
getPasswordPolicy Throws Error Because of Missing Token (Even When No Token **Can** Be Provided) #22495

Open
einfallstoll opened this issue Jun 28, 2021 · 0 comments


@einfallstoll

Description:

Steps to reproduce:

  1. Disable Accounts_TwoFactorAuthentication_By_Email_Enabled
  2. Create user via API
  3. First login using credentials

Expected behavior:

Password policy should be shown

Actual behavior:

An error [undefined] will be shown (screenshot attached in the original issue).

Relevant Request:

{"message":"{\"msg\":\"method\",\"method\":\"getPasswordPolicy\",\"params\":[{}],\"id\":\"12\"}"}

Relevant Response:

{"message":"{\"msg\":\"result\",\"id\":\"12\",\"error\":{\"message\":\"Match error: Missing key 'token'\",\"path\":\"\",\"sanitizedError\":{\"isClientSafe\":true,\"error\":400,\"reason\":\"Match failed\",\"message\":\"Match failed [400]\",\"errorType\":\"Meteor.Error\"},\"errorType\":\"Match.Error\"}}","success":true}

Server Setup Information:

  • Version of Rocket.Chat Server: 3.15.1 (but 3.16.0 as well)
  • Operating System: not relevant
  • Deployment Method: docker
  • Number of Running Instances: not relevant
  • DB Replicaset Oplog: not relevant
  • NodeJS Version: not relevant
  • MongoDB Version: not relevant

Client Setup Information

  • Desktop App or Browser Version: not relevant
  • Operating System: not relevant

Additional context

Relevant code:
https://github.com/RocketChat/Rocket.Chat/blob/master/server/methods/getPasswordPolicy.js#L8-L17

As the user does not perform a regular password reset but logs in for the first time, a token is not provided, and therefore an error is thrown. From my point of view, checking the existence of a user (using a password reset token) is superfluous and could be completely removed (correct me if I'm wrong).

Also, I think a proper error message would be helpful as well.

Relevant logs:

not relevant
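An added illustration of the validation change the report asks for (this is not Rocket.Chat's code and does not run inside Meteor): a hypothetical `getPasswordPolicy` handler in plain Node.js that treats `token` as optional, so the first-login call with `[{}]` succeeds, and that returns a descriptive client-safe error instead of a bare "Match failed". The policy object, the reset-token store and the `ClientSafeError` stand-in for `Meteor.Error` are constructed for the example.

```javascript
// Added example, not Rocket.Chat's implementation. ClientSafeError is a plain
// stand-in for Meteor.Error(code, reason) so the logic runs without Meteor.
class ClientSafeError extends Error {
  constructor(error, reason) {
    super(`${reason} [${error}]`);
    this.error = error;        // numeric code, like the 400 in the report
    this.reason = reason;      // human-readable reason shown to the client
    this.isClientSafe = true;
  }
}

// Constructed sample data: a password policy and a reset-token store keyed by token.
const PASSWORD_POLICY = { enabled: true, minLength: 8, maxLength: 24, forbidRepeatingCharacters: true };
const RESET_TOKENS = new Map([
  ['tok-abc123', { userId: 'u1', expires: Date.parse('2099-01-01T00:00:00Z') }],
]);

// Validate the single params object. `token` is optional here, which is the
// difference from a strict `{ token: String }` pattern that fails on `{}`.
function validateParams(params) {
  if (params === null || typeof params !== 'object' || Array.isArray(params)) {
    throw new ClientSafeError(400, 'getPasswordPolicy: params must be an object');
  }
  const { token } = params;
  if (token !== undefined && typeof token !== 'string') {
    throw new ClientSafeError(400, "getPasswordPolicy: 'token' must be a string when provided");
  }
  return { token: token ?? null };
}

// No token: first login, the policy is returned as-is (it is shown to every user anyway).
// Token present (password-reset flow): require a live token and say why it was rejected.
function getPasswordPolicy(params, store = RESET_TOKENS, now = Date.now()) {
  const { token } = validateParams(params);
  if (token === null) return PASSWORD_POLICY;
  const record = store.get(token);
  if (!record) throw new ClientSafeError(403, 'getPasswordPolicy: unknown reset token');
  if (record.expires < now) throw new ClientSafeError(403, 'getPasswordPolicy: expired reset token');
  return PASSWORD_POLICY;
}
```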
