@julio-rocketchat
Member

@julio-rocketchat julio-rocketchat commented Sep 18, 2025

Proposed changes (including videos or screenshots)

Issue(s)

VLN-151

Steps to test or reproduce

Further comments

Summary by CodeRabbit

  • Security
    • Strengthened API authentication by binding user identity to the authenticated session; header-only requests are no longer accepted.
  • Bug Fixes
    • Unauthorized requests now consistently return 401 (e.g., when Anonymous Read is disabled), improving error accuracy.
  • Tests
    • Added end-to-end tests enforcing authentication for user info and updated channel tests to reflect 401 behavior.
  • Chores
    • Added a changeset for a patch release and a security hotfix note.

@julio-rocketchat julio-rocketchat requested a review from a team as a code owner September 18, 2025 14:59
@dionisio-bot
Contributor

dionisio-bot bot commented Sep 18, 2025

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label
  • This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

@changeset-bot

changeset-bot bot commented Sep 18, 2025

🦋 Changeset detected

Latest commit: 12e25c3

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 39 packages
Name Type
@rocket.chat/meteor Patch
@rocket.chat/core-typings Patch
@rocket.chat/rest-typings Patch
@rocket.chat/uikit-playground Patch
@rocket.chat/api-client Patch
@rocket.chat/apps Patch
@rocket.chat/core-services Patch
@rocket.chat/cron Patch
@rocket.chat/ddp-client Patch
@rocket.chat/freeswitch Patch
@rocket.chat/fuselage-ui-kit Patch
@rocket.chat/gazzodown Patch
@rocket.chat/http-router Patch
@rocket.chat/livechat Patch
@rocket.chat/model-typings Patch
@rocket.chat/ui-avatar Patch
@rocket.chat/ui-client Patch
@rocket.chat/ui-contexts Patch
@rocket.chat/web-ui-registration Patch
@rocket.chat/account-service Patch
@rocket.chat/authorization-service Patch
@rocket.chat/ddp-streamer Patch
@rocket.chat/omnichannel-transcript Patch
@rocket.chat/presence-service Patch
@rocket.chat/queue-worker Patch
@rocket.chat/stream-hub-service Patch
@rocket.chat/license Patch
@rocket.chat/omnichannel-services Patch
@rocket.chat/pdf-worker Patch
@rocket.chat/presence Patch
rocketchat-services Patch
@rocket.chat/models Patch
@rocket.chat/network-broker Patch
@rocket.chat/omni-core-ee Patch
@rocket.chat/mock-providers Patch
@rocket.chat/ui-video-conf Patch
@rocket.chat/ui-voip Patch
@rocket.chat/instance-status Patch
@rocket.chat/omni-core Patch

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (3)
.changeset/grumpy-berries-arrive.md (1)

5-5: Fix MD034 (bare URL) and tighten the release note.

Wrap the URL to appease markdownlint and make the note a bit clearer for release consumers.

-Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
+Security hotfix — see [security fixes and updates](https://docs.rocket.chat/docs/security-fixes-and-updates).
apps/meteor/app/api/server/ApiClass.ts (1)

968-972: Avoid treating a missing X-Auth-Token as the literal string "undefined".

String(undefined) is truthy and triggers an unnecessary DB lookup with a bogus hashed token. Use a guarded read.

-		const userToken = String(headers['x-auth-token']);
-
-		if (userId && userToken) {
+		const rawToken = headers['x-auth-token'];
+		const userToken = rawToken ? String(rawToken) : undefined;
+
+		if (userId && userToken) {
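
Review bot: On the new `userToken` line, `rawToken ? String(rawToken) : undefined` only covers a missing or empty header; a whitespace-only value is still truthy and reaches the hashed-token lookup, so test `typeof rawToken === 'string'` and trim before the check. The `if (userId && userToken) {` line is identical on both sides and should stay as context instead of being removed and re-added.
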
apps/meteor/tests/end-to-end/api/users.ts (1)

684-729: Tests correctly assert 401 for unauthenticated /users.info (with and without Anonymous Read).

Good coverage for “no creds” and “X-User-Id only” cases.

Consider adding one more case: “X-Auth-Token only” (no X-User-Id) should also 401, to fully bracket header permutations.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between b1cefb0 and 5aaf2ef.

📒 Files selected for processing (3)
  • .changeset/grumpy-berries-arrive.md (1 hunks)
  • apps/meteor/app/api/server/ApiClass.ts (1 hunks)
  • apps/meteor/tests/end-to-end/api/users.ts (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-09-16T22:08:51.490Z
Learnt from: CR
PR: RocketChat/Rocket.Chat#0
File: .cursor/rules/playwright.mdc:0-0
Timestamp: 2025-09-16T22:08:51.490Z
Learning: Applies to apps/meteor/tests/e2e/**/*.spec.ts : Use descriptive test names that clearly communicate expected behavior

Applied to files:

  • apps/meteor/tests/end-to-end/api/users.ts
🧬 Code graph analysis (1)
apps/meteor/tests/end-to-end/api/users.ts (1)
apps/meteor/tests/data/api-data.ts (1)
  • credentials (39-42)
🪛 markdownlint-cli2 (0.17.2)
.changeset/grumpy-berries-arrive.md

5-5: Bare URL used

(MD034, no-bare-urls)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: 📦 Build Packages
  • GitHub Check: CodeQL-Build
  • GitHub Check: CodeQL-Build
🔇 Additional comments (2)
apps/meteor/app/api/server/ApiClass.ts (2)

816-816: Deriving userId from the authenticated user is correct.

This removes header spoofing risk and aligns downstream permission checks with a verified identity. LGTM.


821-825: Early 401 gate reads clean; behavior matches intent.

Short‑circuiting before rate‑limit/validation is correct — use authOrAnonRequired: true for anon‑OK endpoints and authRequired: true for auth‑only endpoints. Ripgrep results show X-User-Id only in tests/fixtures (apps/meteor/tests/**); no production routes read the x-user-id header directly.

@RocketChat RocketChat deleted a comment from coderabbitai bot Sep 18, 2025
@codecov

codecov bot commented Sep 18, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.18%. Comparing base (f139c0d) to head (12e25c3).
⚠️ Report is 2 commits behind head on develop.

@@             Coverage Diff             @@
##           develop   #36982      +/-   ##
===========================================
- Coverage    66.21%   66.18%   -0.03%     
===========================================
  Files         3384     3384              
  Lines       115027   115027              
  Branches     21064    21066       +2     
===========================================
- Hits         76161    76136      -25     
- Misses       36260    36283      +23     
- Partials      2606     2608       +2     
Flag Coverage Δ
e2e 56.94% <ø> (-0.06%) ⬇️
unit 71.16% <ø> (-0.02%) ⬇️

@julio-rocketchat julio-rocketchat changed the title from "fix: imported fixes 11-18-2025" to "fix: imported fixes 09-18-2025" Sep 18, 2025
Signed-off-by: Abhinav Kumar <abhinav@avitechlab.com>
@coderabbitai
Contributor

coderabbitai bot commented Sep 18, 2025

Walkthrough

Switches API identity source from the X-User-Id header to the authenticated session (this.user?._id), adds explicit anonymous/auth guards to return 401 for unauthorized access, updates end-to-end tests to expect 401, and adds a changeset noting a patch security hotfix.

Changes

| Cohort / File(s) | Summary of Changes |
| --- | --- |
| API auth flow adjustments: apps/meteor/app/api/server/ApiClass.ts | Derive user ID from session (this.user?._id) instead of x-user-id. Add shouldPreventAnonymousRead and shouldPreventUserRead guards and return 401 when access is unauthorized while preserving response shape and compatibility flags. |
| E2E tests updates: apps/meteor/tests/end-to-end/api/channels.ts, apps/meteor/tests/end-to-end/api/users.ts | Update channels anonymous-read test to expect 401 (was 400). Add /users.info tests asserting 401 when requests lack valid auth (including cases where Anonymous Read is enabled or when only X-User-Id header is provided). |
| Release metadata: .changeset/grumpy-berries-arrive.md | Add changeset entry for a patch release of @rocket.chat/meteor with a security hotfix note and reference URL. |

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Router as API Router
    participant Api as ApiClass
    participant Session as Auth/Session
    participant Settings as Workspace Settings

    Client->>Router: HTTP Request (headers, params)
    Router->>Api: Dispatch handler
    Api->>Session: check this.user?
    Session-->>Api: user or null
    Api->>Settings: read Accounts_AllowAnonymousRead
    Settings-->>Api: true/false

    alt No user AND authRequired
        Api-->>Client: 401 Unauthorized
    else No user AND authOrAnonRequired AND !Accounts_AllowAnonymousRead
        Api-->>Client: 401 Unauthorized
    else Proceed
        Api-->>Client: continue to endpoint logic / success
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

I nibbled on the headers bright,
and sniffed the session’s proper right.
No spoofed IDs or secret peeks,
the burrow guards its secret creeks.
Patch applied — the tunnel’s snug. 🐇🔐

Pre-merge checks and finishing touches

❌ Failed checks (2 inconclusive)
Check name Status Explanation Resolution
Title Check ❓ Inconclusive The PR title "fix: imported fixes 09-18-2025" is generic and date-focused rather than describing the substantive change; it does not identify the affected subsystem (API authentication / AnonymousRead) or reference the security issue being addressed, so it is not sufficiently descriptive for reviewers scanning history. Under the provided evaluation rules this qualifies as a vague/generic title. Rename the PR to a concise, descriptive title such as "fix(api): prevent X-User-Id spoofing and enforce session authentication (VLN-151)" and add a short PR body that lists the core fixes and which endpoints are covered so reviewers can quickly assess scope; if the branch contains multiple unrelated fixes, split them or list them clearly in the description.
Linked Issues Check ❓ Inconclusive The changes reported move identity sourcing from the X-User-Id header to this.user?._id, add explicit guards to block anonymous/unauthenticated access, and add/update e2e tests for /api/users.info and channels anonymous-read, which align with the primary goals of VLN-151 (prevent X-User-Id spoofing, enforce session/token validation, and restrict anonymous-read) VLN-151. However, the summaries do not show explicit coverage or tests for all previously affected administrative endpoints (for example GET /api/v1/audit.settings) nor do they prove every code path and admin route now rejects X-User-Id-only requests, so I cannot conclusively verify complete remediation from the provided information. Ask the author to include explicit regression/e2e tests for the previously vulnerable admin endpoints (e.g., audit.settings and other /api/v1/* admin routes) demonstrating that X-User-Id-only requests are rejected, and add a short PR note enumerating which endpoints the ApiClass change covers and confirming the server no longer trusts X-User-Id for authorization; once those tests and documentation are present the compliance check can be re-evaluated.
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Out of Scope Changes Check ✅ Passed The provided diffs are limited to a changeset entry, modifications to ApiClass authentication/access checks, and related end-to-end test updates; these changes are directly related to addressing the VLN-151 vulnerability and I do not see unrelated or out-of-scope modifications in the supplied summaries.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.
📜 Recent review details

📥 Commits

Reviewing files that changed from the base of the PR and between 4f75e56 and 35dc5a0.

📒 Files selected for processing (1)
  • apps/meteor/tests/end-to-end/api/channels.ts (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • apps/meteor/tests/end-to-end/api/channels.ts
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: 🔨 Test Unit / Unit Tests
  • GitHub Check: 🔨 Test Storybook / Test Storybook
  • GitHub Check: 🔎 Code Check / TypeScript
  • GitHub Check: CodeQL-Build
  • GitHub Check: CodeQL-Build

Comment @coderabbitai help to get the list of available commands and usage tips.
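
The decision flow in the walkthrough's sequence diagram, run over the header permutations the review asks the tests to cover, as an added TypeScript example (not code from this PR or from Rocket.Chat). `SESSIONS`, `resolveUser`, `handle` and `authOnlyPermutations` are hypothetical names, the session table is constructed sample data keyed by plain token where the server matches a hashed token, and `shouldPreventUserRead` is inferred from the diagram's first branch.

```typescript
// Added illustration, not Rocket.Chat code. All names here are hypothetical.
type User = { _id: string; roles: string[] };
type RouteOptions = { authRequired?: boolean; authOrAnonRequired?: boolean };
type HeaderMap = { [name: string]: string | undefined };
type Outcome = { status: number; userId: string | null };
type Permutations = {
  noCredentials: Outcome;
  userIdOnly: Outcome;
  tokenOnly: Outcome;
  tokenWithForeignId: Outcome;
  matchingPair: Outcome;
};

// Constructed sample sessions: login token -> owning user.
// Assumption: keyed by plain token for brevity; the server matches a hashed token.
const SESSIONS = new Map<string, User>([
  ['token-regular', { _id: 'u-regular', roles: ['user'] }],
  ['token-admin', { _id: 'u-admin', roles: ['admin'] }],
]);

// Mirrors the lookup quoted in the review: both headers must be present and
// the token must belong to the user that X-User-Id names.
function resolveUser(headers: HeaderMap): User | null {
  const token = headers['x-auth-token'];
  const hintedId = headers['x-user-id'];
  if (!token || !hintedId) {
    return null; // a missing header is never coerced to the string "undefined"
  }
  const owner = SESSIONS.get(token);
  return owner !== undefined && owner._id === hintedId ? owner : null;
}

function handle(headers: HeaderMap, options: RouteOptions, allowAnonymousRead: boolean): Outcome {
  const user = resolveUser(headers);
  // Identity comes from the verified session only; the header is not read again.
  const userId = user ? user._id : null;

  const shouldPreventAnonymousRead = !user && Boolean(options.authOrAnonRequired) && !allowAnonymousRead;
  const shouldPreventUserRead = !user && Boolean(options.authRequired);
  if (shouldPreventAnonymousRead || shouldPreventUserRead) {
    return { status: 401, userId: null };
  }
  return { status: 200, userId };
}

// Header permutations against an auth-only route; only the last one is a valid login.
function authOnlyPermutations(allowAnonymousRead: boolean): Permutations {
  const route: RouteOptions = { authRequired: true };
  return {
    noCredentials: handle({}, route, allowAnonymousRead),
    userIdOnly: handle({ 'x-user-id': 'u-admin' }, route, allowAnonymousRead),
    tokenOnly: handle({ 'x-auth-token': 'token-regular' }, route, allowAnonymousRead),
    tokenWithForeignId: handle({ 'x-auth-token': 'token-regular', 'x-user-id': 'u-admin' }, route, allowAnonymousRead),
    matchingPair: handle({ 'x-auth-token': 'token-regular', 'x-user-id': 'u-regular' }, route, allowAnonymousRead),
  };
}
```

On an `authOrAnonRequired` route with Anonymous Read enabled, the header-only request is still served, but as an anonymous caller: `userId` is `null`, never the value of `X-User-Id`.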

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (4)
.changeset/grumpy-berries-arrive.md (1)

5-5: Fix markdownlint MD034 and clarify the security note.

Wrap the bare URL and briefly summarize the behavioral change (session-based auth, 401 vs 400), so release notes are actionable.

-Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
+### Security
+
+Harden API authorization by deriving identity from the authenticated session instead of the X-User-Id header. Anonymous-read now returns 401 (Unauthorized) when disabled. This closes a broken access control path affecting admin/sensitive endpoints.
+
+See: [Security fixes and updates](https://docs.rocket.chat/docs/security-fixes-and-updates)
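
Review bot: The added paragraph names the mechanism (identity taken from the `X-User-Id` header) and the impact (`admin/sensitive endpoints`) in a public release note, where the removed line only pointed to the security updates page; confirm that this level of detail matches the project's disclosure timing before replacing the one-line pointer. If the behavior change has to reach release consumers, the sentence `Anonymous-read now returns 401 (Unauthorized) when disabled.` can stand on its own without the root-cause description.
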
apps/meteor/app/api/server/ApiClass.ts (3)

821-825: Auth gating logic is correct; minor hardening suggested

The two guards correctly block anonymous access when Anonymous Read is off, and require auth when authRequired is set.

To avoid any truthiness surprises and to clarify intent, coerce the setting to boolean once and reuse it:

- const shouldPreventAnonymousRead = !this.user && options.authOrAnonRequired && !settings.get('Accounts_AllowAnonymousRead');
+ const allowAnonymous = !!settings.get<boolean>('Accounts_AllowAnonymousRead');
+ const shouldPreventAnonymousRead = !this.user && options.authOrAnonRequired && !allowAnonymous;
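
Review bot: Coercing only the setting leaves `options.authOrAnonRequired` uncoerced in the same expression, so with `this.user` unset `shouldPreventAnonymousRead` still evaluates to `undefined` rather than `false` on a route that does not set the option. If the aim is a strict boolean, wrap that operand as well, for example `Boolean(options.authOrAnonRequired)`.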

821-825: Defense-in-depth: ignore spoofed X-User-Id and derive identity from token

Today authenticatedRoute still accepts a caller-provided x-user-id (paired with a valid token). To fully eliminate header spoofing as an attack surface, derive the user solely from the token, and if a mismatching x-user-id is supplied, treat it as unauthorized (and optionally log).

Apply this change to authenticatedRoute:

@@
-	protected async authenticatedRoute(req: Request): Promise<IUser | null> {
-		const headers = Object.fromEntries(req.headers.entries());
-
-		const { 'x-user-id': userId } = headers;
-
-		const userToken = String(headers['x-auth-token']);
-
-		if (userId && userToken) {
-			return Users.findOne(
-				{
-					'services.resume.loginTokens.hashedToken': Accounts._hashLoginToken(userToken),
-					'_id': userId,
-				},
-				{
-					projection: getDefaultUserFields(),
-				},
-			);
-		}
-		return null;
-	}
+	protected async authenticatedRoute(req: Request): Promise<IUser | null> {
+		const rawToken = req.headers.get('x-auth-token') || '';
+		if (!rawToken) {
+			return null;
+		}
+		const hashed = Accounts._hashLoginToken(String(rawToken));
+		const user = await Users.findOne(
+			{ 'services.resume.loginTokens.hashedToken': hashed },
+			{ projection: getDefaultUserFields() },
+		);
+		// Optional: reject mismatched X-User-Id if the client sent one
+		const hintedId = req.headers.get('x-user-id') || undefined;
+		if (hintedId && user && user._id !== hintedId) {
+			// logger.warn(`Mismatched X-User-Id for provided token (hinted=${hintedId}, tokenUser=${user._id})`);
+			return null;
+		}
+		return user ?? null;
+	}
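
Review bot: Dropping `'_id': userId` from the `findOne` filter and the `if (userId && userToken)` gate means a request carrying only `X-Auth-Token` now authenticates, where the removed code returned `null` unless both headers were present; any test expecting 401 for the token-only case has to be decided against this change. In the mismatch branch, `return null` runs with the `logger.warn` call commented out, so a valid token sent with a different `X-User-Id` leaves no trace; if the log is enabled, pass `hintedId` as a structured, length-limited field because it is caller-controlled and is interpolated into the message as written. `String(rawToken)` is redundant after `|| ''`.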

821-825: Anonymous path can hit non-null assertion on this.token

When Anonymous Read is enabled and the route uses authOrAnonRequired, this.user is null and authToken may be absent. Later we call Accounts._setAccountData(..., this.token!), which will pass undefined at runtime. Guard it.

Here’s a targeted fix (outside the changed hunk):

@@
- Accounts._setAccountData(connection.id, 'loginToken', this.token!);
+ if (this.token) {
+   Accounts._setAccountData(connection.id, 'loginToken', this.token);
+ }

Please run an anonymous GET on a route with authOrAnonRequired: true and Anonymous Read enabled to confirm no runtime error occurs today.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between b1cefb0 and 4f75e56.

📒 Files selected for processing (4)
  • .changeset/grumpy-berries-arrive.md (1 hunks)
  • apps/meteor/app/api/server/ApiClass.ts (1 hunks)
  • apps/meteor/tests/end-to-end/api/channels.ts (1 hunks)
  • apps/meteor/tests/end-to-end/api/users.ts (1 hunks)
🔇 Additional comments (4)
apps/meteor/tests/end-to-end/api/users.ts (2)

684-696: Good negative coverage for missing credentials (expects 401).

This validates the new auth guard for /users.info. LGTM.


698-729: Add spoof‑resistance e2e and audit server-side X-User-Id usage

Add an e2e that proves a low‑privilege token + spoofed X-User-Id cannot access admin-only endpoints (e.g., GET /api/v1/audit.settings). Audit and patch any server handlers that read x-user-id so they verify the token→user mapping (do not authorize based solely on the header).

Files to audit (found usages): apps/meteor/server/routes/userDataDownload.ts:36, apps/meteor/app/file-upload/server/lib/FileUpload.ts:470, apps/meteor/app/api/server/middlewares/authentication.ts (header handling), apps/meteor/app/api/server/helpers/getLoggedInUser.ts:7, apps/meteor/app/api/server/ApiClass.ts:966.

Example test (add under a new e2e Security describe):

it('should ignore X-User-Id header and deny admin-only endpoint with low-privilege token', async () => {
  const regular = await createUser();
  const regularCreds = await login(regular.username, password);

  await request
    .get(api('audit.settings'))
    .set({
      'X-Auth-Token': regularCreds['X-Auth-Token'],
      // Spoof header to admin; server must ignore this for authZ
      'X-User-Id': credentials['X-User-Id'],
    })
    .expect('Content-Type', 'application/json')
    .expect(403)
    .expect((res) => {
      expect(res.body).to.have.property('success', false);
    });

  await deleteUser(regular);
});
apps/meteor/tests/end-to-end/api/channels.ts (1)

3587-3591: Approve — 401 for anonymous read is correct. Message assertion unchanged; LGTM. Verification script to find stale tests expecting 400 returned no output; unable to confirm absence of such tests — re-run rg -nP 'channels.anonymousread.expect(\s400\s*)' -- apps/meteor/tests/end-to-end or inspect tests manually.

apps/meteor/app/api/server/ApiClass.ts (1)

816-816: Good: userId now derived from authenticated user object

Setting this.userId = this.user?._id removes reliance on the X-User-Id header at call sites. This is the right direction for fixing VLN-151.

Run to spot any routes that read this.userId without setting authRequired or authOrAnonRequired (those handlers would now see undefined for anonymous calls):

@julio-rocketchat julio-rocketchat merged commit b76d99b into develop Sep 19, 2025
86 of 88 checks passed
@julio-rocketchat julio-rocketchat deleted the imported-fixes-11-18-2025 branch September 19, 2025 13:22
@julio-rocketchat
Member Author

/patch

dionisio-bot bot pushed a commit that referenced this pull request Sep 19, 2025
Signed-off-by: Abhinav Kumar <abhinav@avitechlab.com>
Co-authored-by: Abhinav Kumar <abhinav@avitechlab.com>
@dionisio-bot
Contributor

dionisio-bot bot commented Sep 19, 2025

Pull request #37000 added to Project: "Patch 7.10.1"

@julio-rocketchat
Member Author

/backport 7.9.4

dionisio-bot bot pushed a commit that referenced this pull request Sep 19, 2025
Signed-off-by: Abhinav Kumar <abhinav@avitechlab.com>
Co-authored-by: Abhinav Kumar <abhinav@avitechlab.com>
@dionisio-bot
Contributor

dionisio-bot bot commented Sep 19, 2025

Pull request #37001 added to Project: "Patch 7.9.4"

@julio-rocketchat
Member Author

/backport 7.8.5

dionisio-bot bot pushed a commit that referenced this pull request Sep 19, 2025
Signed-off-by: Abhinav Kumar <abhinav@avitechlab.com>
Co-authored-by: Abhinav Kumar <abhinav@avitechlab.com>
@dionisio-bot
Contributor

dionisio-bot bot commented Sep 19, 2025

Pull request #37002 added to Project: "Patch 7.8.5"

@julio-rocketchat
Member Author

/backport 7.7.9

@dionisio-bot
Contributor

dionisio-bot bot commented Sep 19, 2025

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-7.7.9-36982
git cherry-pick b76d99b3d16a23d3eca1bcdd8813a4740b1b4459
// solve the conflict
git push

after that just run /backport 7.7.9 again

julio-rocketchat added a commit that referenced this pull request Sep 19, 2025
Signed-off-by: Abhinav Kumar <abhinav@avitechlab.com>
Co-authored-by: Abhinav Kumar <abhinav@avitechlab.com>
@julio-rocketchat
Member Author

/backport 7.7.9

@dionisio-bot
Contributor

dionisio-bot bot commented Sep 19, 2025

Pull request #37003 added to Project: "Patch 7.7.9"

@julio-rocketchat
Member Author

/backport 7.6.6

@dionisio-bot
Contributor

dionisio-bot bot commented Sep 19, 2025

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-7.6.6-36982
git cherry-pick b76d99b3d16a23d3eca1bcdd8813a4740b1b4459
// solve the conflict
git push

after that just run /backport 7.6.6 again

julio-rocketchat added a commit that referenced this pull request Sep 19, 2025
Signed-off-by: Abhinav Kumar <abhinav@avitechlab.com>
Co-authored-by: Abhinav Kumar <abhinav@avitechlab.com>
@julio-rocketchat
Member Author

/backport 7.6.6

@dionisio-bot
Contributor

dionisio-bot bot commented Sep 19, 2025

Pull request #37004 added to Project: "Patch 7.6.6"

@jonasflorencio
Member

/backport 7.5.5

@dionisio-bot
Contributor

dionisio-bot bot commented Sep 19, 2025

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-7.5.5-36982
git cherry-pick b76d99b3d16a23d3eca1bcdd8813a4740b1b4459
// solve the conflict
git push

after that just run /backport 7.5.5 again

jonasflorencio pushed a commit that referenced this pull request Sep 19, 2025
Signed-off-by: Abhinav Kumar <abhinav@avitechlab.com>
Co-authored-by: Abhinav Kumar <abhinav@avitechlab.com>
@jonasflorencio
Member

/backport 7.5.5

@dionisio-bot
Contributor

dionisio-bot bot commented Sep 19, 2025

Pull request #37005 added to Project: "Patch 7.5.5"

@jonasflorencio
Member

/backport 7.4.6

@dionisio-bot
Contributor

dionisio-bot bot commented Sep 19, 2025

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-7.4.6-36982
git cherry-pick b76d99b3d16a23d3eca1bcdd8813a4740b1b4459
// solve the conflict
git push

after that just run /backport 7.4.6 again

jonasflorencio pushed a commit that referenced this pull request Sep 19, 2025
Signed-off-by: Abhinav Kumar <abhinav@avitechlab.com>
Co-authored-by: Abhinav Kumar <abhinav@avitechlab.com>
@jonasflorencio
Member

/backport 7.4.6

@dionisio-bot
Contributor

dionisio-bot bot commented Sep 19, 2025

Pull request #37006 added to Project: "Patch 7.4.6"

@coderabbitai coderabbitai bot mentioned this pull request Sep 19, 2025