Rocket.chat: invite url on 2.4.0

Created on 30 Dec 2019  ·  11 Comments  ·  Source: RocketChat/Rocket.Chat

Wrong token after proceeding to the invite URL. I wonder: what is the default TTL of the invite URL token? Can it be set somehow?



Steps to reproduce:

  1. Generate an invite URL on a pv
  2. Transfer the URL to a user
  3. The user must be logged in; after the new user has proceeded to the URL, we see an error

Expected behavior:

No error appears and the user is invited to the pv.

Actual behavior:

Error of invalid or expired token, but the user is invited.

Server Setup Information:

  • Version of Rocket.Chat Server: 2.4.0
  • Operating System: CentOS
  • Deployment Method: docker-compose
  • Number of Running Instances: 1
  • DB Replicaset Oplog: yes
  • NodeJS Version: last from docker
  • MongoDB Version: 4.0

Client Setup Information

  • Desktop App or Browser Version: 2.4.0 Web
  • Operating System: Windows, Linux

After pressing the Rocket logo we enter the buddy list... but when the user logs out, it proceeds to the create account window; in my configuration, creating users is disabled.

All 11 comments

Not sure if I should start a new ticket for this or not. Invite url duplicates the directory when running in sub directory mode.

https://domain.com/subdirectory/subdirectory/invite/SSBmcX

The invite expiration date is displayed under the generated URL when you click on the invite button.

But why does the error appear?

--
Gerasim Shaverdov | Deputy CTO | Altarix
Mobile: +7 937 070 66 84 | Skype/email: [email protected]
Lenina av.25, Samara, Russia, 443068

On 7 Jan 2020, at 8:55, pierre-lehnen-rc notifications@github.com wrote:

The invite expiration date is displayed under the generated URL when you click on the invite button.



@pierre-lehnen-rc: I'm having the same issue here. Using latest Docker Image, Rocket.Chat v. 2.4.6 and nextcloud for OAUTH (registration and login via name+pw disabled .. if that's of any relevance).
URL: https://chat.REDACTED.de/invite/AgiKTo
Expire date is set to "never".
On the error page rocket.chat seems to hang and sends potentially hundreds of POST requests (about 12 per second) to /api/v1/useInviteToken, which all return {"room":{"rid":"REDACTED","fname":"off-topic","name":"off-topic","t":"c"},"success":true}. On /admin/invites this results in thousands of falsely tracked clicks.

Oddly enough the invite link actually works and the user has joined the channel once the page was refreshed. It just seems to hang "falsely" on this error page.

UPDATE: Found the culprit for the error.

ISSUE 1: If you disable the registration form for new users, channel invite links don't seem to work (even for current users that are currently logged in).

If you enable the registration form the invite links work, however:
ISSUE 2: If the user is logged in, after clicking the invite link and opening the channel, the page still performs this enormous number of requests to /api/v1/useInviteToken, spamming the server until the user changes channels.
ISSUE 3: If you use the "hidden registration" (and the user is not already logged in) the invite link exposes the hidden registration URL (😕)

Still present in v2.4.8.

Not present in v3.0.

Still having this issue in the latest version.

still present in v2.4.11

nice, will this fix also be available in version 2.x.x?

It'll be added to 3.2.0
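
Added example, not part of the original thread and not Rocket.Chat's own code: one way for an administrator to find the clients caught in the /api/v1/useInviteToken request loop described in the comments above, using a reverse-proxy access log. The log format (nginx-style with ISO 8601 timestamps), the sample lines, the function name and the window and threshold values are assumptions.

```javascript
// Added example: find clients stuck in the /api/v1/useInviteToken request loop.
// Assumed log format: nginx-style access log with ISO 8601 timestamps.
const ENDPOINT = '/api/v1/useInviteToken';
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Returns clients whose successful POSTs to the endpoint exceed maxPerWindow
// inside any sliding window of windowMs (both thresholds are assumptions).
function findInviteTokenFloods(lines, { windowMs = 5000, maxPerWindow = 10 } = {}) {
  const byClient = new Map();
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue; // skip lines that do not match the assumed format
    const [, ip, ts, method, url, status] = m;
    const path = url.split('?')[0];
    // endsWith() also covers installs served from a subdirectory.
    if (method !== 'POST' || !path.endsWith(ENDPOINT)) continue;
    // The thread reports that the looping calls return success and are tracked.
    if (!status.startsWith('2')) continue;
    const t = Date.parse(ts);
    if (Number.isNaN(t)) continue;
    if (!byClient.has(ip)) byClient.set(ip, []);
    byClient.get(ip).push(t);
  }
  const findings = [];
  for (const [ip, times] of byClient) {
    times.sort((a, b) => a - b);
    let peak = 0;
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] >= windowMs) start++;
      peak = Math.max(peak, end - start + 1);
    }
    if (peak > maxPerWindow) findings.push({ ip, total: times.length, peakInWindow: peak });
  }
  return findings.sort((a, b) => b.total - a.total);
}

// Constructed sample: one client sends 12 POSTs per second for 3 seconds,
// another client uses the same invite once and then opens the channel.
const sampleLog = [];
for (let i = 0; i < 36; i++) {
  const sec = String(1 + Math.floor(i / 12)).padStart(2, '0');
  sampleLog.push(`203.0.113.7 - - [2020-01-07T08:55:${sec}+00:00] "POST ${ENDPOINT} HTTP/1.1" 200 94`);
}
sampleLog.push(`198.51.100.4 - - [2020-01-07T08:55:02+00:00] "POST ${ENDPOINT} HTTP/1.1" 200 94`);
sampleLog.push('198.51.100.4 - - [2020-01-07T08:55:03+00:00] "GET /channel/off-topic HTTP/1.1" 200 5120');

console.log(findInviteTokenFloods(sampleLog));
```

The `total` for a flagged client approximates how many of the uses shown on /admin/invites came from the loop and not from distinct clicks.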
