Users can't reinitialize their password
Description:
Users can't reinitialize their password
Steps to reproduce:
- Log out (if you're not already);
- Go to the login page;
- Click on Forgotten password;
- Enter my email and click on the Reinitialize button;
- Wait a couple of seconds to receive the email (less than 30 seconds);
- Click on the link in the email to reinitialize my password;
- Enter my new password on my Rocket.Chat website and click on Reinitialize;
- Rocket.Chat asks for the TOTP sent by email, which I receive within a few seconds;
- I enter the code received by email;
- Rocket.Chat says: "Token expired".
Expected behavior:
The token is recognized and the password reset flow continues.
Actual behavior:


Server Setup Information:
- Version of Rocket.Chat Server: registry.rocket.chat/rocketchat/rocket.chat:4.8.1
- Operating System: Ubuntu 18.04
- Deployment Method: CapRover (Docker)
- Number of Running Instances: 1
- DB Replicaset Oplog: ?
- NodeJS Version: v14.18.3
- MongoDB Version: bitnami/mongodb:4.4
Client Setup Information
- Desktop App or Browser Version: Firefox, maybe others...
- Operating System: Linux, maybe others... All clients with their own config are having the same problem.
Additional context
The timezone on the server and the container is UTC and correctly synced. TOTP by email is working correctly without the "password reset" context. The problem can be reproduced with a freshly created test user.
Relevant logs:
2022-07-18T19:05:00.432060264Z {"level":50,"time":"2022-07-18T19:05:00.431Z","pid":1,"hostname":"c66002cdbf00","name":"System","msg":"Exception while invoking method resetPassword 'TOTP Required [totp-required]'"}
2022-07-18T19:05:49.176977717Z {"level":50,"time":"2022-07-18T19:05:49.176Z","pid":1,"hostname":"c66002cdbf00","name":"System","msg":"Exception while invoking method resetPassword 'Token expired [403]'"}
This was reproducible in 4.0.2 and is still in 4.8.2. Login with 2-factor works, but not password reset.
The issue persists in version 5.1. Now the password is changed, but it causes confusion: the password reset screen does not change and shows the error "Token expired", but the user is able to log in with the new password if he manually goes to the login screen.
Screenshot for error:

Console Logs:
{"level":50,"time":"2022-09-07T14:53:48.534Z","pid":1,"hostname":"80690c487c74","name":"System","msg":"Exception while invoking method resetPassword 'Token expired [403]'"}
{"level":50,"time":"2022-09-07T14:54:28.772Z","pid":1,"hostname":"80690c487c74","name":"System","msg":"Exception while invoking method saveSettings 'TOTP Required [totp-required]'"}
Server Setup Information:
- Version of Rocket.Chat Server: registry.rocket.chat/rocketchat/rocket.chat:5.1.0
- Operating System: Ubuntu 22.04
- Deployment Method: Docker Compose
- Number of Running Instances: 1
- Rocket.Chat Version: 5.1.0
- NodeJS Version: 14.19.3
- MongoDB Version: 5.0.11
- MongoDB Engine: wiredTiger
We ran into the same problem, but even with the "Token expired" error the password is applied, and you can log in with the new password.
Server Setup Information:
- Operating System: Debian 11.3
- Deployment Method: manual installation
- Rocket.Chat Version: 4.5.5
- NodeJS Version: 14.19.1
- MongoDB Version: 5.0.6
- MongoDB Engine: wiredTiger
The same problem on version 5.3.0.
Maybe the logs will help solve this error (domain and remote IP have been replaced; they do not affect the error):
{"level":30,"time":"2022-12-02T11:02:54.301Z","pid":1354,"hostname":"tst-chat4","name":"System","msg":"Failed login detected - Username[unknown] ClientAddress[xxx.xxx.xxx.xxx] ForwardedFor[xxx.xxx.xxx.xxx] XRealIp[undefined] UserAgent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0]"}
{"level":50,"time":"2022-12-02T11:02:54.335Z","pid":1354,"hostname":"tst-chat4","name":"System","msg":"Exception while invoking method resetPassword 'TOTP Required [totp-required]'"}
Exception while invoking method resetPassword errorClass [Error]: TOTP Required [totp-required]
at checkCodeForUser (app/2fa/server/code/index.ts:194:9)
at app/2fa/server/loginHandler.ts:44:3
at Callbacks.runOne (lib/callbacks.ts:262:11)
at lib/callbacks.ts:274:17
at lib/callbacks.ts:282:5
at lib/callbacks.ts:290:12
at Callbacks.run (lib/callbacks.ts:402:10)
at app/authentication/server/startup/index.js:355:20
at packages/callback-hook/hook.js:141:18
at packages/accounts-base/accounts_server.js:225:15
at Hook.forEach (packages/callback-hook/hook.js:110:15)
at AccountsServer._validateLogin (packages/accounts-base/accounts_server.js:222:29)
at AccountsServer._attemptLogin (packages/accounts-base/accounts_server.js:472:10)
at AccountsServer._loginMethod (packages/accounts-base/accounts_server.js:504:17)
at MethodInvocation.resetPassword (packages/accounts-password/password_server.js:566:19)
at maybeAuditArgumentChecks (packages/ddp-server/livedata_server.js:1885:12)
at packages/ddp-server/livedata_server.js:1803:15
at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1257:12)
at packages/ddp-server/livedata_server.js:1801:36
at new Promise (<anonymous>)
at Server.applyAsync (packages/ddp-server/livedata_server.js:1800:12)
at Server.apply (packages/ddp-server/livedata_server.js:1739:26)
=> awaited here:
at Promise.await (/opt/rocket.chat-latest/programs/server/npm/node_modules/meteor/promise/node_modules/meteor-promise/promise_server.js:60:12)
at Server.apply (packages/ddp-server/livedata_server.js:1752:22)
at Server.call (packages/ddp-server/livedata_server.js:1721:17)
at Object.post (app/api/server/v1/misc.ts:613:27)
at app/api/server/api.js:463:96
at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1257:12)
at Object._internalRouteActionHandler [as action] (app/api/server/api.js:463:39)
at Route._callEndpoint (packages/rocketchat_restivus/lib/route.coffee:150:32)
at packages/rocketchat_restivus/lib/route.coffee:59:33
at packages/simple_json-routes.js:100:9
{ isClientSafe: true, error: 'totp-required', reason: 'TOTP Required', details: { method: 'email', codeGenerated: true, emailOrUsername: 'username', availableMethods: [ 'email' ] }, errorType: 'Meteor.Error' }
{"level":35,"time":"2022-12-02T11:02:54.337Z","pid":1354,"hostname":"tst-chat4","name":"API","method":"POST","url":"/api/v1/method.callAnon/resetPassword","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0","length":"155","host":"localhost:3000","referer":"https://tst-chat4.domain.com/reset-password/c5gGkZo4IA4LDEsTX5ifpMnrQM1cN_QSMM6vZPzOj8c","remoteIP":"xxx.xxx.xxx.xxx","status":200,"responseTime":422}
{"level":30,"time":"2022-12-02T11:03:20.512Z","pid":1354,"hostname":"tst-chat4","name":"System","msg":"Failed login detected - Username[unknown] ClientAddress[xxx.xxx.xxx.xxx] ForwardedFor[xxx.xxx.xxx.xxx] XRealIp[undefined] UserAgent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0]"}
{"level":50,"time":"2022-12-02T11:03:20.523Z","pid":1354,"hostname":"tst-chat4","name":"System","msg":"Exception while invoking method resetPassword 'Token expired [403]'"}
Exception while invoking method resetPassword errorClass [Error]: Token expired [403]
at packages/accounts-password/password_server.js:598:15
at tryLoginMethod (packages/accounts-base/accounts_server.js:1518:14)
at AccountsServer._loginMethod (packages/accounts-base/accounts_server.js:508:7)
at MethodInvocation.resetPassword (packages/accounts-password/password_server.js:566:19)
at maybeAuditArgumentChecks (packages/ddp-server/livedata_server.js:1885:12)
at packages/ddp-server/livedata_server.js:1803:15
at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1257:12)
at packages/ddp-server/livedata_server.js:1801:36
at new Promise (<anonymous>)
at Server.applyAsync (packages/ddp-server/livedata_server.js:1800:12)
at Server.apply (packages/ddp-server/livedata_server.js:1739:26)
at Server.call (packages/ddp-server/livedata_server.js:1721:17)
at Object.post (app/api/server/v1/misc.ts:613:27)
at app/api/server/api.js:463:96
at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1257:12)
at Object._internalRouteActionHandler [as action] (app/api/server/api.js:463:39)
at Route._callEndpoint (packages/rocketchat_restivus/lib/route.coffee:150:32)
at packages/rocketchat_restivus/lib/route.coffee:59:33
at packages/simple_json-routes.js:100:9
=> awaited here:
at Promise.await (/opt/rocket.chat-latest/programs/server/npm/node_modules/meteor/promise/node_modules/meteor-promise/promise_server.js:60:12)
at Server.apply (packages/ddp-server/livedata_server.js:1752:22)
at Server.call (packages/ddp-server/livedata_server.js:1721:17)
at Object.post (app/api/server/v1/misc.ts:613:27)
at app/api/server/api.js:463:96
at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1257:12)
at Object._internalRouteActionHandler [as action] (app/api/server/api.js:463:39)
at Route._callEndpoint (packages/rocketchat_restivus/lib/route.coffee:150:32)
at packages/rocketchat_restivus/lib/route.coffee:59:33
at packages/simple_json-routes.js:100:9
{ isClientSafe: true, error: 403, reason: 'Token expired', details: undefined, errorType: 'Meteor.Error' }
{"level":35,"time":"2022-12-02T11:03:20.525Z","pid":1354,"hostname":"tst-chat4","name":"API","method":"POST","url":"/api/v1/method.callAnon/resetPassword","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:107.0) Gecko/20100101 Firefox/107.0","length":"217","host":"localhost:3000","referer":"https://tst-chat4.domain.com/reset-password/c5gGkZo4IA4LDEsTX5ifpMnrQM1cN_QSMM6vZPzOj8c","remoteIP":"xxx.xxx.xxx.xxx","status":200,"responseTime":44}
{"level":30,"time":"2022-12-02T11:04:00.288Z","pid":1354,"hostname":"tst-chat4","name":"SyncedCron","msg":"Starting \"Generate download files for user data\"."}
Still seeing this in 5.4.0
Server Setup Information
- Version of Rocket.Chat Server: 5.4.0
- Operating System: Ubuntu server 22.04 LTS
- Deployment Method: snap
- NodeJS Version: v14.19.3
- MongoDB Version: 4.4.15 / wiredTiger (oplog Enabled)
- Proxy: caddy
Relevant log entry:
{
"level": 50,
"time": "2023-01-20T20:42:35.212Z",
"pid": 1091,
"hostname": "*redacted*",
"name": "System",
"msg": "Exception while invoking method resetPassword",
"err": {
"type": "errorClass",
"message": "Token expired [403]",
"stack": "Error: Token expired [403]... (see below for reformatted output)",
"isClientSafe": true,
"error": 403,
"reason": "Token expired",
"errorType": "Meteor.Error"
},
"msg": "Token expired [403]"
}
Reformatted stack trace from log entry:
Error: Token expired [403]
at packages/accounts-password/password_server.js:598:15
at tryLoginMethod (packages/accounts-base/accounts_server.js:1518:14)
at AccountsServer._loginMethod (packages/accounts-base/accounts_server.js:508:7)
at MethodInvocation.resetPassword (packages/accounts-password/password_server.js:566:19)
at maybeAuditArgumentChecks (packages/ddp-server/livedata_server.js:1885:12)
at packages/ddp-server/livedata_server.js:1803:15
at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1257:12)
at packages/ddp-server/livedata_server.js:1801:36
at new Promise (<anonymous>)
at Server.applyAsync (packages/ddp-server/livedata_server.js:1800:12)
at Server.apply (packages/ddp-server/livedata_server.js:1739:26)
at Server.call (packages/ddp-server/livedata_server.js:1721:17)
at Object.post (app/api/server/v1/misc.ts:612:27)
at app/api/server/api.js:463:96
at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1257:12)
at Object._internalRouteActionHandler [as action] (app/api/server/api.js:463:39)
at Route._callEndpoint (packages/rocketchat_restivus/lib/route.coffee:150:32)
at packages/rocketchat_restivus/lib/route.coffee:59:33
at packages/simple_json-routes.js:100:9
=> awaited here:
at Promise.await (/snap/rocketchat-server/1536/programs/server/npm/node_modules/meteor/promise/node_modules/meteor-promise/promise_server.js:60:12)
at Server.apply (packages/ddp-server/livedata_server.js:1752:22)
at Server.call (packages/ddp-server/livedata_server.js:1721:17)
at Object.post (app/api/server/v1/misc.ts:612:27)
at app/api/server/api.js:463:96
at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1257:12)
at Object._internalRouteActionHandler [as action] (app/api/server/api.js:463:39)
at Route._callEndpoint (packages/rocketchat_restivus/lib/route.coffee:150:32)
at packages/rocketchat_restivus/lib/route.coffee:59:33
at packages/simple_json-routes.js:100:9
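Added example, not from this thread or from the Rocket.Chat project: a small Python script that reads the JSON (pino-style) server log lines posted above and flags the signature of this bug, a 'TOTP Required' rejection of resetPassword followed shortly by 'Token expired' on the same method from the same process. It handles both log shapes seen in the thread (the reason embedded in msg on 4.x/5.1, and the nested err object on 5.4) and the container-runtime timestamp prefix. The sample lines are copied from the reports above, except the last one, which is constructed to exercise the nested-err shape; the 5-minute correlation window is an assumption.

```python
from __future__ import annotations

import json
import re
from datetime import datetime, timedelta
from typing import Iterable, Optional

# Older shape: the reason and code are embedded in msg, e.g.
#   "Exception while invoking method resetPassword 'Token expired [403]'"
# Newer shape: msg is just "Exception while invoking method resetPassword"
# and the reason lives in err.message, e.g. "Token expired [403]".
_MSG_RE = re.compile(
    r"^Exception while invoking method (?P<method>\S+)"
    r"(?: '(?P<reason>.*?) \[(?P<code>[^\]]+)\]')?$"
)
_ERR_RE = re.compile(r"^(?P<reason>.*?) \[(?P<code>[^\]]+)\]$")


def _first_wins(pairs):
    # pino can emit a duplicated "msg" key (see the 5.4.0 report); keep the first.
    out = {}
    for k, v in pairs:
        out.setdefault(k, v)
    return out


def parse_exception(line: str) -> Optional[dict]:
    """Return {time, host, pid, method, reason, code} for a level-50
    'Exception while invoking method' line, or None for anything else."""
    line = line.strip()
    start = line.find("{")  # skip a Docker/CapRover timestamp prefix, if any
    if start < 0:
        return None
    try:
        rec = json.loads(line[start:], object_pairs_hook=_first_wins)
    except json.JSONDecodeError:
        return None
    if rec.get("level") != 50:
        return None
    m = _MSG_RE.match(str(rec.get("msg", "")))
    if not m:
        return None
    reason, code = m.group("reason"), m.group("code")
    if reason is None:  # nested-err shape
        em = _ERR_RE.match(str((rec.get("err") or {}).get("message", "")))
        if not em:
            return None
        reason, code = em.group("reason"), em.group("code")
    return {
        "time": datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%S.%fZ"),
        "host": rec.get("hostname"),
        "pid": rec.get("pid"),
        "method": m.group("method"),
        "reason": reason,
        "code": code,
    }


def find_reset_totp_failures(lines: Iterable[str],
                             window: timedelta = timedelta(minutes=5)) -> list:
    """Flag each resetPassword 'TOTP Required' that is followed, within `window`
    and on the same (host, pid), by a resetPassword 'Token expired [403]'."""
    pending: dict = {}   # (host, pid) -> last totp-required event
    findings = []
    for ev in (parse_exception(l) for l in lines):
        if not ev or ev["method"] != "resetPassword":
            continue
        key = (ev["host"], ev["pid"])
        if ev["code"] == "totp-required":
            pending[key] = ev
        elif ev["code"] == "403" and ev["reason"] == "Token expired":
            first = pending.pop(key, None)
            if first and ev["time"] - first["time"] <= window:
                findings.append({
                    "host": ev["host"],
                    "totp_at": first["time"],
                    "expired_at": ev["time"],
                    "gap_s": (ev["time"] - first["time"]).total_seconds(),
                })
    return findings


# Sample input: lines 1-3 are from the reports above; line 4 is constructed
# to show the nested-err shape with no preceding TOTP prompt (not flagged).
SAMPLE_LOG = [
    '2022-07-18T19:05:00.432060264Z {"level":50,"time":"2022-07-18T19:05:00.431Z","pid":1,"hostname":"c66002cdbf00","name":"System","msg":"Exception while invoking method resetPassword \'TOTP Required [totp-required]\'"}',
    '2022-07-18T19:05:49.176977717Z {"level":50,"time":"2022-07-18T19:05:49.176Z","pid":1,"hostname":"c66002cdbf00","name":"System","msg":"Exception while invoking method resetPassword \'Token expired [403]\'"}',
    '{"level":50,"time":"2022-09-07T14:54:28.772Z","pid":1,"hostname":"80690c487c74","name":"System","msg":"Exception while invoking method saveSettings \'TOTP Required [totp-required]\'"}',
    '{"level":50,"time":"2023-01-20T20:42:35.212Z","pid":1091,"hostname":"redacted","name":"System","msg":"Exception while invoking method resetPassword","err":{"type":"errorClass","message":"Token expired [403]","isClientSafe":true,"error":403,"reason":"Token expired","errorType":"Meteor.Error"},"msg":"Token expired [403]"}',
]

if __name__ == "__main__":
    for f in find_reset_totp_failures(SAMPLE_LOG):
        print(f"{f['host']}: TOTP prompt at {f['totp_at']:%H:%M:%S}, "
              f"'Token expired' {f['gap_s']:.1f}s later")
```

Run it against a captured log (one JSON record per line, e.g. `docker logs` output) by replacing SAMPLE_LOG with the file's lines. A hit means a user went through the email-TOTP prompt and was then told the reset token had expired, which is exactly the symptom reported here; the saveSettings line is deliberately ignored because the correlation is per method.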
This issue still exists in 5.4.2.
Same on version 6.0.0
Thank you all for the detailed reports! This has been fixed in #28938. Please reopen this issue if it persists.