refactor: Remove global references to Accounts

[tassoevan]

Proposed changes (including videos or screenshots)

It imports Accounts from meteor/accounts-base instead of referencing the global-scoped variable.

Issue(s)

Steps to test or reproduce

Further comments

Task: ARCH-2036

Summary by CodeRabbit

• Chores
  • Consolidated authentication-related dependencies across server modules for improved code organization.
  • Refactored internal user management logic to enhance code consistency and maintainability.

[dionisio-bot]

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: dbab121

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[tassoevan]

/jira ARCH-2021

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between baf9770 and dbab121.

📒 Files selected for processing (6)

• apps/meteor/app/2fa/server/methods/validateTempToken.ts
• apps/meteor/app/api/server/v1/push.ts
• apps/meteor/app/lib/server/functions/saveUser/saveNewUser.ts
• apps/meteor/client/lib/2fa/overrideLoginMethod.ts
• apps/meteor/packages/linkedin-oauth/linkedin-server.js
• apps/meteor/server/configuration/cas.ts

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: 📦 Build Packages
• GitHub Check: cubic · AI code reviewer
• GitHub Check: CodeQL-Build
• GitHub Check: CodeQL-Build

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/app/2fa/server/methods/validateTempToken.ts
• apps/meteor/app/api/server/v1/push.ts
• apps/meteor/server/configuration/cas.ts
• apps/meteor/app/lib/server/functions/saveUser/saveNewUser.ts
• apps/meteor/client/lib/2fa/overrideLoginMethod.ts
• apps/meteor/packages/linkedin-oauth/linkedin-server.js

🧠 Learnings (11)

📓 Common learnings

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38974
File: apps/meteor/app/api/server/v1/im.ts:220-221
Timestamp: 2026-02-24T19:09:09.561Z
Learning: In RocketChat/Rocket.Chat OpenAPI migration PRs for apps/meteor/app/api/server/v1 endpoints, maintainers prefer to avoid any logic changes; style-only cleanups (like removing inline comments) may be deferred to follow-ups to keep scope tight.

Learnt from: ggazzo
Repo: RocketChat/Rocket.Chat PR: 35995
File: apps/meteor/app/api/server/v1/rooms.ts:1107-1112
Timestamp: 2026-02-23T17:53:18.785Z
Learning: In Rocket.Chat PR reviews, maintain strict scope boundaries—when a PR is focused on a specific endpoint (e.g., rooms.favorite), avoid reviewing or suggesting changes to other endpoints that were incidentally refactored (e.g., rooms.invite) unless explicitly requested by maintainers.

📚 Learning: 2026-02-25T20:10:16.987Z

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38913
File: packages/ddp-client/src/legacy/types/SDKLegacy.ts:34-34
Timestamp: 2026-02-25T20:10:16.987Z
Learning: In the RocketChat/Rocket.Chat monorepo, packages/ddp-client and apps/meteor do not use TypeScript project references. Module augmentations in apps/meteor (e.g., declare module 'rocket.chat/rest-typings') are not visible when compiling packages/ddp-client in isolation, which is why legacy SDK methods that depend on OperationResult types for OpenAPI-migrated endpoints must remain commented out.

Applied to files:

• apps/meteor/app/2fa/server/methods/validateTempToken.ts
• apps/meteor/app/api/server/v1/push.ts
• apps/meteor/server/configuration/cas.ts
• apps/meteor/client/lib/2fa/overrideLoginMethod.ts

📚 Learning: 2026-01-27T20:57:56.529Z

Learnt from: nazabucciarelli
Repo: RocketChat/Rocket.Chat PR: 38294
File: apps/meteor/server/hooks/sauMonitorHooks.ts:0-0
Timestamp: 2026-01-27T20:57:56.529Z
Learning: In Rocket.Chat, the `accounts.login` event listened to by DeviceManagementService is only broadcast when running in microservices mode (via DDPStreamer), not in monolith mode. The `Accounts.onLogin` hook in sauMonitorHooks.ts runs in monolith deployments. These are mutually exclusive deployment modes, so there's no duplication of event emissions between these two code paths.

Applied to files:

• apps/meteor/app/2fa/server/methods/validateTempToken.ts

📚 Learning: 2025-11-04T16:49:19.107Z

Learnt from: ricardogarim
Repo: RocketChat/Rocket.Chat PR: 37377
File: apps/meteor/ee/server/hooks/federation/index.ts:86-88
Timestamp: 2025-11-04T16:49:19.107Z
Learning: In Rocket.Chat's federation system (apps/meteor/ee/server/hooks/federation/), permission checks follow two distinct patterns: (1) User-initiated federation actions (creating rooms, adding users to federated rooms, joining from invites) should throw MeteorError to inform users they lack 'access-federation' permission. (2) Remote server-initiated federation events should silently skip/ignore when users lack permission. The beforeAddUserToRoom hook only executes for local user-initiated actions, so throwing an error there is correct. Remote federation events are handled separately by the federation Matrix package with silent skipping logic.

Applied to files:

• apps/meteor/app/2fa/server/methods/validateTempToken.ts
• apps/meteor/app/api/server/v1/push.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/app/2fa/server/methods/validateTempToken.ts
• apps/meteor/app/api/server/v1/push.ts
• apps/meteor/server/configuration/cas.ts
• apps/meteor/app/lib/server/functions/saveUser/saveNewUser.ts
• apps/meteor/client/lib/2fa/overrideLoginMethod.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/app/2fa/server/methods/validateTempToken.ts
• apps/meteor/app/api/server/v1/push.ts
• apps/meteor/server/configuration/cas.ts
• apps/meteor/app/lib/server/functions/saveUser/saveNewUser.ts
• apps/meteor/client/lib/2fa/overrideLoginMethod.ts

📚 Learning: 2026-02-24T19:09:01.522Z

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38974
File: apps/meteor/app/api/server/v1/im.ts:220-221
Timestamp: 2026-02-24T19:09:01.522Z
Learning: In Rocket.Chat OpenAPI migration PRs for endpoints under apps/meteor/app/api/server/v1, avoid introducing logic changes. Only perform scope-tight changes that preserve behavior; style-only cleanups (e.g., removing inline comments) may be deferred to follow-ups to keep the migration PR focused.

Applied to files:

• apps/meteor/app/api/server/v1/push.ts

📚 Learning: 2026-02-23T17:53:06.802Z

Learnt from: ggazzo
Repo: RocketChat/Rocket.Chat PR: 35995
File: apps/meteor/app/api/server/v1/rooms.ts:1107-1112
Timestamp: 2026-02-23T17:53:06.802Z
Learning: During PR reviews that touch endpoint files under apps/meteor/app/api/server/v1, enforce strict scope: if a PR targets a specific endpoint (e.g., rooms.favorite), do not propose changes to unrelated endpoints (e.g., rooms.invite) unless maintainers explicitly request them. Focus feedback on the touched endpoint's behavior, API surface, and related tests; avoid broad cross-endpoint changes in the same PR unless requested.

Applied to files:

• apps/meteor/app/api/server/v1/push.ts

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/page-objects/**/*.ts : Utilize existing page objects pattern from `apps/meteor/tests/e2e/page-objects/`

Applied to files:

• apps/meteor/server/configuration/cas.ts

📚 Learning: 2026-01-17T01:51:47.764Z

Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 38219
File: packages/core-typings/src/cloud/Announcement.ts:5-6
Timestamp: 2026-01-17T01:51:47.764Z
Learning: In packages/core-typings/src/cloud/Announcement.ts, the AnnouncementSchema.createdBy field intentionally overrides IBannerSchema.createdBy (object with _id and optional username) with a string enum ['cloud', 'system'] to match existing runtime behavior. This is documented as technical debt with a FIXME comment at apps/meteor/app/cloud/server/functions/syncWorkspace/handleCommsSync.ts:53 and should not be flagged as an error until the runtime behavior is corrected.

Applied to files:

• apps/meteor/app/lib/server/functions/saveUser/saveNewUser.ts

📚 Learning: 2026-02-10T16:32:42.586Z

Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 38528
File: apps/meteor/client/startup/roles.ts:14-14
Timestamp: 2026-02-10T16:32:42.586Z
Learning: In Rocket.Chat's Meteor client code, DDP streams use EJSON and Date fields arrive as Date objects; do not manually construct new Date() in stream handlers (for example, in sdk.stream()). Only REST API responses return plain JSON where dates are strings, so implement explicit conversion there if needed. Apply this guidance to all TypeScript files under apps/meteor/client to ensure consistent date handling in DDP streams and REST responses.

Applied to files:

• apps/meteor/client/lib/2fa/overrideLoginMethod.ts

🧬 Code graph analysis (1)

apps/meteor/app/lib/server/functions/saveUser/saveNewUser.ts (1)

apps/meteor/app/authentication/server/startup/index.js (1)

• roles (305-305)

🪛 Biome (2.4.4)

apps/meteor/packages/linkedin-oauth/linkedin-server.js

[error] 1-1: Illegal use of an import declaration outside of a module

(parse)

🔇 Additional comments (7)

apps/meteor/client/lib/2fa/overrideLoginMethod.ts (1)

1-1: Good explicit Accounts import to remove global coupling.

This is a clean refactor and keeps runtime behavior unchanged.

apps/meteor/server/configuration/cas.ts (1)

2-2: Accounts import is correctly localized for CAS login handler registration.

Nice scope-tight change.

apps/meteor/app/2fa/server/methods/validateTempToken.ts (1)

3-3: Explicit Accounts import is correct for token hashing usage in this method.

Refactor is consistent and behavior-preserving.

apps/meteor/app/api/server/v1/push.ts (1)

12-12: Scoped Accounts import in push.ts looks good.

Matches the no-logic-change intent for this endpoint refactor.

apps/meteor/packages/linkedin-oauth/linkedin-server.js (1)

1-1: Importing Accounts explicitly here is the right migration.

It cleanly supports Accounts.ConfigError usage without relying on globals.

apps/meteor/app/lib/server/functions/saveUser/saveNewUser.ts (2)

4-4: Accounts import is correctly added for createUserAsync.

No concerns on this change.

---

20-20: Optional chaining update in guest-role check is safe and clear.

Looks good for a non-behavioral refactor.

---

Walkthrough

Multiple files across authentication, user management, and API modules have been updated to explicitly import the Accounts module from 'meteor/accounts-base'. Additionally, the saveNewUser function signature was updated to include a performedBy parameter, and optional chaining was applied to a guest role check.

Changes

Cohort / File(s)	Summary
2FA and Login apps/meteor/app/2fa/server/methods/validateTempToken.ts, apps/meteor/client/lib/2fa/overrideLoginMethod.ts	Added Accounts import from 'meteor/accounts-base' to enable Accounts-related APIs.
User Management apps/meteor/app/lib/server/functions/saveUser/saveNewUser.ts	Added Accounts import, refactored isGuest computation using optional chaining (roles?.length), and updated saveNewUser function signature to include new third parameter performedBy: IUser.
API and External Auth apps/meteor/app/api/server/v1/push.ts, apps/meteor/server/configuration/cas.ts, apps/meteor/packages/linkedin-oauth/linkedin-server.js	Added Accounts import from 'meteor/accounts-base' to enable Accounts-related functionality.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

type: chore, area: authentication

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately describes the main refactoring effort: replacing global references to Accounts with explicit imports from 'meteor/accounts-base' across multiple files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

No issues found across 6 files

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.85%. Comparing base (baf9770) to head (dbab121).
⚠️ Report is 4 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #39314      +/-   ##
===========================================
- Coverage    70.90%   70.85%   -0.05%     
===========================================
  Files         3208     3208              
  Lines       113433   113433              
  Branches     20558    20549       -9     
===========================================
- Hits         80433    80377      -56     
- Misses       30955    31012      +57     
+ Partials      2045     2044       -1     

Flag	Coverage Δ
e2e	60.36% <ø> (-0.06%)	⬇️
e2e-api	47.85% <ø> (-0.99%)	⬇️
unit	71.55% <ø> (-0.03%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.