logoutCleanup does not need to send whole user object when called #18183

Closed
grahamsmith opened this issue Jul 6, 2020 · 5 comments
Comments

@grahamsmith

grahamsmith commented Jul 6, 2020

Description:

When a user logs out of Rocket Chat, a message is sent upstream via the web socket that includes the entire User object payload. After investigation, all current listeners do not take the user object and ignore it.

For security-based installations of Rocket Chat the amount of data is hard to inspect and validate.

Steps to reproduce:

  1. Log out of Rocket Chat
  2. Inspect Web Socket traffic and see the whole user object get sent with the method logoutCleanup.
  3. The server side logic invokes post logout callbacks that ignore the provided user object.

Expected behaviour:

The user object is not required in this call.

Actual behavior:

https://github.com/RocketChat/Rocket.Chat/blob/d53e264b83ccc971236123853e4b68c9eb6beeb4/server/methods/logoutCleanUp.js

app/ui-utils/client/lib/RoomManager.js
callbacks.add('afterLogoutCleanUp', () => RoomManager.closeAllRooms());

app/ui-master/client/main.js
callbacks.add('afterLogoutCleanUp', () => customScriptsOnLogout());

app/ui-utils/client/lib/popout.js
callbacks.add('afterLogoutCleanUp', () => popout.close(), callbacks.priority.MEDIUM, 'popout-close-after-logout-cleanup');

app/ui/client/lib/iframeCommands.js

Notice here how callbacks.run('afterLogoutCleanUp', user); is called but Meteor.call('logoutCleanUp', user); calls the same function internally too.

'logout'() {
    const user = Meteor.user();
    Meteor.logout(() => {
        callbacks.run('afterLogoutCleanUp', user);
        Meteor.call('logoutCleanUp', user);
        return FlowRouter.go('home');
    });
},

Server Setup Information:

  • Version of Rocket.Chat Server: 3.2.2
  • Operating System: Mac OS / Docker
  • Deployment Method: k8s/docker
  • Number of Running Instances: 1
  • DB Replicaset Oplog:
  • NodeJS Version:
  • MongoDB Version:

Client Setup Information

  • Desktop App or Browser Version: Chrome 83.0.4103.116
  • Operating System: Catalina Mac OS

Additional context

N/A

Relevant logs:

N/A
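The over-sharing pattern the issue describes, as an added example that is not Rocket.Chat's or Meteor's own code: it models the DDP `method` frame a Meteor client writes to the websocket, contrasts the reported call (the whole `Meteor.user()` document as the argument) with a minimised one, and adds the kind of server-side guard and frame-inspection helper a security-conscious deployment could apply. The sample user document, the `SENSITIVE_KEYS` list and every function name are constructed or hypothetical; the field names (`services`, `emails`, `roles`) follow Meteor's accounts document layout.

```javascript
// Added example, not Rocket.Chat's or Meteor's code. Models the DDP
// "method" frame described in the issue and the data-minimisation fix.

// Constructed sample of what Meteor.user() returns on the client.
// The password hash and token list are placeholders, not real values.
const SAMPLE_USER = {
  _id: 'u8K2xQp',
  username: 'alice',
  emails: [{ address: 'alice@example.org', verified: true }],
  roles: ['admin'],
  services: {
    password: { bcrypt: 'redacted-hash' },
    resume: { loginTokens: [{ hashedToken: 'redacted-token' }] },
  },
  settings: { preferences: { language: 'en' } },
};

// Keys that should never travel in a logout request (assumed list).
const SENSITIVE_KEYS = ['services', 'emails', 'roles'];

// DDP method frame as the reported client builds it:
// Meteor.call('logoutCleanUp', user) serialises the whole document.
function buildLogoutCleanupAsReported(user, id = '1') {
  return { msg: 'method', method: 'logoutCleanUp', id, params: [user] };
}

// Minimised frame: the server callbacks ignore the argument, so send none.
// Equivalent to Meteor.call('logoutCleanUp').
function buildLogoutCleanupMinimal(id = '1') {
  return { msg: 'method', method: 'logoutCleanUp', id, params: [] };
}

// Allowlist copy for methods that genuinely need an identifier but not the
// rest of the document. Own-property check avoids walking the prototype.
function pickFields(obj, allowed) {
  const out = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(obj, key)) out[key] = obj[key];
  }
  return out;
}

// Inspection helper for a proxy or server hook: parse a raw DDP frame and
// report which sensitive top-level keys appear in any params object.
function auditMethodFrame(rawFrame) {
  const frame = JSON.parse(rawFrame);
  if (frame.msg !== 'method') return { method: null, leaked: [], bytes: rawFrame.length };
  const leaked = [];
  for (const param of frame.params || []) {
    if (param && typeof param === 'object') {
      for (const key of SENSITIVE_KEYS) {
        if (key in param) leaked.push(key);
      }
    }
  }
  return { method: frame.method, leaked, bytes: rawFrame.length };
}

// Server-side guard for logoutCleanUp: accept only an empty params array,
// so a client cannot push an arbitrary object through the method.
function validateLogoutCleanupParams(params) {
  if (!Array.isArray(params)) throw new TypeError('params must be an array');
  if (params.length !== 0) {
    throw new Error(`logoutCleanUp takes no arguments, got ${params.length}`);
  }
  return true;
}

// Demo: compare the two frames on the constructed user.
const reportedFrame = JSON.stringify(buildLogoutCleanupAsReported(SAMPLE_USER));
const minimalFrame = JSON.stringify(buildLogoutCleanupMinimal());
console.log('as reported:', auditMethodFrame(reportedFrame));
console.log('minimised:  ', auditMethodFrame(minimalFrame));
```

`auditMethodFrame` only checks top-level keys of each parameter object; a production inspector would walk nested objects as well, but the point here is that the logout call should carry nothing at all, which `validateLogoutCleanupParams` enforces on the receiving side.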

@close-issue-app

This issue was closed because it does not use any of our issue templates. Please make sure to use one of the suggested templates.

@Sing-Li
Member

Sing-Li commented Jul 6, 2020

some bug in template identification?

@Sing-Li Sing-Li reopened this Jul 6, 2020
@close-issue-app

This issue was closed because it does not use any of our issue templates. Please make sure to use one of the suggested templates.

@Sing-Li
Member

Sing-Li commented Jul 6, 2020

Attempt #2.

@Sing-Li Sing-Li reopened this Jul 6, 2020
@close-issue-app

This issue was closed because it does not use any of our issue templates. Please make sure to use one of the suggested templates.
