huridocs / uwazi

Uwazi is a web-based, open-source solution for building and sharing document collections
http://www.uwazi.io
MIT License
237 stars, 79 forks

Login + blank password + hitting enter bricks the instance for that particular user #6860

Closed. txau closed this 3 months ago

txau commented 3 months ago

Attempting to log in to Uwazi with a blank password AND hitting the enter key (not hitting the login button with the mouse) will brick the instance for that particular user due to something related to the cookie. It will display this error:

[screenshot of the error]

And attempting to reload the instance will show how it is bricked.

[screenshot]

Clearing the cookies for this instance will resolve the problem.

konzz commented 3 months ago

The issue is that the backend is "successfully" logging in with an empty password, and by that I mean it returns a 200.

[two screenshots, 2024-06-05]

The login process returns false but not an error, so after that passport (the auth library) serializes a non-existent user, and every subsequent request goes through passport again to recover the user here: https://github.com/huridocs/uwazi/blob/fcd81957f2a2f34367ceb01ec7651144f01b3e1c/app/api/auth/passport_conf.js#L29-L41

This calls users.getById with an undefined id, and that's when Mongo throws the error because undefined is not a valid ObjectId.

I think the critical solution should be not to allow login with those credentials.