🔴 CRITICAL: Silent Promise Failures in Authentication Flow #1264

@Harshit2405-2004

Description

🔴 CRITICAL Error Handling Bug

Severity: CRITICAL
Type: Error Handling / Authentication Bug
Impact: Authentication Bypass / Data Loss

📍 Affected Files

  • packages/api/src/EmbeddedChatApi.ts (lines 115-118, 145-147)
  • packages/auth/src/RocketChatAuth.ts (lines 199-201)

🔥 Problem Description

Promise catch blocks log errors but neither return nor rethrow them, so the affected async functions resolve to undefined instead of an error object. Callers therefore cannot detect or handle the failure; it is silent.

Vulnerable Code Examples:

// Example 1: googleSSOLogin - Error not returned
async googleSSOLogin(token) {
  try {
    const response = await this.auth.googleSSOLogin(token);
    return { status: 'success', me: response };
  } catch (err) {
    console.error(err);  // ERROR: Logged but not returned
  }  // Function returns undefined
}

// Example 2: loginWithPassword - Same issue
async loginWithPassword(user, password) {
  try {
    // ... login logic
  } catch (error) {
    console.error(error);  // ERROR: Not returned
  }
}

// Example 3: RocketChatAuth.load() - Same issue
async load() {
  try {
    this.currentUser = await this.api.me();
  } catch (err) {
    console.error('Failed to load user:', err);  // ERROR: Not returned
  }
}

💥 Impact

  • Login failures appear successful - the UI shows a logged-in state, but the user holds no valid session
  • User left in an inconsistent state - no token, but no error feedback either
  • Impossible to debug - nothing tells the caller that authentication failed
  • Data loss - failed operations complete silently, with no notification

⚠️ Exploitation Scenario

  1. User attempts to log in
  2. Authentication fails on server
  3. Error caught and logged to console
  4. Function returns undefined
  5. Caller checks if (result) - evaluates to false
  6. No error message shown to user
  7. User stuck on login screen with no feedback

✅ Recommended Fix

Always return or throw errors from catch blocks:

async googleSSOLogin(token: string) {
  try {
    const response = await this.auth.googleSSOLogin(token);
    return { status: 'success', me: response };
  } catch (err) {
    console.error(err);
    // FIX: return the error instead of swallowing it. `err` is `unknown` in a
    // catch clause under strict TypeScript, so narrow before reading .message.
    const message = err instanceof Error ? err.message : String(err);
    return { status: 'error', error: message };
  }
}

// Better: use a typed result pattern so every caller must check `success`
type LoginResult =
  | { success: true; data: UserData }
  | { success: false; error: string };

async googleSSOLogin(token: string): Promise<LoginResult> {
  try {
    const response = await this.auth.googleSSOLogin(token);
    return { success: true, data: response };
  } catch (err) {
    const message = err instanceof Error ? err.message : String(err);
    return { success: false, error: message };
  }
}

🎯 Action Items

  • Fix googleSSOLogin to return errors
  • Fix loginWithPassword to return errors
  • Fix RocketChatAuth.load() to return errors
  • Audit all async methods for similar pattern
  • Add TypeScript result types for consistency
  • Add tests for error scenarios

⏱️ Timeline

Fix Required: Within 48 hours
Priority: P0 - Critical Bug

Discovered by: Automated codebase security analysis
Date: April 5, 2026
