Open haael opened 3 years ago
First of all:
> even when the client violates protocol.

We can't guarantee that things work well if the user violates the specification...
ad rem: could you share more details?
1) which exact tigase-server version do you use?
2) is it your deployment or some public server?
3) could you share complete configuration file (obfuscated)?
4) do you receive any error during registration?
5) what do you mean by "inconsistent state"?
- We can't guarantee that things work well if user violates the specification...
The server still has to return the right error code and maintain the database in the right state.
- which exact tigase-server version do you use?
8.0.0
- is it your deployment or some public server?
My private deployment.
- could you share complete configuration file (obfuscated)?
```
admins = [
    'admin@localhost'
]
'config-type' = 'default'
debug = [ 'server' ]
'default-virtual-host' = 'localhost'
dataSource () {
    default () {
        uri = 'jdbc:postgresql://localhost/tigase?user=tigase&password=2938hkjd230scvsd&useSSL=false&autoCreateUser=true'
    }
}
'ext-man' () {}
http () {}
pubsub () {
    trusted = [ 'http@{clusterNode}' ]
}
s2s (active: false) {}
'sess-man' () {
    'presence-offline' () {}
}
socks5 () {}
upload () {}
```
I also tried the database URL without `autoCreateUser=true`.
- do you receive any error during registration?
Without the `autoCreateUser=true` option:
```
2021-03-22 13:11:36.167 [jabber:iq:register Queue Worker 1] RepositoryAccess.setRegistration() WARNING: Problem accessing reposiotry:
tigase.db.UserNotFoundException: User does not exist: ziom_3@localnet
        at tigase.db.jdbc.JDBCRepository.getUserUID(JDBCRepository.java:1174)
        at tigase.db.jdbc.JDBCRepository.setData(JDBCRepository.java:587)
        at tigase.db.jdbc.JDBCRepository.setData(JDBCRepository.java:637)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at tigase.stats.StatisticsInvocationHandler.invoke(StatisticsInvocationHandler.java:75)
        at com.sun.proxy.$Proxy35.setData(Unknown Source)
        at tigase.db.UserRepositoryMDImpl.setData(UserRepositoryMDImpl.java:320)
        at tigase.xmpp.RepositoryAccess.setRegistration(RepositoryAccess.java:721)
        at tigase.xmpp.impl.JabberIqRegister.doRegisterNewAccount(JabberIqRegister.java:686)
        at tigase.xmpp.impl.JabberIqRegister.process(JabberIqRegister.java:339)
        at tigase.server.xmppsession.SessionManager$ProcessorWorkerThread.process(SessionManager.java:2587)
        at tigase.util.processing.WorkerThread.run(WorkerThread.java:68)
```
- what do you mean by "inconsistent state"?
If I add the `autoCreateUser=true` option:
Upon the first attempt of registration there is a user entry created in the table `tig_users`, but no corresponding password entry in the table `tig_user_credentials`.
After the second registration attempt the credentials get created, probably because it is interpreted as a password change request.
After user unregistration the entries from `tig_user_credentials` are deleted, but the entry in `tig_users` stays there. Consequently, another attempt at registration works, because it is interpreted as a password change.
I believe the problem lies in the check `session.isAuthorized()`, because it returns `true` even when the password check failed.
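The half-registered state described in the comment above (a `tig_users` row with no matching `tig_user_credentials` row, and the opposite orphan) can be found with a join between the two tables. The script below is an added example, not Tigase's or the reporter's code: it runs the audit offline against constructed rows in SQLite. The column names are an assumption modelled on the Tigase 8 schema (`tig_users` keyed by `uid`, credentials in `tig_user_credentials` referencing that `uid`); check them against your deployed schema before running the queries on a real PostgreSQL database.

```python
"""Audit Tigase's user tables for accounts that exist but cannot authenticate.

Added example, not Tigase code. The table layout is an assumption that follows
the Tigase 8 schema (tig_users keyed by uid, tig_user_credentials referencing
that uid); verify the column names against your own schema. SQLite stands in
for PostgreSQL so the audit runs offline on constructed rows.
"""
import sqlite3

# Assumed column names (verify against the deployed schema).
SCHEMA = """
CREATE TABLE tig_users (
    uid     INTEGER PRIMARY KEY,
    user_id TEXT NOT NULL UNIQUE
);
CREATE TABLE tig_user_credentials (
    uid       INTEGER NOT NULL,
    username  TEXT NOT NULL,
    mechanism TEXT NOT NULL,
    value     TEXT NOT NULL
);
"""

# Users with no credential row: the state reported after the first
# registration attempt and again after unregistration.
USERS_WITHOUT_CREDENTIALS = """
SELECT u.uid, u.user_id
FROM tig_users AS u
LEFT JOIN tig_user_credentials AS c ON c.uid = u.uid
WHERE c.uid IS NULL
ORDER BY u.uid
"""

# Credentials whose user row is gone: the opposite orphan, worth checking too.
ORPHAN_CREDENTIALS = """
SELECT c.uid, c.username, c.mechanism
FROM tig_user_credentials AS c
LEFT JOIN tig_users AS u ON u.uid = c.uid
WHERE u.uid IS NULL
ORDER BY c.uid
"""


def audit(conn):
    """Return both kinds of inconsistency found in the connected database."""
    users = [row[1] for row in conn.execute(USERS_WITHOUT_CREDENTIALS)]
    orphans = [row[0] for row in conn.execute(ORPHAN_CREDENTIALS)]
    return {"users_without_credentials": users, "orphan_credentials": orphans}


def remove_half_registered(conn):
    """Delete tig_users rows that have no credentials, so that the next
    registration for that JID is treated as account creation rather than a
    password change. Returns the number of rows removed.

    On a real deployment prefer the server's own unregister/admin tooling:
    a direct DELETE skips the other per-user tables that reference uid.
    """
    cur = conn.execute(
        "DELETE FROM tig_users WHERE uid IN ("
        "  SELECT u.uid FROM tig_users AS u"
        "  LEFT JOIN tig_user_credentials AS c ON c.uid = u.uid"
        "  WHERE c.uid IS NULL)"
    )
    conn.commit()
    return cur.rowcount


def constructed_db():
    """Constructed sample data (not from any real deployment) reproducing the
    states described in the report."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # ziom_3: first registration with autoCreateUser=true gave a tig_users
    # row but no password.
    conn.execute("INSERT INTO tig_users VALUES (1, 'ziom_3@localnet')")
    # alice: a consistent account.
    conn.execute("INSERT INTO tig_users VALUES (2, 'alice@localnet')")
    conn.execute("INSERT INTO tig_user_credentials VALUES "
                 "(2, 'default', 'SCRAM-SHA-1', 'constructed-hash')")
    # uid 3: a credential left behind without a user row.
    conn.execute("INSERT INTO tig_user_credentials VALUES "
                 "(3, 'default', 'PLAIN', 'constructed')")
    conn.commit()
    return conn


if __name__ == "__main__":
    db = constructed_db()
    print(audit(db))
    print("removed:", remove_half_registered(db))
    print(audit(db))
```

Against a live server, run only the two SELECTs first; the DELETE is shown so the cleanup for the reported state is explicit, not as a substitute for Tigase's own account removal.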
Thank you for all the details. Could you try to reproduce it with the latest stable: 8.1.x?
The latest version uses data forms instead of plain fields, so please give me some time to write the test.
I can confirm the bug is present in the latest version. The server returns the success response but the user is not created. No error is printed on the console.
Expected behavior: the user is created and the server returns success, or the user is not created and the server returns an error.
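The expected behaviour stated above is an oracle a client can test directly: after a registration that returns `<iq type="result"/>`, authenticating with the same credentials must succeed, and a registration that cannot be honoured must come back as `<iq type="error"/>`. The probe below is an added example, not Tigase's or the reporter's test code. It builds the data-form registration request (the shape Tigase 8.1 expects), classifies the reply, then attempts SASL PLAIN and reports whether the two outcomes agree. The transport is abstracted as an `exchange(stanza) -> reply` callable so the same logic runs over a real, already-opened stream (TLS, stream headers and feature negotiation handled by the caller, which is an assumption here) or over the constructed fake server included for offline runs.

```python
"""Probe: XEP-0077 registration must either fail with an error or leave an
account that can authenticate. Added example, not Tigase code.

exchange(stanza_xml) -> reply_xml is supplied by the caller; the fake below
only models the two replies the thread talks about.
"""
import base64
import xml.etree.ElementTree as ET

NS_REGISTER = "jabber:iq:register"
NS_XDATA = "jabber:x:data"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.split("}")[-1]


def build_register_iq(domain, username, password, iq_id="reg1"):
    """Registration request as a jabber:x:data submit form."""
    iq = ET.Element("iq", {"type": "set", "id": iq_id, "to": domain})
    query = ET.SubElement(iq, "query", {"xmlns": NS_REGISTER})
    form = ET.SubElement(query, "x", {"xmlns": NS_XDATA, "type": "submit"})
    for var, value in (("FORM_TYPE", NS_REGISTER),
                       ("username", username), ("password", password)):
        field = ET.SubElement(form, "field", {"var": var})
        ET.SubElement(field, "value").text = value
    return ET.tostring(iq, encoding="unicode")


def classify_iq(reply_xml, expected_id):
    """("result", None), ("error", condition) or ("unexpected", detail)."""
    el = ET.fromstring(reply_xml)
    if _local(el.tag) != "iq" or el.get("id") != expected_id:
        return ("unexpected", _local(el.tag))
    if el.get("type") == "result":
        return ("result", None)
    if el.get("type") == "error":
        err = el.find("error")
        conds = [_local(c.tag) for c in err if _local(c.tag) != "text"] if err is not None else []
        return ("error", conds[0] if conds else "undefined-condition")
    return ("unexpected", el.get("type"))


def build_sasl_plain(username, password):
    """SASL PLAIN initial response: NUL authcid NUL passwd, base64-encoded."""
    msg = base64.b64encode(f"\0{username}\0{password}".encode()).decode()
    return f'<auth xmlns="{NS_SASL}" mechanism="PLAIN">{msg}</auth>'


def classify_sasl(reply_xml):
    """("success", None), ("failure", condition) or ("unexpected", tag)."""
    el = ET.fromstring(reply_xml)
    name = _local(el.tag)
    if name == "success":
        return ("success", None)
    if name == "failure":
        conds = [_local(c.tag) for c in el if _local(c.tag) != "text"]
        return ("failure", conds[0] if conds else "not-authorized")
    return ("unexpected", name)


def probe(exchange, domain, username, password):
    """Register, then authenticate; verdict says whether the server's
    registration reply matched what the account can actually do."""
    reg = classify_iq(exchange(build_register_iq(domain, username, password)), "reg1")
    if reg[0] == "error":
        return {"register": reg, "auth": None, "verdict": "consistent"}
    if reg[0] != "result":
        return {"register": reg, "auth": None, "verdict": "unexpected"}
    auth = classify_sasl(exchange(build_sasl_plain(username, password)))
    verdict = "consistent" if auth[0] == "success" else "inconsistent"
    return {"register": reg, "auth": auth, "verdict": verdict}


def fake_server(creates_account):
    """Constructed stand-in for the server (not Tigase). creates_account=False
    mimics the reported bug: success for registration, then auth fails."""
    def exchange(stanza_xml):
        el = ET.fromstring(stanza_xml)
        if _local(el.tag) == "iq" and el.find(f"{{{NS_REGISTER}}}query") is not None:
            return f'<iq type="result" id="{el.get("id")}"/>'
        if _local(el.tag) == "auth":
            if creates_account:
                return f'<success xmlns="{NS_SASL}"/>'
            return f'<failure xmlns="{NS_SASL}"><not-authorized/></failure>'
        return f'<iq type="error" id="{el.get("id", "")}"><error type="cancel"/></iq>'
    return exchange


if __name__ == "__main__":
    print(probe(fake_server(True), "localnet", "ziom_3", "constructed-pw"))
    print(probe(fake_server(False), "localnet", "ziom_3", "constructed-pw"))
```

Against a real server, wrap a socket so that `exchange` writes the stanza and reads one reply; the probe deliberately uses PLAIN so that a `failure` can only mean the account or password is missing, not a mechanism mismatch.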
Describe the bug
A client may leave the server database in an inconsistent state.
If the database URL doesn't have `autoCreateUser=true`, in-band creation will not work at all, but the server still returns a success response.
If the database URL has `autoCreateUser=true`, the behaviour is as follows: a user entry is created in `tig_users`, but the password will be unset. The server returns a success response in every case.
To Reproduce
Expected behavior
In-band registration works in a single step, the database stays consistent even when the client violates protocol.
Additional context
I believe the problem lies in the file `JabberIqRegister.java`, line 689: the server treats the first registration as a password change, not account creation.
Proposed workaround: