fix: add timeout to CAS popup login to prevent infinite hang

[Kgupta62]

Summary

Closes #40153

• openCASLoginPopup() polls popup.closed every 100ms with no timeout, causing the login flow to hang indefinitely if the popup never closes
• Added a 120-second timeout using Promise.race() that rejects with a user-friendly error message and attempts to close the stale popup
• No changes to the happy path -- if the popup closes normally, the timeout is never triggered

Changes

• apps/meteor/client/lib/openCASLoginPopup.ts: Wrapped the polling promise in Promise.race() alongside a 120-second timeout promise that rejects with "CAS login timed out. Please try again."

Test plan

• Verify CAS login still works normally when the popup closes as expected
• Simulate a stuck popup (e.g. block the CAS redirect) and confirm the login rejects with the timeout error after ~120 seconds instead of hanging forever

---

Note

This PR was authored with assistance from an AI coding tool (Claude Code by Anthropic).

Summary by CodeRabbit

• Bug Fixes
  • CAS login popup now enforces a 120-second timeout for authentication attempts. If the process doesn't complete within this timeframe, the popup will be closed and a timeout error shown to the user, preventing indefinite hangs and improving the reliability and responsiveness of the login flow.

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label
• This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

🦋 Changeset detected

Latest commit: dbe6ed9

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 41 packages

Name	Type
@rocket.chat/meteor	Patch
@rocket.chat/core-typings	Patch
@rocket.chat/rest-typings	Patch
@rocket.chat/uikit-playground	Patch
@rocket.chat/api-client	Patch
@rocket.chat/apps	Patch
@rocket.chat/core-services	Patch
@rocket.chat/cron	Patch
@rocket.chat/ddp-client	Patch
@rocket.chat/fuselage-ui-kit	Patch
@rocket.chat/gazzodown	Patch
@rocket.chat/http-router	Patch
@rocket.chat/livechat	Patch
@rocket.chat/model-typings	Patch
@rocket.chat/ui-avatar	Patch
@rocket.chat/ui-client	Patch
@rocket.chat/ui-contexts	Patch
@rocket.chat/ui-voip	Patch
@rocket.chat/web-ui-registration	Patch
@rocket.chat/account-service	Patch
@rocket.chat/authorization-service	Patch
@rocket.chat/ddp-streamer	Patch
@rocket.chat/omnichannel-transcript	Patch
@rocket.chat/presence-service	Patch
@rocket.chat/queue-worker	Patch
@rocket.chat/abac	Patch
@rocket.chat/federation-matrix	Patch
@rocket.chat/license	Patch
@rocket.chat/media-calls	Patch
@rocket.chat/omnichannel-services	Patch
@rocket.chat/pdf-worker	Patch
@rocket.chat/presence	Patch
rocketchat-services	Patch
@rocket.chat/models	Patch
@rocket.chat/network-broker	Patch
@rocket.chat/omni-core-ee	Patch
@rocket.chat/mock-providers	Patch
@rocket.chat/ui-video-conf	Patch
@rocket.chat/instance-status	Patch
@rocket.chat/omni-core	Patch
@rocket.chat/server-fetch	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[CLAassistant]

All committers have signed the CLA.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 50f65c21-8703-4c83-97d8-d8308a31aa95

📥 Commits

Reviewing files that changed from the base of the PR and between 8e8711c and dbe6ed9.

📒 Files selected for processing (1)

• .changeset/fix-cas-popup-timeout.md

✅ Files skipped from review due to trivial changes (1)

• .changeset/fix-cas-popup-timeout.md

---

Walkthrough

Added a 120s timeout to the CAS popup login flow: waitForPopupClose now races popup-closed polling against a timeout, attempts to close the popup on timeout, and rejects with Error('CAS login timed out. Please try again.') if exceeded.

Changes

Cohort / File(s)	Summary
CAS Popup Timeout apps/meteor/client/lib/openCASLoginPopup.ts	Added CAS_POPUP_TIMEOUT_MS (120000ms). waitForPopupClose now races the existing popup-closed polling against a timeout, attempts to close the popup on timeout (guarded by try/catch), and rejects with a timeout error message.
Release Notes .changeset/fix-cas-popup-timeout.md	Added changeset entry describing the patch release that adds the 120s CAS popup timeout.

Sequence Diagram(s)

sequenceDiagram
participant Client as Client (main window)
participant Popup as Popup (CAS window)
participant CAS as CAS Server

Client->>Popup: open popup to CAS auth URL
Popup->>CAS: request / authenticate user
CAS-->>Popup: redirect to callback page
Note right of Popup: callback may or may not auto-close
alt Popup closes within 120s
Popup-->>Client: (window.closed detected)
Client->>Client: resolve login flow
else Popup doesn't close within 120s
Client->>Client: timeout elapsed
Client->>Popup: try to close() (try/catch)
Client->>Client: reject promise with timeout error
end

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely describes the main change: adding a timeout to the CAS popup login flow to prevent infinite hangs.
Linked Issues check	✅ Passed	The PR implements the primary objective from issue #40153 by adding a 120-second timeout to prevent indefinite hanging in the CAS popup login flow.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to the CAS popup timeout fix: the timeout logic in openCASLoginPopup.ts and the corresponding changeset entry.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@apps/meteor/client/lib/openCASLoginPopup.ts`:
- Line 60: Remove the inline comment inside the catch block in
apps/meteor/client/lib/openCASLoginPopup.ts (the catch handling around the
popup/window check in function openCASLoginPopup), i.e., delete the comment text
"// popup may already be closed or cross-origin" so the catch block contains no
implementation comment and matches repository style; leave the catch body empty
or add a minimal TODO or proper error handling if required by project policy.
- Around line 46-67: The polling interval and timeout are not cleared in both
completion paths; update the logic in openCASLoginPopup (the pollClosed Promise
and timeout Promise using checkPopupOpen interval and the setTimeout with
CAS_POPUP_TIMEOUT_MS) so that when either path completes you clear the other
timer: store the interval id (checkPopupOpen) and timeout id, call
clearInterval(checkPopupOpen) and clearTimeout(timeoutId) inside the pollClosed
resolve branch and likewise clearInterval/checkPopupOpen before rejecting in the
timeout branch (ensure popup.close() remains wrapped in try/catch).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7719af75-046c-4d40-add0-14ce44381d94

📥 Commits

Reviewing files that changed from the base of the PR and between 41f6662 and 8e8711c.

📒 Files selected for processing (1)

• apps/meteor/client/lib/openCASLoginPopup.ts

📜 Review details

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/client/lib/openCASLoginPopup.ts

🧠 Learnings (5)

📓 Common learnings

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Use `page.waitFor()` with specific conditions instead of hardcoded timeouts in Playwright tests

📚 Learning: 2025-11-24T17:08:17.065Z

Learnt from: CR
Repo: RocketChat/Rocket.Chat PR: 0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-11-24T17:08:17.065Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Use `page.waitFor()` with specific conditions instead of hardcoded timeouts in Playwright tests

Applied to files:

• apps/meteor/client/lib/openCASLoginPopup.ts

📚 Learning: 2026-02-10T16:32:42.586Z

Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 38528
File: apps/meteor/client/startup/roles.ts:14-14
Timestamp: 2026-02-10T16:32:42.586Z
Learning: In Rocket.Chat's Meteor client code, DDP streams use EJSON and Date fields arrive as Date objects; do not manually construct new Date() in stream handlers (for example, in sdk.stream()). Only REST API responses return plain JSON where dates are strings, so implement explicit conversion there if needed. Apply this guidance to all TypeScript files under apps/meteor/client to ensure consistent date handling in DDP streams and REST responses.

Applied to files:

• apps/meteor/client/lib/openCASLoginPopup.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/client/lib/openCASLoginPopup.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/client/lib/openCASLoginPopup.ts

🔇 Additional comments (1)

apps/meteor/client/lib/openCASLoginPopup.ts (1)

43-44: Nice extraction of popup timeout constant.

Good call centralizing the timeout value; this keeps the flow readable and easier to adjust later.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Clear timer handles on both completion paths.

On Line 46 and Line 55, interval/timeout are created independently but never jointly cleaned up. If the timeout path hits Line 57 and popup.close() fails, polling may continue forever; if polling wins first, the timeout still executes later.

Proposed fix

 const waitForPopupClose = (popup: Window) => {
-	const pollClosed = new Promise<void>((resolve) => {
-		const checkPopupOpen = setInterval(() => {
-			if (popup.closed || popup.closed === undefined) {
-				clearInterval(checkPopupOpen);
-				resolve();
-			}
-		}, 100);
-	});
-
-	const timeout = new Promise<never>((_, reject) => {
-		setTimeout(() => {
-			try {
-				popup.close();
-			} catch {
-				// popup may already be closed or cross-origin
-			}
-			reject(new Error('CAS login timed out. Please try again.'));
-		}, CAS_POPUP_TIMEOUT_MS);
-	});
-
-	return Promise.race([pollClosed, timeout]);
+	return new Promise<void>((resolve, reject) => {
+		const checkPopupOpen = window.setInterval(() => {
+			if (popup.closed || popup.closed === undefined) {
+				cleanup();
+				resolve();
+			}
+		}, 100);
+
+		const timeoutId = window.setTimeout(() => {
+			cleanup();
+			try {
+				popup.close();
+			} catch {}
+			reject(new Error('CAS login timed out. Please try again.'));
+		}, CAS_POPUP_TIMEOUT_MS);
+
+		const cleanup = (): void => {
+			window.clearInterval(checkPopupOpen);
+			window.clearTimeout(timeoutId);
+		};
+	});
 };

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/meteor/client/lib/openCASLoginPopup.ts` around lines 46 - 67, The
polling interval and timeout are not cleared in both completion paths; update
the logic in openCASLoginPopup (the pollClosed Promise and timeout Promise using
checkPopupOpen interval and the setTimeout with CAS_POPUP_TIMEOUT_MS) so that
when either path completes you clear the other timer: store the interval id
(checkPopupOpen) and timeout id, call clearInterval(checkPopupOpen) and
clearTimeout(timeoutId) inside the pollClosed resolve branch and likewise
clearInterval/checkPopupOpen before rejecting in the timeout branch (ensure
popup.close() remains wrapped in try/catch).

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Remove inline catch comment to match repository style.

Line 60 adds an implementation comment in production code; this should be removed to follow project conventions.

As per coding guidelines "Avoid code comments in the implementation".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/meteor/client/lib/openCASLoginPopup.ts` at line 60, Remove the inline
comment inside the catch block in apps/meteor/client/lib/openCASLoginPopup.ts
(the catch handling around the popup/window check in function
openCASLoginPopup), i.e., delete the comment text "// popup may already be
closed or cross-origin" so the catch block contains no implementation comment
and matches repository style; leave the catch body empty or add a minimal TODO
or proper error handling if required by project policy.

[cubic-dev-ai]

No issues found across 1 file