Details
- Bug
- Resolution: Won't Fix
- Low
- Severity 2 - Major
Description
Summary
By default, the Require user to reset their password feature only exists for Internal users.
There are cases where admins accidentally deactivate external users (see "Directory user will switch to become internal user if admin deactivates and reactivates the account directly within HipChat Server"). After a full synchronization is performed, the user gets locked out of the instance even when using the correct credentials.
Environment
- HipChat Server 2.1.3
- HipChat Server 2.2.4
Steps to Reproduce
- The admin deactivated user supremebot@example.com from the web interface and confirmed that we ran into the "Directory user will switch to become internal user if admin deactivates and reactivates the account directly within HipChat Server" issue
- Reactivated the user again to verify that it is now an internal user and that the option Require user to reset their password appears on the web interface
- Enabled Require user to reset their password and verified that the "require_pw_reset":true flag appears under the metadata column of the user
    admin@danial213:~$ DBPASS=$(awk '/"pass"/ {gsub(/[",]/,"");print $2}' /hipchat/config/site.json) && mysql -uroot -p$DBPASS hipchat -e "SELECT * FROM users WHERE email='supremebot@example.com'\G"
    *************************** 1. row ***************************
    id: 212
    version: 3D2BEB20
    external_id: NULL
    name: Supreme
    nickname: NULL
    mention_name: Supreme
    email: supremebot@example.com
    password:
    title:
    photo_url: NULL
    confirmed: 0
    created: 2017-07-04 23:27:45
    is_deleted: 0
    is_enabled: 1
    is_guest: 0
    timezone: UTC
    metadata: {"activation_token":"ih8i66DoGY","require_pw_reset":true}
- Ran a full synchronization by disabling and reenabling the directory again to ensure that the user gets synced properly again from the external directory
Expected Results
The user should be able to log in using the correct credentials after the full synchronization gets completed
Actual Results
- When trying to log in using the correct credentials, the user only gets redirected to the login screen with the following URL: https://<FQDN>/login_password?d=%2Fhome
- The /var/log/hipchat/atlassian-crowd.log shows that the login was successful:
    2017-07-04 23:42:27,624 http-bio-8095-exec-2 INFO [hipchat.server.rest.HipChatCrowdAuthenticateResource] [JLx4imw0] Initiating authentication for user 'supremebot@example.com'
    2017-07-04 23:42:27,756 http-bio-8095-exec-2 INFO [hipchat.server.rest.HipChatCrowdAuthenticateResource] [JLx4imw0] Authentication for 'supremebot@example.com' successful
- Verified that the "require_pw_reset": true still exists in the metadata column.
    admin@danial213:~$ DBPASS=$(awk '/"pass"/ {gsub(/[",]/,"");print $2}' /hipchat/config/site.json) && mysql -uroot -p$DBPASS hipchat -e "SELECT * FROM users WHERE email='supremebot@example.com'\G"
    *************************** 1. row ***************************
    id: 212
    version: 3D2BEB20
    external_id: {hcs}supreme.1
    name: Supreme
    nickname: NULL
    mention_name: Supreme
    email: supremebot@example.com
    password:
    title:
    photo_url: NULL
    confirmed: 0
    created: 2017-07-04 23:27:45
    is_deleted: 0
    is_enabled: 1
    is_guest: 0
    timezone: UTC
    metadata: {"require_pw_reset": true, "activation_token": "ih8i66DoGY"}
- The require_pw_reset flag does not get cleared automatically after the synchronization
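To find every account in this state rather than checking users one at a time, the following added example (not part of the original report or of HipChat Server) parses `mysql ... \G` output and lists users that have an external_id but still carry "require_pw_reset": true. The sample rows are constructed, ids 301 and 302 are invented, and treating any non-NULL external_id as a directory-synced user is an assumption.

```python
import json
import re

# Constructed rows in the `mysql -e "SELECT ...\G"` layout shown on this page,
# trimmed to the columns the check reads. Rows 301 and 302 are invented.
SAMPLE = """\
*************************** 1. row ***************************
         id: 212
external_id: {hcs}supreme.1
      email: supremebot@example.com
   metadata: {"require_pw_reset": true, "activation_token": "ih8i66DoGY"}
*************************** 2. row ***************************
         id: 301
external_id: NULL
      email: internal@example.com
   metadata: {"require_pw_reset":true}
*************************** 3. row ***************************
         id: 302
external_id: {hcs}other.1
      email: other@example.com
   metadata: {"confirmation_unix_time":1498088204}
"""

ROW_SEP = re.compile(r"^\*+ \d+\. row \*+$")
FIELD = re.compile(r"^\s*(\w+):\s?(.*)$")


def parse_vertical(text):
    """Split vertical-format output into one dict per row (values stay strings)."""
    rows = []
    for line in text.splitlines():
        if ROW_SEP.match(line.strip()):
            rows.append({})
        elif rows and (m := FIELD.match(line)):
            rows[-1][m.group(1)] = m.group(2).strip()
    return rows


def stuck_directory_users(rows):
    """Users with an external_id (assumed directory-synced) still flagged for reset."""
    hits = []
    for row in rows:
        raw = row.get("metadata", "")
        # Parse the JSON so both `:true` and `: true` spellings are matched.
        meta = json.loads(raw) if raw.startswith("{") else {}
        external = row.get("external_id", "NULL") not in ("", "NULL")
        if external and meta.get("require_pw_reset") is True:
            hits.append((int(row["id"]), row["email"]))
    return hits


if __name__ == "__main__":
    for user_id, email in stuck_directory_users(parse_vertical(SAMPLE)):
        print(f"id={user_id} email={email}: require_pw_reset set on a directory user")
```

Internal users such as row 301 are skipped on purpose, because the reset feature is expected to work for them.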
Workaround
- Obtain access to the hipchat database:
DBPASS=$(awk '/"pass"/ {gsub(/[",]/,"");print $2}' /hipchat/config/site.json) && mysql -uroot -p$DBPASS hipchat
- Get a sample confirmation_unix_time of the other external users that were synchronized to HipChat Server:
SELECT metadata FROM users WHERE external_id LIKE '%hcs%'\G
- Update the metadata column with the correct data:
UPDATE users SET metadata = '{"confirmation_unix_time":<confirmation_unix_time>}' WHERE id = <user_id>;
- Ensure that the user is confirmed by running the command below:
UPDATE users SET confirmed=1 WHERE id=<user_id>;
- Verify that the user's information is updated correctly. For example:
    admin@danial:~$ DBPASS=$(awk '/"pass"/ {gsub(/[",]/,"");print $2}' /hipchat/config/site.json) && mysql -uroot -p$DBPASS hipchat -e "SELECT * FROM users WHERE id=214\G"
    *************************** 1. row ***************************
    id: 214
    version: 1BE8A39F
    external_id: {hcs}supreme.1
    name: Supreme
    nickname: NULL
    mention_name: Supreme
    email: supremebot@example.com
    password:
    title:
    photo_url: NULL
    confirmed: 1
    created: 2017-07-04 23:31:21
    is_deleted: 0
    is_enabled: 1
    is_guest: 0
    timezone: UTC
    metadata: {"confirmation_unix_time":1498088204}
- Confirm that the external user can log in as per normal.
Issue Links
- is related to HCPUB-86 HipChat Server: 'Require password reset on next sign-in' locks user out of account if they were synchronised over from external directory. (Closed)