Closed nooblag closed 1 year ago
I am trying to work on this issue, any suggestions on where to begin with?
I have no idea sorry, I'm not a developer, just reporting the bug
After reproducing (without 2FA), this is what I figured out; let's use the enumeration to refer to these checks:
If both of the cases are false, then the server thinks that the user is blocked.
Thus we have some problems:
Clearly something is broken here... Also, forum post about this issue too: https://forums.rocket.chat/t/how-to-unblock-blocked-user/9800 Though they said they are having the same problem regardless of 2FA.
I think some of the issues I explained were the problem faced on the forum.
Now, reproducing with TOTP:
I think that the problem is simply the block moment not being stored anywhere in the database.
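The lockout behaviour the comment above reasons about, written out as an added example (this is illustrative code, not Rocket.Chat's implementation). It models a failed-login store in two variants: one that only counts failures, so a block can never expire, and one that also records the block moment and clears the block once a configured unblock window has passed. The attempt limit of 5, the 5-minute unblock window, the in-memory `Map` standing in for a database collection, and the user name `alice` are all assumptions made for the example.

```javascript
// Added example, not Rocket.Chat code: a minimal failed-login lockout store
// that records *when* a block started so the block can expire on its own.

const POLICY = {
  maxAttemptsByUser: 5,               // assumed limit (the report mentions 5 failures in a row)
  unblockUserAfterMs: 5 * 60 * 1000,  // assumed unblock window of 5 minutes
};

// In-memory stand-in for a database collection of login attempts keyed by username.
function createAttemptStore() {
  return new Map();
}

// Record one failed login; once the limit is reached, store the block moment.
function recordFailure(store, username, now = Date.now()) {
  const rec = store.get(username) || { failures: 0, blockedAt: null };
  rec.failures += 1;
  if (rec.failures >= POLICY.maxAttemptsByUser && rec.blockedAt === null) {
    rec.blockedAt = now; // the "block moment" the comment says is never persisted
  }
  store.set(username, rec);
  return rec;
}

// A successful login resets the counter for that user.
function recordSuccess(store, username) {
  store.delete(username);
}

// Buggy variant: only the counter is consulted, so the block never expires
// (matches the report of a user still locked out more than 24 hours later).
function isBlockedWithoutTimestamp(store, username) {
  const rec = store.get(username);
  return Boolean(rec) && rec.failures >= POLICY.maxAttemptsByUser;
}

// Fixed variant: the block lapses once the unblock window has elapsed since blockedAt.
function isBlocked(store, username, now = Date.now()) {
  const rec = store.get(username);
  if (!rec || rec.blockedAt === null) return false;
  if (now - rec.blockedAt >= POLICY.unblockUserAfterMs) {
    store.delete(username); // window elapsed: clear the counter so the user can retry
    return false;
  }
  return true;
}

// Explicit administrative unblock, so an admin does not have to flip unrelated
// account switches (email verified, 2FA) to release a locked user.
function adminUnblock(store, username) {
  return store.delete(username);
}

// Log line that always carries the submitted identifier and client address,
// whether the user typed a username or an email address.
function failedLoginLogLine(identifier, clientAddress) {
  const kind = identifier.includes('@') ? 'Email' : 'Username';
  return `Failed login detected - ${kind}[${identifier}] ClientAddress[${clientAddress ?? 'null'}]`;
}

// Scenario from the report (constructed timestamps): five failures, then a
// login attempt roughly a day later, checked with both variants.
function simulateReport() {
  const store = createAttemptStore();
  const t0 = Date.parse('2021-06-01T10:00:00Z');
  for (let i = 0; i < POLICY.maxAttemptsByUser; i++) {
    recordFailure(store, 'alice', t0 + i * 1000);
  }
  const nextDay = t0 + 25 * 60 * 60 * 1000;
  return {
    blockedRightAfter: isBlocked(store, 'alice', t0 + 5000),
    stillBlockedNextDayBuggy: isBlockedWithoutTimestamp(store, 'alice'),
    stillBlockedNextDayFixed: isBlocked(store, 'alice', nextDay),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(simulateReport());
  console.log(failedLoginLogLine('alice@example.test', '198.51.100.7'));
}
```

The point of the two variants is that a counter alone cannot tell "blocked now" from "blocked at some point in the past": without a stored timestamp there is nothing to compare the unblock window against, so the only way out is an explicit reset, which is exactly the situation the thread describes.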
Has this been fixed I wonder?
Hello,
we are experiencing the issue on our instance of Rocket.chat version 3.14.4. The scenario was exactly the same as @nooblag described: user had 2FA enabled, failed to authenticate 5 times in a row, and got locked up. However, the resolution was different, because disabling 2FA-TOTP and the "Email verified" switch did not solve the issue, no more than disabling 2FA-email (with a MongoDB query, since it is inexplicably not possible within the UI).
For the user to be able to log in again, we had to disable the three switches in the Accounts > Failed Login Attempts section (effectively disabling the anti-bruteforce mechanism for our whole instance), ask the user to authenticate, and then re-enable the three switches. Since 2FA was disabled for the user during our previous tests, it may have had a role in the resolution. However, we had already re-enabled the "Email verified" switch, so the user was able to authenticate even though his email address was marked as verified: it really was disabling the anti-bruteforce mechanism that worked for us.
Additionally, when monitoring the user attempts using the console available in the Admin UI to see which errors were logged, neither the user login information nor the IP address was reported. Here is what we saw:
Failed login detected - Username[unknown] ClientAddress[null]
The user was using his email address to authenticate. We began seeing detailed data in the logs when the user was instructed to input his username instead. It doesn't really make sense to me that whatever the user submitted as login is not displayed within the logs (to some extent... with security mechanisms to prevent XSS or anything like that), but it probably is another issue.
Anyway, this blocking issue was first reported 6 months ago by another user on the Rocket.chat forum, and @renancleyson-dev has done a great job of looking through the source code and potentially identifying the root cause. I think it may be time that the devs look into the issue and fix it, or at least officially acknowledge the issue and add it to the next development phase? Pinging at random (well, based on the top contributors): @rodrigok, @sampaiodiego, @engelgabriel. Thank you guys, and good luck.
While you're at it, would it be possible to:
Closing, as gave up on Rocket Chat many years ago.
Description:
I'm an administrator on a Rocket Chat instance and got a user report that they were locked out of their account because they forgot their password and had failed login attempts. I was able to reset the password as admin some time later (hours later after they reported it) but even the next day (more than 24hrs later) and after a reboot of the Rocket Chat server the user reported being still locked out of their account. They were also on another IP address by that time (and after trying on multiple devices). I checked the settings in Administration -> Accounts -> Failed Login Attempts and they are as follows:
So I then tried clicking on the user account in Administration -> Users and clicked "Reset TOTP" and also clicked "Deactivate" and waited a moment, then "Activate" to re-enable the account. Neither worked.
The only way the user was able to get back into their account was for me to toggle the "verify" button next to their email address so it became unverified. The user then was able to login successfully, change their password, and reverify their email address.
Clearly something is broken here... Also, forum post about this issue too: https://forums.rocket.chat/t/how-to-unblock-blocked-user/9800 Though they said they are having the same problem regardless of 2FA.
Our 2FA settings are these:
Steps to reproduce:
Expected behavior:
Actual behavior:
User account remained locked until email address was switched to "unverified".
Server Setup Information:
Client Setup Information:
Additional context:
Forum post about this issue: https://forums.rocket.chat/t/how-to-unblock-blocked-user/9800
Relevant logs:
These logs after the server has been reset and more than 24hrs after first report of account locking: