During the IP masking rollout to Wikimedia wikis, some pilot wikis will have IP masking enabled while other wikis won't. We want pilot wikis to share the same account and login state, so we need to centrally log the user in. But if we want the user to act as a normal anonymous user on non-pilot wikis, we need to somehow suppress central login state there.
Desired behavior
We want to restrict temporary accounts only to wikis that have IP Masking enabled.
Say wiki A has IP Masking enabled and wiki B does not. Alice first edits on wiki A (that is, she creates a temporary account on wiki A). Her actions on wiki A will be attributed to the temporary account. Then she wanders off to wiki B and edits there. Since wiki B does not have IP Masking enabled, it should appear as if Alice edited with her IP address there (status quo).
We don't want the community on wiki B to get the impression that we have enabled IP Masking there without their approval. Neither should we be showing them temporary accounts without giving them tools to handle those accounts correctly. This should, hopefully, make for a smoother transition process on the whole.
Plan:
On non-pilot wikis, the temp user prefix will be reserved with $wgAutoCreateTempUser['reservedPattern'], so it will not be possible to manually create a local account which has the same name as a global temp user. This seems prudent and was a design assumption for T307064 which introduced reservedPattern.
Make UserNameUtils::isUsable() return false if isTempReserved() is true but isTemp() is false. So temp user reservations will be analogous to $wgReservedUsernames.
Thus CentralAuthSessionProvider and CentralAuthTokenSessionProvider will reject the global session due to isUsable() returning false.
In AuthManager::autoCreateUser(), where it says that we switched from isCreatable() to isValid() to support temp users, this will be changed again to instead call isUsable(). So auto-creation will be denied for foreign temp users on non-pilot wikis when it is requested by Special:CentralAutoLogin, ApiCreateLocalAccount, etc.
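A stand-alone PHP model of the rule in the plan above, added here as an illustration and not MediaWiki or CentralAuth code. The class name TempNameModel, the '~$1' pattern value and the sample user names are assumptions made for the example, and it models only the temp-name part of isUsable(). It shows the same global temp name being usable on a pilot wiki and rejected on a non-pilot wiki that only reserves the pattern.

```php
<?php
// Stand-alone model of the proposed rule; not MediaWiki's UserNameUtils.
// It reads three $wgAutoCreateTempUser-style keys: enabled, matchPattern,
// reservedPattern. The '~$1' pattern and the user names are constructed samples.
final class TempNameModel {
    private bool $enabled;
    private ?string $match;
    private ?string $reserved;

    public function __construct(array $cfg) {
        $this->enabled = $cfg['enabled'] ?? false;
        $this->match = isset($cfg['matchPattern']) ? self::toRegex($cfg['matchPattern']) : null;
        $this->reserved = isset($cfg['reservedPattern']) ? self::toRegex($cfg['reservedPattern']) : null;
    }

    // Quote the literal parts and let the "$1" placeholder match any serial.
    private static function toRegex(string $pattern): string {
        $parts = explode('$1', $pattern, 2);
        return '/^' . preg_quote($parts[0], '/') . '.+' . preg_quote($parts[1] ?? '', '/') . '$/';
    }

    // A temp name only where temp accounts are enabled on this wiki.
    public function isTemp(string $name): bool {
        return $this->enabled && $this->match !== null && preg_match($this->match, $name) === 1;
    }

    // Reserved: a local temp name, or a name matching reservedPattern.
    public function isTempReserved(string $name): bool {
        return $this->isTemp($name)
            || ($this->reserved !== null && preg_match($this->reserved, $name) === 1);
    }

    // The plan's rule: reserved but not a local temp name means not usable,
    // so a session provider or auto-creation gated on this rejects the name.
    public function isUsable(string $name): bool {
        return !($this->isTempReserved($name) && !$this->isTemp($name));
    }
}

$wikis = [
    'pilot'     => new TempNameModel(['enabled' => true, 'matchPattern' => '~$1']),
    'non-pilot' => new TempNameModel(['enabled' => false, 'reservedPattern' => '~$1']),
];
foreach ($wikis as $label => $wiki) {
    foreach (['~2024-17', 'Alice'] as $name) {
        printf("%-9s %-9s isTemp=%d reserved=%d usable=%d\n", $label, $name,
            $wiki->isTemp($name), $wiki->isTempReserved($name), $wiki->isUsable($name));
    }
}
```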
Test plan:
Set up CentralAuth with two pilot wikis and one non-pilot wiki with reservedPattern as described above.
Set up $wgForeignUploadTargets and use it to perform a foreign upload as a new normal user.
Create a temp user on the first pilot wiki.
Verify that it is not possible to act as the temp user on the non-pilot wiki using mw.ForeignApi, by attempting a foreign upload.
Visit the non-pilot wiki and confirm that the global session was rejected.
Verify that ApiCreateLocalAccount fails. Use debug logs to verify that the new logic in AuthManager::autoCreateUser() was reached.
Return to the pilot wiki and confirm that the temp user session is still valid.
Visit the second pilot wiki and confirm that auto-creation still works for central temp users.