QA-Regression: User is not able to change the account password. #19604

Closed
Ishrat-Manzoor opened this issue Nov 19, 2020 · 13 comments · Fixed by #20737

@Ishrat-Manzoor

Description:

User is not able to change the account password.

Steps to reproduce:

  1. Login to Rocketchat
  2. Click on the user icon in the side menu.
  3. Click "My Account"
  4. Go to Profile and Enter new password in the password field.
  5. Enter same password in the confirm password field.
  6. Click Save changes button
    Issue: Invalid password error is displayed and user is not able to change the password.

Expected behavior:

Password should be changed successfully.

Actual behavior:

Error is displayed and password is not changed.

Server Setup Information:

  • Version of Rocket.Chat Server: 3.8.0
  • Operating System:
  • Deployment Method:
  • Number of Running Instances:
  • DB Replicaset Oplog:
  • NodeJS Version:
  • MongoDB Version:

Client Setup Information

  • Desktop App or Browser Version:
  • Operating System:

Additional context

Relevant logs:

@MJPGPleasant

MJPGPleasant commented Nov 27, 2020

Having the same issue Rocket.Chat 3.8.0, deployed via Docker on Ubuntu 20.04. Occurs both on Web Interface and Desktop Client.

I20201127-16:32:02.382(0) Exception while invoking method saveUserProfile Error: Not allowed [error-not-allowed]
     at MethodInvocation.<anonymous> (server/methods/saveUserProfile.js:18:10)
     at MethodInvocation.<anonymous> (app/2fa/server/twoFactorRequired.ts:34:13)
     at MethodInvocation.methodsMap.<computed> (app/lib/server/lib/debug.js:76:34)
     at maybeAuditArgumentChecks (packages/ddp-server/livedata_server.js:1771:12)
     at packages/ddp-server/livedata_server.js:1689:15
     at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12)
     at packages/ddp-server/livedata_server.js:1687:36
     at new Promise (<anonymous>)
     at Server.applyAsync (packages/ddp-server/livedata_server.js:1686:12)
     at Server.apply (packages/ddp-server/livedata_server.js:1625:26)
     at Server.call (packages/ddp-server/livedata_server.js:1607:17)
     at Object.post (app/api/server/v1/misc.js:262:26)
     at app/api/server/api.js:394:82
     at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12)
     at Object._internalRouteActionHandler [as action] (app/api/server/api.js:394:39)
     at Route.share.Route.Route._callEndpoint (packages/nimble_restivus/lib/route.coffee:150:32)
     at packages/nimble_restivus/lib/route.coffee:59:33
     at packages/simple_json-routes.js:98:9
  => awaited here:
     at Promise.await (/app/bundle/programs/server/npm/node_modules/meteor/promise/node_modules/meteor-promise/promise_server.js:60:12)
     at Server.apply (packages/ddp-server/livedata_server.js:1638:22)
     at Server.call (packages/ddp-server/livedata_server.js:1607:17)
     at Object.post (app/api/server/v1/misc.js:262:26)
     at app/api/server/api.js:394:82
     at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12)
     at Object._internalRouteActionHandler [as action] (app/api/server/api.js:394:39)
     at Route.share.Route.Route._callEndpoint (packages/nimble_restivus/lib/route.coffee:150:32)
     at packages/nimble_restivus/lib/route.coffee:59:33
     at packages/simple_json-routes.js:98:9

EDIT: "Allow Profile Change" needs to be enabled to allow password change, and overrides "Allow Password Change" setting below. May want to change either behavior or UI such that it either disables the ability to change other settings, or does not override other settings.

@valcryst

valcryst commented Dec 8, 2020

Same Problem :(

@salahtobok

salahtobok commented Dec 14, 2020

@valcryst @Ishrat-Manzoor @MJPGPleasant, I encountered this problem too. It is caused by the saveUserProfile method that exists in the Rocket.Chat/programs/server/app/app.js file or in Rocket.Chat/server/methods/saveUserProfile.js, specifically in the part of the code that is responsible for setting a new email or a new password:
Line: 189689




When I debugged some attribute values of the settings object, I found that settings.typedPassword is undefined.

01 - console.debug("RocketChat debugging : typedPassword : "+settings.typedPassword);

02 - the result in the console will be :

RocketChat debugging : typedPassword : undefined

@salahtobok

Regarding the issue with updating profile details in AccountProfilePage (password, email) already reported by some users, such as #19604, #6226, #10730:

To resolve the issue "saveuserprofile error: invalid password", I suggest this solution:

  1. For the server version of RocketChat, append the following code to the xe method that exists in the Rocket.Chat/programs/web.browser/dynamic/client/account/AccountProfilePage.js file:
, t = b("Are_you_sure");
				return R(I ? () => u.createElement(U, {
					onSave: e,
					onCancel: H,
					title: t,
					text: b("For_your_security_you_must_enter_your_current_password_to_continue"),
					isPassword: !0
				}) : () => u.createElement(U, {
					onSave: e,
					onCancel: H,
					title: t,
					text: b("If_you_are_sure_type_in_your_username"),
					isPassword: !0
				}))

and add the following dependencies H, I, R to the last method like this [G, J, K, z, V, we, re, ie, _e, ue, he, me, P, ke, ye, S, b, ve, ge, O, Ce, Ae, pe, H, I, R])

  2. For the GitHub repository version of RocketChat, append the following code to the onSave method that exists in the Rocket.Chat/client/views/account/AccountProfilePage.js file:
const title = t('Are_you_sure');
		if (localPassword) {
			return setModal(() => <ActionConfirmModal
				onSave={save}
				onCancel={closeModal}
				title={title}
				text={t('For_your_security_you_must_enter_your_current_password_to_continue')}
				isPassword
			/>);
		}
		return setModal(() => <ActionConfirmModal
			onSave={save}
			onCancel={closeModal}
			title={title}
			text={t('If_you_are_sure_type_in_your_username')}
			isPassword
		/>);

and add the following dependencies closeModal,localPassword,setModal to the last method like this
[
saveFn,
allowEmailChange,
allowPasswordChange,
allowRealNameChange,
allowUserStatusMessageChange,
bio,
canChangeUsername,
email,
password,
realname,
statusText,
username,
user,
updateAvatar,
handleAvatar,
dispatchToastMessage,
t,
customFields,
statusType,
commit,
nickname,
handlePassword,
handleConfirmationPassword,
closeModal,
localPassword,
setModal

]

Modified files :

  1. For GitHub repository version of RocketChat

AccountProfilePage.zip

  2. For Server version of RocketChat

AccountProfilePage.zip

@MJPGPleasant

Not sure if the code above achieves this, but I would suggest that "Allow Profile Change", when set to disabled, should NOT override other options such as "Allow Password Change", "Allow Avatar Change", etc.

This allows for lockdown of Bio, Nicknames, Custom Properties, without disabling other items (Password being the most critical)

Setting "Allow profile change" should also grey out controls in the same way as "Disable Name Change" and similar does.
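
A minimal model of the two failures discussed in the thread up to this point, added here as an example (not Rocket.Chat's code; the flag names, field names and helper functions are hypothetical). It shows a global switch that is checked first masking the password flag with error-not-allowed, a request without typedPassword ending in error-invalid-password, and a per-field gate that keeps password changes available while descriptive fields stay locked.

```javascript
// Added illustration, not Rocket.Chat source: flag and field names are hypothetical.
const nodeCrypto = require('crypto');

const hashPw = (pw, salt) => nodeCrypto.scryptSync(pw, salt, 32);
const verifyPw = (user, typed) =>
  typeof typed === 'string' && nodeCrypto.timingSafeEqual(hashPw(typed, user.salt), user.hash);

function fail(code) { throw Object.assign(new Error(code), { code }); }

// Credential changes need their own flag and proof of the current password.
function checkCredentialChange(flags, user, req) {
  if (!('newPassword' in req.fields)) return;
  if (!flags.allowPasswordChange) fail('error-not-allowed');
  // An undefined typedPassword (client never prompted for it) is rejected here.
  if (!verifyPw(user, req.typedPassword)) fail('error-invalid-password');
}

// Reported behaviour: the global switch is tested first and rejects everything.
function gateGlobalFirst(flags, user, req) {
  if (!flags.allowProfileChange) fail('error-not-allowed');
  checkCredentialChange(flags, user, req);
  return Object.keys(req.fields);
}

// Suggested behaviour: the global switch covers only descriptive fields.
const DESCRIPTIVE = ['bio', 'nickname', 'customFields'];
function gatePerField(flags, user, req) {
  const touchesProfile = DESCRIPTIVE.some((f) => f in req.fields);
  if (touchesProfile && !flags.allowProfileChange) fail('error-not-allowed');
  checkCredentialChange(flags, user, req);
  return Object.keys(req.fields);
}

// Run a gate and report 'ok' or the error code it raised.
function outcome(gate, flags, user, req) {
  try { gate(flags, user, req); return 'ok'; } catch (e) { return e.code; }
}

// Constructed sample account, settings and requests.
const salt = nodeCrypto.randomBytes(16);
const alice = { salt, hash: hashPw('old-pass', salt) };
const locked = { allowProfileChange: false, allowPasswordChange: true };
const unlocked = { allowProfileChange: true, allowPasswordChange: true };
const pwChange = { fields: { newPassword: 'new-pass' }, typedPassword: 'old-pass' };
const noPrompt = { fields: { newPassword: 'new-pass' } };

console.log('global-first, profile locked:', outcome(gateGlobalFirst, locked, alice, pwChange));
console.log('per-field, profile locked:   ', outcome(gatePerField, locked, alice, pwChange));
console.log('no typedPassword sent:       ', outcome(gatePerField, unlocked, alice, noPrompt));
```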

@wongsingfo

Same problem Rocket.Chat 3.9.4

Exception while invoking method saveUserProfile Error: Invalid password [error-invalid-password]
    at MethodInvocation.<anonymous> (server/methods/saveUserProfile.js:82:12)
    at MethodInvocation.<anonymous> (app/2fa/server/twoFactorRequired.ts:34:13)
    at MethodInvocation.methodsMap.<computed> (app/lib/server/lib/debug.js:76:34)
    at maybeAuditArgumentChecks (packages/ddp-server/livedata_server.js:1771:12)
    at packages/ddp-server/livedata_server.js:1689:15
    at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12)
    at packages/ddp-server/livedata_server.js:1687:36
    at new Promise (<anonymous>)
    at Server.applyAsync (packages/ddp-server/livedata_server.js:1686:12)
    at Server.apply (packages/ddp-server/livedata_server.js:1625:26)
    at Server.call (packages/ddp-server/livedata_server.js:1607:17)
    at Object.post (app/api/server/v1/misc.js:262:26)
    at app/api/server/api.js:394:82
    at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12)
    at Object._internalRouteActionHandler [as action] (app/api/server/api.js:394:39)
    at Route.share.Route.Route._callEndpoint (packages/nimble_restivus/lib/route.coffee:150:32)
    at packages/nimble_restivus/lib/route.coffee:59:33
    at packages/simple_json-routes.js:98:9
 => awaited here:
    at Promise.await (/app/bundle/programs/server/npm/node_modules/meteor/promise/node_modules/meteor-promise/promise_server.js:60:12)
    at Server.apply (packages/ddp-server/livedata_server.js:1638:22)
    at Server.call (packages/ddp-server/livedata_server.js:1607:17)
    at Object.post (app/api/server/v1/misc.js:262:26)
    at app/api/server/api.js:394:82
    at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12)
    at Object._internalRouteActionHandler [as action] (app/api/server/api.js:394:39)
    at Route.share.Route.Route._callEndpoint (packages/nimble_restivus/lib/route.coffee:150:32)
    at packages/nimble_restivus/lib/route.coffee:59:33
    at packages/simple_json-routes.js:98:9

@amsnek

amsnek commented Jan 12, 2021

same issue on 3.9.1

@korobita

same issue on 3.9.0

@mmgoilf

mmgoilf commented Jan 13, 2021

Same issue on 3.10.3

@akshun-j

same issue on 3.10.0

@bndn

bndn commented Jan 22, 2021

Same issue on 3.10.4. The error is displayed when we update other data of our profile like status and surname, but data is saved. When we update a custom field, the error is displayed but the data is not saved.

@cloudwindy

Same issue on 3.9.3 (snap is tracking 3.x/stable)

Exception while invoking method saveUserProfile Error: Invalid password [error-invalid-password]
     at MethodInvocation.<anonymous> (server/methods/saveUserProfile.js:82:12)
     at MethodInvocation.<anonymous> (app/2fa/server/twoFactorRequired.ts:34:13)
     at MethodInvocation.methodsMap.<computed> (app/lib/server/lib/debug.js:76:34)
     at maybeAuditArgumentChecks (packages/ddp-server/livedata_server.js:1771:12)
     at packages/ddp-server/livedata_server.js:1689:15
     at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12)
     at packages/ddp-server/livedata_server.js:1687:36
     at new Promise (<anonymous>)
     at Server.applyAsync (packages/ddp-server/livedata_server.js:1686:12)
     at Server.apply (packages/ddp-server/livedata_server.js:1625:26)
     at Server.call (packages/ddp-server/livedata_server.js:1607:17)
     at Object.post (app/api/server/v1/misc.js:262:26)
     at app/api/server/api.js:394:82
     at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12)
     at Object._internalRouteActionHandler [as action] (app/api/server/api.js:394:39)
     at Route.share.Route.Route._callEndpoint (packages/nimble_restivus/lib/route.coffee:150:32)
     at packages/nimble_restivus/lib/route.coffee:59:33
     at packages/simple_json-routes.js:98:9
  => awaited here:
     at Promise.await (/snap/rocketchat-server/1449/programs/server/npm/node_modules/meteor/promise/node_modules/meteor-promise/promise_server.js:60:12)
     at Server.apply (packages/ddp-server/livedata_server.js:1638:22)
     at Server.call (packages/ddp-server/livedata_server.js:1607:17)
     at Object.post (app/api/server/v1/misc.js:262:26)
     at app/api/server/api.js:394:82
     at Meteor.EnvironmentVariable.EVp.withValue (packages/meteor.js:1234:12)
     at Object._internalRouteActionHandler [as action] (app/api/server/api.js:394:39)
     at Route.share.Route.Route._callEndpoint (packages/nimble_restivus/lib/route.coffee:150:32)
     at packages/nimble_restivus/lib/route.coffee:59:33
     at packages/simple_json-routes.js:98:9

@rasos
Contributor

rasos commented Feb 2, 2021

Changing your own e-mail address does not work either, tested on 3.9.3.
