API access with custom OAuth token loses roles #14559

@ralfbecker

Description:

We use the current 1.0.3 container with our custom OAuth configuration.
Besides interactive logins via browser, desktop or mobile client, we also generate access tokens to talk to the RC API.
That API login seems to sometimes remove the user roles if role sync is enabled in the custom OAuth config. Without the "user" role, you cannot, e.g., see any channels.

Role sync works fine for interactive non-API access. So doing an interactive logout and re-login fixes the issue.

It could be linked to the issue I talked about with @geekgonecrazy, that the API OAuth login runs from a different code path and, e.g., does not set the avatar either.

Ralf

Steps to reproduce:

Expected behavior:

API access with oauth should ideally behave like interactive access, or at least not remove things like roles or avatar.

Actual behavior:

Server Setup Information:

  • Version of Rocket.Chat Server: 1.0.3
  • Operating System: rocketchat/rocket.chat container
  • Deployment Method: Kubernetes
  • Number of Running Instances: 1
  • DB Replicaset Oplog: yes
  • NodeJS Version: v8.11.4 (as of your 1.0.3 container)
  • MongoDB Version: 4.0.8

Additional context

Relevant logs:
