Last modified: 2014-11-18 23:42:46 UTC
I returned to a Flow board in my browser after an hour or so of inactivity. Clicking the watch star in any topic titlebar failed with "Invalid token" in a pink errorbox, and in the browser console Net tab the API post returns error.code='badtoken'. My understanding is the API postWithToken() call should automatically request a new token.

I clicked the skin's watch star at the top of the Flow board and its initial request also failed with badtoken, but as expected it issued a get for token, retried, and succeeded. Clicking Reply on a post did the same fail, get token, retry dance ending in success. The API response included the warnings below, but it worked.

"warnings": { "main":{ "*":"Unrecognized parameter: '_'"}, "tokens":{"*":"action=tokens has been deprecated. Please use action=query&meta=tokens instead."} },

Even after these successful API requests, clicking a titlebar watch star continues to fail with "Invalid token" because Flow continues to make API post requests with the old wrong watch token. The workaround for a user is to reload the Flow board.
The problem is FlowBoardComponentApiEventsMixin.UI.events.apiPreHandlers.watchItem() sets the request up with token: mw.user.tokens.get( 'watchToken' ); This is a static assignment; it doesn't check if the token is still good. As a result, flowApiCall does a plain mwApi.post with this token, rather than a mwApi.postWithToken( 'watch', params ) which would correctly fetch a new token. The logic needs to be changed. E.g. the apiPreHandler can supply a tokenName: 'watch' rather than the static value of a token, and flowApiCall() always invokes mwApi.postWithToken passing tokenName or the default 'edit'. Or perhaps Flow could invoke mediawiki.api.watch's watch()/unwatch() instead of calling the API itself.
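The two call patterns discussed above, as an added example that is not part of the original report or of Flow's code. It is a synchronous, constructed stand-in for the promise-based mw.Api; `FakeServer`, `TokenClient`, `postStatic` and `demo` are hypothetical names, and only the `badtoken` error code and the `postWithToken( type, params )` shape come from the report.

```javascript
// Constructed server: a POST succeeds only if it carries the current watch token.
class FakeServer {
  constructor() { this.generation = 0; }
  currentToken(type) { return `${type}-token-${this.generation}`; }
  expireSessions() { this.generation += 1; } // stands in for an hour of inactivity
  post(params) {
    if (params.token !== this.currentToken('watch')) {
      return { error: { code: 'badtoken' } };
    }
    return { watch: [{ title: params.titles, watched: true }] };
  }
}

class TokenClient {
  constructor(server) {
    this.server = server;
    // Tokens embedded in the page at load time; never refreshed (assumption).
    this.pageTokens = { watch: server.currentToken('watch') };
    // Cache owned by the API layer; refreshed whenever a retry fetches a token.
    this.cache = { ...this.pageTokens };
    this.tokenFetches = 0;
  }
  fetchToken(type) {
    this.tokenFetches += 1;
    this.cache[type] = this.server.currentToken(type);
    return this.cache[type];
  }
  // Reported pattern: the caller passes a token value, so nothing can recover.
  postStatic(params) {
    return this.server.post({ ...params, token: this.pageTokens.watch });
  }
  // Fixed pattern: the caller names the token type; refresh and retry once on badtoken.
  postWithToken(type, params) {
    let res = this.server.post({ ...params, token: this.cache[type] || this.fetchToken(type) });
    if (res.error && res.error.code === 'badtoken') {
      res = this.server.post({ ...params, token: this.fetchToken(type) });
    }
    return res; // a second badtoken is returned to the caller, not retried forever
  }
}

function demo() {
  const server = new FakeServer();
  const client = new TokenClient(server);
  const params = { action: 'watch', titles: 'Topic:Example' };
  const fresh = client.postStatic(params);               // works right after page load
  server.expireSessions();
  const stale = client.postStatic(params);               // badtoken, no recovery
  const retried = client.postWithToken('watch', params); // badtoken, refetch, success
  const stillStale = client.postStatic(params);          // page token is still the old one
  return { fresh, stale, retried, stillStale, tokenFetches: client.tokenFetches };
}
```

The `stillStale` result mirrors the report: a successful retry elsewhere refreshes only the API layer's cache, so a caller holding the page-load token value keeps failing until reload.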
added to backlog: https://trello.com/c/WZibCplx
Change 172668 had a related patch set uploaded by Mattflaschen: Use core's postWithToken for watching, which handles badtoken https://gerrit.wikimedia.org/r/172668
Change 172668 merged by jenkins-bot: Use core's postWithToken for watching, which handles badtoken https://gerrit.wikimedia.org/r/172668