Cannot change password via the API for secured users in 1.8.6.1


Paul Smith

Jan 27, 2023, 10:40:35 AM
to xnat_discussion
Hi,

I'm trying out 1.8.6.1 before switching to it. I've noticed that if I create a user via the API and set 'secured: true':

curl -u 'admin' -X POST ${XNAT_URL}/xapi/users -H 'Content-Type: application/json' --data-raw '{"username":"testUser","password":"test1234","firstName":"test","lastName":"user","email":"test...@test.com","verified":true,"enabled":true,"secured":true}'

then when I try to modify the user's password with another API call:

curl -u 'admin' -X PUT "${XNAT_URL}/xapi/users/testUser" -H 'Content-Type: application/json' --data-raw '{"username":"testUser","password":"test1234new"}'

I get the following error:

There was an error in the request : Error occurred modifying user testUser%
 
I can modify the password okay if I don't set 'secured: true'. And I don't have this issue with 1.8.5.2.

Any help would be much appreciated!

Cheers,
Paul


Rick Herrick

Jan 27, 2023, 1:33:06 PM
to xnat_di...@googlegroups.com
Hi Paul,

There are really two issues interacting there. The first is when you create the user with the secure flag. That flag really isn’t intended to be used that way, but is for internal use to control how the user object is serialized. When the model object has secured set to true, the password and salt values are passed as null and are then ignored by the JSON serializer. What’s happening is that your various parameters are being deserialized into a User object with secured set to true so that when the code tries to get the password it just gets null, which is what gets set in the database:

# psql --command="SELECT login, primary_password FROM xdat_user WHERE login = 'testUser'"
  login   | primary_password
----------+------------------
 testUser |
(1 row)

The code that handles that POST should explicitly set secured to false, but you can fix this just by not including "secured": true in your request data.

The second issue is that, once the password has been set to null, the code that looks for properties that have been changed and validates any changed data doesn’t check for null or use a null-safe utility method for comparing strings when comparing the password values. To work around this, you can set the password value to some random string, delete any potential cache entries for the user object, then try changing it again. That would look something like this:

In psql, pgAdmin, or whatever database management tool you have, run these queries:

UPDATE xdat_user SET primary_password = 'XXX' WHERE login = 'testUser';
DELETE FROM xs_item_cache WHERE contents ~ '^.*\(xdat:user\).*\(login:string\)=\(testUser\).*$';

Now re-run the PUT command and the password should update properly.

I created two issues to track this stuff:

Rick Herrick
Senior Software Developer
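
The two interacting problems described in the reply above, as an added example that is not part of the original thread and is not XNAT source code. It is a simplified model: every class and method name is hypothetical, and it assumes the update failure is a null dereference in the comparison.

```java
import java.util.Objects;

// Simplified model of the behaviour described in the reply above.
// All names are hypothetical; this is not XNAT source code.
public class SecuredFlagDemo {
    static class User {
        String username; String password; boolean secured;
        User(String username, String password, boolean secured) {
            this.username = username; this.password = password; this.secured = secured;
        }
        // When secured is true the password is hidden, as the reply describes.
        String getPassword() { return secured ? null : password; }
    }

    // "Before": honours the client-supplied flag, so null is what gets stored.
    static String storedPasswordOnCreate(User fromRequest) {
        return fromRequest.getPassword();
    }

    // "After": the create handler forces secured to false before reading.
    static String storedPasswordOnCreateFixed(User fromRequest) {
        fromRequest.secured = false;
        return fromRequest.getPassword();
    }

    // "Before": throws NullPointerException when the stored value is null.
    static boolean passwordChanged(String stored, String requested) {
        return !stored.equals(requested);
    }

    // "After": null-safe comparison of the stored and requested values.
    static boolean passwordChangedFixed(String stored, String requested) {
        return !Objects.equals(stored, requested);
    }

    public static void main(String[] args) {
        // Constructed request values matching the thread's example user.
        String stored = storedPasswordOnCreate(new User("testUser", "test1234", true));
        System.out.println("stored with client flag honoured: " + stored);
        try {
            passwordChanged(stored, "test1234new");
        } catch (NullPointerException e) {
            System.out.println("unsafe compare failed: NullPointerException");
        }
        System.out.println("null-safe compare, changed = " + passwordChangedFixed(stored, "test1234new"));
        String fixed = storedPasswordOnCreateFixed(new User("testUser", "test1234", true));
        System.out.println("stored with flag forced off: " + (fixed != null));
    }
}
```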



Paul Smith

Jan 27, 2023, 2:13:30 PM
to xnat_discussion
Hi Rick,

Thanks so much for the explanation. 

I was playing around with this in a VM so I've not got to worry about fixing any database entries, but it's good to know in case I come across this again.

Cheers,
Paul