Reedy · Fri, Mar 7, 4:07 PM

Referenced Files
F58910868: Screenshot Capture - 2025-03-24 - 18-56-59.png (Mon, Mar 24, 6:00 PM)
F58910870: Screenshot Capture - 2025-03-24 - 18-58-12.png (Mon, Mar 24, 6:00 PM)

Description

Error
normalized_message
[{reqId}] {exception_url}   LogicException: CentralAuthReturnRequest not found

Frame  Location  Call
from  /srv/mediawiki/php-1.44.0-wmf.19/extensions/CentralAuth/includes/CentralAuthRedirectingPrimaryAuthenticationProvider.php(149)
#0  /srv/mediawiki/php-1.44.0-wmf.19/includes/auth/AuthManager.php(638)  MediaWiki\Extension\CentralAuth\CentralAuthRedirectingPrimaryAuthenticationProvider->continuePrimaryAuthentication(array)
#1  /srv/mediawiki/php-1.44.0-wmf.19/includes/specialpage/AuthManagerSpecialPage.php(401)  MediaWiki\Auth\AuthManager->continueAuthentication(array)
#2  /srv/mediawiki/php-1.44.0-wmf.19/includes/specialpage/AuthManagerSpecialPage.php(533)  MediaWiki\SpecialPage\AuthManagerSpecialPage->performAuthenticationStep(string, array)
#3  /srv/mediawiki/php-1.44.0-wmf.19/includes/specialpage/AuthManagerSpecialPage.php(511)  MediaWiki\SpecialPage\AuthManagerSpecialPage->handleFormSubmit(array)
#4  /srv/mediawiki/php-1.44.0-wmf.19/includes/specialpage/LoginSignupSpecialPage.php(404)  MediaWiki\SpecialPage\AuthManagerSpecialPage->trySubmit()
#5  /srv/mediawiki/php-1.44.0-wmf.19/includes/specialpage/SpecialPage.php(729)  MediaWiki\SpecialPage\LoginSignupSpecialPage->execute(null)
#6  /srv/mediawiki/php-1.44.0-wmf.19/includes/specialpage/SpecialPageFactory.php(1737)  MediaWiki\SpecialPage\SpecialPage->run(null)
#7  /srv/mediawiki/php-1.44.0-wmf.19/includes/actions/ActionEntryPoint.php(503)  MediaWiki\SpecialPage\SpecialPageFactory->executePath(string, MediaWiki\Context\RequestContext)
#8  /srv/mediawiki/php-1.44.0-wmf.19/includes/actions/ActionEntryPoint.php(145)  MediaWiki\Actions\ActionEntryPoint->performRequest()
#9  /srv/mediawiki/php-1.44.0-wmf.19/includes/MediaWikiEntryPoint.php(202)  MediaWiki\Actions\ActionEntryPoint->execute()
#10  /srv/mediawiki/php-1.44.0-wmf.19/index.php(58)  MediaWiki\MediaWikiEntryPoint->run()
#11  /srv/mediawiki/w/index.php(3)  require(string)
#12  {main}
Request URL
https://commons.wikimedia.org/wiki/Special:UserLogin

This seems weird - the URL is /wiki/Special:UserLogin and it must be a POST request since otherwise the code path that leads to continuePrimaryAuthentication() wouldn't be active, but the referrer is https://commons.m.wikimedia.org/wiki/Special:ConfirmEmail/517c09033f0a5ce67a12cdeacc68acc1. How is that even possible?

CentralAuthRedirectingPrimaryAuthenticationProvider::beginPrimaryAuthentication() returns a response with a CentralAuthReturnRequest object in it; in theory that means the following continuePrimaryAuthentication() call should also have that object. But maybe if the corresponding GET/POST parameter is missing, we automatically skip adding the object? I thought that would only happen to AuthenticationRequest objects where $required is set to OPTIONAL, but maybe I'm misremembering.

So I suspect this is some kind of manual request tampering, but in theory the LogicException should not be reachable, and if it is reachable, we need a proper StatusValue-based error instead.

This seems really weird. Vaguely following the Special:ConfirmEmail code, I see that it sometimes calls Special:UserLogin as a GET request. I think maybe this is when we see some weird behavior when cookies on the shared domain are set but not on the local domain (when continueAuthentication is called) - maybe some timeout(?). Then that throws the logic error, but I wonder why/when that should ever happen.

But nevertheless, I'll try to reproduce it and see.

I guess what's happening is:

  • login or signup succeeds on the shared domain and redirects the user to Special:UserLogin/return on the local domain
  • AuthManagerSpecialPage::handleReturnBeforeExecute() sets the session key for handling this request as a POST, and redirects to Special:UserLogin
  • for some reason that redirect doesn't work, or maybe there is just a race between it and the user using another browser tab
  • the user clicks on the link in the confirmation email, gets sent to the login page, but since they still have the session cookie and the session has the special key, AuthManagerSpecialPage thinks this is the last step of remote authentication, and should be interpreted as a form submit. But the URL parameter that would be used for CentralAuthReturnRequest is not actually there.

We should probably use a query parameter to ensure that the special /return processing only happens on the same redirect chain, and not in an unrelated browser window.
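As an added illustration (not MediaWiki's or CentralAuth's code), a small Python model of the sequence in the comment above: session-only tracking of the /return step versus tying it to a query parameter, as the last paragraph proposes. The session key name and the authReturnToken and remoteLoginToken parameter names are assumptions made for the model.

```python
import secrets

class LogicException(Exception):
    pass

class LoginPageModel:
    # Toy model, not MediaWiki code. bind_return_to_url=False: session key only
    # (before the fix); True: a query parameter binds /return to its redirect chain.
    SESSION_KEY = "AuthManagerSpecialPage:return:Login"  # assumed name

    def __init__(self, bind_return_to_url: bool):
        self.bind_return_to_url = bind_return_to_url
        self.session = {}

    def handle_return(self, return_query: dict) -> dict:
        # Special:UserLogin/return: flag the session, then redirect to the
        # login page; returns the query of that redirect target.
        token = secrets.token_hex(8) if self.bind_return_to_url else None
        self.session[self.SESSION_KEY] = token
        redirect = dict(return_query)
        if token is not None:
            redirect["authReturnToken"] = token  # assumed parameter name
        return redirect

    def execute(self, query: dict) -> str:
        # Special:UserLogin: show the form, or finish the remote login.
        if self.SESSION_KEY not in self.session:
            return "show-form"
        token = self.session[self.SESSION_KEY]
        if self.bind_return_to_url and query.get("authReturnToken") != token:
            # Unrelated request (e.g. ConfirmEmail link in another tab): plain GET.
            return "show-form"
        del self.session[self.SESSION_KEY]
        if "remoteLoginToken" not in query:  # assumed CentralAuthReturnRequest field
            raise LogicException("CentralAuthReturnRequest not found")
        return "logged-in"

def race_scenario(bind_return_to_url: bool) -> str:
    # /return is hit, its redirect has not landed, and another tab GETs
    # Special:UserLogin with no parameters: the sequence in the comment above.
    page = LoginPageModel(bind_return_to_url)
    page.handle_return({"remoteLoginToken": "constructed-token"})
    try:
        return page.execute({})
    except LogicException as e:
        return f"LogicException: {e}"

def normal_flow(bind_return_to_url: bool) -> str:
    # Undisturbed redirect chain: both variants finish the login.
    page = LoginPageModel(bind_return_to_url)
    return page.execute(page.handle_return({"remoteLoginToken": "constructed-token"}))
```

With the token check, the stray GET falls through to the ordinary login form and the session flag remains for the real redirect to consume.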

Change #1128039 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@master] authmanager: Use an URL parameter to keep track of returns

Change #1128039 merged by jenkins-bot:

[mediawiki/core@master] authmanager: Use an URL parameter to keep track of returns

Change #1130320 had a related patch set uploaded (by Gergő Tisza; author: Gergő Tisza):

[mediawiki/core@wmf/1.44.0-wmf.21] authmanager: Use an URL parameter to keep track of returns

Change #1130320 merged by jenkins-bot:

[mediawiki/core@wmf/1.44.0-wmf.21] authmanager: Use an URL parameter to keep track of returns

Errors are gone:

Validation error on return
LogicException: CentralAuthReturnRequest not found

Doesn't seem to have been replaced by new errors either.
