unable to delete user that was created by "login with github"

[ashimokawa]

• Gitea version (or commit ref): 1.10-rc1
• Git version: 2.20.1
• Operating system: Debian 10
• Database (use [x]):
  • PostgreSQL
  • MySQL
  • MSSQL
  • SQLite
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (provide example URL)
  • No
  • Not relevant
• Log gist:

Description

1. Go to try.gitea.io
2. go to sign-in
3. click "login with github"
4. create a new account (left tab)
5. after logging in with github go to settings/account
6. click on delete user, enter password, confirm

A white page with the following error appears:
template: user/settings/account:62:48: executing "user/settings/account" at <eq .EmailNotificationsPreference "enabled">: error calling eq: invalid type for comparison
User Workaround:

1. log out
2. go to sign-in
3. click forgot passwort
4. click on the email link, specify a new password

Now it is possible to delete your user

What I also noticed:

1. When creating a new user with "login with github", there is no complexity check for the password, a simple one seemed to be accepted (no error visible at least)
2. the initial password does not work for login without gihub, but after clicking forgot password and creating a new one it does work.

[ashimokawa]

Just a random thought...
Could be worth to check if the complexity check somehow rejects the password silently when creating a new user with "login with github" and if that leads to all the problems (cant login without github, cant delete user)

[silverwind]

Please retest, #8826 might have fixed it.

[lafriks]

@silverwind I don't think my PR fixed this as there was bug also in LDAP sources but when I tested deleting user with ldap source it was working just fine so it must be something else

[guillep2k]

Well, I finally had the time to investigate how to setup OAuth2 app in Github (it was pretty easy, I was just over-complicating things myself).

The good (bad?) thing is that I couldn't reproduce the bug with master, so this must have been fixed sometime along the way? I need to check with 1.10.0.

Here's my tests (sorry, forgot to capture the Github login screen, but it's not important):

(Insert missing Github login capture here 😉)

[guillep2k]

It seems to have been fixed in v1.10.0-rc2 too. Unable to reproduce.

[guillep2k]

It seems that other users are still hitting this issue, so my findings should at least help isolate the problem. For context, my test instance is configured with:

[service]
REGISTER_EMAIL_CONFIRM            = false
ENABLE_NOTIFY_MAIL                = true
DISABLE_REGISTRATION              = false
ALLOW_ONLY_EXTERNAL_REGISTRATION  = false
ENABLE_CAPTCHA                    = false
REQUIRE_SIGNIN_VIEW               = false

[guillep2k]

Well, I've tested with all of these combinations and I still can't reproduce:

• REQUIRE_EXTERNAL_REGISTRATION_PASSWORD = true (after Fix require external registration password #8885), PASSWORD_COMPLEXITY = off during the whole test.
• REQUIRE_EXTERNAL_REGISTRATION_PASSWORD = true (after Fix require external registration password #8885), PASSWORD_COMPLEXITY = off at the moment of registration; * PASSWORD_COMPLEXITY = (default) when attempting to delete the account (to attempt triggering an invalid complexity for the preexisting password).
• Create the user from the Github OAuth2, adding a password later.
• Register as a normal user with password; add OAuth2 later.

In any case, the code for password complexity check (IsComplexEnough()) was never reached during the delete operation (at least in my case).

I'm aware that try.gitea.io shows this problem, but being unable to reproduce... it's a tough task!

In a side note, I'm still bugged by @ashimokawa 's error description:

A white page with the following error appears:
template: user/settings/account:62:48: executing "user/settings/account" at <eq .EmailNotificationsPreference "enabled">: error calling eq: invalid type for comparison

I think that some users at try.gitea.com might have an invalid value in their email_notifications_preference column, although it's unclear how could that be related to this issue.

[guillep2k]

New development! I've unlinked my previous try account (guillep2k) from Github. Then I created a new try account (guillep3k) using Github; I gave it a password to complete the registration. Now I can log in using Github as expected (it brings me to the guillep3k user), but I can't log in with my password, which connects to this issue. But here's the Strangest Thing™ of all:

Where is my Github linked account?? I've just used it to log in!!

Am I crazy? 😵

I did what any of you would: I've logged off and attempted a new login with Github. I was able to log in. And the linked account is still missing from my settings.

Talk about reproducibility!

[jolheiser]

The email_notifications_preference bug was fixed by #8562

[guillep2k]

The email_notifications_preference bug was fixed by #8562

Oh, yes, now I remember.

[liszca]

Just a random thought...
Could be worth to check if the complexity check somehow rejects the password silently when creating a new user with "login with github" and if that leads to all the problems (cant login without github, cant delete user)

Are you sure this can be done when passwords are not in Plain-Text?