fix(fips): replace md5 with sha256 for 2fa fingerprint

[cardoso]

Proposed changes (including videos or screenshots)

Issue(s)

Steps to test or reproduce

Further comments

Task: FIPS-9

Summary by CodeRabbit

• Updates
  • Connection fingerprinting behavior adjusted: a stronger fingerprinting method is now used when the system is in high-security mode; behavior remains unchanged otherwise. Existing verified connections may be affected; you may need to re-verify trusted devices and sessions.

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label
• This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: 48b45fa

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 204eeafc-e12d-4963-964d-483ab2da0663

📥 Commits

Reviewing files that changed from the base of the PR and between 3f6b321 and 48b45fa.

📒 Files selected for processing (1)

• apps/meteor/app/2fa/server/code/index.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• apps/meteor/app/2fa/server/code/index.ts

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: 📦 Build Packages
• GitHub Check: CodeQL-Build
• GitHub Check: CodeQL-Build

---

Walkthrough

The change makes fingerprint hashing conditional: when crypto.getFips() is true the code uses SHA-256, otherwise it uses MD5; previously MD5 was always used. No other logic or exported signatures changed.

Changes

Cohort / File(s)	Summary
2FA Fingerprint Hash Algorithm apps/meteor/app/2fa/server/code/index.ts	Fingerprint generation now selects sha256 if crypto.getFips() returns true, otherwise md5; prior behavior always used md5.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

type: bug, area: authentication

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: replacing MD5 with SHA-256 for 2FA fingerprint generation to achieve FIPS compliance.
Linked Issues check	✅ Passed	The PR implements the FIPS-9 objective by replacing MD5 with SHA-256 for 2FA fingerprint generation as required.
Out of Scope Changes check	✅ Passed	The changes are narrowly focused on updating fingerprint generation algorithm selection; no unrelated modifications are present.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cardoso]

/jira FIPS-4

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.86%. Comparing base (b8b8611) to head (48b45fa).

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #39262      +/-   ##
===========================================
- Coverage    70.92%   70.86%   -0.07%     
===========================================
  Files         3207     3207              
  Lines       113353   113353              
  Branches     20554    20529      -25     
===========================================
- Hits         80399    80327      -72     
- Misses       30908    30978      +70     
- Partials      2046     2048       +2     

Flag	Coverage Δ
unit	71.53% <ø> (-0.12%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[cubic-dev-ai]

No issues found across 1 file

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apps/meteor/app/2fa/server/code/index.ts (1)

57-64: ⚠️ Potential issue | 🟠 Major

Plan an explicit migration/invalidation path for legacy remembered-device hashes

Changing the fingerprint algorithm at Line 63 invalidates previously stored twoFactorAuthorizedHash values, so the check at Line 114 will reject existing remembered sessions after rollout. Please make this transition explicit (one-off cleanup/migration or versioned hash format + rollout note) to avoid a silent UX break.

Suggested future-proofing for hash format versioning

 function getFingerprintFromConnection(connection: IMethodConnection): string {
 	const data = JSON.stringify({
 		userAgent: connection.httpHeaders['user-agent'],
 		clientAddress: connection.clientAddress,
 	});

-	return crypto.createHash('sha256').update(data).digest('hex');
+	return `sha256:${crypto.createHash('sha256').update(data).digest('hex')}`;
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/meteor/app/2fa/server/code/index.ts` around lines 57 - 64, The new
fingerprint algorithm in getFingerprintFromConnection will invalidate existing
twoFactorAuthorizedHash values; update the code to support a migration path by
implementing a versioned hash format or fallback validation: when verifying a
remembered device (the check that compares twoFactorAuthorizedHash), detect the
hash version (e.g., prefix like "v1:" vs "v2:"), accept legacy hashes by
computing the old algorithm for v1 entries, then on successful legacy validation
re-hash with the new algorithm and store the upgraded "v2:" value (or enqueue a
one-off migration job to rewrite existing records). Ensure
getFingerprintFromConnection is the canonical v2 generator, add a legacy
generator function for the previous algorithm, and update the verification logic
to handle both versions and persist the upgraded hash.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@apps/meteor/app/2fa/server/code/index.ts`:
- Around line 57-64: The new fingerprint algorithm in
getFingerprintFromConnection will invalidate existing twoFactorAuthorizedHash
values; update the code to support a migration path by implementing a versioned
hash format or fallback validation: when verifying a remembered device (the
check that compares twoFactorAuthorizedHash), detect the hash version (e.g.,
prefix like "v1:" vs "v2:"), accept legacy hashes by computing the old algorithm
for v1 entries, then on successful legacy validation re-hash with the new
algorithm and store the upgraded "v2:" value (or enqueue a one-off migration job
to rewrite existing records). Ensure getFingerprintFromConnection is the
canonical v2 generator, add a legacy generator function for the previous
algorithm, and update the verification logic to handle both versions and persist
the upgraded hash.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: aaffdb49-a5a0-4ecb-ba86-551c9253fd2f

📥 Commits

Reviewing files that changed from the base of the PR and between 3a7f517 and 3f6b321.

📒 Files selected for processing (1)

• apps/meteor/app/2fa/server/code/index.ts

📜 Review details

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/app/2fa/server/code/index.ts

🧠 Learnings (4)

📚 Learning: 2025-10-07T15:08:37.419Z

Learnt from: cardoso
Repo: RocketChat/Rocket.Chat PR: 36942
File: apps/meteor/client/lib/e2ee/pbkdf2.ts:13-45
Timestamp: 2025-10-07T15:08:37.419Z
Learning: In apps/meteor/client/lib/e2ee/pbkdf2.ts, PBKDF2 iteration count validation is not enforced because the iterations parameter is outside the user's control and is system-managed.

Applied to files:

• apps/meteor/app/2fa/server/code/index.ts

📚 Learning: 2025-10-07T15:08:37.419Z

Learnt from: cardoso
Repo: RocketChat/Rocket.Chat PR: 36942
File: apps/meteor/client/lib/e2ee/pbkdf2.ts:13-45
Timestamp: 2025-10-07T15:08:37.419Z
Learning: In apps/meteor/client/lib/e2ee/pbkdf2.ts, the team has decided to use Latin-1 encoding (via Binary.toArrayBuffer and Binary.toString) for password encoding and decrypt output instead of UTF-8 encoding. This is a deliberate choice for E2EE password/key material handling.

Applied to files:

• apps/meteor/app/2fa/server/code/index.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/app/2fa/server/code/index.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/app/2fa/server/code/index.ts