problem with local users (both usermanagement variants are active - local / OIDC)
-
App Title and Version: Rocket.Chat 7.7.1
Package Version: chat.rocket.cloudronapp@2.70.1
Installed At: 03/17/2020
A customer reports a problem with a local user. He can no longer log in. Changing the password does not help.
I have tried this on an instance on which I have admin rights. This instance is configured to use OIDC and local user management. So I created a local user. The activation mail works. The moment the dummy/test user has clicked on the link in “Your temporary password ...”, it is possible to “log in”. “Log in” means: The next step in the workflow is “Change password”.
Password change is not allowed!
Curiosity: The admin view in the user administration shows “Pending” before clicking on the activation mail. After clicking, the status changes to “Active”.
Question: is there a hidden switch that we need to configure to have both variants of user management?
-
luckow marked this topic as a question
-
The issue was reproduced somewhat.
A fresh RocketChat installation with user management left to Cloudron, so OIDC is working.
Creating a new manual User.
The User gets the mail and the temporary password.
When logging in with the temporary password, you get the “Reset password” view.
Setting the password to anything and pressing “Reset” looks like it does nothing.
But the browser console and network inspector reveal it all.
When pressing “Reset”, a POST is sent to /api/v1/method.call/setUserPassword with the data:
{ "message": "{\"msg\":\"method\",\"id\":\"16\",\"method\":\"setUserPassword\",\"params\":[\"PLACEHOLDER\"]}" }
The response is status code 200 and data:
{ "message": "{\"msg\":\"result\",\"id\":\"16\",\"result\":{\"acknowledged\":true,\"modifiedCount\":1,\"upsertedId\":null,\"upsertedCount\":0,\"matchedCount\":1}}", "success": true }
So the password was updated.
When you now press “Reset” again, you get the “Not allowed” view.
A simple tab reload reveals that I was logged in and could work as the new user.
Also, the password was changed correctly, which I confirmed in a new browser session.
Could you please retry with what I've written in mind and report if you truly can't work with that user after pressing “Reset” and reloading the tab?
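An added example, not part of the original post and not Rocket.Chat code: it decodes the doubly encoded request/response pair captured in the post above and decides from the traffic alone whether the call changed a record. The function names `unwrap` and `assessMethodCall` are hypothetical, and the handling of an `error` member in a failed reply is an assumption.

```javascript
// Bodies copied from the capture quoted in the post above.
const capturedRequest = String.raw`{ "message": "{\"msg\":\"method\",\"id\":\"16\",\"method\":\"setUserPassword\",\"params\":[\"PLACEHOLDER\"]}" }`;
const capturedResponse = String.raw`{ "message": "{\"msg\":\"result\",\"id\":\"16\",\"result\":{\"acknowledged\":true,\"modifiedCount\":1,\"upsertedId\":null,\"upsertedCount\":0,\"matchedCount\":1}}", "success": true }`;

// The HTTP body is JSON whose "message" field is itself a JSON string,
// so the envelope has to be parsed twice.
function unwrap(body) {
  const outer = JSON.parse(body);
  if (typeof outer.message !== "string") {
    throw new Error("no 'message' string in body");
  }
  return { outer, inner: JSON.parse(outer.message) };
}

// Decide from the traffic alone whether the method call changed a record.
function assessMethodCall(requestBody, responseBody) {
  const req = unwrap(requestBody).inner;
  const { outer, inner: res } = unwrap(responseBody);
  const verdict = { method: req.method, id: req.id, applied: false, reason: "" };

  if (res.id !== req.id) {
    verdict.reason = "response id does not match request id";
  } else if (outer.success !== true) {
    verdict.reason = "outer success flag is not true";
  } else if (res.msg !== "result" || res.error !== undefined) {
    // Assumption: a failed call carries an "error" member instead of "result".
    verdict.reason = "server returned an error instead of a result";
  } else if (!res.result || res.result.acknowledged !== true) {
    verdict.reason = "write was not acknowledged";
  } else if (res.result.matchedCount !== 1 || res.result.modifiedCount !== 1) {
    verdict.reason = "no single user record was modified";
  } else {
    verdict.applied = true;
    verdict.reason = "one record matched and modified";
  }
  return verdict;
}

console.log(assessMethodCall(capturedRequest, capturedResponse));
```

The `params` entry is shown as PLACEHOLDER in the post; in a real capture that position holds the submitted value, so redact it before sharing the request body.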
-
You are right. It's far from intuitive, but it works.
-
luckow has marked this topic as solved
-
It's not about the credits, but that “open source” works like this
I will post this upstream.