fix: clean up login tokens in users.deactivateidle

[julio-rocketchat]

Proposed changes (including videos or screenshots)

When idle users are bulk-deactivated via users.deactivateIdle, their Meteor login tokens (services.resume.loginTokens) were previously left intact. A deactivated user with an existing session token could continue using authenticated APIs.

This change folds the token clearance ('services.resume.loginTokens': []) into the same atomic updateMany that sets active: false, so deactivation and token revocation are a single write.

Additionally, WebSocket notifications are now pushed to affected clients so they immediately discover the deactivation instead of silently failing on the next API call. The old code had a comment claiming "there is no need to send data through WS" because the users "are not logged in," but this seems incorrect - a user's lastLogin timestamp could be stale while their WebSocket connection remains open.

Issue(s)

https://rocketchat.atlassian.net/browse/VLN-366

Steps to test or reproduce

• N/A

Further comments

• N/A

Summary by CodeRabbit

• Chores

  • Bumped package patch versions.

• Bug Fixes

  • Login tokens for idle-deactivated users are now cleaned up to prevent re-authentication.
  • System now emits notifications when users are deactivated for inactivity.

• Tests

  • Added end-to-end test validating idle user deactivation and token invalidation.

[dionisio-bot]

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

[changeset-bot]

🦋 Changeset detected

Latest commit: 8619844

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 42 packages

Name	Type
@rocket.chat/model-typings	Patch
@rocket.chat/models	Patch
@rocket.chat/meteor	Patch
@rocket.chat/apps	Patch
@rocket.chat/account-service	Patch
@rocket.chat/authorization-service	Patch
@rocket.chat/ddp-streamer	Patch
@rocket.chat/omnichannel-transcript	Patch
@rocket.chat/presence-service	Patch
@rocket.chat/queue-worker	Patch
@rocket.chat/omnichannel-services	Patch
rocketchat-services	Patch
@rocket.chat/core-services	Patch
@rocket.chat/cron	Patch
@rocket.chat/instance-status	Patch
@rocket.chat/omni-core	Patch
@rocket.chat/server-fetch	Patch
@rocket.chat/ui-client	Patch
@rocket.chat/abac	Patch
@rocket.chat/federation-matrix	Patch
@rocket.chat/media-calls	Patch
@rocket.chat/omni-core-ee	Patch
@rocket.chat/presence	Patch
@rocket.chat/network-broker	Patch
@rocket.chat/core-typings	Patch
@rocket.chat/rest-typings	Patch
@rocket.chat/uikit-playground	Patch
@rocket.chat/api-client	Patch
@rocket.chat/ddp-client	Patch
@rocket.chat/fuselage-ui-kit	Patch
@rocket.chat/gazzodown	Patch
@rocket.chat/http-router	Patch
@rocket.chat/livechat	Patch
@rocket.chat/ui-avatar	Patch
@rocket.chat/ui-contexts	Patch
@rocket.chat/ui-voip	Patch
@rocket.chat/web-ui-registration	Patch
@rocket.chat/license	Patch
@rocket.chat/pdf-worker	Patch
@rocket.chat/mock-providers	Patch
@rocket.chat/ui-video-conf	Patch
@rocket.chat/ui-composer	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Walkthrough

The PR clears deactivated users' login tokens during idle deactivation: model adds a finder and clears tokens on deactivation, the API endpoint emits per-user notifications after deactivation, and an e2e test plus changeset validate the behavior.

Changes

Idle user deactivation with login token cleanup

Layer / File(s)	Summary
Model interface and implementation packages/model-typings/src/models/IUsersModel.ts, packages/models/src/models/Users.ts	setActiveNotLoggedInAfterWithRole now clears services.resume.loginTokens when setting active: false. A new findActiveNotLoggedInAfterWithRole method returns matching active users and accepts optional FindOptions; the interface signature is updated to allow options?: FindOptions<IUser>.
API endpoint notification on deactivation apps/meteor/app/api/server/v1/users.ts	/users.deactivateIdle queries matching user IDs (projecting _id), calls the model deactivation, then iterates affected IDs and calls notifyOnUserChange per user with a diff clearing login tokens and setting active: false.
Test coverage and release documentation apps/meteor/tests/end-to-end/api/users.ts, .changeset/good-rules-lie.md	Added an e2e test that deactivates idle users and verifies revoked authentication (expects 401 for /me with previous credentials). Changeset bumps packages and documents the token cleanup behavior.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

type: bug

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix: clean up login tokens in users.deactivateidle' accurately describes the primary change: clearing login tokens during the idle user deactivation process.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)

• VLN-366: Request failed with status code 401

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.65%. Comparing base (d34587c) to head (8619844).
⚠️ Report is 2 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #40496      +/-   ##
===========================================
- Coverage    69.73%   69.65%   -0.09%     
===========================================
  Files         3320     3320              
  Lines       122010   122010              
  Branches     21862    21835      -27     
===========================================
- Hits         85089    84984     -105     
- Misses       33606    33705      +99     
- Partials      3315     3321       +6     

Flag	Coverage Δ
e2e	59.06% <ø> (-0.11%)	⬇️
e2e-api	46.29% <ø> (-0.87%)	⬇️
unit	70.45% <ø> (-0.06%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/meteor/app/api/server/v1/users.ts`:
- Around line 551-562: The cursor from Users.findActiveNotLoggedInAfterWithRole
is lazily evaluated and may see the update done by
Users.setActiveNotLoggedInAfterWithRole, so materialize the matched IDs first,
then run the update, then notify each ID; specifically, call
Users.findActiveNotLoggedInAfterWithRole(lastLoggedIn, role, { projection: {
_id: 1 } }) and collect all _ids into an array (e.g., via toArray/map) before
invoking Users.setActiveNotLoggedInAfterWithRole(...), then iterate that array
to call notifyOnUserChange with the same payload so no notifications are lost.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 52006551-a4af-4de0-85d0-430343e6f7c1

📥 Commits

Reviewing files that changed from the base of the PR and between d34587c and 3e87d51.

📒 Files selected for processing (5)

• .changeset/good-rules-lie.md
• apps/meteor/app/api/server/v1/users.ts
• apps/meteor/tests/end-to-end/api/users.ts
• packages/model-typings/src/models/IUsersModel.ts
• packages/models/src/models/Users.ts

📜 Review details

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• packages/model-typings/src/models/IUsersModel.ts
• apps/meteor/app/api/server/v1/users.ts
• apps/meteor/tests/end-to-end/api/users.ts
• packages/models/src/models/Users.ts

🧠 Learnings (8)

📚 Learning: 2026-03-16T21:50:37.589Z

Learnt from: amitb0ra
Repo: RocketChat/Rocket.Chat PR: 39676
File: .changeset/migrate-users-register-openapi.md:3-3
Timestamp: 2026-03-16T21:50:37.589Z
Learning: For changes related to OpenAPI migrations in Rocket.Chat/OpenAPI, when removing endpoint types and validators from rocket.chat/rest-typings (e.g., UserRegisterParamsPOST, /v1/users.register) document this as a minor changeset (not breaking) per RocketChat/Rocket.Chat-Open-API#150 Rule 7. Note that the endpoint type is re-exposed via a module augmentation .d.ts in the consuming package (e.g., packages/web-ui-registration/src/users-register.d.ts). In reviews, ensure the changeset clearly states: this is a non-breaking change, the major version should not be bumped, and the changeset reflects a minor version bump. Do not treat this as a breaking change during OpenAPI migrations.

Applied to files:

• .changeset/good-rules-lie.md

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• packages/model-typings/src/models/IUsersModel.ts
• apps/meteor/app/api/server/v1/users.ts
• apps/meteor/tests/end-to-end/api/users.ts
• packages/models/src/models/Users.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• packages/model-typings/src/models/IUsersModel.ts
• apps/meteor/app/api/server/v1/users.ts
• apps/meteor/tests/end-to-end/api/users.ts
• packages/models/src/models/Users.ts

📚 Learning: 2026-05-06T12:21:44.083Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

• packages/model-typings/src/models/IUsersModel.ts
• apps/meteor/app/api/server/v1/users.ts
• apps/meteor/tests/end-to-end/api/users.ts
• packages/models/src/models/Users.ts

📚 Learning: 2026-02-23T17:53:06.802Z

Learnt from: ggazzo
Repo: RocketChat/Rocket.Chat PR: 35995
File: apps/meteor/app/api/server/v1/rooms.ts:1107-1112
Timestamp: 2026-02-23T17:53:06.802Z
Learning: During PR reviews that touch endpoint files under apps/meteor/app/api/server/v1, enforce strict scope: if a PR targets a specific endpoint (e.g., rooms.favorite), do not propose changes to unrelated endpoints (e.g., rooms.invite) unless maintainers explicitly request them. Focus feedback on the touched endpoint's behavior, API surface, and related tests; avoid broad cross-endpoint changes in the same PR unless requested.

Applied to files:

• apps/meteor/app/api/server/v1/users.ts

📚 Learning: 2026-02-24T19:09:01.522Z

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38974
File: apps/meteor/app/api/server/v1/im.ts:220-221
Timestamp: 2026-02-24T19:09:01.522Z
Learning: In Rocket.Chat OpenAPI migration PRs for endpoints under apps/meteor/app/api/server/v1, avoid introducing logic changes. Only perform scope-tight changes that preserve behavior; style-only cleanups (e.g., removing inline comments) may be deferred to follow-ups to keep the migration PR focused.

Applied to files:

• apps/meteor/app/api/server/v1/users.ts

📚 Learning: 2026-03-15T14:31:25.380Z

Learnt from: amitb0ra
Repo: RocketChat/Rocket.Chat PR: 39647
File: apps/meteor/app/api/server/v1/users.ts:710-757
Timestamp: 2026-03-15T14:31:25.380Z
Learning: Do not flag this type/schema misalignment in the OpenAPI/migration review for apps/meteor/app/api/server/v1/users.ts. The UserCreateParamsPOST type intentionally uses non-optional fields: fields: string and settings?: IUserSettings without an AJV schema entry, carried over from the original rest-typings (PR `#39647`). Treat this as a known pre-existing divergence and document it as a separate follow-up fix; do not block or mark it as a review issue during the migration.

Applied to files:

• apps/meteor/app/api/server/v1/users.ts

📚 Learning: 2026-03-16T23:33:11.443Z

Learnt from: amitb0ra
Repo: RocketChat/Rocket.Chat PR: 39676
File: apps/meteor/app/api/server/v1/users.ts:862-869
Timestamp: 2026-03-16T23:33:11.443Z
Learning: In rockets OpenAPI/AJV migration reviews for RocketChat/Rocket.Chat, when reviewing migrations that involve apps/meteor/app/api/server/v1/users.ts, do not require or flag a missing query AJV schema for the fields consumed by parseJsonQuery() (i.e., fields, sort, query) as part of this endpoint's migration PR. The addition of global query-param schemas for parseJsonQuery() usage is a cross-cutting concern and out of scope for individual endpoint migrations. Only flag violations related to the specific scope of the migration, not the absence of a query schema for parseJsonQuery() in this file.

Applied to files:

• apps/meteor/app/api/server/v1/users.ts

🔇 Additional comments (4)

.changeset/good-rules-lie.md (1)

2-7: LGTM!

apps/meteor/tests/end-to-end/api/users.ts (1)

4774-4795: LGTM!

packages/model-typings/src/models/IUsersModel.ts (1)

396-396: LGTM!

packages/models/src/models/Users.ts (1)

2953-2960: LGTM!

Also applies to: 2965-2976

[jonasflorencio]

/backport 8.4.2

[dionisio-bot]

Pull request #40559 added to Project: "Patch 8.4.2"

[jonasflorencio]

/backport 8.3.4

[dionisio-bot]

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-8.3.4-40496
git cherry-pick b6b04aadfcc8558f888b334e37c46a77e5816237
// solve the conflict
git push

after that just run /backport 8.3.4 again

[dionisio-bot]

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-8.2.4-40496
git cherry-pick b6b04aadfcc8558f888b334e37c46a77e5816237
// solve the conflict
git push

after that just run /backport 8.2.4 again

[jonasflorencio]

/backport 8.2.4

[dionisio-bot]

Pull request #40564 added to Project: "Patch 8.2.4"

[jonasflorencio]

/backport 8.1.5

[dionisio-bot]

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-8.1.5-40496
git cherry-pick b6b04aadfcc8558f888b334e37c46a77e5816237
// solve the conflict
git push

after that just run /backport 8.1.5 again

[jonasflorencio]

/backport 8.1.5

[dionisio-bot]

Pull request #40565 added to Project: "Patch 8.1.5"

[jonasflorencio]

/backport 8.0.6

[dionisio-bot]

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-8.0.6-40496
git cherry-pick b6b04aadfcc8558f888b334e37c46a77e5816237
// solve the conflict
git push

after that just run /backport 8.0.6 again

[jonasflorencio]

/backport 8.0.6

[dionisio-bot]

Pull request #40566 added to Project: "Patch 8.0.6"

[jonasflorencio]

/backport 7.13.8

[dionisio-bot]

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-7.13.8-40496
git cherry-pick b6b04aadfcc8558f888b334e37c46a77e5816237
// solve the conflict
git push

after that just run /backport 7.13.8 again

[jonasflorencio]

/backport 7.13.8

[dionisio-bot]

Pull request #40569 added to Project: "Patch 7.13.8"

[jonasflorencio]

/backport 7.10.12

[dionisio-bot]

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-7.10.12-40496
git cherry-pick b6b04aadfcc8558f888b334e37c46a77e5816237
// solve the conflict
git push

after that just run /backport 7.10.12 again

[jonasflorencio]

/backport 7.10.12

[dionisio-bot]

Pull request #40570 added to Project: "Patch 7.10.12"