revert: Phishing resistant multi factor authentication#40679
Merged
Conversation
Contributor
|
Looks like this PR is ready to merge! 🎉 |
|
Contributor
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
📜 Recent review details⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
🔇 Additional comments (1)
WalkthroughRemoves Passport/express-session OAuth wiring and OAuth 2FA challenge storage/endpoints, migrates provider setup to CustomOAuth instances (server-side), and removes client deep-link session sharing and related desktop integrations. ChangesOAuth Architecture Modernization
Estimated code review effort🎯 4 (Complex) | ⏱️ ~75 minutes Possibly related PRs
Suggested reviewers
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
KevLehman
changed the title
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## develop #40679 +/- ##
===========================================
+ Coverage 69.71% 69.75% +0.04%
===========================================
Files 3339 3326 -13
Lines 123269 123016 -253
Branches 21971 21899 -72
===========================================
- Hits 85931 85808 -123
+ Misses 33990 33851 -139
- Partials 3348 3357 +9
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Actionable comments posted: 7
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (4)
apps/meteor/definition/externals/meteor/accounts-base.d.ts (1)
40-44:⚠️ Potential issue | 🟠 Major | ⚡ Quick winKeep
updateOrCreateUserFromExternalServicetyped for async overrides.This declaration is now sync-only, but
apps/meteor/server/configuration/accounts_meld.jsLine 7 replaces it with anasyncfunction. The type should reflect both shapes to prevent incorrect non-awaited usage.Proposed fix
- function updateOrCreateUserFromExternalService( + function updateOrCreateUserFromExternalService( serviceName: string, serviceData: Record<string, unknown>, options: Record<string, unknown>, - ): Record<string, unknown>; + ): Record<string, unknown> | Promise<Record<string, unknown> | undefined> | undefined;🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@apps/meteor/definition/externals/meteor/accounts-base.d.ts` around lines 40 - 44, The declaration for updateOrCreateUserFromExternalService is currently synchronous but can be overridden with an async implementation; update the type to allow both sync and async shapes (e.g., change the return type to support Promise<Record<string, unknown>> or provide an overload that returns either Record<string, unknown> or Promise<Record<string, unknown>>), so callers aren’t incorrectly treated as non-awaited when an async override (like the one in accounts_meld.js) is used; update the function signature (updateOrCreateUserFromExternalService) accordingly to accept serviceName, serviceData, options and return either Record<string, unknown> or Promise<Record<string, unknown>>.apps/meteor/app/apple/lib/handleIdentityToken.ts (1)
30-49:⚠️ Potential issue | 🟡 Minor | ⚡ Quick winAlign the return type with the values you actually guarantee.
handleIdentityTokenpromises{ id: string; email: string; name: string }, but it only checksiss;subandid/undefinedat runtime).loginHandler.tsonly patches missingid.Suggested fix
-export async function handleIdentityToken(identityToken: string): Promise<{ id: string; email: string; name: string }> { +export async function handleIdentityToken(identityToken: string): Promise<{ id: string; email?: string; name: string }> { const decodedToken = KJUR.jws.JWS.parse(identityToken); @@ - const { iss, sub, email } = decodedToken.payloadObj as any; - if (!iss) { + const { iss, sub, email } = decodedToken.payloadObj as { iss?: string; sub?: string; email?: string }; + if (!iss || !sub) { throw new Error('Insufficient data in auth response token'); }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@apps/meteor/app/apple/lib/handleIdentityToken.ts` around lines 30 - 49, handleIdentityToken currently claims to return {id:string,email:string,name:string} but only validates iss; ensure sub and email are validated (or the return type changed). Update handleIdentityToken to check decodedToken.payloadObj.sub and .email (unique symbols: handleIdentityToken, decodedToken.payloadObj, sub, email) and either throw clear errors when they are missing or coerce/derive safe defaults for id/email before building serviceData, and keep the function signature in sync (change the Promise return type to allow undefined for email/id only if you intentionally allow missing values). Also consider how loginHandler.ts patches email and ensure there is a guaranteed non-empty id for downstream logic (e.g., throw if sub is missing).apps/meteor/app/2fa/server/code/index.ts (1)
66-74:⚠️ Potential issue | 🟠 Major | ⚡ Quick winGuard invalid
RememberForvalues before building the expiry.
parseInt(...)returnsNaNfor an empty or malformed setting, andNaN <= 0is false. That makesexpiresbecomeInvalid Date, whichrememberAuthorization()later persists as the token's 2FA-until timestamp.Suggested fix
function getRememberDate(from: Date = new Date()): Date | undefined { - const rememberFor = parseInt(settings.get('Accounts_TwoFactorAuthentication_RememberFor') as string, 10); + const rememberFor = Number.parseInt(String(settings.get('Accounts_TwoFactorAuthentication_RememberFor') ?? ''), 10); - if (rememberFor <= 0) { + if (!Number.isFinite(rememberFor) || rememberFor <= 0) { return; }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@apps/meteor/app/2fa/server/code/index.ts` around lines 66 - 74, getRememberDate currently parses Accounts_TwoFactorAuthentication_RememberFor with parseInt and then compares to <= 0, but parseInt can produce NaN which makes the check fail and yields an Invalid Date persisted by rememberAuthorization; update getRememberDate to validate the parsed value (e.g., const rememberFor = parseInt(...); if (!Number.isFinite(rememberFor) || rememberFor <= 0) return undefined) before constructing expires, so only a valid positive numeric rememberFor is used to compute and return the expiry Date.apps/meteor/app/apple/server/appleOauthRegisterService.ts (1)
25-38:⚠️ Potential issue | 🟠 Major | ⚡ Quick winTreat partially configured Apple OAuth as disabled.
The watcher only hides the Apple login button when all
clientId,serverSecret,iss, andkidare empty (to support “mobile-only” mode), but if any single value is missing it still proceeds to signsecretand upsert the Apple provider withenabledandshowButton: true. The OAuth handshake then relies onServiceConfigurationfields likeclientId/secretfor the token exchange, so partial credentials lead to a broken login flow or runtime errors during reconfiguration.Suggested fix
- // if everything is empty but Apple login is enabled, don't show the login button - if (!clientId && !serverSecret && !iss && !kid) { + if (!clientId || !serverSecret || !iss || !kid) { await ServiceConfiguration.configurations.upsertAsync( { service: 'apple', }, { $set: { showButton: false, enabled: settings.get('Accounts_OAuth_Apple'), }, }, ); return; }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@apps/meteor/app/apple/server/appleOauthRegisterService.ts` around lines 25 - 38, The watcher currently only disables Apple OAuth when all of clientId, serverSecret, iss, and kid are empty; change the logic in appleOauthRegisterService.ts so that any missing required credential (clientId, serverSecret, iss, or kid) is treated as "disabled": call ServiceConfiguration.configurations.upsertAsync (the same document keyed by service: 'apple') setting enabled: false and showButton: false and then return instead of proceeding to sign the secret or upserting an enabled provider; ensure the check references the same variables (clientId, serverSecret, iss, kid) used later so partial configurations never create an enabled provider.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@apps/meteor/app/api/server/index.ts`:
- Around line 48-50: The file dropped the side-effect import for the two-factor
routes so those endpoints aren't registered before OpenAPI generation; re-add
the import for the module (import './v1/twoFactorChallenges') in
apps/meteor/app/api/server/index.ts so it is executed before the existing import
'./default/openApi' (keep the comment ordering so all endpoints register before
OpenAPI is built).
In `@apps/meteor/app/gitlab/server/lib.ts`:
- Line 24: The code calls settings.get<string>('API_Gitlab_URL').trim() without
guarding for null/undefined or non-string values; update the assignment that
sets config.serverURL so it first reads the raw value (e.g., const raw =
settings.get('API_Gitlab_URL')), verify typeof raw === 'string' and raw.trim()
is used only then, otherwise fall back to the existing config.serverURL; ensure
you still perform the replace(/\/*$/, '') on the trimmed string when valid and
keep the overall fallback behavior intact for config.serverURL.
In `@apps/meteor/app/nextcloud/server/lib.ts`:
- Around line 23-28: The debounced initializer fillServerURL currently
self-reschedules by calling fillServerURL() when
settings.get('Accounts_OAuth_Nextcloud_URL') returns undefined; remove that
recursive call so the debounced function simply returns when nextcloudURL is
undefined (letting settings.watch trigger future invocations) — edit the
fillServerURL function to check nextcloudURL and if it === undefined just return
instead of calling fillServerURL(), leaving the rest of the _.debounce behavior
unchanged.
In `@apps/meteor/client/components/TwoFactorModal/TwoFactorEmailModal.tsx`:
- Around line 36-40: The resend handler (onClickResendCode) currently calls
sendEmailCode directly and allows overlapping requests which can invalidate
previous codes; add a local boolean state (e.g., isResending) and wrap
onClickResendCode with a guard that returns immediately if isResending is true,
set isResending=true before awaiting sendEmailCode(...) and set it false in
finally, and ensure the resend button is disabled while isResending is true;
apply the same guarded state pattern to the other resend handler at the similar
block (lines referenced as 97-99) so no concurrent resend requests can occur.
In `@apps/meteor/client/lib/2fa/process2faReturn.ts`:
- Around line 31-34: The assertModalProps check is too strict for the 'email'
branch because callers to process2faReturn may pass an object identifier ({
username } | { email } | { id }) and getProps/getUser fallback can return
objects; update process2faReturn (and the other spots flagged around lines 40-50
and 75-77) to normalize the login identifier to a plain string before calling
assertModalProps: extract a string emailOrUsername from possible object shapes
(e.g., prefer a .email or .username property, or call toString on primitives)
and pass that normalized string into assertModalProps so the 'email' case
receives a true string rather than an object. Ensure you update any helpers used
by getProps so all three locations use the same normalization logic.
In `@apps/meteor/server/configuration/accounts_meld.js`:
- Around line 21-23: The unconditional assignment serviceData.email =
serviceData.emailAddress when serviceName === 'linkedin' can overwrite a valid
normalized email with undefined or non-string data; change it to only set
serviceData.email when serviceData.emailAddress is a non-empty string (or
normalize/validate it) and otherwise leave existing serviceData.email intact so
the email-based linking path still works—look for the serviceName check and the
serviceData.email/serviceData.emailAddress references to implement this guard.
In `@packages/web-ui-registration/src/LoginServicesButton.tsx`:
- Around line 30-37: The LDAP button fails because
AuthenticationProvider.loginWithService builds the Meteor method name with
capitalize(service) (e.g., "Ldap") but Meteor exposes "loginWithLDAP"; update
loginWithService (used by useLoginWithService) to special-case known acronym
services (at least 'ldap') so the generated method name matches Meteor (e.g., if
service.toLowerCase() === 'ldap' use "loginWithLDAP"), or implement a small
mapping/normalization that converts service names like 'ldap' to the exact
expected casing before calling Meteor.loginWithX.
---
Outside diff comments:
In `@apps/meteor/app/2fa/server/code/index.ts`:
- Around line 66-74: getRememberDate currently parses
Accounts_TwoFactorAuthentication_RememberFor with parseInt and then compares to
<= 0, but parseInt can produce NaN which makes the check fail and yields an
Invalid Date persisted by rememberAuthorization; update getRememberDate to
validate the parsed value (e.g., const rememberFor = parseInt(...); if
(!Number.isFinite(rememberFor) || rememberFor <= 0) return undefined) before
constructing expires, so only a valid positive numeric rememberFor is used to
compute and return the expiry Date.
In `@apps/meteor/app/apple/lib/handleIdentityToken.ts`:
- Around line 30-49: handleIdentityToken currently claims to return
{id:string,email:string,name:string} but only validates iss; ensure sub and
email are validated (or the return type changed). Update handleIdentityToken to
check decodedToken.payloadObj.sub and .email (unique symbols:
handleIdentityToken, decodedToken.payloadObj, sub, email) and either throw clear
errors when they are missing or coerce/derive safe defaults for id/email before
building serviceData, and keep the function signature in sync (change the
Promise return type to allow undefined for email/id only if you intentionally
allow missing values). Also consider how loginHandler.ts patches email and
ensure there is a guaranteed non-empty id for downstream logic (e.g., throw if
sub is missing).
In `@apps/meteor/app/apple/server/appleOauthRegisterService.ts`:
- Around line 25-38: The watcher currently only disables Apple OAuth when all of
clientId, serverSecret, iss, and kid are empty; change the logic in
appleOauthRegisterService.ts so that any missing required credential (clientId,
serverSecret, iss, or kid) is treated as "disabled": call
ServiceConfiguration.configurations.upsertAsync (the same document keyed by
service: 'apple') setting enabled: false and showButton: false and then return
instead of proceeding to sign the secret or upserting an enabled provider;
ensure the check references the same variables (clientId, serverSecret, iss,
kid) used later so partial configurations never create an enabled provider.
In `@apps/meteor/definition/externals/meteor/accounts-base.d.ts`:
- Around line 40-44: The declaration for updateOrCreateUserFromExternalService
is currently synchronous but can be overridden with an async implementation;
update the type to allow both sync and async shapes (e.g., change the return
type to support Promise<Record<string, unknown>> or provide an overload that
returns either Record<string, unknown> or Promise<Record<string, unknown>>), so
callers aren’t incorrectly treated as non-awaited when an async override (like
the one in accounts_meld.js) is used; update the function signature
(updateOrCreateUserFromExternalService) accordingly to accept serviceName,
serviceData, options and return either Record<string, unknown> or
Promise<Record<string, unknown>>.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 002076d7-c2b8-46d8-ac96-3c39c1a6cd39
⛔ Files ignored due to path filters (1)
yarn.lockis excluded by!**/yarn.lock,!**/*.lock
📒 Files selected for processing (73)
.changeset/flat-poets-cheat.mdapps/meteor/app/2fa/server/code/EmailCheck.tsapps/meteor/app/2fa/server/code/EmailCheckForOAuth.tsapps/meteor/app/2fa/server/code/TOTPCheck.tsapps/meteor/app/2fa/server/code/TOTPCheckForOAuth.tsapps/meteor/app/2fa/server/code/index.tsapps/meteor/app/api/server/ApiClass.tsapps/meteor/app/api/server/index.tsapps/meteor/app/api/server/v1/twoFactorChallenges.tsapps/meteor/app/apple/lib/handleIdentityToken.tsapps/meteor/app/apple/server/appleOauthRegisterService.tsapps/meteor/app/apple/server/loginHandler.tsapps/meteor/app/custom-oauth/server/customOAuth.tsapps/meteor/app/custom-oauth/server/custom_oauth_server.jsapps/meteor/app/dolphin/server/lib.tsapps/meteor/app/drupal/server/lib.tsapps/meteor/app/gitlab/server/lib.tsapps/meteor/app/lib/server/methods/createToken.tsapps/meteor/app/linkedin/server/index.tsapps/meteor/app/linkedin/server/lib.tsapps/meteor/app/meteor-developer/server/index.tsapps/meteor/app/meteor-developer/server/lib.tsapps/meteor/app/nextcloud/server/lib.tsapps/meteor/app/wordpress/server/lib.tsapps/meteor/client/components/TwoFactorModal/TwoFactorEmailModal.tsxapps/meteor/client/components/TwoFactorModal/TwoFactorModal.tsxapps/meteor/client/lib/2fa/process2faReturn.tsapps/meteor/client/lib/buildAuthDeeplinkURL.tsapps/meteor/client/lib/sdk/ddpSdk.tsapps/meteor/client/startup/routes.tsxapps/meteor/client/views/OAuthTwoFactorAuthentication/OAuthTwoFactorAuthenticationRouter.tsxapps/meteor/client/views/root/AppLayout.tsxapps/meteor/client/views/root/hooks/useLoginOtherClients.tsapps/meteor/client/views/root/hooks/useLoginViaQuery.tsapps/meteor/client/views/root/hooks/useShareSessionWithOtherClients.tsapps/meteor/definition/externals/express-session.d.tsapps/meteor/definition/externals/express.d.tsapps/meteor/definition/externals/meteor/accounts-base.d.tsapps/meteor/package.jsonapps/meteor/server/configuration/accounts_meld.jsapps/meteor/server/configuration/configurePassport.tsapps/meteor/server/configuration/index.tsapps/meteor/server/importPackages.tsapps/meteor/server/lib/oauth/addPassportCustomOAuth.tsapps/meteor/server/lib/oauth/configureOAuthServices.tsapps/meteor/server/lib/oauth/createOAuthServiceConfig.tsapps/meteor/server/lib/oauth/getOAuthServices.tsapps/meteor/server/lib/oauth/oauthConfigs.tsapps/meteor/server/lib/oauth/passportOAuthCallback.tsapps/meteor/server/lib/oauth/twoFactorAuth.tsapps/meteor/server/lib/oauth/updateOAuthServices.tsapps/meteor/server/lib/oauth/verifyFunction.tsapps/meteor/server/models.tsapps/meteor/server/settings/oauth.tsapps/meteor/tests/e2e/fixtures/addCustomOAuth.tspackages/core-typings/src/ILoginServiceConfiguration.tspackages/core-typings/src/ITwoFactorChallenge.tspackages/core-typings/src/IUser.tspackages/core-typings/src/index.tspackages/desktop-api/src/index.tspackages/i18n/src/locales/en.i18n.jsonpackages/model-typings/src/index.tspackages/model-typings/src/models/ITwoFactorChallengesModel.tspackages/models/src/index.tspackages/models/src/modelClasses.tspackages/models/src/models/TwoFactorChallenges.tspackages/rest-typings/src/index.tspackages/rest-typings/src/v1/twoFactorChallenges.tspackages/web-ui-registration/global.d.tspackages/web-ui-registration/src/LoginServices.tsxpackages/web-ui-registration/src/LoginServicesButton.tsxpackages/web-ui-registration/tsconfig.build.jsonpackages/web-ui-registration/tsconfig.json
💤 Files with no reviewable changes (46)
- packages/model-typings/src/models/ITwoFactorChallengesModel.ts
- apps/meteor/server/lib/oauth/oauthConfigs.ts
- apps/meteor/app/custom-oauth/server/custom_oauth_server.js
- apps/meteor/app/meteor-developer/server/index.ts
- apps/meteor/app/2fa/server/code/TOTPCheckForOAuth.ts
- apps/meteor/server/importPackages.ts
- apps/meteor/client/views/root/hooks/useShareSessionWithOtherClients.ts
- apps/meteor/server/lib/oauth/addPassportCustomOAuth.ts
- apps/meteor/server/lib/oauth/getOAuthServices.ts
- apps/meteor/server/lib/oauth/twoFactorAuth.ts
- apps/meteor/client/lib/buildAuthDeeplinkURL.ts
- apps/meteor/server/lib/oauth/configureOAuthServices.ts
- apps/meteor/server/lib/oauth/passportOAuthCallback.ts
- apps/meteor/server/configuration/index.ts
- packages/web-ui-registration/global.d.ts
- apps/meteor/server/lib/oauth/verifyFunction.ts
- apps/meteor/server/configuration/configurePassport.ts
- apps/meteor/client/views/root/AppLayout.tsx
- apps/meteor/app/2fa/server/code/EmailCheckForOAuth.ts
- apps/meteor/app/linkedin/server/lib.ts
- apps/meteor/app/custom-oauth/server/customOAuth.ts
- apps/meteor/client/views/OAuthTwoFactorAuthentication/OAuthTwoFactorAuthenticationRouter.tsx
- apps/meteor/definition/externals/express-session.d.ts
- packages/core-typings/src/ITwoFactorChallenge.ts
- apps/meteor/tests/e2e/fixtures/addCustomOAuth.ts
- .changeset/flat-poets-cheat.md
- apps/meteor/app/linkedin/server/index.ts
- packages/core-typings/src/index.ts
- apps/meteor/app/api/server/v1/twoFactorChallenges.ts
- packages/core-typings/src/ILoginServiceConfiguration.ts
- packages/model-typings/src/index.ts
- apps/meteor/app/meteor-developer/server/lib.ts
- packages/models/src/index.ts
- packages/desktop-api/src/index.ts
- apps/meteor/server/models.ts
- packages/rest-typings/src/v1/twoFactorChallenges.ts
- apps/meteor/package.json
- apps/meteor/client/startup/routes.tsx
- apps/meteor/client/views/root/hooks/useLoginOtherClients.ts
- packages/models/src/modelClasses.ts
- packages/models/src/models/TwoFactorChallenges.ts
- apps/meteor/server/lib/oauth/createOAuthServiceConfig.ts
- apps/meteor/server/settings/oauth.ts
- packages/rest-typings/src/index.ts
- apps/meteor/definition/externals/express.d.ts
- packages/i18n/src/locales/en.i18n.json
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
- GitHub Check: 📦 Build Packages
- GitHub Check: Hacktron Security Check
- GitHub Check: CodeQL-Build
🧰 Additional context used
📓 Path-based instructions (1)
**/*.{ts,tsx,js}
📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)
**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation
Files:
apps/meteor/client/views/root/hooks/useLoginViaQuery.tsapps/meteor/app/2fa/server/code/TOTPCheck.tsapps/meteor/client/lib/sdk/ddpSdk.tsapps/meteor/server/configuration/accounts_meld.jsapps/meteor/app/gitlab/server/lib.tsapps/meteor/definition/externals/meteor/accounts-base.d.tsapps/meteor/app/lib/server/methods/createToken.tsapps/meteor/app/dolphin/server/lib.tsapps/meteor/app/api/server/ApiClass.tsapps/meteor/client/components/TwoFactorModal/TwoFactorModal.tsxapps/meteor/app/apple/lib/handleIdentityToken.tsapps/meteor/app/2fa/server/code/EmailCheck.tsapps/meteor/app/apple/server/loginHandler.tspackages/web-ui-registration/src/LoginServicesButton.tsxapps/meteor/app/api/server/index.tsapps/meteor/client/components/TwoFactorModal/TwoFactorEmailModal.tsxapps/meteor/app/drupal/server/lib.tsapps/meteor/server/lib/oauth/updateOAuthServices.tsapps/meteor/app/wordpress/server/lib.tsapps/meteor/app/nextcloud/server/lib.tspackages/web-ui-registration/src/LoginServices.tsxapps/meteor/app/2fa/server/code/index.tsapps/meteor/client/lib/2fa/process2faReturn.tspackages/core-typings/src/IUser.tsapps/meteor/app/apple/server/appleOauthRegisterService.ts
🧠 Learnings (6)
📚 Learning: 2026-02-10T16:32:42.586Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 38528
File: apps/meteor/client/startup/roles.ts:14-14
Timestamp: 2026-02-10T16:32:42.586Z
Learning: In Rocket.Chat's Meteor client code, DDP streams use EJSON and Date fields arrive as Date objects; do not manually construct new Date() in stream handlers (for example, in sdk.stream()). Only REST API responses return plain JSON where dates are strings, so implement explicit conversion there if needed. Apply this guidance to all TypeScript files under apps/meteor/client to ensure consistent date handling in DDP streams and REST responses.
Applied to files:
apps/meteor/client/views/root/hooks/useLoginViaQuery.tsapps/meteor/client/lib/sdk/ddpSdk.tsapps/meteor/client/lib/2fa/process2faReturn.ts
📚 Learning: 2026-05-11T20:30:35.265Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 40480
File: apps/meteor/client/meteor/startup/accounts.ts:59-61
Timestamp: 2026-05-11T20:30:35.265Z
Learning: In Rocket.Chat’s Meteor client code, when calling `dispatchToastMessage` with `{ type: 'error' }`, pass the raw caught error object as `message` without manual normalization. `dispatchToastMessage` is designed to accept `message: unknown` for error toasts, so avoid converting errors to strings (e.g., `String(error)`) or extracting `error.message` before passing them.
Applied to files:
apps/meteor/client/views/root/hooks/useLoginViaQuery.tsapps/meteor/client/lib/sdk/ddpSdk.tsapps/meteor/client/lib/2fa/process2faReturn.ts
📚 Learning: 2026-02-26T19:25:44.063Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.
Applied to files:
apps/meteor/client/views/root/hooks/useLoginViaQuery.tsapps/meteor/app/2fa/server/code/TOTPCheck.tsapps/meteor/client/lib/sdk/ddpSdk.tsapps/meteor/app/gitlab/server/lib.tsapps/meteor/definition/externals/meteor/accounts-base.d.tsapps/meteor/app/lib/server/methods/createToken.tsapps/meteor/app/dolphin/server/lib.tsapps/meteor/app/api/server/ApiClass.tsapps/meteor/app/apple/lib/handleIdentityToken.tsapps/meteor/app/2fa/server/code/EmailCheck.tsapps/meteor/app/apple/server/loginHandler.tsapps/meteor/app/api/server/index.tsapps/meteor/app/drupal/server/lib.tsapps/meteor/server/lib/oauth/updateOAuthServices.tsapps/meteor/app/wordpress/server/lib.tsapps/meteor/app/nextcloud/server/lib.tsapps/meteor/app/2fa/server/code/index.tsapps/meteor/client/lib/2fa/process2faReturn.tspackages/core-typings/src/IUser.tsapps/meteor/app/apple/server/appleOauthRegisterService.ts
📚 Learning: 2026-02-26T19:25:44.063Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.
Applied to files:
apps/meteor/client/views/root/hooks/useLoginViaQuery.tsapps/meteor/app/2fa/server/code/TOTPCheck.tsapps/meteor/client/lib/sdk/ddpSdk.tsapps/meteor/app/gitlab/server/lib.tsapps/meteor/definition/externals/meteor/accounts-base.d.tsapps/meteor/app/lib/server/methods/createToken.tsapps/meteor/app/dolphin/server/lib.tsapps/meteor/app/api/server/ApiClass.tsapps/meteor/app/apple/lib/handleIdentityToken.tsapps/meteor/app/2fa/server/code/EmailCheck.tsapps/meteor/app/apple/server/loginHandler.tsapps/meteor/app/api/server/index.tsapps/meteor/app/drupal/server/lib.tsapps/meteor/server/lib/oauth/updateOAuthServices.tsapps/meteor/app/wordpress/server/lib.tsapps/meteor/app/nextcloud/server/lib.tsapps/meteor/app/2fa/server/code/index.tsapps/meteor/client/lib/2fa/process2faReturn.tspackages/core-typings/src/IUser.tsapps/meteor/app/apple/server/appleOauthRegisterService.ts
📚 Learning: 2026-05-06T12:21:44.083Z
Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.
Applied to files:
apps/meteor/client/views/root/hooks/useLoginViaQuery.tsapps/meteor/app/2fa/server/code/TOTPCheck.tsapps/meteor/client/lib/sdk/ddpSdk.tsapps/meteor/app/gitlab/server/lib.tsapps/meteor/definition/externals/meteor/accounts-base.d.tsapps/meteor/app/lib/server/methods/createToken.tsapps/meteor/app/dolphin/server/lib.tsapps/meteor/app/api/server/ApiClass.tsapps/meteor/client/components/TwoFactorModal/TwoFactorModal.tsxapps/meteor/app/apple/lib/handleIdentityToken.tsapps/meteor/app/2fa/server/code/EmailCheck.tsapps/meteor/app/apple/server/loginHandler.tspackages/web-ui-registration/src/LoginServicesButton.tsxapps/meteor/app/api/server/index.tsapps/meteor/client/components/TwoFactorModal/TwoFactorEmailModal.tsxapps/meteor/app/drupal/server/lib.tsapps/meteor/server/lib/oauth/updateOAuthServices.tsapps/meteor/app/wordpress/server/lib.tsapps/meteor/app/nextcloud/server/lib.tspackages/web-ui-registration/src/LoginServices.tsxapps/meteor/app/2fa/server/code/index.tsapps/meteor/client/lib/2fa/process2faReturn.tspackages/core-typings/src/IUser.tsapps/meteor/app/apple/server/appleOauthRegisterService.ts
📚 Learning: 2026-03-27T14:52:56.865Z
Learnt from: dougfabris
Repo: RocketChat/Rocket.Chat PR: 39892
File: apps/meteor/client/views/room/contextualBar/Threads/Thread.tsx:150-155
Timestamp: 2026-03-27T14:52:56.865Z
Learning: In Rocket.Chat, there are two different `ModalBackdrop` components with different prop APIs. During review, confirm the import source: (1) `rocket.chat/fuselage` `ModalBackdrop` uses `ModalBackdropProps` based on `BoxProps` (so it supports `onClick` and other Box/DOM props) and does not have an `onDismiss` prop; (2) `rocket.chat/ui-client` `ModalBackdrop` uses a narrower props interface like `{ children?: ReactNode; onDismiss?: () => void }` and handles Escape keypress and outside mouse-up, and it does not forward arbitrary DOM props such as `onClick`. Flag mismatched props (e.g., `onDismiss` passed to the fuselage component or `onClick` passed to the ui-client component) and ensure the usage matches the correct component being imported.
Applied to files:
apps/meteor/client/components/TwoFactorModal/TwoFactorModal.tsxpackages/web-ui-registration/src/LoginServicesButton.tsxapps/meteor/client/components/TwoFactorModal/TwoFactorEmailModal.tsxpackages/web-ui-registration/src/LoginServices.tsx
🧬 Code graph analysis (10)
apps/meteor/client/lib/sdk/ddpSdk.ts (1)
apps/meteor/client/lib/sdk/storage.ts (1)
getStoredItem(19-19)
apps/meteor/app/gitlab/server/lib.ts (1)
apps/meteor/app/custom-oauth/server/custom_oauth_server.d.ts (1)
CustomOAuth(1-7)
apps/meteor/app/dolphin/server/lib.ts (1)
apps/meteor/app/custom-oauth/server/custom_oauth_server.d.ts (1)
CustomOAuth(1-7)
apps/meteor/client/components/TwoFactorModal/TwoFactorModal.tsx (1)
apps/meteor/client/components/TwoFactorModal/TwoFactorEmailModal.tsx (3)
onClickResendCode(38-48)TwoFactorEmailModalProps(12-16)TwoFactorEmailModal(22-102)
apps/meteor/client/components/TwoFactorModal/TwoFactorEmailModal.tsx (1)
apps/meteor/app/2fa/server/code/EmailCheck.ts (1)
sendEmailCode(99-113)
apps/meteor/app/drupal/server/lib.ts (1)
apps/meteor/app/custom-oauth/server/custom_oauth_server.d.ts (1)
CustomOAuth(1-7)
apps/meteor/server/lib/oauth/updateOAuthServices.ts (1)
apps/meteor/app/custom-oauth/server/custom_oauth_server.d.ts (1)
CustomOAuth(1-7)
apps/meteor/app/wordpress/server/lib.ts (1)
apps/meteor/app/custom-oauth/server/custom_oauth_server.d.ts (1)
CustomOAuth(1-7)
apps/meteor/app/nextcloud/server/lib.ts (1)
apps/meteor/app/custom-oauth/server/custom_oauth_server.d.ts (1)
CustomOAuth(1-7)
packages/web-ui-registration/src/LoginServices.tsx (1)
packages/web-ui-registration/src/LoginServicesButton.tsx (1)
LoginServicesButton(11-55)
🔇 Additional comments (11)
packages/web-ui-registration/tsconfig.build.json (1)
3-3: LGTM!packages/web-ui-registration/tsconfig.json (1)
7-7: LGTM!apps/meteor/client/views/root/hooks/useLoginViaQuery.ts (1)
10-10: LGTM!apps/meteor/app/2fa/server/code/TOTPCheck.ts (1)
8-8: LGTM!apps/meteor/client/lib/sdk/ddpSdk.ts (1)
71-71: LGTM!apps/meteor/app/gitlab/server/lib.ts (1)
1-1: LGTM!Also applies to: 5-5, 8-23, 25-31
apps/meteor/definition/externals/meteor/accounts-base.d.ts (1)
26-26: LGTM!apps/meteor/app/lib/server/methods/createToken.ts (1)
19-21: _insertLoginToken is synchronous (: void), so removingawaitincreateToken.tsshouldn’t cause a persistence race.
The localaccounts-basetyping declares_insertLoginToken(...): void; callers can safely treat it as immediate beforeawait User.ensureLoginTokensLimit(userId);. (Other sites usingawait Accounts._insertLoginToken(...)are likely redundant.)> Likely an incorrect or invalid review comment.apps/meteor/app/apple/server/loginHandler.ts (1)
32-35: Remove the Promise/await contract concern forupdateOrCreateUserFromExternalService
Local externals typing declaresAccounts.updateOrCreateUserFromExternalService(...)as a non-Promise return, and there are noawait Accounts.updateOrCreateUserFromExternalService(...)call sites in the repo—so the “Line 35 always hits the failure branch because it’s a Promise” concern doesn’t apply.apps/meteor/server/lib/oauth/updateOAuthServices.ts (1)
71-96: CustomOAuth repeated construction is safe here (cached perserviceKey).
CustomOAuthcaches instances inServices[this.name]; on subsequentnew CustomOAuth(serviceKey, ...)calls it only runsconfigure(options)and returns, avoiding duplicateAccounts.oauth.registerService(...),registerService(),addHookToProcessUser(), andregisterAccessTokenService(...)executions.packages/core-typings/src/IUser.ts (1)
169-238: ConfirmIUsercan dropproviderIdsafely
- No
providerIdmember exists inpackages/core-typings/src/IUser.ts, and there are no in-repo usages ofuser.providerId/profile.providerIdor"providerId"keys within user payloads (the onlyproviderIdreferences are outbound-comms provider identifiers).- This still remains a breaking exported-type change for any downstream consumers still relying on
IUser.providerId; either deprecate for one cycle or ensure/document the migration.
![hacktron-app[bot]](https://avatars.githubusercontent.com/in/1250513?s=60&v=4){kind=small}
There was a problem hiding this comment.
1 issue found across 1 file
| Severity | Count |
|---|---|
| 🟡 Medium | 1 |
Comments Outside Diff (1)
🟡 Medium: Insecure CSP frame-ancestors policy bypass via omitted Referer header
Location: apps/meteor/app/livechat/server/livechat.ts:41
The Livechat widget dynamically sets the frame-ancestors Content-Security-Policy (CSP) header based on the Referer HTTP header. If the Referer header is missing or stripped by the user's browser (e.g., due to 'Referrer-Policy' settings), the server removes the Content-Security-Policy header entirely. This allows the Livechat widget to be embedded in an iframe on any website, potentially enabling clickjacking or UI redressing attacks against the Livechat interface.
Steps to Reproduce
- Create an HTML file with the following content on any domain:
<!DOCTYPE html>
<html>
<head>
<title>Clickjacking PoC</title>
</head>
<body>
<h1>Clickjacking PoC</h1>
<!-- The referrerpolicy="no-referrer" attribute ensures the Referer header is not sent -->
<iframe src="http://<rocket_chat_url>/livechat" width="800" height="600" referrerpolicy="no-referrer"></iframe>
</body>
</html>- Open the HTML file in a browser.
- Observe that the Livechat widget is successfully loaded in the iframe, bypassing the
Livechat_AllowedDomainsListrestriction because the server removes the CSP header when theRefereris missing.
tassoevan
approved these changes
May 26, 2026
tassoevan
added
the
stat: QA assured
ricardogarim
approved these changes
May 27, 2026
yash-rajpal
added
the
stat: ready to merge
dionisio-bot
Bot
removed
the
stat: ready to merge
dionisio-bot
Bot
added
the
stat: ready to merge
github-merge-queue
Bot
removed this pull request from the merge queue due to failed status checks
github-merge-queue
Bot
removed this pull request from the merge queue due to failed status checks
ggazzo
pushed a commit
that referenced
this pull request
May 27, 2026
Co-authored-by: Tasso Evangelista <tasso.evangelista@rocket.chat>
ggazzo
pushed a commit
that referenced
this pull request
May 28, 2026
Co-authored-by: Tasso Evangelista <tasso.evangelista@rocket.chat>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Proposed changes (including videos or screenshots)
Issue(s)
Steps to test or reproduce
Further comments
Summary by CodeRabbit
New Features
Bug Fixes