Page MenuHomePhabricator
Create Task
Maniphest T427837

High volume of error logs: "User [name] cannot authenticate"
Closed, ResolvedPublic
Actions

Description

Following-up from a Slack thread. (https://wikimedia.slack.com/archives/C08TRVDR6BA/p1779894931841269)

https://gerrit.wikimedia.org/g/mediawiki/extensions/OATHAuth/+/34cc3f73cc40de0216b54c23e0f827bf07e0d1d0/src/WebAuthnAuthenticator.php#119
https://logstash.wikimedia.org/goto/9ec32a154998352a074a022107a9f925

image.png (1,535×256 px, 29 KB)

On an aside, IIUIC this is logged every time you log in and don't have any WebAuth keys. Could be made less loud.

Putting it down to info? Or remove it completely?

That looks like a regression from passwordless login, that code path wasn't previously executed for users without WebAuthn keys
I think we should just drop it

I agree we should reduce severity, this is not an error.

For what it's worth, I wasn't able to reproduce it locally, despite trying various combinations of 2FA methods – if you know how to reproduce it, it'd be helpful to document.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
WebAuthnAuthenticator: Reduce log severity and clarifymediawiki/extensions/OATHAuthmaster+8 -8
Customize query in gerrit

Event Timeline

matmarex created this task.Mon, Jun 1, 6:01 PM
Restricted Application added a project: Product Safety and Integrity. · View Herald TranscriptMon, Jun 1, 6:01 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
gerritbot added a comment.Mon, Jun 1, 6:01 PM

Change #1295985 had a related patch set uploaded (by Bartosz Dziewoński; author: Bartosz Dziewoński):

[mediawiki/extensions/OATHAuth@master] WebAuthnAuthenticator: Reduce log severity and clarify

https://gerrit.wikimedia.org/r/1295985

gerritbot added a project: Patch-For-Review.Mon, Jun 1, 6:01 PM
matmarex claimed this task.Mon, Jun 1, 6:02 PM
Tgr added a comment.Mon, Jun 1, 6:05 PM

I think you can trigger it just by using TOTP rather than WebAuthn? It seems to be a different message though as these ones are all normalized and the message that we see in production a lot hardcodes the username.

gerritbot added a comment.Mon, Jun 1, 6:30 PM

Change #1295985 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] WebAuthnAuthenticator: Reduce log severity and clarify

https://gerrit.wikimedia.org/r/1295985

Maintenance_bot removed a project: Patch-For-Review.Mon, Jun 1, 6:30 PM
matmarex closed this task as Resolved.Tue, Jun 2, 9:55 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits