parse-server 2.8.1: Cannot login after changing user password #4790

Closed
nebitrams opened this issue May 26, 2018 · 60 comments

@nebitrams

Issue Description

There is a deployment error (see the log showing a Kerberos compilation error) when I deploy to Heroku. The application works fine in all respects except that I cannot log in after changing the user password.

Steps to reproduce

  1. Change user password using iOS ParseUI and also parse dashboard.
  2. Login using App ParseUI Login screen.
  3. Failed to login and this is the server error log.

error: Error generating response. ParseError { code: 101, message: 'Invalid username/password.' } code=101, message=Invalid username/password.
error: Invalid username/password. code=101, message=Invalid username/password.

It works after I roll back to the previous version in Heroku with parse-server 2.7.4.

Expected Results

I should be able to login after changing password.

Actual Outcome

I cannot login.

Environment Setup

  • Server

    • parse-server version (Be specific! Don't say 'latest'.) : 2.8.1
    • Operating System: Heroku stack Cedar-14
    • Hardware: Heroku
    • Localhost or remote server? (AWS, Heroku, Azure, Digital Ocean, etc): Heroku
  • Database

    • MongoDB version: current is 3.2.10 (MMAPv1). Should I switch to mLab latest 3.4.15 (MMAPv1)?
    • Storage engine: mLab
    • Hardware: mLab
    • Localhost or remote server? (AWS, mLab, ObjectRocket, Digital Ocean, etc): mLab

Logs/Trace

This is the heroku deployment error.

-----> Node.js app detected
-----> Creating runtime environment

   NPM_CONFIG_LOGLEVEL=error
   NODE_VERBOSE=false
   NODE_ENV=production
   NODE_MODULES_CACHE=true

-----> Installing binaries
engines.node (package.json): >=4.3
engines.npm (package.json): unspecified (use default)

   Resolving node version >=4.3...
   Downloading and installing node 10.2.0...
   Using default npm version: 5.6.0

-----> Restoring cache
Skipping cache restore (new-signature)
-----> Building dependencies
Installing node modules (package.json)

   > [email protected] preinstall /tmp/build_786e8213e834a7d1022250f222c7b1bb/node_modules/parse-image
   > ./install.sh
   
   Cannot install using brew or sudo apt-get
   Please install manually
   
   > [email protected] install /tmp/build_786e8213e834a7d1022250f222c7b1bb/node_modules/bcrypt
   > node-pre-gyp install --fallback-to-build
   
   [bcrypt] Success: "/tmp/build_786e8213e834a7d1022250f222c7b1bb/node_modules/bcrypt/lib/binding/bcrypt_lib.node" is installed via remote
   
   > [email protected] install /tmp/build_786e8213e834a7d1022250f222c7b1bb/node_modules/uws
   > node-gyp rebuild > build_log.txt 2>&1 || exit 0
   
   
   > [email protected] install /tmp/build_786e8213e834a7d1022250f222c7b1bb/node_modules/kerberos
   > (node-gyp rebuild) || (exit 0)
   
   make: Entering directory `/tmp/build_786e8213e834a7d1022250f222c7b1bb/node_modules/kerberos/build'
   CXX(target) Release/obj.target/kerberos/lib/kerberos.o
   In file included from ../lib/kerberos.h:4:0,
   from ../lib/kerberos.cc:1:
   /app/.node-gyp/10.2.0/include/node/node.h:53:50: fatal error: core.h: No such file or directory
   #include "core.h"  // NOLINT(build/include_order)
   ^
   compilation terminated.
   make: *** [Release/obj.target/kerberos/lib/kerberos.o] Error 1
   make: Leaving directory `/tmp/build_786e8213e834a7d1022250f222c7b1bb/node_modules/kerberos/build'
   gyp ERR! build error
   gyp ERR! stack Error: `make` failed with exit code: 2
   gyp ERR! stack     at ChildProcess.onExit (/tmp/build_786e8213e834a7d1022250f222c7b1bb/.heroku/node/lib/node_modules/npm/node_modules/node-gyp/lib/build.js:258:23)
   gyp ERR! stack     at ChildProcess.emit (events.js:182:13)
   gyp ERR! stack     at Process.ChildProcess._handle.onexit (internal/child_process.js:237:12)
   gyp ERR! System Linux 4.4.0-1019-aws
   gyp ERR! command "/tmp/build_786e8213e834a7d1022250f222c7b1bb/.heroku/node/bin/node" "/tmp/build_786e8213e834a7d1022250f222c7b1bb/.heroku/node/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "rebuild"
   gyp ERR! cwd /tmp/build_786e8213e834a7d1022250f222c7b1bb/node_modules/kerberos
   gyp ERR! node -v v10.2.0
   gyp ERR! node-gyp -v v3.6.2
   gyp ERR! not ok
   
   > [email protected] postinstall /tmp/build_786e8213e834a7d1022250f222c7b1bb/node_modules/parse-server

nebitrams changed the title from "Cannot login after changing user password after upgrading to 2.8.1" to "parse-server 2.8.1: Cannot login after changing user password" on May 26, 2018

@flovilmart
Contributor

Please provide the logs when running with VERBOSE=1 of the whole process of signing up, logging in, changing password etc...

@flovilmart
Contributor

Is the old password still valid?

@nebitrams
Author

nebitrams commented May 26, 2018

I can't try because I could not remember the old password. I tested against several other accounts and it seems that this problem affects accounts that were created long ago, such as April 2015 (they were migrated from parse.com to ParseServer). The recent accounts are working fine after password reset.

Is this related to the migration of revokable session token (in 2017) or the User.authData and Session data?

I am going to sleep now and will be back online in 8 hours time. Thanks Mr Vilmart for checking on this.

@flovilmart
Contributor

Perhaps those accounts are still on revocable sessions and you’re hitting a nasty bug. Any chance you can get a look at the object in the DB and check if the sessionToken is still an old one?

@nebitrams
Author

I used mLab to query the _Session table. I could not find a session for the users that failed to log on.

This is the _user record for the account that I could not login. Does it contain any clue on the sessionToken type?

    {
      "_id": "xxx",
      "_created_at": {
        "$date": "2015-01-26T00:34:23.529Z"
      },
      "_hashed_password": "hashedXXX",
      "_session_token": "xxx",
      "_updated_at": {
        "$date": "2018-05-26T15:51:12.611Z"
      },
      "email": "[email protected]",
      "username": "Nebi",
      "emailVerified": true,
      "_email_verify_token": "yyy"
    }

@flovilmart
Contributor

Legacy session tokens have the token on the user object; this is what you see there.

@nebitrams
Author

Thanks Florent. Was there any recent deprecation of logic in this area? What are the ways that I can adopt to solve this problem?

@flovilmart
Contributor

parse-server never supported old session tokens, further investigation needs to be done to reproduce the issue and perhaps find a workaround. I have trouble also understanding why login information would not work after resetting the password.

@nebitrams
Author

Thanks.

Apparently, for those old user accounts, a session token is never generated for user login. I can help to test/reproduce if you need, just let me know.

May I trouble you to delete the log file that I submitted earlier? I deleted the link in this thread but could not delete the file. I can email you the actual link if you need the link to delete it.

@flovilmart
Contributor

I don’t believe I have access to the log file myself. I can see the comment isn’t there anymore.

As for the reproduction, that would be very nice to have an edge to edge test that simulates this password exchange / replacement flow. This may help us understand the issue a bit more in depth.

There are many tests for the ‘reset password’ emails as well as for legacy session tokens. Perhaps there’s something there that’s problematic

@lxknvlk

lxknvlk commented May 27, 2018

I have the same problem, just after updating parse server logging in with my old password returned invalid username/password error. Then I changed the password and logged in. After some time I logged out and again I can't log in. In all cases the password was the same old password.

@nebitrams
Author

nebitrams commented May 27, 2018

I worked around this problem by manually deleting the old "_User" record and using the app GUI to "signup" for a new user account.

The new user account has a different data structure and doesn't have the password reset problem.

    {
      "_id": "xxx",
      "email": "[email protected]",
      "username": "Nebi",
      "_hashed_password": "hashedXXX",
      "emailVerified": true,
      "_wperm": [
        "xxx"
      ],
      "_rperm": [
        "*",
        "xxx"
      ],
      "_acl": {
        "xxx": {
          "w": true,
          "r": true
        },
        "*": {
          "r": true
        }
      },
      "_created_at": {
        "$date": "20xx-xx-xxTyy:yy:yy.yyyZ"
      },
      "_updated_at": {
        "$date": "20xx-xx-xxTyy:yy:yy.yyyZ"
      }
    }

@flovilmart
Contributor

Interesting! I’ll be able to investigate from there with the old user data then!

@flovilmart
Contributor

The full old user object is the one that was previously posted?

@nebitrams
Author

nebitrams commented May 27, 2018

Yes, the old user object is the one that I posted with "_created_at" time stamp as 2015-01-26, having sessionToken inside the _user object.

I basically deleted account for username "Nebi" and use the iOS App to sign up a new account for username "Nebi" again. I noticed that the new structure embeds the ACL. Would this make a difference?

@flovilmart
Contributor

It is very likely that this is the issue.

@alexblack

Same issue here. We rolled back to fix it.

@flovilmart
Contributor

@nebitrams I'll try to work on a fix today, if I have time.

@flovilmart
Contributor

@nebitrams @alexblack

The issue originates in the fact that we now let the masterKey lock users out. A locked-out user is a user whose ACL is either not set or completely empty. Those old users have a completely empty ACL, as seen in the object that @nebitrams shared above.
It seems that for legacy reasons, the original users from the parse API didn't have an ACL, and the API would let them pass anyway.

How many of your users are affected by this issue? You can find out by checking the number of users with neither _rperm nor _wperm nor _acl set on them.

@saulogt
Contributor

saulogt commented May 28, 2018

We have a total of 727995 (legacy) users with no _acl nor _rperm nor _wperm.
About 33k of them have logged in during this month.

@flovilmart
Contributor

Ok, good to know, I’ll push a workaround then so they are not locked out upon re-login. If needed.

@nebitrams
Author

Thanks Florent. I don't have that many legacy users. I do not rollback and can wait for the patch.

flovilmart added a commit that referenced this issue May 30, 2018
flovilmart added a commit that referenced this issue May 30, 2018
* Adds test to reproduce issue #4790

* Attempt to allow failure on node STABLE

* Use new format for apt packages
@flovilmart
Contributor

flovilmart commented May 30, 2018

@nebitrams @alexblack @saulogt the latest branch should be up to date, can you let me know if it fixes the issue for you? You can use in your package.json  "parse-server": "https://github.com/parse-community/parse-server#latest" 

@nebitrams
Author

nebitrams commented May 30, 2018

I see your instruction now. I will try it in 16 hours time.

My package.json was originally from the parse-server-example. Can I just change the repository.url and do an npm update?

    {
      "name": "parse-server-example",
      "version": "1.4.0",
      "description": "An example Parse API server using the parse-server module",
      "main": "index.js",
      "repository": {
        "type": "git",
        "url": "https://github.com/ParsePlatform/parse-server-example"
      },
      "license": "MIT",
      "dependencies": {
        ...
      },
      "scripts": {
        ...
      },
      "engines": {
        ...
      }
    }

@flovilmart
Contributor

flovilmart commented May 30, 2018

As mentioned above, in your package.json, replace the version with the link pointing to this repository’s latest branch: https://github.com/Parse-community/Parse-server#latest

And run npm install

@dulmanr

dulmanr commented May 31, 2018

Having the same issues here. Not sure if it is related to users who changed their password, but possible. Rolling back to parse-server 2.7.4 fixed the problem for us.
problematic version - 2.8.1

@nebitrams
Author

I believe I still have the old code. Sorry about this but need to go now. Resume tomorrow.

line 132 onwards.

    if (!isValidPassword) {
      throw new _node2.default.Error(_node2.default.Error.OBJECT_NOT_FOUND, 'Invalid username/password.');
    }
    // Ensure the user isn't locked out
    // A locked out user won't be able to login
    // To lock a user out, just set the ACL to masterKey only ({}).
    if (!req.auth.isMaster && (!user.ACL || Object.keys(user.ACL).length == 0)) {
      throw new _node2.default.Error(_node2.default.Error.OBJECT_NOT_FOUND, 'Invalid username/password.');
    }
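
Added example, not code from this thread or from parse-server: it runs the lockout condition posted above against raw _User documents and separates the legacy accounts described earlier in the thread (no _rperm, _wperm or _acl) from accounts whose ACL was deliberately emptied. All function names, the comparison variant, the sample documents and the mapping from _rperm/_wperm to ACL are assumptions made for illustration.

```javascript
// Added example. Function and constant names here are hypothetical, not parse-server APIs.

// Filter for the count suggested in the thread: _User documents that carry
// none of _rperm, _wperm, _acl. Usable as a MongoDB query filter on _User.
const LEGACY_FILTER = {
  _rperm: { $exists: false },
  _wperm: { $exists: false },
  _acl: { $exists: false },
};

// In-memory equivalent of LEGACY_FILTER for already-exported documents.
const isLegacy = (doc) => Object.keys(LEGACY_FILTER).every((k) => !(k in doc));

// Assumption: the REST-level ACL is built from _rperm/_wperm. With neither
// array present the ACL is absent; with both present but empty it is {}.
function toACL(doc) {
  if (!('_rperm' in doc) && !('_wperm' in doc)) return undefined;
  const acl = {};
  for (const id of doc._rperm || []) (acl[id] = acl[id] || {}).read = true;
  for (const id of doc._wperm || []) (acl[id] = acl[id] || {}).write = true;
  return acl;
}

// The lockout condition exactly as posted from UserRouter.js above.
function lockedOutAsPosted(user, isMaster) {
  return !isMaster && (!user.ACL || Object.keys(user.ACL).length == 0);
}

// Variant for comparison (an assumption, not the project's patch):
// only an ACL that is present and empty counts as a deliberate lockout.
function lockedOutExplicitOnly(user, isMaster) {
  return !isMaster && !!user.ACL && Object.keys(user.ACL).length === 0;
}

// Sort users into: can log in, deliberately locked out, locked out by accident.
function audit(docs) {
  const report = { ok: [], explicitLockout: [], legacyLockedOut: [] };
  for (const doc of docs) {
    const user = { ACL: toACL(doc) };
    if (!lockedOutAsPosted(user, false)) report.ok.push(doc.username);
    else if (lockedOutExplicitOnly(user, false)) report.explicitLockout.push(doc.username);
    else report.legacyLockedOut.push(doc.username);
  }
  return report;
}

// Constructed sample documents, shaped like the two records posted in this thread.
const SAMPLE_USERS = [
  { _id: 'u1', username: 'legacy2015', _hashed_password: 'hashedXXX', _session_token: 'xxx' },
  { _id: 'u2', username: 'recent', _hashed_password: 'hashedXXX', _rperm: ['*', 'u2'], _wperm: ['u2'] },
  { _id: 'u3', username: 'lockedByAdmin', _hashed_password: 'hashedXXX', _rperm: [], _wperm: [] },
];

console.log(audit(SAMPLE_USERS));
```

The legacyLockedOut bucket is the population the thread asks operators to count before upgrading; explicitLockout holds accounts an administrator locked on purpose and that should stay locked.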

@flovilmart
Contributor

Yes this is still the old code.

Did you run npm install --save https://github.com/parse-community/parse-server#latest

Also you can delete perhaps the node_modules folder and re-run npm install.

@dulmanr

dulmanr commented Jun 1, 2018

@flovilmart
I get this error when trying to install latest version:
npm ERR! [email protected] postinstall: node -p 'require("./postinstall.js")()'
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the [email protected] postinstall script 'node -p 'require("./postinstall.js")()''.
npm ERR! Make sure you have the latest version of node.js and npm installed.
npm ERR! If you do, this is most likely a problem with the parse-server package,
npm ERR! not with npm itself.
npm ERR! Tell the author that this fails on your system:
npm ERR! node -p 'require("./postinstall.js")()'
...

@flovilmart
Contributor

what command did you run exactly?

@dulmanr

dulmanr commented Jun 1, 2018

The command you put in the last comment:
npm install --save https://github.com/parse-community/parse-server#latest

@flovilmart
Contributor

Do you have a package-lock.json? In package.json, is the line specifying the parse-server dependency pointing to the one I provided you, if not can you ensure it is? Lastly, you can remove the package-lock.json as well as the node_modules folder and re-run npm install

@nebitrams
Author

nebitrams commented Jun 1, 2018

I ran the npm install --save and see many errors too. I also checked that the UserRouter.js file was not updated. Can I manually add the new line into UserRouter.js?

@flovilmart
Contributor

> Can I manually add the new line into UserRouter.js?

You can but I discourage it as besides locally you won't be able to run.

> and see many errors too

What version of node are you running? Also you see errors, but the logs you're showing me are not errors at all.

@nebitrams
Author

nebitrams commented Jun 1, 2018

npm 5.5.1
nvm v9.3.0

I see package-lock.json. I removed it and am trying again.

@flovilmart
Contributor

Node 9 is unsupported, can you use node 8.10+? While this should work properly with node 9, one is never too sure.

Also, if you believe npm install fails, can you post the whole logs in a gist please?

@nebitrams
Author

nebitrams commented Jun 1, 2018

I removed package-lock.json and the node_modules folder and re-ran "npm install". The npm is successful but the UserRouter.js is still the old file.

Is my package.json correct?

    {
      "name": "parse-server-example",
      "version": "1.4.0",
      "description": "An example Parse API server using the parse-server module",
      "main": "index.js",
      "repository": {
        "type": "git",
        "url": "https://github.com/parse-community/parse-server#latest"
      },
      "license": "MIT",
      "dependencies": {
        "express": "^4.16.3",
        "kerberos": "~0.0.x",
        "moment": "^2.22.1",
        "parse": "^1.11.1",
        "parse-image": "~0.2.x",
        "parse-server": "^2.8.1"
      },
      "scripts": {
        "start": "node index.js"
      },
      "engines": {
        "node": ">=4.3"
      }
    }

@flovilmart
Contributor

No it isn’t, you’re pointing parse-server to ^2.8.1, and not the proper URL.

@nebitrams
Author

I edited UserRouter.js manually and the revised logic works for user records created in 2015.

    verbose: REQUEST for [GET] /parse/login: {
      "username": "Nebi",
      "password": "*""
    } method=GET, url=/parse/login, host=....

    verbose: RESPONSE from [GET] /parse/login: {
      "response": {
        "objectId": "id",
        "createdAt": "2015-01-26T00:34:23.529Z",
        "updatedAt": "2018-06-01T12:23:45.463Z",
        "email": "[email protected]",
        "username": "Nebi",
        "emailVerified": false,
        "sessionToken": "r:xxxaaabbb"
      }
    }

@flovilmart
Contributor

@nebitrams ok good to know. But you should not have done that as when you'll deploy to heroku or somewhere else, this won't work anymore.

@nebitrams
Author

nebitrams commented Jun 1, 2018

Thanks @flovilmart for fixing this issue.
For production, I will wait for 2.8.2 and not patch it using the parse-server#latest.

@lxknvlk

lxknvlk commented Jun 5, 2018

This issue still persists in 2.8.2

Logging in causes error invalid username/password for users from previous version.

@flovilmart
Contributor

@lxknvlk can you open a new issue please, providing verbose logs, as well as any relevant information that would help isolating the issue?

@lxknvlk

lxknvlk commented Jun 6, 2018

@flovilmart ok

@dulmanr

dulmanr commented Jun 6, 2018

@flovilmart Why open a new issue if the issue wasn't resolved?
Personally I'm still having issues in installing the new parse-server 2.8.2.

@flovilmart
Contributor

It’s been resolved according to the person who opened it. So, I’m not sure what to say, open a new issue please, filling in all the required information.

@artua

artua commented Jun 7, 2018

The same problem here.
Parse 2.8.1 on node 6.11.5 authorization failed.

@flovilmart
Contributor

Can you try with 2.8.2 on node 8+ please?

@artua

artua commented Jun 7, 2018

I will ask my hosting provider (nodechef.com) to get it up and running, because now it crashes when I try to run it on node 8.

@flovilmart
Contributor

@artua so please reach out to nodechef support.

@nebitrams
Author

@flovilmart I tested 2.8.2 in Heroku and it works well. I am using these node and npm versions.

remote: Downloading and installing node 10.4.0...
remote: Using default npm version: 6.1.0

@flovilmart
Contributor

Awesome! Good to hear!

UnderratedDev pushed a commit to UnderratedDev/parse-server that referenced this issue Mar 21, 2020
…ity#4795)

* Adds test to reproduce issue parse-community#4790

* Attempt to allow failure on node STABLE

* Use new format for apt packages