RocketChat · rocketchat-github-ci · Jan 26, 2026 · Feb 20, 2026 · Feb 20, 2026 · Feb 23, 2026
@@ -170,7 +170,7 @@ runs:
             "meteor/babel-compiler/node_modules/@meteorjs/swc-core/.swc/node_modules/@swc/core-linux-x64-musl" # Removes 58M
             "meteor/babel-compiler/node_modules/@meteorjs/swc-core/.swc/node_modules/@swc/core-linux-arm64-musl" # Removes 44M
             "meteor/babel-compiler/node_modules/typescript" # Removes 31M
-            "meteor/babel-compiler/node_modules/@babel" # Removes 14M
+        #     "meteor/babel-compiler/node_modules/@babel" # Removes 14M
 
             "@rocket.chat/i18n/src" # Removes 16M
             "typescript" # Removes 19M

diff --git a/apps/meteor/.mocharc.js b/apps/meteor/.mocharc.js
@@ -28,5 +28,8 @@ module.exports = {
 		'tests/unit/server/**/*.spec.ts',
 		'app/api/server/lib/**/*.spec.ts',
 		'app/file-upload/server/**/*.spec.ts',
+		'app/statistics/server/**/*.spec.ts',
+		'app/livechat/server/lib/**/*.spec.ts',
+		'app/utils/server/**/*.spec.ts',
 	],
 };
diff --git a/apps/meteor/CHANGELOG.md b/apps/meteor/CHANGELOG.md
@@ -1,5 +1,52 @@
 # @rocket.chat/meteor
 
+## 8.0.2
+
+### Patch Changes
+
+- ([#38351](https://github.com/RocketChat/Rocket.Chat/pull/38351) by [@dionisio-bot](https://github.com/dionisio-bot)) Fixes integration saving error because of missing babel dependencies inside the docker container
+
+- Bump @rocket.chat/meteor version.
+
+- Bump @rocket.chat/meteor version.
+
+- ([#38787](https://github.com/RocketChat/Rocket.Chat/pull/38787) by [@dionisio-bot](https://github.com/dionisio-bot)) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)
+
+- <details><summary>Updated dependencies []:</summary>
+
+  - @rocket.chat/core-typings@8.0.2
+  - @rocket.chat/rest-typings@8.0.2
+  - @rocket.chat/abac@0.1.2
+  - @rocket.chat/federation-matrix@0.0.11
+  - @rocket.chat/license@1.1.9
+  - @rocket.chat/media-calls@0.2.2
+  - @rocket.chat/omnichannel-services@0.3.46
+  - @rocket.chat/pdf-worker@0.3.28
+  - @rocket.chat/presence@0.2.49
+  - @rocket.chat/api-client@0.2.49
+  - @rocket.chat/apps@0.6.2
+  - @rocket.chat/core-services@0.12.2
+  - @rocket.chat/cron@0.1.49
+  - @rocket.chat/fuselage-ui-kit@26.0.2
+  - @rocket.chat/gazzodown@26.0.2
+  - @rocket.chat/http-router@7.9.16
+  - @rocket.chat/message-types@0.1.0
+  - @rocket.chat/model-typings@2.0.2
+  - @rocket.chat/ui-avatar@22.0.2
+  - @rocket.chat/ui-client@26.0.2
+  - @rocket.chat/ui-contexts@26.0.2
+  - @rocket.chat/ui-voip@16.0.2
+  - @rocket.chat/web-ui-registration@26.0.2
+  - @rocket.chat/models@2.0.2
+  - @rocket.chat/server-cloud-communication@0.0.2
+  - @rocket.chat/network-broker@0.2.28
+  - @rocket.chat/omni-core-ee@0.0.14
+  - @rocket.chat/ui-theming@0.4.4
+  - @rocket.chat/ui-video-conf@26.0.2
+  - @rocket.chat/instance-status@0.1.49
+  - @rocket.chat/omni-core@0.0.14
+  </details>
+
 ## 8.0.1
 
 ### Patch Changes

@@ -71,6 +71,11 @@ describe('getUserInfo', () => {
 		);
 	});
 
+	it("should NOT return user preferences when 'pullPreferences' param is false", async () => {
+		const userInfo = await getUserInfo(user, false);
+		expect(userInfo.settings).not.toHaveProperty('preferences');
+	});
+
 	describe('email handling', () => {
 		it('should not include email if no emails are present', async () => {
 			user.emails = [];

@@ -65,7 +65,10 @@ const getUserCalendar = (email: false | IUserEmail | undefined): IUserCalendar =
 	return calendarSettings;
 };
 
-export async function getUserInfo(me: IUser): Promise<
+export async function getUserInfo(
+	me: IUser,
+	pullPreferences = true,
+): Promise<
 	IUser & {
 		email?: string;
 		avatarUrl: string;
@@ -80,10 +83,7 @@ export async function getUserInfo(me: IUser): Promise<
 		email: verifiedEmail ? verifiedEmail.address : undefined,
 		settings: {
 			profile: {},
-			preferences: {
-				...(await getUserPreferences(me)),
-				...userPreferences,
-			},
+			...(pullPreferences && { preferences: { ...(await getUserPreferences(me)), ...userPreferences } }),
 			calendar: getUserCalendar(verifiedEmail),
 		},
 		avatarUrl: getURL(`/avatar/${me.username}`, { cdn: false, full: true }),

@@ -74,6 +74,7 @@ import type { ExtractRoutesFromAPI } from '../ApiClass';
 import { API } from '../api';
 import { getPaginationItems } from '../helpers/getPaginationItems';
 import { getUserFromParams } from '../helpers/getUserFromParams';
+import { getUserInfo } from '../helpers/getUserInfo';
 import { isUserFromParams } from '../helpers/isUserFromParams';
 import { getUploadFormData } from '../lib/getUploadFormData';
 import { isValidQuery } from '../lib/isValidQuery';
@@ -189,7 +190,7 @@ API.v1.addRoute(
 			);
 
 			return API.v1.success({
-				user: await Users.findOneById(this.userId, { projection: API.v1.defaultFieldsToExclude }),
+				user: await getUserInfo((await Users.findOneById(this.userId, { projection: API.v1.defaultFieldsToExclude })) as IUser, false),
 			});
 		},
 	},

@@ -11,10 +11,25 @@ const settingsGetMap = new Map();
 const messagesModelStub = {
 	find: sinon.stub(),
 };
+const usersModelStub = {
+	findOneByIdAndLoginToken: sinon.stub(),
+};
+const subscriptionsModelStub = {
+	findOneByRoomIdAndUserId: sinon.stub(),
+};
+const validateAndDecodeJWTStub = sinon.stub();
+const systemLoggerStub = {
+	error: sinon.stub(),
+};
+const roomCoordinatorStub = {
+	getRoomDirectives: sinon.stub(),
+};
 
 const { FileUpload, FileUploadClass } = proxyquire.noCallThru().load('./FileUpload', {
 	'@rocket.chat/models': {
 		Messages: messagesModelStub,
+		Users: usersModelStub,
+		Subscriptions: subscriptionsModelStub,
 	},
 	'meteor/check': sinon.stub(),
 	'meteor/meteor': sinon.stub(),
@@ -23,14 +38,19 @@ const { FileUpload, FileUploadClass } = proxyquire.noCallThru().load('./FileUplo
 	'stream-buffers': sinon.stub(),
 	'./streamToBuffer': sinon.stub(),
 	'../../../../server/lib/i18n': sinon.stub(),
-	'../../../../server/lib/logger/system': sinon.stub(),
-	'../../../../server/lib/rooms/roomCoordinator': sinon.stub(),
+	'../../../../server/lib/logger/system': { SystemLogger: systemLoggerStub },
+	'../../../../server/lib/rooms/roomCoordinator': { roomCoordinator: roomCoordinatorStub },
 	'../../../../server/ufs': sinon.stub(),
 	'../../../../server/ufs/ufs-methods': sinon.stub(),
 	'../../../settings/server': { settings: settingsStub },
 	'../../../utils/lib/mimeTypes': sinon.stub(),
-	'../../../utils/server/lib/JWTHelper': sinon.stub(),
+	'../../../utils/server/lib/JWTHelper': {
+		validateAndDecodeJWT: validateAndDecodeJWTStub,
+		generateJWT: sinon.stub(),
+	},
 	'../../../utils/server/restrictions': sinon.stub(),
+	'../../../api/server/lib/MultipartUploadHandler': sinon.stub(),
+	'@rocket.chat/account-utils': { hashLoginToken: sinon.stub().callsFake((token) => `hashed_${token}`) },
 });
 
 describe('FileUpload', () => {
@@ -44,6 +64,13 @@ describe('FileUpload', () => {
 		messagesModelStub.find.reset();
 		fakeStorageModel.findOneById.reset();
 		fakeStorageModel.deleteFile.reset();
+		usersModelStub.findOneByIdAndLoginToken.reset();
+		subscriptionsModelStub.findOneByRoomIdAndUserId.reset();
+		validateAndDecodeJWTStub.reset();
+		systemLoggerStub.error.reset();
+		roomCoordinatorStub.getRoomDirectives.reset();
+		settingsGetMap.clear();
+		settingsGetMap.set('FileUpload_Storage_Type', 'fakeStorage');
 	});
 
 	it('should not remove any file if no room id is provided', async () => {
@@ -100,4 +127,165 @@ describe('FileUpload', () => {
 		expect(fakeStorageModel.deleteFile.calledWith('file-id')).to.be.true;
 		expect(fakeStorageModel.deleteFile.calledWith('thumbnail-id')).to.be.true;
 	});
+
+	describe('requestCanAccessFiles', () => {
+		it('should allow access if FileUpload_ProtectFiles is false', async () => {
+			settingsGetMap.set('FileUpload_ProtectFiles', false);
+
+			const request = {
+				headers: {},
+				url: '/file-upload/test-file-id/test-file.png',
+			} as any;
+
+			const result = await FileUpload.requestCanAccessFiles(request);
+			expect(result).to.be.true;
+		});
+
+		it('should allow access if no url is provided', async () => {
+			settingsGetMap.set('FileUpload_ProtectFiles', true);
+
+			const request = {
+				headers: {},
+				url: undefined,
+			} as any;
+
+			const result = await FileUpload.requestCanAccessFiles(request);
+			expect(result).to.be.true;
+		});
+
+		it('should deny access if FileUpload_Enable_json_web_token_for_files is true but no token is provided', async () => {
+			settingsGetMap.set('FileUpload_ProtectFiles', true);
+			settingsGetMap.set('FileUpload_Enable_json_web_token_for_files', true);
+
+			const request = {
+				headers: {},
+				url: '/file-upload/test-file-id/test-file.png',
+			} as any;
+
+			const file = {
+				_id: 'test-file-id',
+				rid: 'test-room-id',
+			} as any;
+
+			const result = await FileUpload.requestCanAccessFiles(request, file);
+			expect(result).to.be.false;
+		});
+
+		it('should deny access if FileUpload_json_web_token_secret_for_files is not configured', async () => {
+			settingsGetMap.set('FileUpload_ProtectFiles', true);
+			settingsGetMap.set('FileUpload_Enable_json_web_token_for_files', true);
+			settingsGetMap.set('FileUpload_json_web_token_secret_for_files', '');
+
+			const request = {
+				headers: {},
+				url: '/file-upload/test-file-id/test-file.png?token=some-token',
+			} as any;
+
+			const file = {
+				_id: 'test-file-id',
+				rid: 'test-room-id',
+			} as any;
+
+			const result = await FileUpload.requestCanAccessFiles(request, file);
+			expect(result).to.be.false;
+			expect(systemLoggerStub.error.calledOnce).to.be.true;
+		});
+
+		it('should deny access if an invalid token is provided', async () => {
+			settingsGetMap.set('FileUpload_ProtectFiles', true);
+			settingsGetMap.set('FileUpload_Enable_json_web_token_for_files', true);
+			settingsGetMap.set('FileUpload_json_web_token_secret_for_files', 'test-secret');
+			validateAndDecodeJWTStub.returns(null);
+
+			const request = {
+				headers: {},
+				url: '/file-upload/test-file-id/test-file.png?token=invalid-token',
+			} as any;
+
+			const file = {
+				_id: 'test-file-id',
+				rid: 'test-room-id',
+			} as any;
+
+			const result = await FileUpload.requestCanAccessFiles(request, file);
+			expect(result).to.be.false;
+			expect(validateAndDecodeJWTStub.calledOnce).to.be.true;
+		});
+
+		it('should deny access if token is invalid or payload cannot be decoded', async () => {
+			settingsGetMap.set('FileUpload_ProtectFiles', true);
+			settingsGetMap.set('FileUpload_Enable_json_web_token_for_files', true);
+			settingsGetMap.set('FileUpload_json_web_token_secret_for_files', 'test-secret');
+			validateAndDecodeJWTStub.returns(null);
+
+			const request = {
+				headers: {},
+				url: '/file-upload/test-file-id/test-file.png?token=valid-token',
+			} as any;
+
+			const file = {
+				_id: 'test-file-id',
+				rid: 'test-room-id',
+			} as any;
+
+			const result = await FileUpload.requestCanAccessFiles(request, file);
+			expect(result).to.be.false;
+		});
+
+		it('should deny access if the fileId and rid in the token do not match the requested file', async () => {
+			settingsGetMap.set('FileUpload_ProtectFiles', true);
+			settingsGetMap.set('FileUpload_Enable_json_web_token_for_files', true);
+			settingsGetMap.set('FileUpload_json_web_token_secret_for_files', 'test-secret');
+			validateAndDecodeJWTStub.returns({ fileId: 'different-file-id', rid: 'different-room-id', userId: 'test-user-id' });
+
+			const request = {
+				headers: {},
+				url: '/file-upload/test-file-id/test-file.png?token=valid-token',
+			} as any;
+
+			const file = {
+				_id: 'test-file-id',
+				rid: 'test-room-id',
+			} as any;
+
+			const result = await FileUpload.requestCanAccessFiles(request, file);
+			expect(result).to.be.false;
+		});
+
+		it('should deny access if file object is not provided when using JWT', async () => {
+			settingsGetMap.set('FileUpload_ProtectFiles', true);
+			settingsGetMap.set('FileUpload_Enable_json_web_token_for_files', true);
+			settingsGetMap.set('FileUpload_json_web_token_secret_for_files', 'test-secret');
+			validateAndDecodeJWTStub.returns({ fileId: 'test-file-id', rid: 'test-room-id', userId: 'test-user-id' });
+
+			const request = {
+				headers: {},
+				url: '/file-upload/test-file-id/test-file.png?token=valid-token',
+			} as any;
+
+			const result = await FileUpload.requestCanAccessFiles(request, undefined);
+			expect(result).to.be.false;
+		});
+
+		it('should allow access when everything is valid: token is valid, secret configured, and file/room match', async () => {
+			settingsGetMap.set('FileUpload_ProtectFiles', true);
+			settingsGetMap.set('FileUpload_Enable_json_web_token_for_files', true);
+			settingsGetMap.set('FileUpload_json_web_token_secret_for_files', 'test-secret');
+			validateAndDecodeJWTStub.returns({ fileId: 'test-file-id', rid: 'test-room-id', userId: 'test-user-id' });
+
+			const request = {
+				headers: {},
+				url: '/file-upload/test-file-id/test-file.png?token=valid-token',
+			} as any;
+
+			const file = {
+				_id: 'test-file-id',
+				rid: 'test-room-id',
+			} as any;
+
+			const result = await FileUpload.requestCanAccessFiles(request, file);
+			expect(result).to.be.true;
+			expect(validateAndDecodeJWTStub.calledOnceWith('valid-token', 'test-secret')).to.be.true;
+		});
+	});
 });