
Unverified users get incorrect authentication error during login.
Closed, Invalid (Public)

Description

I have been experimenting with verified accounts.

This led to the following situation:

  1. An account was created by the administrator
  2. The verification mail was sent
  3. The account got the unverified state
  4. The user never clicked the verify link
  5. The email verification was turned off.
  6. The user tries to login with his LDAP credentials and gets: "invalid username/password", but the actual cause is that the (pre-existing) account was never verified.
  7. Need to manually resend the user his welcome message from the administrator account.
  8. User verifies his account by clicking the link
  9. User can login with his credentials

This error message is not ideal, the user initially thought he had forgotten his password or locked his account.
Not sure if this is an LDAP auth module specific issue, or a more general problem.

Event Timeline

hartman raised the priority of this task from to Needs Triage.
hartman updated the task description.
hartman added a subscriber: hartman.
epriestley added subscribers: btrahan, epriestley.

@btrahan, can you try to verify this? I can't immediately come up with a reason why things would work like this.

How does the user try to login for step 5? Ostensibly via their LDAP credentials?

Yes, with his LDAP credentials.

If you don't have LDAP set up and can't repro it with username/password, I can take a shot with LDAP (I have it set up and it's enormously painful and complicated to set up, or at least it was for me).

hartman updated the task description.

Actually, I'm even more confused because administrators can not create accounts associated with LDAP accounts.

If you created an account and then the user tried to log in with LDAP credentials, they should be prompted to register a new account (bound to those credentials).

If the user typed their LDAP credentials into the username/password field, it's expected they won't work.

If the administrator created the account via People > Create New User, it's expected that the account won't have any password, so no possible thing the user types in will work. The link in the welcome email should log them in directly and let them set a password.

So I think what happened here was:

  • An administrator created an account (via the web UI?).
  • The system sent the user a welcome email, which they did not click.
  • At this point in time, the account exists but has no password or other linked authentication sources. It is not linked to an LDAP account. There is nothing the user can type into the login screen which will let them access the account. They MUST click the email link.
  • The user typed something into the login screen. This failed because there is nothing valid they can type in to access the account.
  • Various settings were changed, but they're irrelevant.
  • The welcome message was re-sent, and the user clicked it this time.
  • Everything worked correctly.

Is it possible that's what happened?

If so, we could detect username/password attempts to login to accounts with no password set and raise a more tailored message, but the current message is correct in this case. The username/password is invalid, because no username/password pair will allow access to the account.

> administrators can not create accounts associated with LDAP accounts.

Technically this isn't entirely true -- we do have an "Import from LDAP" feature. However, it's a buggy mess (see T4137) that I probably should never have accepted into the upstream and that we should just disable. Was that used here?

@hartman - would really appreciate any information you can provide in case epriestley didn't deduce what happened correctly. thanks!

@epriestley - I don't think we should raise a more tailored message in the case where a username exists but has no password set. This leaks the existence of these accounts which gives me the booboojeebees. Well, plus there was this note in the code for PhabricatorPasswordAuthProvider. I also think our security friends might routinely report an issue for that enhancement even if it's not so bad on balance.
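Added example (not Phabricator's code, and not from anyone in this thread) contrasting the "more tailored message" idea from the earlier comment with the uniform error this comment argues for: the tailored variant tells an anonymous caller whether a username exists and whether it has a password, the uniform variant returns the same text and does the same hashing work on every failure. The in-memory directory, user names and PBKDF2 parameters are constructed for the demonstration.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "invalid username/password"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_account(password):
    # password_hash None models an admin-created account whose welcome link was never clicked
    salt = os.urandom(16)
    return {"salt": salt, "password_hash": hash_password(password, salt) if password else None}


# Constructed sample directory: alice has a password; bob was created by an
# administrator and never clicked the welcome-email link.
DIRECTORY = {"alice": make_account("correct horse"), "bob": make_account(None)}

# Decoy credential so hashing work is done for unknown or password-less accounts too.
_DECOY_SALT = os.urandom(16)
_DECOY_HASH = hash_password("decoy", _DECOY_SALT)


def login_tailored(username: str, password: str):
    """Tailored messages: each failure mode gets its own text, so the response
    reveals whether the username exists and whether it has a password set."""
    acct = DIRECTORY.get(username)
    if acct is None:
        return False, "no such user"
    if acct["password_hash"] is None:
        return False, "account has no password; use the welcome-email link"
    if hmac.compare_digest(hash_password(password, acct["salt"]), acct["password_hash"]):
        return True, None
    return False, GENERIC_ERROR


def login_uniform(username: str, password: str):
    """Uniform variant: every failure returns the same message and performs the
    same hashing work, so neither the text nor the timing reveals account state."""
    acct = DIRECTORY.get(username)
    has_password = acct is not None and acct["password_hash"] is not None
    salt = acct["salt"] if acct is not None else _DECOY_SALT
    stored = acct["password_hash"] if has_password else _DECOY_HASH
    match = hmac.compare_digest(hash_password(password, salt), stored)
    # a password-less or unknown account is rejected even if the decoy happened to match
    return (True, None) if (match and has_password) else (False, GENERIC_ERROR)


def leaks_account_state(login) -> bool:
    """True if the failure text differs across unknown user, password-less user
    and wrong password, each probed with the same bad password."""
    messages = {login(u, "not-the-password")[1] for u in ("nobody", "bob", "alice")}
    return len(messages) > 1
```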

Yeah, that's reasonable, especially if other users don't hit this. I haven't seen other reports of anything similar.

I'm going to assume Evan figured out what happened here. Please feel free to reopen with more details! :)