User accounts are mixed up and seem shared between users
-
Hello,
I've recently encountered something of the most weird kind: user accounts are mixed up. What I mean is that, for example, a user A can log in to their account, with their username and password, but will have access to an account B, including settings, emails, posts and more.
It is a profound security issue, and is also causing great confusion.
I've had to restore a backup of the database a few months back, and this issue did not appear at the time. Some accounts do not appear to be affected, as mine for example is normal.
Did anyone else have this issue? Can I do anything to resolve it?
I was thinking of deleting all the accounts and re-creating them and inviting the users to reset their passwords en masse, for example by exporting all the users to a CSV and then re-inviting them, but I am not sure it will resolve the issue.
It seems as if the users' IDs have been linked to two accounts. A strange case of data schizophrenia.
The forum is also extremely slow and shows a very high MongoDB usage.
Thank you for your help,
Cheers
I'm currently running NodeBB 3.9.0.
-
@nono-lqdn said in User accounts are mixed up and seem shared between users:
The forum is also extremely slow and shows a very high mongoDB usage.
Looks like you'll need to re-create your MongoDB indices.
db.objects.createIndex({ _key: 1, score: -1 }, { background: true });
db.objects.createIndex({ _key: 1, value: -1 }, { background: true, unique: true, sparse: true });
db.objects.createIndex({ expireAt: 1 }, { expireAfterSeconds: 0, background: true });
As for the user accounts issue, that sounds concerning, but it sounds like we also need more information on how to reproduce that issue.
-
@julian said in User accounts are mixed up and seem shared between users:
As for the user accounts issue, that sounds concerning, but it sounds like we also need more information on how to reproduce that issue.
The only thing I can think of is that I've restored the mongod database of the forum.
-
What are the timestamps of these user accounts? Are they created in quick succession? NodeBB has some code in user creation that assigns a number to a username if there is already an existing user with the same name. See if that is getting triggered: https://github.com/NodeBB/NodeBB/blob/master/src/user/create.js#L191
-
@nono-lqdn From this screenshot I can see that your objects collection is missing the indexes, run the commands julian posted to create them.
You need to switch to your database first and then run them. Once done you should see them when you run db.objects.stats().
-
I've already run the commands provided above.
I've re-run the following commands:
> db
database
> db.objects.stats()
{
    "ns" : "database.objects",
    "size" : 129014610,
    "count" : 1274360,
    "avgObjSize" : 101,
    "storageSize" : 61870080,
    "capped" : false,
    "wiredTiger" : { [WiredTiger storage engine statistics omitted] },
    "nindexes" : 1,
    "indexBuilds" : [ ],
    "totalIndexSize" : 22716416,
    "indexSizes" : { "_id_" : 22716416 },
    "scaleFactor" : 1,
    "ok" : 1
}
> db.objects.createIndex({ _key: 1, score: -1 }, { background: true });
{
    "createdCollectionAutomatically" : false,
    "numIndexesBefore" : 1,
    "numIndexesAfter" : 2,
    "ok" : 1
}
> db.objects.createIndex({ _key: 1, value: -1 }, { background: true, unique: true, sparse: true });
{
    "ok" : 0,
    "errmsg" : "E11000 duplicate key error collection: fotepo.objects index: _key_1_value_-1 dup key: { _key: \"analytics:pageviews:byCid:32\", value: \"1726783200000\" }",
    "code" : 11000,
    "codeName" : "DuplicateKey",
    "keyPattern" : { "_key" : 1, "value" : -1 },
    "keyValue" : { "_key" : "analytics:pageviews:byCid:32", "value" : "1726783200000" }
}
> db.objects.createIndex({ expireAt: 1 }, { expireAfterSeconds: 0, background: true });
{
    "createdCollectionAutomatically" : false,
    "numIndexesBefore" : 2,
    "numIndexesAfter" : 3,
    "ok" : 1
}
It seems like I now have 3 indexes, and an error in the index creation for the second command?
-
Indexes are used to speed up database/datastore.
https://en.wikipedia.org/wiki/Database_index
-
@nono-lqdn The error message is showing you which key is causing the violation, in this case it is analytics:pageviews:byCid:32; you need to delete that and try the createIndex command again until you no longer get errors and the index is created successfully. Do this when the forum is not running so you don't get more invalid keys.
> db.objects.createIndex({ _key: 1, value: -1 }, { background: true, unique: true, sparse: true });
{
    "ok" : 0,
    "errmsg" : "E11000 duplicate key error collection: fotepo.objects index: _key_1_value_-1 dup key: { _key: \"analytics:pageviews:byCid:32\", value: \"1726783200000\" }",
    "code" : 11000,
    "codeName" : "DuplicateKey",
    "keyPattern" : { "_key" : 1, "value" : -1 },
    "keyValue" : { "_key" : "analytics:pageviews:byCid:32", "value" : "1726783200000" }
}
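An added example, not part of the thread and not NodeBB code: rather than retrying createIndex and fixing one reported key per attempt, this lists every (_key, value) pair that would violate the unique index in one pass. The pipeline is intended for the mongo shell; findDuplicates, sampleDocs and the keys example:hash and example:other are constructed here to show the same grouping offline.

```javascript
// Mongo shell usage (forum stopped): db.objects.aggregate(duplicatePipeline, { allowDiskUse: true })
const duplicatePipeline = [
  // sparse compound index: a document is indexed if it has at least one of the keys
  { $match: { $or: [{ _key: { $exists: true } }, { value: { $exists: true } }] } },
  // a missing "value" is indexed as null, so group it as null as well
  { $group: {
    _id: { _key: '$_key', value: { $ifNull: ['$value', null] } },
    ids: { $push: '$_id' },
    n: { $sum: 1 },
  } },
  { $match: { n: { $gt: 1 } } },
  { $sort: { n: -1 } },
];

// Offline emulation of the same grouping over plain objects.
function findDuplicates(docs) {
  const groups = new Map();
  for (const doc of docs) {
    if (!('_key' in doc) && !('value' in doc)) continue; // not indexed (sparse)
    // JSON keeps the string "1" and the number 1 apart, as the index does
    const pair = JSON.stringify([doc._key ?? null, doc.value ?? null]);
    if (!groups.has(pair)) groups.set(pair, []);
    groups.get(pair).push(doc._id);
  }
  return [...groups.entries()]
    .filter(([, ids]) => ids.length > 1)
    .map(([pair, ids]) => ({ pair: JSON.parse(pair), ids }));
}

// Constructed sample documents; only the first key and value come from the thread.
const sampleDocs = [
  { _id: 1, _key: 'analytics:pageviews:byCid:32', value: '1726783200000', score: 4 },
  { _id: 2, _key: 'analytics:pageviews:byCid:32', value: '1726783200000', score: 7 },
  { _id: 3, _key: 'analytics:pageviews:byCid:32', value: '1726786800000', score: 2 },
  { _id: 4, _key: 'example:hash', name: 'first copy' },  // no "value" field
  { _id: 5, _key: 'example:hash', name: 'second copy' }, // collides on (_key, null)
  { _id: 6, note: 'neither indexed field present' },
  { _id: 7, _key: 'example:other', value: 'unique' },
];

for (const { pair, ids } of findDuplicates(sampleDocs)) {
  console.log(JSON.stringify(pair), 'held by _id', ids.join(', '));
}
```

Each reported group has to be reduced to a single document before the unique index will build; which copy to keep depends on the data behind that key.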