
fix!: api login should not suggest which credential is wrong #32086

Merged
merged 3 commits into from
Mar 28, 2024

Conversation

ggazzo
Member

@ggazzo ggazzo commented Mar 27, 2024

Proposed changes (including videos or screenshots)

Apparently at some point the `_runLoginHandlers` function became asynchronous, thwarting our efforts to obfuscate what the reason for the login rejection was.

Instead of returning `Incorrect Password`, it's going to return `Unauthorized`, as expected.


changeset-bot bot commented Mar 27, 2024

🦋 Changeset detected

Latest commit: a236e2a

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 32 packages
Name Type
@rocket.chat/meteor Major
@rocket.chat/core-typings Major
@rocket.chat/rest-typings Major
@rocket.chat/apps Patch
@rocket.chat/core-services Patch
@rocket.chat/cron Patch
@rocket.chat/gazzodown Major
@rocket.chat/livechat Patch
@rocket.chat/model-typings Patch
@rocket.chat/ui-contexts Major
@rocket.chat/account-service Patch
@rocket.chat/authorization-service Patch
@rocket.chat/ddp-streamer Patch
@rocket.chat/omnichannel-transcript Patch
@rocket.chat/presence-service Patch
@rocket.chat/queue-worker Patch
@rocket.chat/stream-hub-service Patch
@rocket.chat/api-client Patch
@rocket.chat/license Patch
@rocket.chat/omnichannel-services Patch
@rocket.chat/pdf-worker Patch
@rocket.chat/presence Patch
rocketchat-services Patch
@rocket.chat/ddp-client Patch
@rocket.chat/fuselage-ui-kit Major
@rocket.chat/models Patch
@rocket.chat/ui-avatar Major
@rocket.chat/ui-client Major
@rocket.chat/ui-video-conf Major
@rocket.chat/uikit-playground Patch
@rocket.chat/web-ui-registration Major
@rocket.chat/instance-status Patch


@ggazzo ggazzo added this to the 7.0 milestone Mar 27, 2024

codecov bot commented Mar 27, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 54.73%. Comparing base (5b7623d) to head (a236e2a).


@@             Coverage Diff             @@
##           develop   #32086      +/-   ##
===========================================
- Coverage    54.77%   54.73%   -0.05%     
===========================================
  Files         2298     2296       -2     
  Lines        50708    50704       -4     
  Branches     10374    10373       -1     
===========================================
- Hits         27775    27752      -23     
- Misses       20440    20463      +23     
+ Partials      2493     2489       -4     
Flag Coverage Δ
e2e 53.74% <ø> (-0.07%) ⬇️
e2e-api 40.05% <ø> (-0.02%) ⬇️
unit 75.81% <ø> (ø)


@ggazzo ggazzo changed the title fix!: api login should not suggest which credential is wrong fix: api login should not suggest which credential is wrong Mar 27, 2024
@ggazzo ggazzo marked this pull request as ready for review March 27, 2024 19:41
@ggazzo ggazzo requested review from a team as code owners March 27, 2024 19:41
Contributor

@KevLehman KevLehman left a comment

Do you think the change from Incorrect pass to Unauthorized could be viewed as a breaking change?

@ggazzo
Member Author

ggazzo commented Mar 27, 2024

> Do you think the change from Incorrect pass to Unauthorized could be viewed as a breaking change?

It could be, and we could discuss it for hours. There is no way to fix it without changing the payload, so there is no other way to patch it. So far it's planned to be released only in 7.0 (already a major).

So the discussion of whether or not it's a break is a bit subjective. For now, being released only in 7.0, it's a break. If someone decides to patch this, restoring the old behavior, then it's a regular patch; at least the changeset will not complain about it.

It is worth mentioning that this was once the default behavior, and it was unintentionally changed.

https://github.com/RocketChat/Rocket.Chat/pull/32086/files#diff-03734ecf6efce3500f90677eeab12dd40c5097e9625e08264048b3aa3922eab5L1

Look at the original file comment:

Do not disclose if user exists when password is invalid
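The two points raised in this thread, the handler chain turning asynchronous and the "do not disclose if user exists" rule, are illustrated below in an added example. This is not Rocket.Chat's code: the user store, the `passwordHandler`, the `serve` transport shim and the response shape are all constructed for illustration, and the "before" route shows one way an async handler chain defeats a catch written for synchronous code (a `return promise` inside `try` never triggers the `catch`).

```javascript
// Added example, not Rocket.Chat's code. Shows how an async login-handler chain can
// leak which credential was wrong, and a fix that collapses every failure to one
// generic "Unauthorized" reply. Everything here is constructed for illustration.

// Constructed user store (assumption: one known account, plaintext for brevity).
const USERS = new Map([['alice', { password: 'correct-horse' }]]);

// Hypothetical login handler in the style of a Meteor-like handler chain: returns
// undefined when the request is not for it, a result on success, and throws a
// reason-specific error on failure. Those messages are fine for server logs, not
// for the client.
async function passwordHandler({ user, password }) {
  if (user === undefined || password === undefined) return undefined;
  const record = USERS.get(user);
  if (!record) throw new Error('User not found');                          // reveals the user does not exist
  if (record.password !== password) throw new Error('Incorrect password'); // reveals the user does exist
  return { userId: user };
}

const LOGIN_HANDLERS = [passwordHandler];

// The chain is async now: the first handler that returns something wins.
async function runLoginHandlers(options) {
  for (const handler of LOGIN_HANDLERS) {
    const result = await handler(options);
    if (result !== undefined) return result;
  }
  throw new Error('No handler accepted the request');
}

// Simulated transport layer, like an HTTP error handler: it serialises whatever the
// route threw, so any reason-specific message that reaches it reaches the client.
async function serve(route, body) {
  try {
    return await route(body);
  } catch (err) {
    return { status: 'error', message: err.message };
  }
}

// BEFORE: written when the handler chain was synchronous. `return runLoginHandlers()`
// hands the promise straight back; a rejected promise is not a synchronous throw, so
// this catch is dead code and the handler's message travels to the client.
async function loginBefore(body) {
  try {
    return runLoginHandlers(body);
  } catch (err) {
    return { status: 'error', message: 'Unauthorized' };
  }
}

// AFTER: await inside the try so the rejection is actually caught, and map every
// failure to the same generic reply. Reason-specific detail stays server side.
async function loginAfter(body) {
  try {
    const result = await runLoginHandlers(body);
    return { status: 'success', data: result };
  } catch (err) {
    return { status: 'error', message: 'Unauthorized' };
  }
}

// The check a tester would run: does a wrong password for a real user produce a
// different body than any password for an unknown user? true means the endpoint
// can be used to enumerate accounts.
async function leaksUserExistence(route) {
  const unknownUser = await serve(route, { user: 'mallory', password: 'x' });
  const wrongPassword = await serve(route, { user: 'alice', password: 'x' });
  return JSON.stringify(unknownUser) !== JSON.stringify(wrongPassword);
}

async function demo() {
  return {
    before: await leaksUserExistence(loginBefore), // true
    after: await leaksUserExistence(loginAfter),   // false
    success: (await serve(loginAfter, { user: 'alice', password: 'correct-horse' })).status, // 'success'
  };
}

demo().then((r) => console.log(r));
```

A uniform message is necessary but not sufficient: if the unknown-user path returns before any password hashing happens, response timing still distinguishes the two cases, so a hardened endpoint also does equivalent work (for example a dummy hash comparison) when the user is absent.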

KevLehman
KevLehman previously approved these changes Mar 27, 2024
@ggazzo ggazzo changed the title fix: api login should not suggest which credential is wrong fix!: api login should not suggest which credential is wrong Mar 27, 2024
@dionisio-bot dionisio-bot bot added the `stat: ready to merge` (PR tested and approved, waiting for merge) label and removed the `stat: needs QA` label Mar 28, 2024
@ggazzo ggazzo merged commit 65324bc into develop Mar 28, 2024
47 checks passed
@ggazzo ggazzo deleted the fix/api-login branch March 28, 2024 18:29
gabriellsh added a commit that referenced this pull request Apr 4, 2024
* develop: (71 commits)
  fix: search room not reactive after room name changes (#32123)
  test: fix `should edit name of targetChannel` flaky test (#32121)
  fix: UI allowing to mark room as favorite despite room was not a `default` room (#32063)
  chore: Remove duplicated `ChannelDeletionTable` (#32114)
  test(livechat): fix Department flaky test (#32102)
  test(livechat): File upload settings (#32060)
  test: contact center after hook calling wrong endpoint (#32094)
  fix(livechat): registering guest multiple times cause message loss (#32069)
  test: allow csp for livechat tests (#32116)
  chore: Move portals to the portals folder (#32090)
  test: `InitialData.insertAdminUserFromEnv` (#32066)
  fix: `CSP` error right after `setInlineScriptsAllowed` (#32108)
  chore: Create/Edit room consistency (#31960)
  chore: Remove references to EE code from the app events (#31926)
  test(Livechat): Clean up after registerGuest() test (#32092)
  test: make presence api tests fully independent (#31782)
  test: make roles fully independent (#31783)
  chore: bump version to 7.0.0-develop
  test: make login api tests fully independent (#31786)
  fix!: api login should not suggest which credential is wrong (#32086)
  ...
ggazzo added a commit that referenced this pull request Apr 9, 2024
@ggazzo ggazzo restored the fix/api-login branch April 9, 2024 16:43
@ggazzo ggazzo deleted the fix/api-login branch April 9, 2024 16:47
Labels
stat: QA skipped; stat: ready to merge (PR tested and approved, waiting for merge)