Closed (txau closed this 3 months ago)
The issue is that the backend is "successfully" logging in with an empty password, and by that I mean it returns a 200.

The login process returns a `false` but not an error, so after that passport (the auth library) serializes a non-existing user, and every subsequent request goes through passport again to recover the user here:
https://github.com/huridocs/uwazi/blob/fcd81957f2a2f34367ceb01ec7651144f01b3e1c/app/api/auth/passport_conf.js#L29-L41

This calls `users.getById` with an `undefined` id, and that's when Mongo throws the error because `undefined` is not a valid ObjectId.

I think the critical solution should be not to allow login with those credentials.
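The failure chain described in the comment above, as an added self-contained model (not Uwazi's or passport's actual code): a verifier that signals "no match" with `false`, a login handler that only treats thrown errors as failure, and a deserialize step that hands the session id straight to a Mongo-style lookup. The user store, the ids and the 24-hex-character ObjectId check are constructed for the example; the hardened variants show the two places a fix belongs (rejecting empty credentials at login, and refusing to look up a malformed session id).

```javascript
// Added example: a self-contained model of the login / deserialize flow
// described in the comment above. It is NOT Uwazi's or passport's code; the
// user store, ids and the 24-hex-char ObjectId check are constructed here.

// Constructed sample user store (placeholder id in ObjectId hex format).
const USERS = [
  { _id: '5f1d7a2b9c4e8d3a1b2c3d4e', username: 'alice', password: 'correct-horse' },
];

// Canonical ObjectId string form: 24 hexadecimal characters.
const OBJECT_ID_RE = /^[0-9a-fA-F]{24}$/;

// Models users.getById backed by Mongo: an id that cannot be cast to an
// ObjectId throws instead of returning "not found".
function getById(id) {
  if (typeof id !== 'string' || !OBJECT_ID_RE.test(id)) {
    throw new Error(`invalid ObjectId: ${String(id)}`);
  }
  return USERS.find((u) => u._id === id) || null;
}

// Credential check that signals "no match" with `false` rather than an error.
function verifyCredentials(username, password) {
  const user = USERS.find((u) => u.username === username && u.password === password);
  return user || false;
}

// WEAK login (the reported behaviour, as modelled here): only a thrown error
// counts as failure, so a `false` result still yields a 200 and a session
// whose serialized user id is `false._id`, i.e. undefined.
function weakLogin(username, password) {
  let result;
  try {
    result = verifyCredentials(username, password);
  } catch (e) {
    return { status: 401, session: null };
  }
  return { status: 200, session: { userId: result._id } };
}

// WEAK deserialize: passes whatever is in the session straight to the DB.
// With userId undefined every later request throws here, which is why the
// user stays broken until the cookie is cleared.
function weakDeserialize(session) {
  return getById(session.userId);
}

// HARDENED login: reject empty or non-string credentials before any lookup,
// and treat `false` from the verifier as a failed login.
function hardenedLogin(username, password) {
  if (typeof username !== 'string' || typeof password !== 'string' ||
      username.length === 0 || password.length === 0) {
    return { status: 401, session: null };
  }
  const user = verifyCredentials(username, password);
  if (!user) return { status: 401, session: null };
  return { status: 200, session: { userId: user._id } };
}

// HARDENED deserialize: a session without a well-formed id is treated as
// "not logged in" (null) instead of reaching the driver and throwing.
function hardenedDeserialize(session) {
  const id = session && session.userId;
  if (typeof id !== 'string' || !OBJECT_ID_RE.test(id)) return null;
  return getById(id);
}

// Runs a login followed by one authenticated request and reports the outcome.
function simulate(loginFn, deserializeFn, username, password) {
  const res = loginFn(username, password);
  if (res.status !== 200) return { status: res.status, user: null, error: null };
  try {
    return { status: 200, user: deserializeFn(res.session), error: null };
  } catch (e) {
    return { status: 200, user: null, error: e.message };
  }
}

// Stand-alone demonstration.
console.log('weak, empty password    :', simulate(weakLogin, weakDeserialize, 'alice', ''));
console.log('hardened, empty password:', simulate(hardenedLogin, hardenedDeserialize, 'alice', ''));
console.log('hardened, valid login   :', simulate(hardenedLogin, hardenedDeserialize, 'alice', 'correct-horse'));
```

The two fixes are independent on purpose: rejecting blank credentials stops the bad session from being created, while validating the id in deserialize means an already-poisoned cookie degrades to "logged out" rather than an error on every request.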
Attempting to log in to Uwazi with a blank password AND hitting the enter key (not hitting the login button with the mouse) will brick the instance for that particular user due to something related to the cookie. It will display this error:

And attempting to reload the instance will show how it is bricked.

Clearing the cookies for this instance will resolve the problem.