#7934 Scripted edit of staging wiki fails with CSRF token error
Closed: Fixed 5 months ago by kevin. Opened 6 months ago by adamwill.

When one of the fedora-messaging consumers I have running on openqa-stg01.qa.fedoraproject.org tries to edit the wiki, to file a result or create a validation event, it fails. The problem seems to be this:

DEBUG:urllib3.connectionpool:https://stg.fedoraproject.org:443 "POST /w/api.php HTTP/1.1" 200 226
Unhandled error writing pages!
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/mwclient/page.py", line 218, in save
    result = do_edit()
  File "/usr/lib/python3.7/site-packages/mwclient/page.py", line 213, in do_edit
    **data)
  File "/usr/lib/python3.7/site-packages/mwclient/client.py", line 244, in post
    return self.api(action, 'POST', *args, **kwargs)
  File "/usr/lib/python3.7/site-packages/mwclient/client.py", line 287, in api
    if self.handle_api_result(info, sleeper=sleeper):
  File "/usr/lib/python3.7/site-packages/mwclient/client.py", line 328, in handle_api_result
    info['error']['info'], info['error']['*'])
mwclient.errors.APIError: ('badtoken', 'Invalid CSRF token.', 'See https://stg.fedoraproject.org/w/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at <https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce> for notice of API deprecations and breaking changes.')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/relval", line 11, in <module>
    load_entry_point('relval==2.4.2', 'console_scripts', 'relval')()
  File "/usr/lib/python3.7/site-packages/relval/cli.py", line 523, in main
    args.func(args, site)
  File "/usr/lib/python3.7/site-packages/relval/cli.py", line 320, in create_compose
    testtypes=testtypes, force=args.force, current=current)
  File "/usr/lib/python3.7/site-packages/wikitcms/event.py", line 249, in create
    _handle_existing(err)
  File "/usr/lib/python3.7/site-packages/wikitcms/event.py", line 241, in _handle_existing
    raise err
  File "/usr/lib/python3.7/site-packages/wikitcms/event.py", line 247, in create
    pag.write(createonly=createonly)
  File "/usr/lib/python3.7/site-packages/wikitcms/page.py", line 121, in write
    self.save(seedtext, summary, createonly=createonly)
  File "/usr/lib/python3.7/site-packages/wikitcms/page.py", line 140, in save
    ret = super(Page, self).save(*args, **kwargs)
  File "/usr/lib/python3.7/site-packages/mwclient/page.py", line 226, in save
    self.handle_edit_error(e, summary)
  File "/usr/lib/python3.7/site-packages/mwclient/page.py", line 250, in handle_edit_error
    raise e
  File "/usr/lib/python3.7/site-packages/mwclient/page.py", line 224, in save
    result = do_edit()
  File "/usr/lib/python3.7/site-packages/mwclient/page.py", line 213, in do_edit
    **data)
  File "/usr/lib/python3.7/site-packages/mwclient/client.py", line 244, in post
    return self.api(action, 'POST', *args, **kwargs)
  File "/usr/lib/python3.7/site-packages/mwclient/client.py", line 287, in api
    if self.handle_api_result(info, sleeper=sleeper):
  File "/usr/lib/python3.7/site-packages/mwclient/client.py", line 328, in handle_api_result
    info['error']['info'], info['error']['*'])
mwclient.errors.APIError: ('badtoken', 'Invalid CSRF token.', 'See https://stg.fedoraproject.org/w/api.php for API usage. Subscribe to the mediawiki-api-announce mailing list at &lt;https://lists.wikimedia.org/mailman/listinfo/mediawiki-api-announce&gt; for notice of API deprecations and breaking changes.')

basically mediawiki is returning a 'badtoken' error. mwclient is set to retry once when this happens, and if it fails again, it just dies. That's what happens here (the first traceback is the initial attempt, the second is the retry).

@puiterwijk says:

<puiterwijk> So, that means the API auth extension no longer matches the mediawiki code.
<puiterwijk> It's using some... hacky internals in order to make sure the CSRF tokens aren't an issue
<puiterwijk> adamw: could you open an infra ticket on that one? I'll ask Alan to look at it


Metadata Update from @kevin:
- Issue priority set to: Waiting on Assignee (was: Needs Review)

6 months ago

Ugh. For some reason I misread this and didn't think it was as serious as it is... and I went and updated production mediawiki. Sorry. ;(

So, we will need to figure this out sooner rather than later...

Oh. Ah. Now I see what you were saying. Yes, this is a serious problem. The whole release validation process relies on automated wiki edits.

Metadata Update from @puiterwijk:
- Issue assigned to puiterwijk

6 months ago

Turns out this was hotfixed in the previous setup, and the package never got updated to mediawiki-OpenIDConnectAPI v0.3, which had the fix for this.

Metadata Update from @puiterwijk:
- Assignee reset

6 months ago

ok. I have updated to that version on all wikis.

@adamwill can you please test and confirm it's fixed?

Metadata Update from @kevin:
- Issue assigned to kevin
- Issue tagged with: authentication

6 months ago

Our savior coconut is posting again, so I think this is all fixed..

Please re-open if it's not.

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

5 months ago

yeah, if coconut is posting that means this is fixed.

Login to comment on this ticket.

Metadata