Wiki Education Dashboard being rate-limited for OAuth login and token fetching
Closed, Resolved | Public | BUG REPORT

Description

Since yesterday (2026-01-07), Wiki Education Dashboard (dashboard.wikiedu.org) has started seeing 429 errors during the OAuth login flow and when fetching tokens to make edits on behalf of OAuth users.

Here's an example server response from trying to initiate OAuth login:

Request served via cp4044 cp4044, Varnish XID 735497657<br>Upstream caches: cp4044 int<br>Error: 429, Too many requests (f061ab2) at Thu, 08 Jan 2026 17:11:08 GMT<br><details><summary>Sensitive client information</summary>IP address: 2600:[ip]</details>

We aren't sending significantly different traffic patterns for OAuth than we have in the past, so I assume something related to the rate-limiting configuration has changed.

Our IPs for this are:

  • 45.79.106.114
  • 2600:3c01::f03c:93ff:fe24:db1b

Event Timeline

@Ragesoss what is the User-Agent you use when making those requests?

@Ragesoss as far as I can tell, the problem is you are not honoring the Wikimedia User-Agent policy, and we have recently started to enforce stricter rate limits for bots that don't respect the policy, hence you are being blocked.

Once you change it to a proper User Agent that identifies you, you should not experience the same problem. If you still see 429s then, we can create an exception for you.

Hi @Ragesoss: We looked through the logs and it seems like requests originating from your end are not respecting our UA policy, documented at https://foundation.wikimedia.org/wiki/Policy:Wikimedia_Foundation_User-Agent_Policy and further explained in https://phabricator.wikimedia.org/T400119. Once you update that and set a custom UA, please let us know and we can look into it again.

Thanks! Unfortunately, the OAuth library we use doesn't support setting the User Agent, so I'm going to have to figure out how to monkey patch it. :-(

@ssingh I've just deployed an update that should fix it. Now the user agent is Wiki Education Dashboard/1.0 (dashboard.wikiedu.org; sage@wikiedu.org).

@Ragesoss I see you still get blocked from time to time; I will add an exception, per https://wikitech.wikimedia.org/wiki/Robot_policy#What_to_do_if_these_limits_are_too_strict_for_me?, using the IPs that you just provided.

In case you want to be able to automatically update the IPs, you will need to implement the actions outlined here: https://wikitech.wikimedia.org/wiki/Bot_traffic#How_to_ensure_your_bot_is_identified

Joe claimed this task.
Joe triaged this task as High priority.

Exception added. I allowed a generous amount of requests; please let us know if you still run into problems.

@Joe checking my Sentry logs, I see we're still getting 429 for some types of queries, including Commons API queries and fetching page content (but not the OAuth login flow). Are there requests we're still making that don't meet the UA policy requirement? (We have several different libraries involved for requests, and I think I addressed these ones, which go through the mediawiki_api Ruby gem, but it's possible that I missed something.)

Hi, I still see a lot of requests from your IPs with user-agent Faraday v2.14.0.

These are calls to //w/api.php, /w/api.php, /w/index.php in most cases. If these requests are not authenticated with OAuth2 or with a proper login session, they will be rate-limited.
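An added example, not part of the thread or of the Dashboard's code: a Ruby audit over outbound-request records that reports which request paths still go out with a library-default User-Agent such as the `Faraday v2.14.0` string mentioned above. The tab-separated record format, the sample records, and both regular expressions are assumptions made for illustration; the "identifying" pattern is a heuristic modelled on the UA string quoted in the thread, not the rule the rate limiter applies.

```ruby
# Added example: audit outbound-request records for library-default User-Agents.
# SAMPLE_LOG is constructed; the "path<TAB>user-agent" format is an assumption.

# Library defaults that name the HTTP client, not the operator (heuristic list).
# An empty User-Agent is treated the same way.
GENERIC_UA = %r{\A(Faraday v[\d.]+|Ruby|python-requests/[\d.]+|curl/[\d.]+|Go-http-client/[\d.]+)?\z}i

# Heuristic for "<client>/<version> (<contact>)" where the contact part holds
# an e-mail address or a host name.
IDENTIFYING_UA = %r{\A[^/()]+/\S+ \((?=[^)]*(?:@|\w\.\w))[^)]+\)}

# Classify one User-Agent string as :generic, :identifying or :unclear.
def classify_ua(ua)
  ua = ua.to_s.strip
  return :generic if GENERIC_UA.match?(ua)
  return :identifying if IDENTIFYING_UA.match?(ua)
  :unclear
end

# Returns { path => count } for requests whose User-Agent is not identifying,
# so the code path that still uses a default client can be located.
def offending_paths(log)
  log.each_line.with_object(Hash.new(0)) do |line, counts|
    path, ua = line.chomp.split("\t", 2)
    next if path.nil? || path.empty?
    counts[path] += 1 unless classify_ua(ua) == :identifying
  end
end

# Constructed sample records, one request per line.
SAMPLE_LOG = <<~LOG
  /w/index.php\tWiki Education Dashboard/1.0 (dashboard.wikiedu.org; sage@wikiedu.org)
  /w/api.php\tFaraday v2.14.0
  //w/api.php\tFaraday v2.14.0
  /w/api.php\tFaraday v2.14.0
  /w/index.php\t
LOG

offending_paths(SAMPLE_LOG).each { |path, n| puts "#{n}\t#{path}" }
```

Running the same check in a test suite against every HTTP client the application constructs catches a newly added library before its default User-Agent reaches production traffic.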