regression: custom sound record breaks when validation error on update

[nazabucciarelli]

Proposed changes (including videos or screenshots)

When an admin tried to update a custom sound but provided an invalid name (e.g., a name already in use), the update would correctly throw a 400 validation error, but the underlying audio file would break.

• Swapped execution order: We now invoke insertOrUpdateSound first. If the payload fails validation (e.g., duplicate name), the error is thrown immediately, and the execution stops before any file manipulation occurs.

• Added Regression Test: Added an isolated integration test within the test suite to simulate a failed update (name collision with a different file extension) and assert that neither the database metadata nor the underlying file is mutated.

Issue(s)

CORE-2243 [Regression] Failed custom-sound rename can break the sound file

Steps to test or reproduce

Preconditions: Have two custom sounds, for example sound-a.mp3 and sound-b.mp3

1. Go to Workspace → Sounds
2. Open sound-a
3. Attach a replacement file with a different extension than the current one.
   e.g: replace the current .mp3 with an .wav
4. Change the name of sound-a to fail the validation
   e.g: change it “sound-b”
5. Save
6. Close it
7. Click to hear the sound-a

Expected Behavior: The update should fail and leave sound-a unchanged and still play
Wrong Behavior: The update fails, and when you click to hear the sound-a it doesn’t play anymore. If the new file uses a different extension, the database still points to the old extension, and the sound becomes broken.

Further comments

Summary by CodeRabbit

• Bug Fixes
  • Prevents uploaded sound files from replacing existing sounds when an update fails validation, ensuring original files, names and served audio formats remain unchanged.
• Tests
  • Added end-to-end test coverage to verify failed sound updates do not alter stored audio content or served endpoints (including content-type and byte-for-byte checks).

[dionisio-bot]

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: 088b7ed

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

The update handler now upserts sound metadata before conditional file upload; a new E2E test verifies that a failed update (name collision) does not change metadata or the stored WAV file.

Changes

Sound Update Operation Safety

Layer / File(s)	Summary
Reorder metadata upsert before file upload apps/meteor/app/api/server/v1/custom-sounds.ts	The custom-sounds.update handler now calls insertOrUpdateSound immediately (with _id, validated name, and computed extension) before conditionally uploading fileBuffer; the later post-upload upsert was removed.
Test: failed validation does not mutate state apps/meteor/tests/end-to-end/api/custom-sounds.ts	Adds fs import and a new E2E test that triggers a name-collision during update while uploading a file, expects a 400, and asserts the original sound's metadata and WAV bytes/content-type remain unchanged and the MP3 endpoint for that id is 404.

Sequence Diagram

sequenceDiagram
  participant Client
  participant UpdateHandler
  participant Database
  participant FileStorage
  Client->>UpdateHandler: PUT /custom-sounds.update (name, file)
  UpdateHandler->>Database: insertOrUpdateSound (name, extension)
  alt metadata update succeeds
    Database-->>UpdateHandler: metadata persisted
    UpdateHandler->>FileStorage: upload file (if present)
    alt file upload succeeds
      FileStorage-->>UpdateHandler: file stored
      UpdateHandler-->>Client: 200 OK
    else file upload fails
      UpdateHandler-->>Client: error (metadata already saved)
    end
  else metadata update fails (validation error)
    Database-->>UpdateHandler: error (e.g., name collision)
    UpdateHandler-->>Client: 400 Bad Request (file not uploaded)
  end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~40 minutes

Suggested reviewers

• ggazzo

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly identifies the main change: a regression fix for custom sound records being mutated when validation errors occur during updates.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)

• CORE-2243: Request failed with status code 401

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nazabucciarelli]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apps/meteor/app/api/server/v1/custom-sounds.ts (1)

262-275: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Pre-upload metadata update can notify clients before the new file exists.

insertOrUpdateSound() persists the new name/extension and broadcasts immediately, but uploadCustomSound() writes ${_id}.${extension} afterward. For rename + file replacement flows, subscribers can observe metadata that points to a file path that is still being written (or not written yet if the upload later fails). Consider splitting validation from persistence, or suppressing the pre-upload update/broadcast when fileBuffer is present.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/app/api/server/v1/custom-sounds.ts` around lines 262 - 275, The
current flow calls insertOrUpdateSound(...) before uploadCustomSound(...), which
broadcasts metadata (name/extension) that may reference a file not yet uploaded;
change the logic so that when fileBuffer is present you do not persist/broadcast
the final metadata up-front: instead perform validations (keep any validation
logic), then call uploadCustomSound(fileBuffer, computedMimeType, {...}) first
and only after a successful upload call insertOrUpdateSound(...) (or update the
DB and broadcast) using the uploaded extension/_id; if you must persist earlier,
suppress the broadcast in insertOrUpdateSound when fileBuffer is provided and
emit an update after upload completes; reference insertOrUpdateSound,
uploadCustomSound and soundToUpdate to implement this ordering or
broadcast-suppression.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/meteor/tests/end-to-end/api/custom-sounds.ts`:
- Around line 398-415: Add an assertion that the unexpected .mp3 path does not
exist by issuing a GET to `/custom-sounds/${soundAId}.mp3` (after the existing
checks for api('custom-sounds.getOne') and `/custom-sounds/${soundAId}.wav`) and
expecting a 404; reference the existing test variables soundAId/soundAName and
the same credentials to perform the request so the suite verifies no orphan
`${soundAId}.mp3` was created.

---

Outside diff comments:
In `@apps/meteor/app/api/server/v1/custom-sounds.ts`:
- Around line 262-275: The current flow calls insertOrUpdateSound(...) before
uploadCustomSound(...), which broadcasts metadata (name/extension) that may
reference a file not yet uploaded; change the logic so that when fileBuffer is
present you do not persist/broadcast the final metadata up-front: instead
perform validations (keep any validation logic), then call
uploadCustomSound(fileBuffer, computedMimeType, {...}) first and only after a
successful upload call insertOrUpdateSound(...) (or update the DB and broadcast)
using the uploaded extension/_id; if you must persist earlier, suppress the
broadcast in insertOrUpdateSound when fileBuffer is provided and emit an update
after upload completes; reference insertOrUpdateSound, uploadCustomSound and
soundToUpdate to implement this ordering or broadcast-suppression.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cc2b146b-d7df-4e20-8c8f-e5531a78b7b2

📥 Commits

Reviewing files that changed from the base of the PR and between 6fb88e1 and ca8f097.

📒 Files selected for processing (2)

• apps/meteor/app/api/server/v1/custom-sounds.ts
• apps/meteor/tests/end-to-end/api/custom-sounds.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: 📦 Build Packages
• GitHub Check: cubic · AI code reviewer
• GitHub Check: Hacktron Security Check
• GitHub Check: CodeQL-Build

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/tests/end-to-end/api/custom-sounds.ts
• apps/meteor/app/api/server/v1/custom-sounds.ts

🧠 Learnings (5)

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/tests/end-to-end/api/custom-sounds.ts
• apps/meteor/app/api/server/v1/custom-sounds.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/tests/end-to-end/api/custom-sounds.ts
• apps/meteor/app/api/server/v1/custom-sounds.ts

📚 Learning: 2026-05-06T12:21:44.083Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

• apps/meteor/tests/end-to-end/api/custom-sounds.ts
• apps/meteor/app/api/server/v1/custom-sounds.ts

📚 Learning: 2026-02-23T17:53:06.802Z

Learnt from: ggazzo
Repo: RocketChat/Rocket.Chat PR: 35995
File: apps/meteor/app/api/server/v1/rooms.ts:1107-1112
Timestamp: 2026-02-23T17:53:06.802Z
Learning: During PR reviews that touch endpoint files under apps/meteor/app/api/server/v1, enforce strict scope: if a PR targets a specific endpoint (e.g., rooms.favorite), do not propose changes to unrelated endpoints (e.g., rooms.invite) unless maintainers explicitly request them. Focus feedback on the touched endpoint's behavior, API surface, and related tests; avoid broad cross-endpoint changes in the same PR unless requested.

Applied to files:

• apps/meteor/app/api/server/v1/custom-sounds.ts

📚 Learning: 2026-02-24T19:09:01.522Z

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38974
File: apps/meteor/app/api/server/v1/im.ts:220-221
Timestamp: 2026-02-24T19:09:01.522Z
Learning: In Rocket.Chat OpenAPI migration PRs for endpoints under apps/meteor/app/api/server/v1, avoid introducing logic changes. Only perform scope-tight changes that preserve behavior; style-only cleanups (e.g., removing inline comments) may be deferred to follow-ups to keep the migration PR focused.

Applied to files:

• apps/meteor/app/api/server/v1/custom-sounds.ts

[cubic-dev-ai]

2 issues found across 2 files

<sub>Tip: cubic used a learning from your PR history. Let your coding agent read cubic learnings directly with the cubic MCP.

Re-trigger cubic</sub>

[coderabbitai]

🧹 Nitpick comments (1)

apps/meteor/tests/end-to-end/api/custom-sounds.ts (1)

378-379: 💤 Low value

Consider aligning cleanup patterns across all test suites in this file.

These lines remove the conditional guards present in other after hooks (e.g., lines 64–71, 76–80). While the "fail fast" approach can surface setup failures more clearly, the inconsistency may confuse future maintainers. Consider either adopting unconditional cleanup throughout the file or restoring the guards here for consistency.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/tests/end-to-end/api/custom-sounds.ts` around lines 378 - 379,
The two cleanup calls await deleteCustomSound(soundAId) and await
deleteCustomSound(soundBId) are unconditional while other after hooks use
presence guards; update this block to match the file's pattern by either (A)
wrapping both calls in conditional checks for soundAId and soundBId (e.g., if
(soundAId) deleteCustomSound(soundAId)) to avoid throwing when setup failed, or
(B) make all after hooks in this test file unconditional by removing guards
elsewhere so cleanup is consistent; locate the after hook containing
deleteCustomSound and apply the chosen consistent pattern across the file.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@apps/meteor/tests/end-to-end/api/custom-sounds.ts`:
- Around line 378-379: The two cleanup calls await deleteCustomSound(soundAId)
and await deleteCustomSound(soundBId) are unconditional while other after hooks
use presence guards; update this block to match the file's pattern by either (A)
wrapping both calls in conditional checks for soundAId and soundBId (e.g., if
(soundAId) deleteCustomSound(soundAId)) to avoid throwing when setup failed, or
(B) make all after hooks in this test file unconditional by removing guards
elsewhere so cleanup is consistent; locate the after hook containing
deleteCustomSound and apply the chosen consistent pattern across the file.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9ea9ccff-0b29-4a1a-b003-ae09e162baab

📥 Commits

Reviewing files that changed from the base of the PR and between 3a28b57 and 088b7ed.

📒 Files selected for processing (1)

• apps/meteor/tests/end-to-end/api/custom-sounds.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: 📦 Build Packages
• GitHub Check: cubic · AI code reviewer
• GitHub Check: CodeQL-Build
• GitHub Check: CodeQL-Build

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/tests/end-to-end/api/custom-sounds.ts

🧠 Learnings (3)

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/tests/end-to-end/api/custom-sounds.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/tests/end-to-end/api/custom-sounds.ts

📚 Learning: 2026-05-06T12:21:44.083Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

• apps/meteor/tests/end-to-end/api/custom-sounds.ts

🔇 Additional comments (2)

apps/meteor/tests/end-to-end/api/custom-sounds.ts (2)

2-2: LGTM!

---

382-418: LGTM!

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (release-8.5.0@6fb88e1). Learn more about missing BASE report.

Additional details and impacted files

@@               Coverage Diff                @@
##             release-8.5.0   #40696   +/-   ##
================================================
  Coverage                 ?   69.63%           
================================================
  Files                    ?     3338           
  Lines                    ?   123236           
  Branches                 ?    21968           
================================================
  Hits                     ?    85821           
  Misses                   ?    34059           
  Partials                 ?     3356           

Flag	Coverage Δ
unit	70.45% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.