[INVESTIGATE] Rocket.Chat iOS client accepting blank password field

[xxxdebug]

Description:

We use RocketChat with our AD servers for LDAP authentication. But we experience some strange behaviour on iOS devices as our users can authenticate without giving a password (read: empty field).

As far as we can see the Android, Windows and webclient do work as expected, seems like the iOS device has no check whether the authentication is correct.

We have got anonymous binding only open for RootDSE as designed and adviced by Microsoft (microsoft.png). When connecting to the OU of the users they're in this is absolutely not possible with anonymous binding.

---

Server Setup Information:

• Version of Rocket.Chat Server: 0.64.1
• Version of Rocket.Chat iOS client: 2.2.0
• Operating System: linux 4.4.0-98-generic
• Deployment Method(snap/docker/tar/etc): snap
• Number of Running Instances: 1
• Node Version: v8.11.1

Steps to Reproduce:

1. Open the iOS app (step1.png)
2. Fill in the username && blank password field (step2.png)
3. Logged in without a password (step3.png)

Expected behavior:

I would expect the system to give an error that the users haven't entered their passwords and cannot login

Actual behavior:

The user is logged in on an iOS device, without entering a password

Relevant logs:

When I try to reproduce the LDAP query with my serviceaccount in AD (ldapsearch) and try to search and/or bind the user I cannot bind or search without entering a password in the particular OU, it is only accepting anonymous bindings on RootDSE. Probably the the iOS client is not checking this or whatsoever.

Also see ldapsearch1.png & ldapsearch2.png

[rafaelks]

@xxmoC Thanks for the investigation! Here's the API request we do on the app to authenticate the user:

curl "https://open.rocket.chat/api/v1/login" -H "Content-Type: application/json" -d '{"ldap": true, "username": "YOUR_USERNAME", "ldapPass": "YOUR_PASSWORD", "ldapOptions": []}'

Can you try with your values and an empty value for password and let me know the result? The iOS app would not be allowed to enter in the server if the API didn't provide us the token.

[xxxdebug]

With password:

$ curl "https://rocketchat.xxx.nl/api/v1/login" -H "Content-Type: application/json" -d '{"ldap": true, "username": "firstname.lastname@domain.com", "ldapPass": "Password", "ldapOptions": []}' % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 216 0 116 100 100 265 228 --:--:-- --:--:-- --:--:-- 494{"status":"success","data":{"userId":"xxxxxxxxx","authToken":"xxxxxxxx"}}

Without password:

$ curl "https://rocketchat.xxx.nl/api/v1/login" -H "Content-Type: application/json" -d '{"ldap": true, "username": "firstname.lastname@domain.com", "ldapPass": "", "ldapOptions": []}' % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 223 0 136 100 87 108 69 0:00:01 0:00:01 --:--:-- 178{"status":"error","error":"LDAP-login-error","message":"LDAP Authentication failed with (2) provided username [firstname.lastname@domain.com]"}

So strange right, seems to be working correctly through the API 👍

Any other ways of troubleshooting this?

[rafaelks]

@xxmoC Please, contact me at rafael.kellermann in https://open.rocket.chat. 👍

[xxxdebug]

I'll drop a message @rafaelks

[VareliyK]

epic fail (((

[VareliyK]

Client Version 2.4.1 (176) - the same problem

[rafaelks]

@xxmoC @VareliyK We already discussed the problem... the API is returning the login token even when the password is empty. I asked @xxmoC to open an issue, did you open? Thanks!

[xxxdebug]

Jep, here: RocketChat/Rocket.Chat#11017. I'll close this one down.

[VareliyK]

@xxmoC why did you close this issue for iOS ?

[rafaelks]

@VareliyK The issue is on the API: https://github.com/RocketChat/Rocket.Chat#11017

[VareliyK]

@rafaelks thank's