EBernhardson added a comment.
I've tracked down one source of 500 errors, unclear if the original report
here is for the same thing.
Reproduction:
curl -XPOST https://commons-query.wikimedia.org/any-url-doesnt-matter -d 'foo=bar'
Reason:
This request includes a `Content-Length` header which nginx ends up passing
along to the /oauth/check_auth endpoint. Jetty (hosting the endpoint) sees the
Content-Length header and starts waiting for the content to arrive, which never
does. After 30s Jetty times out the request. This most likely means all
requests with the query in the content, rather than a URL query string,
receive this 500 error.
Resolution:
Whitelist the set of headers that will be passed along to the /oauth/*
endpoints to only include the Host and Cookies headers.
Caveats:
While this will fix the timeout, I suspect it will simply fail the request at
a different part of the request. At least in my reproduction case the reason
the UI is issuing a POST request with the query in the body is that the GET
request was rejected due to attempting to re-auth during an XHR and the browser
refused to show the response to the JavaScript. The UI JavaScript interprets
this as the request having never been sent and re-issues the same request over
POST. Once this timeout issue is fixed that POST request will have the same
CORS problems and it's unlikely we will be able to change MediaWiki's
Special:OAuth CORS headers for this use case.
Possible Solutions:
Gergo suggested perhaps we can store an oauth1 related token in the cookies.
When the JWT expires after 2 hours and requires a re-auth we might be able to
re-validate the previously stored oauth1 token, rather than going through the
full redirect-bounce which has CORS issues. Will require more investigation
and review of oauth 1 flows to determine if this is viable.
TASK DETAIL
https://phabricator.wikimedia.org/T306899
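
The header allowlist described under "Resolution" in the comment above, sketched as an nginx configuration. This is an added example, not the deployed configuration from the task: it assumes the auth check is wired up with nginx's auth_request module, and the listen port and upstream addresses are placeholders.

```nginx
# Added example. The upstream addresses and listen port are placeholders,
# not values taken from the task.

# Before (kept as a comment): every client header reaches the auth check.
# A POST carries Content-Length, the subrequest carries no body, and the
# backend waits for bytes that never arrive until it times out.
#
# location = /oauth/check_auth {
#     internal;
#     proxy_pass http://127.0.0.1:8080;
# }

server {
    listen 8000;                              # placeholder

    location / {
        # Assumption: the check runs as an auth_request subrequest.
        auth_request /oauth/check_auth;
        proxy_pass http://127.0.0.1:9999;     # placeholder query backend
    }

    location = /oauth/check_auth {
        internal;
        proxy_pass http://127.0.0.1:8080;     # placeholder auth backend

        # The auth check never needs the request body.
        proxy_pass_request_body off;

        # Drop all client headers, then add back only the allowlisted ones.
        proxy_pass_request_headers off;
        proxy_set_header Host   $host;
        proxy_set_header Cookie $http_cookie;

        # nginx still derives Content-Length from the original request
        # unless it is cleared explicitly; an empty value omits the header.
        proxy_set_header Content-Length "";
    }
}
```

With this in place, the POST from the reproduction should reach the auth endpoint with no Content-Length header, so the backend has nothing to wait for.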