chore: properly close websocket connection on device logout

[juliajforesti]

CORE-1847

Proposed changes (including videos or screenshots)

Issue(s)

Steps to test or reproduce

Further comments

Summary by CodeRabbit

• Refactor
  • Simplified force logout mechanism with improved session connection handling.

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: 57e4c74

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9d161967-3ff6-4966-bdf3-ee886d228b5f

📥 Commits

Reviewing files that changed from the base of the PR and between 819399c and 57e4c74.

📒 Files selected for processing (3)

• apps/meteor/client/views/root/hooks/loggedIn/useForceLogout.ts
• apps/meteor/definition/externals/meteor/meteor.d.ts
• apps/meteor/server/modules/listeners/listeners.module.ts

📜 Recent review details

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/server/modules/listeners/listeners.module.ts
• apps/meteor/definition/externals/meteor/meteor.d.ts
• apps/meteor/client/views/root/hooks/loggedIn/useForceLogout.ts

🧠 Learnings (5)

📚 Learning: 2026-02-20T09:04:55.725Z

Learnt from: Shreyas2004wagh
Repo: RocketChat/Rocket.Chat PR: 38681
File: apps/meteor/server/modules/streamer/streamer.module.ts:307-313
Timestamp: 2026-02-20T09:04:55.725Z
Learning: In apps/meteor/server/modules/streamer/streamer.module.ts, the catch block in sendToManySubscriptions intentionally uses SystemLogger.debug (not error or warn) for per-subscription delivery failures to keep logs less noisy, as this was a deliberate design choice reviewed and approved by KevLehman.

Applied to files:

• apps/meteor/server/modules/listeners/listeners.module.ts

📚 Learning: 2026-02-25T20:10:16.987Z

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38913
File: packages/ddp-client/src/legacy/types/SDKLegacy.ts:34-34
Timestamp: 2026-02-25T20:10:16.987Z
Learning: In the RocketChat/Rocket.Chat monorepo, packages/ddp-client and apps/meteor do not use TypeScript project references. Module augmentations in apps/meteor (e.g., declare module 'rocket.chat/rest-typings') are not visible when compiling packages/ddp-client in isolation, which is why legacy SDK methods that depend on OperationResult types for OpenAPI-migrated endpoints must remain commented out.

Applied to files:

• apps/meteor/server/modules/listeners/listeners.module.ts
• apps/meteor/definition/externals/meteor/meteor.d.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/server/modules/listeners/listeners.module.ts
• apps/meteor/definition/externals/meteor/meteor.d.ts
• apps/meteor/client/views/root/hooks/loggedIn/useForceLogout.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/server/modules/listeners/listeners.module.ts
• apps/meteor/definition/externals/meteor/meteor.d.ts
• apps/meteor/client/views/root/hooks/loggedIn/useForceLogout.ts

📚 Learning: 2026-02-10T16:32:42.586Z

Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 38528
File: apps/meteor/client/startup/roles.ts:14-14
Timestamp: 2026-02-10T16:32:42.586Z
Learning: In Rocket.Chat's Meteor client code, DDP streams use EJSON and Date fields arrive as Date objects; do not manually construct new Date() in stream handlers (for example, in sdk.stream()). Only REST API responses return plain JSON where dates are strings, so implement explicit conversion there if needed. Apply this guidance to all TypeScript files under apps/meteor/client to ensure consistent date handling in DDP streams and REST responses.

Applied to files:

• apps/meteor/client/views/root/hooks/loggedIn/useForceLogout.ts

🔇 Additional comments (3)

apps/meteor/client/views/root/hooks/loggedIn/useForceLogout.ts (1)

11-13: LGTM!

The simplification is appropriate. The callback now unconditionally sets forceLogout to true without client-side session validation, which aligns with the server-side changes that handle connection closure via connectionHandle.close(). The server ensures only the correct session receives the notification and has its connection terminated.

apps/meteor/server/modules/listeners/listeners.module.ts (1)

50-56: LGTM!

The implementation correctly handles the user.forceLogout event:

1. Always notifies the user in this instance (for client-side state update)
2. Only attempts to close the connection when sessionId is provided
3. Uses optional chaining (sessions?.connectionHandle.close()) to safely handle cases where the session doesn't exist in this instance's local Map (important for clustered deployments)

This aligns well with the emission sites: sessions/logout.me provides a sessionId for targeted logout, while resetUserE2EKey omits it for broader logout scenarios.

apps/meteor/definition/externals/meteor/meteor.d.ts (1)

42-43: Verify that Meteor.Connection type from @types/meteor includes the close() method.

The connectionHandle in Meteor.server.sessions is typed as Meteor.Connection, but this type is not defined in the augmentation and is externally sourced. The server code in listeners.module.ts (lines 53-54) calls connectionHandle.close(). Ensure that the Meteor.Connection type from @types/meteor v2.9.10 accurately includes the close() method to match the runtime server session behavior.

---

Walkthrough

The changes refactor logout session behavior by removing Meteor-specific validation logic from the client-side force logout handler and implementing server-side connection closure via a session's DDP connection handle. Type definitions are updated to reflect the new connectionHandle property on server sessions.

Changes

Cohort / File(s)	Summary
Client-side logout simplification apps/meteor/client/views/root/hooks/loggedIn/useForceLogout.ts	Simplified force logout callback to set a flag without session ID validation or page reload logic.
Type definitions update apps/meteor/definition/externals/meteor/meteor.d.ts	Added connectionHandle: Meteor.Connection to server sessions type and removed unused _lastSessionId property from IMeteorConnection.
Server-side logout handling apps/meteor/server/modules/listeners/listeners.module.ts	Added logic to close the DDP connection handle when a force logout event is received with a valid sessionId.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

type: chore, area: authentication

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: closing websocket connections on device logout, which aligns with the primary code modifications across all three files.
Linked Issues check	✅ Passed	The PR implements the core requirement from CORE-1847 to shut down DDP/websocket connections on session logout by adding connectionHandle closure logic.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to improving logout session behavior: type definitions were updated, listener logic was added, and force-logout behavior was simplified.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 25.00000% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 70.87%. Comparing base (b8b8611) to head (57e4c74).
⚠️ Report is 2 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #39383      +/-   ##
===========================================
- Coverage    70.92%   70.87%   -0.06%     
===========================================
  Files         3207     3196      -11     
  Lines       113353   113254      -99     
  Branches     20554    20506      -48     
===========================================
- Hits         80399    80272     -127     
- Misses       30908    30932      +24     
- Partials      2046     2050       +4     

Flag	Coverage Δ
e2e	60.41% <100.00%> (-0.01%)	⬇️
e2e-api	47.72% <0.00%> (-0.15%)	⬇️
unit	71.58% <ø> (-0.08%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[cubic-dev-ai]

No issues found across 3 files