Login with invalid username or email displays 'Internal Server Error' message

[saralavanip]

Steps:

1. Visit https://apinf.io
2. Click on 'Login'
3. Enter non-registered username or email address
4. Enter valid password
5. Click on 'Sign In' button

Expected Result

Notify user with error message 'Invalid email address'

Actual Result

Displays 'Internal Server' error

Findings

• This scenario was also tested on https://nightly.apinf.io and the result is: displays error message 'Login forbidden' (login unsuccessful )as expected.

Browser

1. Mozilla Firefox 48.0
   (Mozilla Firefox for Ubuntu Canonical – 1.0 )
2. Google Chrome 52.0.2743.116

Operating System

Ubuntu 16.0 LTS

Screenshot

[bajiat]

@brylie Can you check if anything has changed in validate (?) login code after release 0.33?

[brylie]

There is a login_verify function that runs on the server when submitting the form. As of today, the most recent change to that file was on October 13th.

It is possible that recent changes to that file, or some other user login related function/configuration has resolved this issue in nightly.

[bajiat]

@jykae Please check this one after apinf.io is redeployed and settings have been changed

[jykae]

@bajiat Still results "Internal server error" in apinf.io

[brylie]

I think this is by design. If we submit an invalid email address, the security method may be designed to throw a 500 error to the client.

See

• Meteor audit-argument-checks

[jykae]

@brylie yep, error is ok, but we should find a way to catch error and show nicer error message for user :) And interesting part is why nightly gives "Login forbidden" that is a bit better message.

[brylie]

Also, the login form allows people to login with a username, so we can't always expect an email address.

[jykae]

@brylie Right, but it behaves same way if username does not exist on apinf.io

[brylie]

Where does the error originate? What method is checking that the user exists?

[brylie]

And what is the difference between our local envoronment, where we see 'Login forbidden' and the deployment, where we see 'Internal server error'?

[jykae]

@brylie Don't know, trying to look at it.. in progress

[brylie]

I am testing locally with meteor --production to see if there are any console errors.

[jykae]

This does not look too good, https://github.com/apinf/platform/blob/develop/users/server/accounts_hooks.js#L38
but it has worked somehow in the past :D

[brylie]

Hm. That seems to be left over from our boilerplate. Is it still necessary, or can we remove it?

[brylie]

Also, how can we access the server error log? It would probably be useful to get an error message.

[jykae]

@brylie I asked @shaliko to look server logs

[brylie]

Kool beans.

[jykae]

@brylie onLogin hook seems to be unnecessary, tested locally by commenting out, tried to register/login both with Github. It should wipe away undefined user._id error found in server logs.

[brylie]

Good work! Lets clean up that hook. 💣 💥 😎

[jykae]

Reason for this according above apinf.io logs:
https://github.com/apinf/platform/blob/0.33.2/users/server/login_verify.js#L15

Current develop, we are checking that: (would explain difference between nightly vs. apinf.io)
https://github.com/apinf/platform/blob/develop/users/server/login_verify.js#L20

[jykae]

@bajiat @brylie maybe we can close this as solved?

[brylie]

@jykae we need to verify that it works properly in apinf.io.

@bajiat mentioned testing it on staging.apinf.io and then deploying the next release on apinf.io.

[jykae]

@bajiat @brylie Tested new release on staging. Verified to work as expected. Closing.

[bajiat]

Also apinf.io looks ok after the new release was deployed. Showing Login forbidden instead of Internal server error