgr placed T374757: Login errors related to session hijacking up for grabs.

Moving to radar until we get more details.

Thu, Jan 9, 7:24 PM · MediaWiki-Platform-Team (Radar), MediaWiki-Core-AuthManager, MediaWiki-User-login-and-signup
Tgr added a comment to T306844: iOS and Firefox think Special:CentralAuth is a login form.

Firefox apparently considers the field not username if it has a class like search. We could use that as a workaround but eww.

Thu, Jan 9, 2:45 PM · Browser-Support-Firefox, Browser-Support-Apple-Safari, Stewards-and-global-tools, MediaWiki-extensions-CentralAuth

Wed, Jan 8

Tgr added a comment to T378157: SUL Integration for eventyay (Wikimania virtual event platform).

Consumer keys are public identifiers.

Wed, Jan 8, 4:08 PM · MediaWiki-Platform-Team (Radar), SecTeam-Processed, Security

Tue, Jan 7

Tgr added a comment to T378157: SUL Integration for eventyay (Wikimania virtual event platform).

@MarioB if they are still not approved, can you provide the app IDs? It's hard to find apps by name.

Tue, Jan 7, 10:41 PM · MediaWiki-Platform-Team (Radar), SecTeam-Processed, Security
Tgr added a comment to T383136: [SUL3] Make edge-login to work for temporary accounts.

Edge login doesn't create accounts on wikis where the user doesn't have them yet, so for temporary accounts at the time of creation it's a no-op. (Which also means there is not much point in triggering it... although figuring out whether we are right after an account creation might be more hassle than worth it.)

Tue, Jan 7, 10:38 PM · Trust and Safety Product Sprint (Sprint Chimes (Dec. 9 - Jan. 17)), Temporary accounts, MediaWiki-extensions-CentralAuth, Trust and Safety Product Team, MediaWiki-Platform-Team, SUL3
Tgr added a comment to T234674: Delete OAuth 2.0 access tokens on password change.

Possible although a bit ugly. There are two core mechanisms for removing authentication methods, invalidateSessionsForUser() which we are already calling for credential changes, and preventSessionsForUser() which is intended to be permanent (used for account usurpation by a system account). AuthManager::changeAuthenticationData() which handles credential changes does not handle multiple form fragments like login/signup does. This doesn't fit any of those generic mechanisms, so it would have to be a one-off - modify the form generation logic in SpecialChangeCredentials to add the checkbox, add a new hook to SpecialChangeCredentials::success() (and I suppose changePassword.php) that gets called when the option is checked, and add a hook handler to the OAuth extension that removes the access tokens. And maybe add some way for hook handlers to return a message, so e.g. OAuth can advise the user on how to reset owner-only keys.

Tue, Jan 7, 10:34 PM · Security, MediaWiki-Platform-Team, MediaWiki-extensions-OAuth, Core Platform Team Initiatives (MW REST API in PHP), Story, Platform Team Workboards (User Stories)
Tgr added a comment to T230278: CLI interface needed for bot passwords.

This was done in rMW8c8654cce0af: Add a maintenance script to create bot passwords. a while ago (although only for creation).

Tue, Jan 7, 10:01 PM · MediaWiki-Core-AuthManager

Mon, Jan 6

Tgr claimed T380755: Enabling session.use_trans_sid INI setting is deprecated.
Mon, Jan 6, 9:36 PM · MW-1.39-notes, MW-1.43-notes, MW-1.42-notes, MW-1.44-notes (1.44.0-wmf.12; 2025-01-14), MediaWiki-Platform-Team, MediaWiki-Core-AuthManager, PHP 8.4 support, MediaWiki-Core-Tests
Tgr added a comment to T380969: MediaWiki\Extension\CentralAuth\Special\SpecialCentralAutoLogin::execute: Bad token: bad token.

T383049: No central session found is similar, but with the session store instead of the token store. (Although the session store is Kask and the token store is the microstash so there is not much infrastructure overlap there.)

Mon, Jan 6, 9:20 PM · MediaWiki-Platform-Team, MediaWiki-extensions-CentralAuth, Wikimedia-production-error
Tgr claimed T381223: useragent-clienthints API does not work on the SUL3 authentication domain.
Mon, Jan 6, 9:18 PM · Trust and Safety Product Team, http-client-hints, MediaWiki-Platform-Team, SUL3, MediaWiki-extensions-CentralAuth, CheckUser
Tgr added a comment to T382292: 'global_user_editcount' variable consistently returning 0 for the 'MediaWiki message delivery' account.

Possibly caused by T380500: CentralAuthUser returning outdated data after user creation? It seems like the only way for this to happen is for CentralAuthUser::exists() or CentralAuthUser::isAttached() to return false.

Mon, Jan 6, 9:17 PM · MassMessage, MediaWiki-extensions-CentralAuth, MediaWiki-Platform-Team, AbuseFilter
Tgr updated the task description for T377187: Set up auth.wikimedia.org.
Mon, Jan 6, 9:12 PM · Patch-For-Review, Traffic, SRE, DNS, MediaWiki-Platform-Team, SUL3
Tgr added a project to T377187: Set up auth.wikimedia.org: DNS.
Mon, Jan 6, 9:12 PM · Patch-For-Review, Traffic, SRE, DNS, MediaWiki-Platform-Team, SUL3
Tgr added a comment to T382432: CentralAuth on SQLite is prone to deadlocks when using a separate database.

Added a note to the install instructions about lack of SQLite support.

Mon, Jan 6, 8:33 PM · MediaWiki-Platform-Team (Radar), Patch-For-Review, MediaWiki-libs-Rdbms, SQLite, MediaWiki-extensions-CentralAuth
Tgr added a comment to T383049: No central session found.

Seems to be affecting temporary accounts mostly.

Mon, Jan 6, 8:28 PM · Trust and Safety Product Team, Temporary accounts, MediaWiki-extensions-CentralAuth, MediaWiki-Platform-Team, Wikimedia-production-error
Tgr moved T373506: Update MediaWiki Platform team Logstash dashboard from Current Sprint to Soon on the MediaWiki-Platform-Team board.
Mon, Jan 6, 3:27 PM · MediaWiki-Platform-Team
Tgr added a comment to T383050: CAS update failed on gu_cas_token for user ID '{globalId}' (read from {from}); the version of the user to be saved is older than the current version..

Doesn't seem to have gotten more frequent in the last 90 days; I think this is just normal DB noise, like the various deadlock errors.

Mon, Jan 6, 2:57 PM · MediaWiki-extensions-CentralAuth, Wikimedia-production-error, MediaWiki-Platform-Team
Tgr added a comment to T383047: Could not send confirmation email: Unknown error in PHP's mail() function..

Happens a few hundred times per week, and has been going on for at least the 90 days Logstash can remember. Not sure about the k8s connection, this is a fairly generic error message.

Mon, Jan 6, 2:54 PM · MW-1.44-notes (1.44.0-wmf.13; 2025-01-21), Mail, Infrastructure-Foundations, MediaWiki-Platform-Team, MediaWiki-User-login-and-signup, Wikimedia-production-error

Sun, Jan 5

Tgr added a comment to T383011: Create an equivalent of ApiCheckCanExecute for the REST API.

See also T275508: Convert ApiCheckCanExecute hook to Authority.

Sun, Jan 5, 5:02 PM · MediaWiki-REST-API
Tgr added a subtask for T381223: useragent-clienthints API does not work on the SUL3 authentication domain: T383011: Create an equivalent of ApiCheckCanExecute for the REST API.
Sun, Jan 5, 5:01 PM · Trust and Safety Product Team, http-client-hints, MediaWiki-Platform-Team, SUL3, MediaWiki-extensions-CentralAuth, CheckUser
Tgr added a parent task for T383011: Create an equivalent of ApiCheckCanExecute for the REST API: T381223: useragent-clienthints API does not work on the SUL3 authentication domain.
Sun, Jan 5, 5:01 PM · MediaWiki-REST-API
Tgr created T383011: Create an equivalent of ApiCheckCanExecute for the REST API.
Sun, Jan 5, 5:01 PM · MediaWiki-REST-API
Tgr added a comment to T265148: Support "Login with Wikipedia" over OAuth 2.0 on other tools and websites.

Since it kinda-sorta already works, the low-hanging fruit would be to just write clear documentation on how you can use it currently.

Sun, Jan 5, 4:59 PM · MediaWiki-Platform-Team, Documentation, MediaWiki-Engineering, Platform Engineering Roadmap Decision Making

Fri, Jan 3

Tgr added a comment to T381223: useragent-clienthints API does not work on the SUL3 authentication domain.

It depends on whether this shared authentication domain would ever have CheckUser checks performed.

Fri, Jan 3, 7:05 PM · Trust and Safety Product Team, http-client-hints, MediaWiki-Platform-Team, SUL3, MediaWiki-extensions-CentralAuth, CheckUser
Tgr added a comment to T382910: Ensure code under includes/libs does not depend on MediaWiki code.

(Ideally, of course, we would not have two separate HTTP components, just one that's librarized and uses a PSR standard. That's T110022: Move HTTP-related code from MW to its own library.)

Fri, Jan 3, 6:57 PM · MW-1.44-notes (1.44.0-wmf.12; 2025-01-14), Patch-For-Review, MediaWiki-Platform-Team, Librarization
Tgr added a comment to T382910: Ensure code under includes/libs does not depend on MediaWiki code.

T296433: MultiHttpClient is in includes/libs/ but uses MediaWiki components is the older task for MultiHttpClient.

Fri, Jan 3, 6:55 PM · MW-1.44-notes (1.44.0-wmf.12; 2025-01-14), Patch-For-Review, MediaWiki-Platform-Team, Librarization
Tgr added a comment to T202352: Convert MultiHttpClient to use Guzzle.

From a very superficial glance at the Guzzle code, it does not seem to support custom curl_multi options at all.

Fri, Jan 3, 6:53 PM · MediaWiki-libs-HTTP, Platform Engineering (Icebox), MW-1.33-notes (1.33.0-wmf.21; 2019-03-12)
Tgr added a comment to T319066: It should be cheap to rename skins.

The task description explicitly says that the skin name is already localizable but it would be confusing to change the localized name but not change the internal identifier. Are you asking for another level of mapping (internal identifier -> publicly exposed identifier -> localized string)? It seems like a lot of potential complexity for dubious value - the disparity would still be confusing (e.g. technical documentation would still use the internal identifier, since that's the one that's the same on all wikis), it would add one more problem to copying gadget code between wikis, and the internal identifier would still have to be publicly exposed (because e.g. JS code in source control can't account for how a site might set up its mapping). Just changing skinname-vector-2022 seems like a strictly less bad option at that point.

Fri, Jan 3, 6:47 PM · MediaWiki-General, MediaWiki-Core-Skin-Architecture

Thu, Jan 2

Tgr added a comment to T234679: Support browser-based API clients with OAuth 2.0 client IDs.

(See T323867: Clarify use of non-confidential OAuth 2.0 clients for some limitations which currently make JS apps hard to use.)

Thu, Jan 2, 8:06 PM · MediaWiki-Platform-Team, MediaWiki-extensions-OAuth, MediaWiki-REST-API, Core Platform Team Initiatives (MW REST API in PHP), Story, Platform Team Workboards (User Stories)
Tgr added a comment to T379353: CreateAccount API call does not set the 'Email' field.

Oh, right, I missed that this is a publicly available wiki.

Thu, Jan 2, 7:35 PM · MediaWiki-Platform-Team (Radar), MediaWiki-Core-AuthManager, MediaWiki-User-login-and-signup, MediaWiki-Action-API
Tgr merged T234679: Support browser-based API clients with OAuth 2.0 client IDs into T229501: Add OAuth 2.0 support to MediaWiki for use by web-based clients.
Thu, Jan 2, 7:30 PM · MW-1.35-notes (1.35.0-wmf.15; 2020-01-14), Epic, Platform Team Workboards (Epics), Core Platform Team Initiatives (OAuth 2.0)
Tgr merged task T234679: Support browser-based API clients with OAuth 2.0 client IDs into T229501: Add OAuth 2.0 support to MediaWiki for use by web-based clients.
Thu, Jan 2, 7:30 PM · MediaWiki-Platform-Team, MediaWiki-extensions-OAuth, MediaWiki-REST-API, Core Platform Team Initiatives (MW REST API in PHP), Story, Platform Team Workboards (User Stories)
Tgr merged T234666: Use OAuth 2.0 With Client Developer's Authorization into T229501: Add OAuth 2.0 support to MediaWiki for use by web-based clients.
Thu, Jan 2, 7:29 PM · MW-1.35-notes (1.35.0-wmf.15; 2020-01-14), Epic, Platform Team Workboards (Epics), Core Platform Team Initiatives (OAuth 2.0)
Tgr merged task T234666: Use OAuth 2.0 With Client Developer's Authorization into T229501: Add OAuth 2.0 support to MediaWiki for use by web-based clients.
Thu, Jan 2, 7:29 PM · MediaWiki-Platform-Team, MediaWiki-extensions-OAuth, MediaWiki-REST-API, Core Platform Team Initiatives (MW REST API in PHP), Story, Platform Team Workboards (User Stories)
Tgr added a comment to T234667: OAuth 2.0 Access Token for Authorization.

Stretch goal: access_token query parameter.

Thu, Jan 2, 7:27 PM · MediaWiki-extensions-OAuth, MediaWiki-Platform-Team, MediaWiki-REST-API, Core Platform Team Initiatives (MW REST API in PHP), Platform Team Workboards (User Stories), Story
Tgr merged T234667: OAuth 2.0 Access Token for Authorization into T229501: Add OAuth 2.0 support to MediaWiki for use by web-based clients.
Thu, Jan 2, 7:25 PM · MW-1.35-notes (1.35.0-wmf.15; 2020-01-14), Epic, Platform Team Workboards (Epics), Core Platform Team Initiatives (OAuth 2.0)
Tgr merged task T234667: OAuth 2.0 Access Token for Authorization into T229501: Add OAuth 2.0 support to MediaWiki for use by web-based clients.
Thu, Jan 2, 7:25 PM · MediaWiki-extensions-OAuth, MediaWiki-Platform-Team, MediaWiki-REST-API, Core Platform Team Initiatives (MW REST API in PHP), Platform Team Workboards (User Stories), Story
Tgr changed the status of T234669: List OAuth 2.0 client IDs, a subtask of T234665: Add OAuth 2.0 support to MediaWiki REST API, from Invalid to Resolved.
Thu, Jan 2, 7:24 PM · Core Platform Team Initiatives (MW REST API in PHP), Epic, Platform Team Workboards (Epics)
Tgr changed the status of T234669: List OAuth 2.0 client IDs from Invalid to Resolved.

It says

Probably a Web UI?

so I don't think so.

Thu, Jan 2, 7:24 PM · MediaWiki-extensions-OAuth, MediaWiki-Platform-Team, MediaWiki-REST-API, Core Platform Team Initiatives (MW REST API in PHP), Story, Platform Team Workboards (User Stories)
Tgr merged T234668: Request new OAuth 2.0 client ID into T229505: Admin adds new client.
Thu, Jan 2, 7:19 PM · Platform Team Workboards (S&F Workboard), Core Platform Team Initiatives (OAuth 2.0)
Tgr merged task T234668: Request new OAuth 2.0 client ID into T229505: Admin adds new client.
Thu, Jan 2, 7:19 PM · MediaWiki-Platform-Team, MediaWiki-extensions-OAuth, MediaWiki-REST-API, Core Platform Team Initiatives (MW REST API in PHP), Story, Platform Team Workboards (User Stories)
Tgr added a comment to T234668: Request new OAuth 2.0 client ID.

Or rather this is a duplicate of T229505: Admin adds new client since that form didn't support OAuth 2 yet at the time of writing this task.

Thu, Jan 2, 7:19 PM · MediaWiki-Platform-Team, MediaWiki-extensions-OAuth, MediaWiki-REST-API, Core Platform Team Initiatives (MW REST API in PHP), Story, Platform Team Workboards (User Stories)
Tgr closed T234668: Request new OAuth 2.0 client ID, a subtask of T234665: Add OAuth 2.0 support to MediaWiki REST API, as Invalid.
Thu, Jan 2, 7:15 PM · Core Platform Team Initiatives (MW REST API in PHP), Epic, Platform Team Workboards (Epics)
Tgr closed T234668: Request new OAuth 2.0 client ID as Invalid.

If you think something other than https://meta.wikimedia.org/wiki/Special:OAuthConsumerRegistration/propose/oauth2 is needed, please clarify and reopen.

Thu, Jan 2, 7:15 PM · MediaWiki-Platform-Team, MediaWiki-extensions-OAuth, MediaWiki-REST-API, Core Platform Team Initiatives (MW REST API in PHP), Story, Platform Team Workboards (User Stories)
Tgr closed T382692: Policy check functions must be callable. 'MinimalPasswordLength' isn't callable. (Error on login) as Resolved.

I'd say the best practice is never to change $wgPasswordPolicy['checks'] (you can of course append your own). Added a warning to that effect to the documentation page.

Thu, Jan 2, 6:12 PM · MediaWiki-Platform-Team, MediaWiki-Core-AuthManager, MW-1.43-release
Tgr closed T234669: List OAuth 2.0 client IDs, a subtask of T234665: Add OAuth 2.0 support to MediaWiki REST API, as Invalid.
Thu, Jan 2, 5:52 PM · Core Platform Team Initiatives (MW REST API in PHP), Epic, Platform Team Workboards (Epics)
Tgr closed T234669: List OAuth 2.0 client IDs as Invalid.
Thu, Jan 2, 5:52 PM · MediaWiki-extensions-OAuth, MediaWiki-Platform-Team, MediaWiki-REST-API, Core Platform Team Initiatives (MW REST API in PHP), Story, Platform Team Workboards (User Stories)
Tgr added a comment to T234669: List OAuth 2.0 client IDs.

This has existed since the beginning: https://meta.wikimedia.org/wiki/Special:OAuthConsumerRegistration/list
Admittedly the UX is terrible; that's T104078: Update OAuth consumer list table styles.

Thu, Jan 2, 5:52 PM · MediaWiki-extensions-OAuth, MediaWiki-Platform-Team, MediaWiki-REST-API, Core Platform Team Initiatives (MW REST API in PHP), Story, Platform Team Workboards (User Stories)
Tgr added a comment to T234670: Delete OAuth 2.0 client ID.

Duplicate of T254190: Allow a user to disable an OAuth client, I think.

Thu, Jan 2, 5:49 PM · MediaWiki-Platform-Team, MediaWiki-extensions-OAuth, Core Platform Team Initiatives (MW REST API in PHP), Story, Platform Team Workboards (User Stories)
Tgr added a comment to T234673: Delete all OAuth 2.0 access tokens.

Seems essentially a duplicate of T234674: Delete OAuth 2.0 access tokens on password change? We could provide a separate button if that's useful, of course.

Thu, Jan 2, 5:48 PM · MediaWiki-Platform-Team, MediaWiki-extensions-OAuth, Core Platform Team Initiatives (MW REST API in PHP), Story, Platform Team Workboards (User Stories)
Tgr added a project to T234674: Delete OAuth 2.0 access tokens on password change: Security.

We'd have to delete accepted consumers in the OAuth session provider's invalidateSessionsForUser() callback, much like we already do for preventSessionsForUser(). That would be run every time the user is force-logged out (e.g. password change, 2FA change, user rename, steward lock, invalidateUserSessions.php). Code-wise a trivial change, not 100% sure of the implications but seems reasonable. (Maybe a bit disruptive for owner-only consumers, where the user would have to go to each such app's Special:OAuthConsumerRegistration subpage and do a token reset. Not much security value if we don't disable owner-only consumers, though.)
@sbassett maybe the Security team has an opinion on this?

Thu, Jan 2, 5:46 PM · Security, MediaWiki-Platform-Team, MediaWiki-extensions-OAuth, Core Platform Team Initiatives (MW REST API in PHP), Story, Platform Team Workboards (User Stories)
Tgr added a comment to T350248: Api error for account creation has numerical error codes when there are multiple errors.

It's unfortunate but I'm not sure what would be a more reasonable behavior. Just take the message key of the first error and use it as the error code, ignoring all others?

Thu, Jan 2, 5:31 PM · MW-Interfaces-Team, MediaWiki-User-login-and-signup, MediaWiki-Core-AuthManager, MediaWiki-Action-API
Tgr added a comment to T379353: CreateAccount API call does not set the 'Email' field.

Can you copy the output from api.php?action=query&format=json&meta=authmanagerinfo&formatversion=2&amirequestsfor=create&amimergerequestfields=1?

Thu, Jan 2, 5:29 PM · MediaWiki-Platform-Team (Radar), MediaWiki-Core-AuthManager, MediaWiki-User-login-and-signup, MediaWiki-Action-API
Tgr renamed T382910: Ensure code under includes/libs does not depend on MediaWiki code from Ensure code under includes/libs does not depen on MediaWiki code to Ensure code under includes/libs does not depend on MediaWiki code.
Thu, Jan 2, 5:22 PM · MW-1.44-notes (1.44.0-wmf.12; 2025-01-14), Patch-For-Review, MediaWiki-Platform-Team, Librarization

Mon, Dec 23

Tgr added a project to T382139: "sub" claim of oauth json web token should be a string: User-notice.

Suggested Tech News text:

The identity endpoint used for OAuth 1 and OAuth 2 returned a JSON object with an integer in its sub field, which was incorrect (the field must always be a string). This has been fixed; the fix will be deployed to Wikimedia wikis on the week of January 13.

Mon, Dec 23, 1:30 PM · User-notice, MW-1.44-notes (1.44.0-wmf.12; 2025-01-14), MediaWiki-Platform-Team, MediaWiki-extensions-OAuth
Tgr added a comment to T382139: "sub" claim of oauth json web token should be a string.

I guess the likely fallout from pyJWT is larger. Let's make sure the change is well-announced then.

Mon, Dec 23, 1:22 PM · User-notice, MW-1.44-notes (1.44.0-wmf.12; 2025-01-14), MediaWiki-Platform-Team, MediaWiki-extensions-OAuth
Tgr added a comment to T382139: "sub" claim of oauth json web token should be a string.

@Reedy not sure about the backports... a similar change in T283456: OAuth identfy endpoint should not expose unconfirmed email address broke lots of things. A breaking API change should probably not go into minor releases?

Mon, Dec 23, 1:18 PM · User-notice, MW-1.44-notes (1.44.0-wmf.12; 2025-01-14), MediaWiki-Platform-Team, MediaWiki-extensions-OAuth

Thu, Dec 19

Tgr closed T369180: Ensure no AuthenticationRequests are added to the local login flow in SUL3 mode, a subtask of T362713: Implement the new login process which redirects to the central login wiki for showing the login/signup form, as Resolved.
Thu, Dec 19, 11:15 PM · MW-1.43-notes (1.43.0-wmf.13; 2024-07-09), SUL3, MediaWiki-Core-AuthManager, MediaWiki-Platform-Team, MediaWiki-extensions-CentralAuth
Tgr closed T369180: Ensure no AuthenticationRequests are added to the local login flow in SUL3 mode as Resolved.
Thu, Dec 19, 11:15 PM · MW-1.44-notes (1.44.0-wmf.8; 2024-12-17), MediaWiki-extensions-CentralAuth, MW-1.43-notes (1.43.0-wmf.21; 2024-09-03), MediaWiki-Platform-Team, SUL3
Tgr removed a project from T382139: "sub" claim of oauth json web token should be a string: User-notice.

(We don't have Developer-notice anymore, that would be the appropriate tag here.)

Thu, Dec 19, 10:08 PM · User-notice, MW-1.44-notes (1.44.0-wmf.12; 2025-01-14), MediaWiki-Platform-Team, MediaWiki-extensions-OAuth
Tgr added a project to T382139: "sub" claim of oauth json web token should be a string: User-notice.
Thu, Dec 19, 10:07 PM · User-notice, MW-1.44-notes (1.44.0-wmf.12; 2025-01-14), MediaWiki-Platform-Team, MediaWiki-extensions-OAuth
Tgr closed T124797: UnexpectedValueException from line 230 of SessionManager.php - Can neither load the session nor create an empty session as Declined.
Thu, Dec 19, 10:04 PM · MediaWiki-Platform-Team, TestMe, MediaWiki-Core-AuthManager
Tgr added a comment to T124797: UnexpectedValueException from line 230 of SessionManager.php - Can neither load the session nor create an empty session.

The session ID gets reset during password change, apparently something went wrong with that and it tried to reuse the old session ID to create a new session. Since the report is very old, not worth looking into IMO - please reopen if it's still happening.

Thu, Dec 19, 10:03 PM · MediaWiki-Platform-Team, TestMe, MediaWiki-Core-AuthManager
Tgr added a comment to T382341: Proposal: Introduce ParserInput object.

I'd generally try to avoid classes which are neither services (stateless) nor value objects (pure state). A PreviewParserInput that mixes page content with some DB access logic seems unwieldy. Since (AFAIK) we only ever use one speculative rev / page ID mechanism, we just need to track whether 1) the parse is actually associated with a real page / revision 2) whether it already has a page / rev id, and have a service do the speculating. I don't think either the ParserInput or ParserOptions needs to depend on that service.

Thu, Dec 19, 9:56 PM · Content-Transform-Team-WIP, MediaWiki-Platform-Team (Radar), MediaWiki-Parser
Tgr added a comment to T382292: 'global_user_editcount' variable consistently returning 0 for the 'MediaWiki message delivery' account.

The CentralAuth part seems fine - the editcount is tracked in the DB, the account is attached.

Thu, Dec 19, 9:06 PM · MassMessage, MediaWiki-extensions-CentralAuth, MediaWiki-Platform-Team, AbuseFilter
Tgr added a comment to T382432: CentralAuth on SQLite is prone to deadlocks when using a separate database.

Not sure what could be done about this at the RDBMS or CentralAuth level. What could be done is having a DB connection pool of one, so when using SQLite requests involving the DB in any way just have to wait until the previous request has been served.

Thu, Dec 19, 8:45 PM · MediaWiki-Platform-Team (Radar), Patch-For-Review, MediaWiki-libs-Rdbms, SQLite, MediaWiki-extensions-CentralAuth
Tgr added a comment to T265148: Support "Login with Wikipedia" over OAuth 2.0 on other tools and websites.

the fact that our resource/profile endpoint required an HTTP Authorization header (as opposed to an access token) was a brief stumbling-block.

Thu, Dec 19, 8:40 PM · MediaWiki-Platform-Team, Documentation, MediaWiki-Engineering, Platform Engineering Roadmap Decision Making
Tgr added a comment to T369180: Ensure no AuthenticationRequests are added to the local login flow in SUL3 mode.

The private part is in commit 95517e85 in PrivateSettings. I'll apply that at the same time when the two patches above get deployed, to minimize disruption.

Thu, Dec 19, 3:07 PM · MW-1.44-notes (1.44.0-wmf.8; 2024-12-17), MediaWiki-extensions-CentralAuth, MW-1.43-notes (1.43.0-wmf.21; 2024-09-03), MediaWiki-Platform-Team, SUL3

Wed, Dec 18

Tgr added a comment to T382341: Proposal: Introduce ParserInput object.

So maybe this could be used to get rid of speculativePageIdCallback and speculativeRevIdCallback.

Wed, Dec 18, 3:20 PM · Content-Transform-Team-WIP, MediaWiki-Platform-Team (Radar), MediaWiki-Parser
Tgr removed a subtask for T328922: Drop PHP 8.0 support from MediaWiki: T363639: web-auth/webauthn-lib must be upgraded to 4+ for PHP 8.2+ support.
Wed, Dec 18, 3:14 PM · PHP 8.0 support, Epic, MediaWiki-General
Tgr edited parent tasks for T363639: web-auth/webauthn-lib must be upgraded to 4+ for PHP 8.2+ support, added: T360995: Migrate Wikimedia production from PHP 8.1 to PHP 8.3; removed: T328922: Drop PHP 8.0 support from MediaWiki.
Wed, Dec 18, 3:13 PM · PHP 8.4 support, PHP 8.3 support, MediaWiki-Platform-Team, PHP 8.2 support, Patch-For-Review, MediaWiki-extensions-OATHAuth
Tgr added a subtask for T360995: Migrate Wikimedia production from PHP 8.1 to PHP 8.3: T363639: web-auth/webauthn-lib must be upgraded to 4+ for PHP 8.2+ support.
Wed, Dec 18, 3:13 PM · Epic, MediaWiki-Platform-Team, serviceops

Tue, Dec 17

Tgr moved T380574: Add SUL3 authentication domain to deploy canary checks from Current Sprint to Blocked/waiting on the MediaWiki-Platform-Team board.
Tue, Dec 17, 9:33 PM · Patch-For-Review, MediaWiki-Platform-Team, Scap, SUL3
Tgr closed T381095: Enable SUL3 by default on some beta wikis as Resolved.

This was done a while ago, I forgot to close it.

Tue, Dec 17, 9:32 PM · MediaWiki-Platform-Team, SUL3