RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

SecretUrl Parameter not working on users.register endpoint #26622

Open pranavambre opened 2 years ago

pranavambre commented 2 years ago

Description:

SecretUrl Parameter not working on users.register endpoint.

  1. When we try to pass SecretUrl as a part of the users.register endpoint body, it throws an error message saying "must NOT have additional properties [invalid-params]".

Steps to reproduce:

  1. Send a request with SecretUrl parameter on endpoint '/api/v1/users.register'

Expected behavior:

Screenshot 2022-08-19 at 6 52 24 PM

Actual behavior:

Screenshot 2022-08-19 at 5 15 25 PM

Client Setup Information

urmamb commented 1 year ago

I am also facing the same issue. Will it ever be solved?

Deployment
Version: 6.2.2
Apps Engine Version: 1.39.1
Node Version: v14.21.2
Database Migration: 294 (May 20, 2023 7:18 AM)
MongoDB: 5.0.15 / wiredTiger (oplog Enabled)
Commit Details: HEAD: (d2f54e5b8); Branch: HEAD
PID: 19028

julowe commented 1 year ago

Hmm, still broken for me.

Deployment
Version: 6.2.5
Apps Engine Version: 1.39.1
Node Version: v14.21.3
Database Migration: 294 (June 14, 2023 1:09 PM)
MongoDB: 4.4.15 / wiredTiger (oplog Enabled)
Commit Details: HEAD: (8f9668897); Branch: HEAD

With the registration form disabled, I send this command:

curl -H "Content-type:application/json" https://words.servername.tld:443/api/v1/users.register -d '{"name": "test6", "email": "test6@test.com", "pass": "aPassword", "username": "test6"}'

I get the expected error message of

{"success":false,"error":"User registration is disabled [error-user-registration-disabled]","errorType":"error-user-registration-disabled","details":{"method":"registerUser"}}

After I change the registration form to secreturl and send the same command (expecting failure), I do indeed get a failure message of:

{"success":false,"error":"User registration is only allowed via Secret URL [error-user-registration-secret]","errorType":"error-user-registration-secret","details":{"method":"registerUser"}}

However, when I add secreturl as per the manual, sending this command:

curl -H "Content-type:application/json" https://words.servername.tld:443/api/v1/users.register -d '{"name": "test6", "email": "test6@test.com", "pass": "aPassword", "username": "test6", "secretURL": "stringIcopiedFromDashboardAndAlsoBrowserAfterTestingTheFullURL"}'

I get the same error message as above posters:

{"success":false,"error":"must NOT have additional properties [invalid-params]","errorType":"invalid-params"}

And yeah, I checked a few times that the secretURL string is the same. I copied it directly from the dashboard and it failed. Then I also used the string to create a URL for a browser (e.g. https://words.servername.tld/register/secretURLstring) and it worked, and then copying just that secretURLstring part of the URL from the browser bar into the curl command also failed (and was the same)...

Using Ubuntu 22.04.03, curl -V gives:

curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.16
Release-Date: 2022-01-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd

Please let me know if you need any other information to help troubleshoot this.
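
One way the three responses in the comment above can arise, as an added example that is not part of the thread and not Rocket.Chat's code: a strict body schema that rejects unlisted properties runs before the registration-policy check, so a `secretURL` field missing from the schema never reaches the secret comparison. The schema contents, function names, stage order and secret value are assumptions; only the mode names, field names and `errorType` strings come from the thread.

```javascript
// Model only: schema contents, names and stage order are assumptions,
// not taken from the Rocket.Chat source.
const SECRET = "constructed-secret"; // constructed sample value

// Strict body schemas: any property not listed is rejected,
// which is what "must NOT have additional properties" reports.
const schemaWithoutSecret = ["name", "email", "pass", "username"];
const schemaWithSecret = [...schemaWithoutSecret, "secretURL"];

// Stage 1: schema validation, runs before any registration logic.
function validateBody(body, allowed) {
  const extra = Object.keys(body).filter((key) => !allowed.includes(key));
  if (extra.length === 0) return null;
  return { success: false, errorType: "invalid-params", extra };
}

// Stage 2: registration policy, using the mode names from the thread.
// A plain comparison is enough for this model of the control flow.
function checkPolicy(body, mode) {
  if (mode === "disabled") {
    return { success: false, errorType: "error-user-registration-disabled" };
  }
  if (mode === "secreturl" && body.secretURL !== SECRET) {
    return { success: false, errorType: "error-user-registration-secret" };
  }
  return { success: true };
}

// The first stage that objects decides the response.
function register(body, mode, allowed) {
  return validateBody(body, allowed) || checkPolicy(body, mode);
}

// Constructed request bodies mirroring the curl calls in the thread.
const base = { name: "test6", email: "test6@test.com", pass: "aPassword", username: "test6" };
const withSecret = { ...base, secretURL: SECRET };

const cases = [
  ["form disabled, no secret", register(base, "disabled", schemaWithoutSecret)],
  ["secreturl mode, no secret", register(base, "secreturl", schemaWithoutSecret)],
  ["secreturl mode, secret, schema lacks field", register(withSecret, "secreturl", schemaWithoutSecret)],
  ["secreturl mode, secret, schema lists field", register(withSecret, "secreturl", schemaWithSecret)],
];
for (const [label, res] of cases) {
  console.log(`${label} -> ${res.errorType || "success"}`);
}
```

In this model the correct secret is never evaluated in the third case, which is why the error changes from `error-user-registration-secret` to `invalid-params` instead of the request succeeding.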

alinmiron commented 1 year ago

I have the same problem as https://github.com/RocketChat/Rocket.Chat/issues/26622#issuecomment-1705822275