[15:12:48] <Reedy>	 _808db: about?
[16:03:24] <legoktm>	 Reedy: he's on vacation
[16:03:39] <Reedy>	 He's breaking the rules!
[16:04:50] <hoo>	 legoktm: ping
[16:04:59] <legoktm>	 hoo: hi
[16:05:22] <hoo>	 legoktm: Did you ever test the centralauth part of mw.ForeignApi in production?
[16:05:54] <legoktm>	 no, just on my test wiki
[16:05:55] <hoo>	 I see it requesting a CentralAuth token... and using it
[16:06:02] <legoktm>	 yes...
[16:06:06] <hoo>	 but wikidata's API says that the token is invalid
[16:06:14] <legoktm>	 errr
[16:06:25] <legoktm>	 example request you're making?
[16:08:18] <hoo>	 mh... now it works, but it also no longer includes the CA tokens
[16:09:44] <legoktm>	 I'm getting the invalid token error...
[16:09:57] <legoktm>	 if you're logged in on wikidata it won't use the token
[16:10:01] <hoo>	 ah ok, so it checks whether one is logged in
[16:10:04] <hoo>	 I see, yes
[16:10:07] <hoo>	 that's smart
[16:10:22] <legoktm>	 MatmaRex: ^^
[16:10:50] <MatmaRex>	 hm
[16:11:04] <legoktm>	 we also recently changed the backend store for the tokens
[16:11:16] <hoo>	 the client seems to get this all right... I guess somethings not quite right on the backend
[16:11:21] <hoo>	 yeah
[16:11:27] <legoktm>	 I deleted my wikidata.org cookies, and running (new mw.ForeignApi('https://www.wikidata.org/w/api.php')).get({action: 'query', meta:'userinfo'}).done(function(data){console.log(data)}); fails from en.wp
[16:11:31] <hoo>	 is it maybe being partitioned?
[16:11:48] <hoo>	 So that WD can't see the token from enwiki?
[16:12:31] <MatmaRex>	 huh
[16:13:01] <MatmaRex>	 hoo: legoktm: i can reproduce. the same thing works with commons.wikimedia.org though
[16:13:27] <MatmaRex>	 looks backendy to me. and i have no idea how the backend for this works
[16:14:00] <hoo>	 I presume that there are different redis shards involved, thus the tokens aren't really shared cluster wide anymore
[16:14:03] <legoktm>	 if I delete my commons cookies, it fails there too
[16:14:16] <legoktm>	 hoo: but we don't fragment the cache by wiki...
[16:14:22] <legoktm>	 AaronSchulz: ^
[16:14:32] <hoo>	 But maybe by some kind of user dbname combination?
[16:14:34] <hoo>	 Or some such
[16:17:32] <legoktm>	 $key = CentralAuthUser::memcKey( 'api-token', $loginToken );
[16:17:40] <legoktm>	 which just prefixes with $wgCentralAuthDatabase
[16:19:42] <hoo>	 mh
[16:22:06] <Reedy>	 https://twitter.com/librariesio
[16:22:15] <Reedy>	 lol, that makes Paladox redundant
[16:23:16] <legoktm>	 Reedy: not until it can upload patches to upgrade the libraries and auto-rebase them!
[16:25:12] <hoo>	 legoktm: CentralAuthUser::getSessionCache
[16:26:59] <hoo>	 So it uses nutcracker... and then I have no idea
[16:27:23] <legoktm>	 I did some eval.php tests and its broken in the backend
[16:28:17] <hoo>	 mediawiki_session_redis_servers in hiera defines the servers to use
[16:28:35] <legoktm>	 is redis's BagOStuff::add() behavior different?
[16:28:55] <legoktm>	 CentralAuthUser::getSessionCache()->add( $key, $data, 60 );
[16:28:59] <legoktm>	 why do we use add there instead of set?
[16:29:55] <legoktm>	 anomie: ^ you wrote this?
[16:37:47] <anomie>	 legoktm: I don't remember why it might use add instead of set.
[16:38:35] <legoktm>	 my eval.php testing shows that add() appears to work fine
[16:38:57] <anomie>	 legoktm: Ah. The data stored shouldn't change, so there's not much point in overwriting it if it's already set.
[16:39:25] <legoktm>	 ok
[16:43:57] <hoo>	 mh... the more I look at it, the less ideas I have
[16:49:34] <hoo>	 legoktm: I have an idea
[16:49:35] <legoktm>	 did it just break today?
[16:49:38] <legoktm>	 oh
[16:49:45] <hoo>	 Look at CentralAuthHooks::onApiCheckCanExecute
[16:49:57] <hoo>	 $centralUser = CentralAuthUser::getInstance( $user );
[16:50:01] <hoo>	 And then it checks the idea
[16:50:03] <hoo>	 * id
[16:50:17] <hoo>	 How should that work?
[16:50:54] <legoktm>	 it checks the ids of the central users...
[16:51:13] <hoo>	 yes, but how should the $centralUser be populated
[16:51:16] <hoo>	 how did that ever work
[16:52:18] <legoktm>	 oh hrm
[16:52:29] <legoktm>	 well....that code hasn't changed since ever
[16:54:31] <anomie>	 legoktm: Hmm. If I hit https://en.wikipedia.org/w/api.php?action=centralauthtoken&format=json&servedby=, then ssh into the server that actually served the request, eval.php it, and var_dump( CentralAuthUser::memcKey( 'api-token', $token ) );, it still doesn't work.
[16:56:40] <legoktm>	 o.O
[16:57:00] <legoktm>	 so redis backend is broken?
[16:57:52] <anomie>	 Well, eval.php tells me that $wgMemc is an instance of MemcachedPeclBagOStuff, not RedisBagOStuff.
[16:58:20] <hoo>	 anomie: Use  CentralAuthUser::getSessionCache();
[16:58:28] <hoo>	 That should be a different object
[16:58:54] <anomie>	 hoo: That's not what's being used for the API centralauthtoken feature.
[16:59:02] <legoktm>	 er, we no longer use $wgMemc
[16:59:12] <legoktm>	 anomie: git pull? ;)
[16:59:37] <legoktm>	 anomie: https://gerrit.wikimedia.org/r/#/c/234839/
[17:00:42] <anomie>	 Ah. Hmm.
[17:04:03] <legoktm>	 also, we did the switchover to redis last week
[17:04:09] <legoktm>	 so why did it start failing today?
[17:06:49] <csteipp>	 logins broken?
[17:07:45] <hoo>	 csteipp: I hope not... but the centralauthtokens for cw api use are
[17:12:28] <anomie>	 legoktm: Ok, I see that ->add() is failing on RedisBagOStuff for some reason. Now to figure out why.
[17:39:10] <hoo>	 MAybe AaronSchulz can help out here?
[17:40:12] * AaronSchulz was reading backscroll
[17:43:43] <anomie>	 legoktm: I'm seeing "read error on connection" coming back from redis.
[17:44:02] <anomie>	 in response to the call to $conn->multi().
[17:44:05] <legoktm>	 nutcracker issue then?
[17:44:35] <legoktm>	 is it a specific backend?
[17:45:24] <anomie>	 Some commands work fine, e.g. ping(). Others do this. Do we have some sort of command whitelist set up in our redis?
[17:50:51] <AaronSchulz>	 no whitelist afaik
[17:54:03] <anomie>	 ->ping() works, ->time() doesn't, ->info() doesn't, ->echo() doesn't. And, critically, ->multi() doesn't.
[17:56:16] <AaronSchulz>	 multi() may be a temproxy bug
[17:56:46] <AaronSchulz>	 for info() it at least makes sense that it doesn't work due to the proxying/hashing
[17:57:19] * AaronSchulz noticed that before
[17:57:58] <AaronSchulz>	 https://github.com/twitter/twemproxy/blob/master/notes/redis.md
[17:59:11] <Reedy>	 Almost sounds like we need an extra MW class a wrapper
[17:59:54] <AaronSchulz>	 multi() is not supported there, so that explains
[18:00:03] <AaronSchulz>	 CA can clearly just use set() for the tokens for now
[18:00:35] <AaronSchulz>	 I'll make a patch for that, maybe core, and poke at cas() later
[18:01:04] <anomie>	 Well, there we go then. RedisBagOStuff doesn't fully work with twemproxy because it doesn't support multi/exec, watch/unwatch, or info.
[18:01:31] <hoo>	 AaronSchulz: Thanks
[22:13:00] <csteipp>	 tgr: I was thinking SpecialMWOAuth::handleAuthorizationForm would just throw an exception if $requestToken==''. Otherwise $oauthServer->getConsumerKey( $requestToken ) isn't really correct either.
[22:38:48] <legoktm>	 AaronSchulz: did the api token stuff get fixed?
[22:44:12] <AaronSchulz>	 in master, I don't think hoo deployed it though
[22:44:33] <AaronSchulz>	 it's really our setup that is broken, but the CA change works around it
[22:44:54] <AaronSchulz>	 https://gerrit.wikimedia.org/r/#/c/238527/ is more complete, but blocked on zend stuff
[23:13:17] <legoktm>	 AaronSchulz: ok, I'm backporting it