🦋 Changeset detected. Latest commit: 81f1e47. The changes in this PR will be included in the next version bump. This PR includes changesets to release 41 packages.

No actionable comments were generated in the recent review.
Walkthrough

Refactors OAuth2 authentication: middleware extracts the Authorization header and access_token (from the query) and passes a simplified { authorization, accessToken } object to the OAuth2 server auth function, whose signature was updated. Adds tests that assert malformed access_token query payloads are rejected with 401. Adds a changeset documenting a patch security hotfix.
Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Client
    participant Middleware
    participant OAuth2Server
    participant UserStore
    Client->>Middleware: HTTP request (headers, query)
    Middleware->>Middleware: extract Authorization header\nextract access_token from query\ndelete access_token from query
    Middleware->>OAuth2Server: oAuth2ServerAuth({authorization, accessToken})
    OAuth2Server->>UserStore: validate token / lookup user
    UserStore-->>OAuth2Server: user | not found
    OAuth2Server-->>Middleware: user | undefined
    Middleware-->>Client: authorized response | 401 JSON error
```
1 issue found across 4 files
<file name="apps/meteor/app/oauth2-server-config/server/oauth/oauth2-server.ts">
<violation number="1" location="apps/meteor/app/oauth2-server-config/server/oauth/oauth2-server.ts:78">
P1: `delete routeContext.queryParams.access_token` bypasses the `isPlainObject` guard on the previous line. If `queryParams` is nullish, this throws a `TypeError`. Use the already-guarded `query` variable instead.</violation>
</file>
Actionable comments posted: 2
Inline comments:
In `@apps/meteor/app/oauth2-server-config/server/oauth/oauth2-server.ts`:
- Around line 22-24: The code treats any Authorization header as a bearer token
by calling replace('Bearer ', '') on partialRequest.authorization; change this
so oAuth2ServerAuth only treats the header as a bearer token when the scheme is
actually "Bearer" (case-insensitive). In the oAuth2ServerAuth function, replace
the headerToken logic with a check like testing /^Bearer\s+/i against
partialRequest.authorization and only then strip the scheme (e.g.,
replace(/^Bearer\s+/i, '')); otherwise leave headerToken undefined so
incomingToken can fall back to partialRequest.accessToken (use headerToken ??
partialRequest.accessToken).
- Around line 76-80: The code reads into the guarded local variable query but
deletes from routeContext.queryParams only when the value is truthy, leaving
falsy values (e.g. empty string) behind and creating a mismatch; instead delete
the property from the guarded query using a presence check (e.g. if
('access_token' in query) delete query.access_token) and then write the
sanitized query back to routeContext.queryParams when the original was a plain
object so both read and delete paths agree (refer to routeContext, query,
accessToken, and queryParams to locate the logic).
🔇 Additional comments (3)

.changeset/blue-points-dream.md (1)

1-5: Changeset looks consistent with the hotfix scope. Patch bump and terse security note are appropriate here.

apps/meteor/app/api/server/middlewares/authentication.ts (1)

30-33: Good narrowing before the OAuth2 fallback. Only a string `access_token` is forwarded, and the consumed query key is removed before downstream code sees it.

apps/meteor/tests/end-to-end/api/oauth-server.ts (1)

178-198: Nice coverage for malformed token payloads. These cases hit the operator-shaped query payloads and the plain invalid token path that the hotfix is trying to close.
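The token handling the two reviews above ask for, written out as an added TypeScript example that is not Rocket.Chat's code: the Authorization header is stripped only when its scheme really is Bearer (case-insensitive), the query-side access_token is accepted only when it is a non-empty string (so operator-shaped objects and arrays never reach the token lookup), and the key is read from and deleted from the same guarded query copy by presence check. The helper names (isPlainObject, asTokenString, headerBearerToken, resolveIncomingToken, extractAccessToken) and the sample inputs in the comments are assumptions.

```typescript
// Added example, not Rocket.Chat's code: helper names are assumptions that
// mirror the review suggestions on this PR.
type PartialRequest = { authorization?: unknown; accessToken?: unknown };

function isPlainObject(v: unknown): v is Record<string, unknown> {
  return typeof v === 'object' && v !== null && Object.getPrototypeOf(v) === Object.prototype;
}

// A token is only ever a non-empty string. Arrays and operator-shaped objects
// such as { $ne: '' } (what some query-string parsers build from bracketed
// keys) become undefined instead of being forwarded to the token lookup.
function asTokenString(value: unknown): string | undefined {
  return typeof value === 'string' && value.length > 0 ? value : undefined;
}

// Strip the scheme only when it really is "Bearer" (case-insensitive). Any
// other scheme leaves the header token undefined so the query token is used.
function headerBearerToken(authorization: unknown): string | undefined {
  const header = asTokenString(authorization);
  if (header === undefined || !/^Bearer\s+/i.test(header)) return undefined;
  return asTokenString(header.replace(/^Bearer\s+/i, ''));
}

// What the OAuth2 server auth function would look up: header token first,
// query token as the fallback.
function resolveIncomingToken(req: PartialRequest): string | undefined {
  return headerBearerToken(req.authorization) ?? asTokenString(req.accessToken);
}

// Middleware side: read and delete from the same guarded copy of the query,
// using a presence check so an empty-string access_token is removed too, and
// return the sanitized query for the caller to write back to queryParams.
function extractAccessToken(queryParams: unknown): { accessToken: string | undefined; query: Record<string, unknown> } {
  const query: Record<string, unknown> = isPlainObject(queryParams) ? { ...queryParams } : {};
  const accessToken = asTokenString(query.access_token);
  if ('access_token' in query) delete query.access_token;
  return { accessToken, query };
}
```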
Codecov Report

✅ All modified and coverable lines are covered by tests.

Coverage diff (develop vs. #39492):

| | develop | #39492 | +/- |
|---|---|---|---|
| Coverage | 70.94% | 70.88% | -0.07% |
| Files | 3197 | 3197 | |
| Lines | 113339 | 113339 | |
| Branches | 20580 | 20534 | -46 |
| Hits | 80410 | 80336 | -74 |
| Misses | 30880 | 30953 | +73 |
| Partials | 2049 | 2050 | +1 |