User accounts are mixed up and seem shared between users
-
Hello,
I've recently encountered something of the weirdest kind: user accounts are mixed up. What I mean is that, for example, user A can log in to their account with their username and password, but will have access to account B, including settings, emails, posts and more.
It is a profound security issue, and is also causing great confusion.
I've had to restore a backup of the database a few months back, and this issue did not appear at the time. Some accounts do not appear to be affected; mine, for example, is normal.
Did anyone else have this issue? Can I do anything to resolve it?
I was thinking of deleting all the accounts and re-creating them and inviting the users to reset their passwords en masse, for example by exporting all the users to a CSV and then re-inviting them, but I am not sure it will resolve the issue.
It seems as if a user's ID has been linked to two accounts. A strange case of data schizophrenia.
The forum is also extremely slow and shows a very high MongoDB usage.
Thank you for your help,
Cheers
I'm currently running NodeBB 3.9.0.
-
@nono-lqdn said in User accounts are mixed up and seem shared between users:
The forum is also extremely slow and shows a very high MongoDB usage.
Looks like you'll need to re-create your MongoDB indices.
// Sorted-set lookups by key and score
db.objects.createIndex({ _key: 1, score: -1 }, { background: true });
// Key/value lookups; unique + sparse so only documents with a value are indexed
db.objects.createIndex({ _key: 1, value: -1 }, { background: true, unique: true, sparse: true });
// TTL index: documents are removed once expireAt has passed
db.objects.createIndex({ expireAt: 1 }, { expireAfterSeconds: 0, background: true });
As for the user accounts issue, that sounds concerning, but it sounds like we also need more information on how to reproduce that issue.
-
@julian said in User accounts are mixed up and seem shared between users:
As for the user accounts issue, that sounds concerning, but it sounds like we also need more information on how to reproduce that issue.
The only thing I can think of is that I've restored the mongod database of the forum.
-
What are the timestamps of these user accounts? Are they created in quick succession? NodeBB has some code in user creation that assigns a number to a username if there is already an existing user with the same name. See if that is getting triggered: https://github.com/NodeBB/NodeBB/blob/master/src/user/create.js#L191
-
@nono-lqdn From this screenshot I can see that your objects collection is missing the indexes, run the commands julian posted to create them.
You need to switch to your database first and then run them. Once done you should see them when you run db.objects.stats().
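To verify the three indexes from julian's reply and the check suggested above, here is an added example (not from this thread or from NodeBB) that takes the array returned by `db.objects.getIndexes()` in mongosh and reports which of the expected indexes are missing or lack the required options, printing the exact createIndex() commands still needed. The `SAMPLE_GET_INDEXES` input is constructed for illustration.

```javascript
// Added example, not NodeBB code. EXPECTED mirrors the three createIndex()
// calls quoted in the thread; options are the fields getIndexes() reports
// at the top level of each index document (unique, sparse, expireAfterSeconds).
const EXPECTED = [
  { key: { _key: 1, score: -1 }, options: {} },
  { key: { _key: 1, value: -1 }, options: { unique: true, sparse: true } },
  { key: { expireAt: 1 }, options: { expireAfterSeconds: 0 } },
];

// Compare two key specs field by field and in order: {_key:1, score:-1}
// is a different index from {score:-1, _key:1}.
function sameKey(a, b) {
  const ak = Object.keys(a);
  const bk = Object.keys(b);
  return ak.length === bk.length && ak.every((k, i) => k === bk[i] && a[k] === b[k]);
}

// Return the entries of EXPECTED that are absent from `indexes` or present
// with the wrong options (e.g. a _key/value index that is not unique).
function missingIndexes(indexes) {
  return EXPECTED.filter((want) => {
    const found = indexes.find((have) => sameKey(have.key, want.key));
    if (!found) return true;
    return Object.entries(want.options).some(([opt, val]) => found[opt] !== val);
  });
}

// Render the missing indexes as mongosh commands ready to paste.
function createIndexCommands(indexes) {
  return missingIndexes(indexes).map((idx) => {
    const opts = { ...idx.options, background: true };
    return `db.objects.createIndex(${JSON.stringify(idx.key)}, ${JSON.stringify(opts)});`;
  });
}

// Constructed sample of getIndexes() output: only the default _id index and a
// _key/value index that was created without unique/sparse.
const SAMPLE_GET_INDEXES = [
  { v: 2, key: { _id: 1 }, name: '_id_' },
  { v: 2, key: { _key: 1, value: -1 }, name: '_key_1_value_-1' },
];

console.log(createIndexCommands(SAMPLE_GET_INDEXES).join('\n'));
```

Note that a pre-existing non-unique `_key`/`value` index has to be dropped before the unique one can be created, because MongoDB will not build two indexes on the same key pattern.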