[Bug]: currentuser ANONYMOUS for logged in user.

Open placidic opened this issue 4 months ago • 3 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

Current Behavior

When using an oAuth IDP using the Generic provider option, the authenticated user's IDP properties are available for viewing and access within the currentuser > extras property.

Upon upgrading to the latest version 2.7.4, it appears that there is a 500 error on the underlying call to retrieve the /currentuser information from the API, resulting in the currentuser object being populated as an ANONYMOUS user.

This is a major bug for any applications that utilize the currentuser information directly within their app.

Expected Behavior

The /currentuser call to return successfully with the extended IDP information for the logged in user.

Steps to reproduce

  1. Start version 2.6.5 lowcoder
  2. Set up IDP Generic oAuth
  3. Log in and verify currentUser Response
  4. Upgrade to tag 2.7.4
  5. Log in and see that currentuser call fails and ANONYMOUS is returned

Environment

Lowcoder 2.7.4 multi

Additional Information

Tested on the latest 'dev' image as well, with the same outcome. Did not test on versions 2.7.0 - 2.7.3.

Sep 13 '25 23:09 placidic

After additional testing, it appears to have started with v2.7.0

Sep 14 '25 02:09 placidic

Hmm... So I spun up a separate blank instance running 2.6.5 and upgraded to 2.7.4 and it works as intended.

It just seems to be affecting my one instance with the data, so probably not a bug, but something local or corrupted...

Sep 15 '25 20:09 placidic

I've discovered the root cause for this issue.

When using an oAuth IDP provider, if a user selects "Bind to Email Address" from the userProfile menu, a second connection is inserted into the user record with type EMAIL with the email address that is bound.

When both providers have connections on the same user, it causes the currentUser endpoint to fail with a 500 error.

I manually edited the user's profile in MongoDB, and removed the EMAIL provider connections (as there's no way to "unbind" from the UI), and the currentUser endpoint instantly began returning the proper data.

I believe this is a bug, as binding to email when using a GENERIC oAuth provider shouldn't cause the users endpoint to fail without gracefully handling the error.

Sep 17 '25 02:09 placidic

@adnanqaops - Any update on this? Since LowCoder doesn't allow blocking users from accessing the LowCoder dashboard and subsequently binding their email, there needs to be a fix implemented as soon as possible, as this is a serious issue for workspaces using oAuth and utilizing the currentUser object within their apps.

Nov 23 '25 21:11 KrzysztofKiser