The Great Open Source Debate with Elastic, Gluu and GitHub 🎤 Oct 26

Cannot change password with users.update method of REST API

We’re integrating Rocket.Chat with our platform, creating chat accounts with the same login and password users have in our system. Subsequently, when user password is changed in our system, we need to update chat account password as well - but we’re not able to do so, we are getting “TOTP Required [totp-required]” error.

The documentation states that “Edit Other User Password” permission is required, administrator has such permission of course. We’re not sure if it’s a good idea to set such permission for a user though, sounds like they’ll be able to change each others’ password then; still we tried granting such permission and nothing has changed. Anyway, we’re using REST API from an administrator user, they create accounts successfully, unable to change passwords though.

Do you think this may be a bug and submitting a bugreport may help?

Thank you for all the help.

Hmm - it probably isn’t a bug.

Search github for the error.

That will lead you to these.

Thank you for the response. Sure, we did search through GitHub, unfortunately threads we found don’t seem to be relevant for the issue we’re facing. Upon experimenting with this further, it appears that the same issue occurs even if we don’t attempt modifying the password, changing data.roles results in the same error.

If anyone is using users.update method with the latest Rocket.Chat version, we’d appreciate sharing an example of the method call that works for them. We utilize the method much like the one used to create a user, logged in as administrator account, and can’t figure out where our mistake could be.

Thanks again.

Have attempted to do that directly via cURL according to the documentation page, modifying just the name, not a password - same error:

$ curl -H "X-Auth-Token: rEcvAe0uIk0ZRGveG1eIo4C8Zi88bxo3xkDrbLg-sAs" \
>      -H "X-User-Id: kc3dBmjGnCBx6AG2g" \
>      -H "Content-type:application/json" \
> \
>      -d '{"userId": "FowAqkCqmagRdYKkm", "data": { "name": "new name"}}'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   223    0   161  100    62    181     69 --:--:-- --:--:-- --:--:--   181
{"success":false,"error":"TOTP Required [totp-required]","errorType":"totp-required","details":{"method":"password","codeGenerated":false,"availableMethods":[]}}

In theory, we could use users.updateOwnBasicInfo but having no luck there either, getting Error 401 no matter what we send in data.

So you didn’t find this PR linked for the bugs above?

Which I believe is part of this:

1 Like

Oh wow, my mistake, somehow I didn’t think it applied to our case as we’re not using 2FA anywhere. But, sending X-2fa-code and X-2fa-method actually did help, everything worked like a charm. Thank you!

1 Like

If this is the solution please mark this solved.

I tried doing that, but my account probably doesn’t have sufficient permissions for editing forum thread properties… Sorry about the trouble.