diff --git a/.changeset/cold-chairs-taste.md b/.changeset/cold-chairs-taste.md
new file mode 100644
index 00000000000..e12a5765695
--- /dev/null
+++ b/.changeset/cold-chairs-taste.md
@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Fixes an issue where its not being possible to change the password in account security page
diff --git a/apps/meteor/app/2fa/server/code/index.ts b/apps/meteor/app/2fa/server/code/index.ts
index d4be080259c..cfe7b8ab7d4 100644
--- a/apps/meteor/app/2fa/server/code/index.ts
+++ b/apps/meteor/app/2fa/server/code/index.ts
@@ -9,6 +9,7 @@ import { EmailCheck } from './EmailCheck';
 import type { ICodeCheck } from './ICodeCheck';
 import { PasswordCheckFallback } from './PasswordCheckFallback';
 import { TOTPCheck } from './TOTPCheck';
+import { normalizeHeaders } from '../../../lib/server/functions/getModifiedHttpHeaders';
 import { settings } from '../../../settings/server';
 export interface ITwoFactorOptions {
@@ -184,9 +185,11 @@ export async function checkCodeForUser({ user, code, method, options = {}, conne
 throw new Meteor.Error('totp-user-not-found', 'TOTP User not found');
 }
- if (!code && !method && connection?.httpHeaders?.['x-2fa-code'] && connection.httpHeaders['x-2fa-method']) {
- code = connection.httpHeaders['x-2fa-code'];
- method = connection.httpHeaders['x-2fa-method'];
+ const headers = normalizeHeaders(connection?.httpHeaders);
+
+ if (!code && !method && headers?.['x-2fa-code'] && headers['x-2fa-method']) {
+ code = headers['x-2fa-code'];
+ method = headers['x-2fa-method'];
 }
 if (connection && isAuthorizedForToken(connection, existingUser, options)) {
diff --git a/apps/meteor/app/lib/server/functions/getModifiedHttpHeaders.ts b/apps/meteor/app/lib/server/functions/getModifiedHttpHeaders.ts
index 63e6dc52b91..2a14900e10a 100644
--- a/apps/meteor/app/lib/server/functions/getModifiedHttpHeaders.ts
+++ b/apps/meteor/app/lib/server/functions/getModifiedHttpHeaders.ts
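Review bot: The optional chain in `headers?.['x-2fa-code']` is dead: `normalizeHeaders` spreads its argument and therefore returns `{}` rather than `undefined` when `connection?.httpHeaders` is absent, so the condition should read `if (!code && !method && headers['x-2fa-code'] && headers['x-2fa-method']) {` to stop suggesting the helper can yield undefined. The copy made by `normalizeHeaders` is also taken on every call, even when `code` and `method` were supplied and the header fallback is never consulted; moving the `const headers = …` line inside the `!code && !method` branch keeps the work on the fallback path only. A fetch `Headers` instance lowercases its keys while a plain record is copied verbatim, so these lowercase lookups only match a record whose keys are already lowercase — whether every caller guarantees that is not visible here and deserves a short comment on the `const headers` line. `checkCodeForUser` begins and ends outside this hunk.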
@@ -1,12 +1,14 @@
-export const getModifiedHttpHeaders = (httpHeaders: Headers | Record) => {
- let modifiedHttpHeaders: { [k: string]: string };
-
+export const normalizeHeaders = (httpHeaders?: Headers | Record) => {
 if (httpHeaders instanceof Headers) {
- modifiedHttpHeaders = { ...Object.fromEntries(httpHeaders.entries()) };
- } else {
- modifiedHttpHeaders = { ...httpHeaders };
+ return { ...Object.fromEntries(httpHeaders.entries()) };
 }
+ return { ...httpHeaders };
+};
+
+export const getModifiedHttpHeaders = (httpHeaders: Headers | Record) => {
+ const modifiedHttpHeaders = normalizeHeaders(httpHeaders);
+
 if ('x-auth-token' in modifiedHttpHeaders) {
 modifiedHttpHeaders['x-auth-token'] = '[redacted]';
 }
diff --git a/apps/meteor/tests/e2e/account-security.spec.ts b/apps/meteor/tests/e2e/account-security.spec.ts
index 1fb41326cf6..e4ab3b3cc05 100644
--- a/apps/meteor/tests/e2e/account-security.spec.ts
+++ b/apps/meteor/tests/e2e/account-security.spec.ts
@@ -38,8 +38,7 @@ test.describe.serial('account-security', () => {
 await poAccountSecurity.toastMessage.waitForDisplay();
 });
- // FIXME: This test should pass as soon as we provide the fix
- test.skip('should be able to change password', async ({ api }) => {
+ test('should be able to change password', async ({ api }) => {
 await test.step('change password', async () => {
 await poAccountSecurity.changePassword(RANDOM_PASSWORD, RANDOM_PASSWORD, ADMIN_CREDENTIALS.password);
 await expect(poAccountSecurity.inputNewPassword).toHaveValue('');
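Review bot: `normalizeHeaders` is newly exported but undocumented, and unlike `getModifiedHttpHeaders` it applies no `x-auth-token` redaction, so a caller that reaches for the wrong helper when logging will emit the raw token; a TSDoc on the export should say so, e.g. `/** Copies httpHeaders (a fetch Headers or a plain record; undefined yields {}) into a fresh plain object. No redaction is applied — use getModifiedHttpHeaders for anything that is logged. */`. The spread in `return { ...Object.fromEntries(httpHeaders.entries()) };` is redundant because `Object.fromEntries` already builds a new object, so `return Object.fromEntries(httpHeaders.entries());` is equivalent. Since the helper now has an external importer in `apps/meteor/app/2fa/server/code/index.ts`, giving it an explicit return type rather than letting it be inferred from the two branches would keep that contract stable.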