
Release 8.2.1 #39511

Merged: rocketchat-github-ci merged 4 commits into master from release-8.2.1 on Mar 16, 2026

Conversation

rocketchat-github-ci (Collaborator) commented Mar 10, 2026

Summary by CodeRabbit

  • Chores

    • Bumped package patch version and updated CI manifest publishing/retention.
  • Security

    • Improved SSRF validation handling for OAuth endpoints.
  • Authentication

    • Simplified OAuth token extraction and handling.
  • Tests

    • Added end-to-end tests for malformed access_token payloads on /me requests.

You can see below a preview of the release change log:

8.2.1

Engine versions

  • Node: 22.16.0
  • Deno: 1.43.5
  • MongoDB: 8.0
  • Apps-Engine: 1.60.0

Patch Changes

  • (#39508 by @dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)

  • Bump @rocket.chat/meteor version.

  • (#39517 by @dionisio-bot) Fixes ssrf validation for oauth endpoints, which allows internal endpoints to be used during the auth flow.

  • Updated dependencies []:
    • @rocket.chat/core-typings@8.2.1
    • @rocket.chat/rest-typings@8.2.1
    • @rocket.chat/abac@0.1.5
    • @rocket.chat/federation-matrix@0.0.14
    • @rocket.chat/license@1.1.12
    • @rocket.chat/media-calls@0.2.5
    • @rocket.chat/omnichannel-services@0.3.49
    • @rocket.chat/pdf-worker@0.3.31
    • @rocket.chat/presence@0.2.52
    • @rocket.chat/api-client@0.2.52
    • @rocket.chat/apps@0.6.5
    • @rocket.chat/core-services@0.13.1
    • @rocket.chat/cron@0.1.52
    • @rocket.chat/fuselage-ui-kit@28.0.1
    • @rocket.chat/gazzodown@28.0.1
    • @rocket.chat/http-router@7.9.19
    • @rocket.chat/message-types@0.1.0
    • @rocket.chat/model-typings@2.1.1
    • @rocket.chat/ui-avatar@24.0.1
    • @rocket.chat/ui-client@28.0.1
    • @rocket.chat/ui-contexts@28.0.1
    • @rocket.chat/ui-voip@18.0.1
    • @rocket.chat/web-ui-registration@28.0.1
    • @rocket.chat/models@2.1.1
    • @rocket.chat/server-cloud-communication@0.0.2
    • @rocket.chat/network-broker@0.2.31
    • @rocket.chat/omni-core-ee@0.0.17
    • @rocket.chat/ui-theming@0.4.4
    • @rocket.chat/ui-video-conf@28.0.1
    • @rocket.chat/instance-status@0.1.52
    • @rocket.chat/omni-core@0.0.17
    • @rocket.chat/server-fetch@0.1.1

changeset-bot bot commented Mar 10, 2026

🦋 Changeset detected

Latest commit: 72f9768

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 41 packages
Name Type
@rocket.chat/meteor Patch
@rocket.chat/core-typings Patch
@rocket.chat/rest-typings Patch
@rocket.chat/uikit-playground Patch
@rocket.chat/api-client Patch
@rocket.chat/apps Patch
@rocket.chat/core-services Patch
@rocket.chat/cron Patch
@rocket.chat/ddp-client Patch
@rocket.chat/fuselage-ui-kit Patch
@rocket.chat/gazzodown Patch
@rocket.chat/http-router Patch
@rocket.chat/livechat Patch
@rocket.chat/model-typings Patch
@rocket.chat/ui-avatar Patch
@rocket.chat/ui-client Patch
@rocket.chat/ui-contexts Patch
@rocket.chat/ui-voip Patch
@rocket.chat/web-ui-registration Patch
@rocket.chat/account-service Patch
@rocket.chat/authorization-service Patch
@rocket.chat/ddp-streamer Patch
@rocket.chat/omnichannel-transcript Patch
@rocket.chat/presence-service Patch
@rocket.chat/queue-worker Patch
@rocket.chat/abac Patch
@rocket.chat/federation-matrix Patch
@rocket.chat/license Patch
@rocket.chat/media-calls Patch
@rocket.chat/omnichannel-services Patch
@rocket.chat/pdf-worker Patch
@rocket.chat/presence Patch
rocketchat-services Patch
@rocket.chat/models Patch
@rocket.chat/network-broker Patch
@rocket.chat/omni-core-ee Patch
@rocket.chat/mock-providers Patch
@rocket.chat/ui-video-conf Patch
@rocket.chat/instance-status Patch
@rocket.chat/omni-core Patch
@rocket.chat/server-fetch Patch


dionisio-bot bot (Contributor) commented Mar 10, 2026

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label
  • This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

coderabbitai bot (Contributor) commented Mar 10, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2b62ebce-e046-4e2b-837f-fb76d4b02c3b

📥 Commits

Reviewing files that changed from the base of the PR and between 3b0e799 and 72f9768.

📒 Files selected for processing (1)
  • .github/actions/build-docker/action.yml
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: 📦 Build Packages
  • GitHub Check: update-pr
  • GitHub Check: CodeQL-Build
  • GitHub Check: CodeQL-Build
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 0
File: :0-0
Timestamp: 2026-02-24T19:05:56.710Z
Learning: Rocket.Chat repo context: When a workspace manifest on develop already pins a dependency version (e.g., packages/web-ui-registration → "rocket.chat/ui-contexts": "27.0.1"), a lockfile change in a feature PR that upgrades only that dependency’s resolution is considered a manifest-driven sync and can be kept, preferably as a small "chore: sync yarn.lock with manifests" commit.
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 0
File: :0-0
Timestamp: 2026-02-24T19:05:56.710Z
Learning: In Rocket.Chat PRs, keep feature PRs free of unrelated lockfile-only dependency bumps; prefer reverting lockfile drift or isolating such bumps into a separate "chore" commit/PR, and always use yarn install --immutable with the Yarn version pinned in package.json via Corepack.
Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 38068
File: apps/meteor/tests/data/apps/app-packages/README.md:14-16
Timestamp: 2026-01-08T15:03:59.621Z
Learning: For the RocketChat/Rocket.Chat repository, do not analyze or report formatting issues (such as hard tabs vs spaces, line breaks, etc.). The project relies on automated linting tools to enforce formatting standards.
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:26:01.702Z
Learning: The RocketChat/Rocket.Chat project does not use Biome for linting, despite the presence of a biome.json file in the repository. Lint-related suggestions should not reference Biome rules.
Learnt from: cardoso
Repo: RocketChat/Rocket.Chat PR: 36942
File: apps/meteor/client/lib/e2ee/keychain.ts:148-156
Timestamp: 2025-10-16T21:09:51.816Z
Learning: In the RocketChat/Rocket.Chat repository, only platforms with native crypto.randomUUID() support are targeted, so fallback implementations for crypto.randomUUID() are not required in E2EE or cryptographic code.
Learnt from: MartinSchoeler
Repo: RocketChat/Rocket.Chat PR: 37408
File: apps/meteor/client/views/admin/ABAC/useRoomAttributeOptions.tsx:53-69
Timestamp: 2025-11-10T19:06:20.146Z
Learning: In the Rocket.Chat repository, do not provide suggestions or recommendations about code sections marked with TODO comments. The maintainers have already identified these as future work and external reviewers lack the full context about implementation plans and timing.
Learnt from: ggazzo
Repo: RocketChat/Rocket.Chat PR: 35995
File: apps/meteor/app/api/server/v1/rooms.ts:1107-1112
Timestamp: 2026-02-23T17:53:18.785Z
Learning: In Rocket.Chat PR reviews, maintain strict scope boundaries—when a PR is focused on a specific endpoint (e.g., rooms.favorite), avoid reviewing or suggesting changes to other endpoints that were incidentally refactored (e.g., rooms.invite) unless explicitly requested by maintainers.
Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 37547
File: packages/i18n/src/locales/en.i18n.json:634-634
Timestamp: 2025-11-19T12:32:29.696Z
Learning: Repo: RocketChat/Rocket.Chat
Context: i18n workflow
Learning: In this repository, new translation keys should be added to packages/i18n/src/locales/en.i18n.json only; other locale files are populated via the external translation pipeline and/or fall back to English. Do not request adding the same key to all locale files in future reviews.
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38974
File: apps/meteor/app/api/server/v1/im.ts:220-221
Timestamp: 2026-02-24T19:09:09.561Z
Learning: In RocketChat/Rocket.Chat OpenAPI migration PRs for apps/meteor/app/api/server/v1 endpoints, maintainers prefer to avoid any logic changes; style-only cleanups (like removing inline comments) may be deferred to follow-ups to keep scope tight.
🔇 Additional comments (1)
.github/actions/build-docker/action.yml (1)

167-172: LGTM! Correctly enables multi-arch manifest uploads.

Removing the && inputs.arch == 'amd64' restriction allows both arm64 and amd64 builds to upload their manifests. Since the artifact name at line 170 includes the architecture (manifests-${{ inputs.service }}-${{ inputs.arch }}-${{ inputs.type }}), there's no collision between concurrent uploads. The downstream build-gh-docker-publish job already handles this correctly via pattern: manifests-* with merge-multiple: true.


Walkthrough

Adds three changeset files; disables SSRF validation on custom OAuth token/identity fetches; refactors OAuth2 auth extraction to accept a simplified { authorization, accessToken } input across middleware and server; adds end-to-end tests for malformed access_token payloads; updates GitHub Action manifest artifact conditions and retention.

Changes

Cohort / File(s) / Summary

Changesets
  • Files: .changeset/bump-patch-1773156283920.md, .changeset/unlucky-impalas-matter.md, .changeset/blue-points-dream.md
  • Summary: Three new changeset files added declaring patch bumps for @rocket.chat/meteor; one references an SSRF-related fix and another includes a Security Hotfix header.

Custom OAuth server
  • Files: apps/meteor/app/custom-oauth/server/custom_oauth_server.js
  • Summary: Adds ignoreSsrfValidation: true to the POST token and GET identity fetches (security comment added).

Authentication middleware
  • Files: apps/meteor/app/api/server/middlewares/authentication.ts
  • Summary: Extracts authorization from the headers and access_token from the query (string only), deletes access_token from the query, and calls oAuth2ServerAuth with { authorization, accessToken }.

OAuth2 server logic
  • Files: apps/meteor/app/oauth2-server-config/server/oauth/oauth2-server.ts
  • Summary: Changes the oAuth2ServerAuth signature to accept { authorization?: string; accessToken?: string }; token extraction/validation now use authorization or accessToken; the prior headers/query object handling is removed.

End-to-end tests
  • Files: apps/meteor/tests/end-to-end/api/oauth-server.ts
  • Summary: Adds tests asserting that /me returns 401 for multiple malformed access_token query payloads and for an invalid token string.

CI action
  • Files: .github/actions/build-docker/action.yml
  • Summary: The upload-artifact condition now triggers when inputs.publish-image == 'true' regardless of arch; artifact retention-days increased from 1 to 5.

Sequence Diagram(s)

```mermaid
sequenceDiagram
participant Client as Client (browser/API)
participant Middleware as Authentication Middleware
participant OAuthServer as OAuth2 Server Auth
participant UserDB as User / Token Store

Client->>Middleware: Request with Authorization header or access_token query
Middleware->>OAuthServer: oAuth2ServerAuth({ authorization, accessToken })
OAuthServer->>UserDB: Validate token (lookup, expiry)
UserDB-->>OAuthServer: Token valid / invalid
OAuthServer-->>Middleware: return IUser | undefined
Middleware-->>Client: allow request or 401 response

%% Note: custom-oauth fetches use ignoreSsrfValidation flag when obtaining token/identity
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

type: bug, area: authentication, area: oauth, type: security, type: tests

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 33.33%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

  • Description Check: ✅ Passed. Check skipped because CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'Release 8.2.1' directly summarizes the main objective of the PR, which is to release version 8.2.1 with security hotfixes and dependency updates.

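The middleware and oAuth2ServerAuth changes summarised in the walkthrough above, as an added TypeScript example. This is not Rocket.Chat's code: the function names (extractAuthInput, resolveBearerToken, authenticate, runScenarios), the constructed token store (TOKENS, USERS) and the request shape are assumptions. It shows the defensive point of the change: the Authorization header is forwarded as-is, the access_token query value is accepted only when the query parser produced a plain string (arrays, objects and numbers are dropped) and is then deleted from the query, and the resolver accepts only the Bearer scheme, which the review context on this page records as the only scheme this flow expects. Treating a present-but-non-Bearer header as a failure instead of falling back to the query token is this example's own choice.

```typescript
// Added example, not Rocket.Chat code. Names and the token store are assumptions.

type QueryValue = string | string[] | Record<string, unknown> | number | undefined;

interface IncomingRequestLike {
  headers: Record<string, string | undefined>;
  query: Record<string, QueryValue>;
}

// Shape the PR gives for oAuth2ServerAuth's input.
interface AuthInput {
  authorization?: string;
  accessToken?: string;
}

interface IUser {
  _id: string;
  username: string;
}

// Constructed stand-in for the token store; real code would query the database.
const TOKENS: Record<string, { userId: string; expiresAt: number }> = {
  'tok-valid': { userId: 'u1', expiresAt: Date.now() + 60_000 },
  'tok-expired': { userId: 'u1', expiresAt: Date.now() - 1 },
};
const USERS: Record<string, IUser> = { u1: { _id: 'u1', username: 'alice' } };

// Middleware step: forward the Authorization header as-is, but accept
// access_token only when the query parser produced a plain string. Arrays,
// objects and numbers (what bracketed or repeated query keys decode to) are
// dropped instead of being passed on. The key is removed from the query so no
// later handler sees a credential in it.
export function extractAuthInput(req: IncomingRequestLike): AuthInput {
  const authorization = req.headers.authorization;
  const raw = req.query.access_token;
  const accessToken = typeof raw === 'string' ? raw : undefined;
  delete req.query.access_token;
  return { authorization, accessToken };
}

// Token resolution. Only the Bearer scheme is accepted from the header; a header
// that is present but not Bearer is treated as a failed attempt rather than
// falling back to the query token (this example's choice, not necessarily the
// project's). Empty strings count as absent.
export function resolveBearerToken({ authorization, accessToken }: AuthInput): string | undefined {
  if (typeof authorization === 'string' && authorization.length > 0) {
    const match = /^Bearer\s+(\S+)$/i.exec(authorization.trim());
    return match ? match[1] : undefined;
  }
  return accessToken && accessToken.length > 0 ? accessToken : undefined;
}

// Lookup with expiry check; undefined means the caller should answer 401.
export function authenticate(req: IncomingRequestLike): IUser | undefined {
  const token = resolveBearerToken(extractAuthInput(req));
  if (!token) return undefined;
  const record = TOKENS[token];
  if (!record || record.expiresAt <= Date.now()) return undefined;
  return USERS[record.userId];
}

// The cases the added e2e tests describe: malformed access_token payloads and an
// invalid token string must not authenticate. Returns name -> authenticated?
export function runScenarios(): Record<string, boolean> {
  const cases: Record<string, IncomingRequestLike> = {
    validHeader: { headers: { authorization: 'Bearer tok-valid' }, query: {} },
    validQuery: { headers: {}, query: { access_token: 'tok-valid' } },
    arrayPayload: { headers: {}, query: { access_token: ['tok-valid', 'x'] } },
    objectPayload: { headers: {}, query: { access_token: { nested: 'tok-valid' } } },
    numberPayload: { headers: {}, query: { access_token: 42 } },
    invalidToken: { headers: {}, query: { access_token: 'not-a-token' } },
    expiredToken: { headers: { authorization: 'Bearer tok-expired' }, query: {} },
    basicScheme: { headers: { authorization: 'Basic dXNlcjpwYXNz' }, query: { access_token: 'tok-valid' } },
  };
  const result: Record<string, boolean> = {};
  for (const name of Object.keys(cases)) {
    result[name] = authenticate(cases[name] as IncomingRequestLike) !== undefined;
  }
  return result;
}
```

Only validHeader and validQuery authenticate in runScenarios(); every malformed, invalid, expired or non-Bearer case yields undefined, which the real middleware would turn into a 401.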

cubic-dev-ai bot (Contributor) left a comment

No issues found across 2 files

codecov bot commented Mar 10, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.60%. Comparing base (f2a05ce) to head (72f9768).
⚠️ Report is 5 commits behind head on master.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##           master   #39511      +/-   ##
==========================================
+ Coverage   70.59%   70.60%   +0.01%     
==========================================
  Files        3188     3188              
  Lines      112623   112623              
  Branches    20402    20402              
==========================================
+ Hits        79502    79516      +14     
+ Misses      31071    31053      -18     
- Partials     2050     2054       +4     
Flag coverage (Δ):
  • e2e: 60.37% <ø> (-0.01%) ⬇️
  • e2e-api: 48.82% <ø> (+0.93%) ⬆️


Co-authored-by: Kevin Aleman <kaleman960@gmail.com>
coderabbitai bot (Contributor) left a comment

🧹 Nitpick comments (1)
.changeset/unlucky-impalas-matter.md (1)

1-5: Consider clarifying the changeset description.

The current wording "Fixes ssrf validation" could be misread as fixing a bug in SSRF validation, when the actual change is intentionally disabling SSRF checks for admin-configured OAuth endpoints. A clearer phrasing might be:

Disables SSRF validation for OAuth endpoints since URLs are admin-configured, allowing internal identity providers.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.changeset/unlucky-impalas-matter.md around lines 1 - 5, Update the
changeset description to clearly state that SSRF checks are being disabled for
admin-configured OAuth endpoints rather than implying a bugfix to SSRF
validation; replace "Fixes `ssrf` validation for oauth endpoints, which allows
internal endpoints to be used during the auth flow." with a clearer sentence
such as "Disables SSRF validation for OAuth endpoints since URLs are
admin-configured, allowing internal identity providers." so readers understand
the intent is to permit admin-provided internal endpoints.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7414bd99-d219-4e75-adb9-f1227dcde03b

📥 Commits

Reviewing files that changed from the base of the PR and between 553ca59 and 375476a.

📒 Files selected for processing (2)
  • .changeset/unlucky-impalas-matter.md
  • apps/meteor/app/custom-oauth/server/custom_oauth_server.js
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: update-pr
  • GitHub Check: CodeQL-Build
  • GitHub Check: CodeQL-Build
🧰 Additional context used
📓 Path-based instructions (1)
**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

  • apps/meteor/app/custom-oauth/server/custom_oauth_server.js
🧠 Learnings (6)
📓 Common learnings
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38974
File: apps/meteor/app/api/server/v1/im.ts:220-221
Timestamp: 2026-02-24T19:09:09.561Z
Learning: In RocketChat/Rocket.Chat OpenAPI migration PRs for apps/meteor/app/api/server/v1 endpoints, maintainers prefer to avoid any logic changes; style-only cleanups (like removing inline comments) may be deferred to follow-ups to keep scope tight.
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 0
File: :0-0
Timestamp: 2026-02-24T19:05:56.710Z
Learning: In Rocket.Chat PRs, keep feature PRs free of unrelated lockfile-only dependency bumps; prefer reverting lockfile drift or isolating such bumps into a separate "chore" commit/PR, and always use yarn install --immutable with the Yarn version pinned in package.json via Corepack.
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 0
File: :0-0
Timestamp: 2026-02-24T19:05:56.710Z
Learning: Rocket.Chat repo context: When a workspace manifest on develop already pins a dependency version (e.g., packages/web-ui-registration → "rocket.chat/ui-contexts": "27.0.1"), a lockfile change in a feature PR that upgrades only that dependency’s resolution is considered a manifest-driven sync and can be kept, preferably as a small "chore: sync yarn.lock with manifests" commit.
Learnt from: ggazzo
Repo: RocketChat/Rocket.Chat PR: 35995
File: apps/meteor/app/api/server/v1/rooms.ts:1107-1112
Timestamp: 2026-02-23T17:53:18.785Z
Learning: In Rocket.Chat PR reviews, maintain strict scope boundaries—when a PR is focused on a specific endpoint (e.g., rooms.favorite), avoid reviewing or suggesting changes to other endpoints that were incidentally refactored (e.g., rooms.invite) unless explicitly requested by maintainers.
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38913
File: packages/ddp-client/src/legacy/types/SDKLegacy.ts:34-34
Timestamp: 2026-02-25T20:10:16.987Z
Learning: In the RocketChat/Rocket.Chat monorepo, packages/ddp-client and apps/meteor do not use TypeScript project references. Module augmentations in apps/meteor (e.g., declare module 'rocket.chat/rest-typings') are not visible when compiling packages/ddp-client in isolation, which is why legacy SDK methods that depend on OperationResult types for OpenAPI-migrated endpoints must remain commented out.
Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 38068
File: apps/meteor/tests/data/apps/app-packages/README.md:14-16
Timestamp: 2026-01-08T15:03:59.621Z
Learning: For the RocketChat/Rocket.Chat repository, do not analyze or report formatting issues (such as hard tabs vs spaces, line breaks, etc.). The project relies on automated linting tools to enforce formatting standards.
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:26:01.702Z
Learning: The RocketChat/Rocket.Chat project does not use Biome for linting, despite the presence of a biome.json file in the repository. Lint-related suggestions should not reference Biome rules.
Learnt from: cardoso
Repo: RocketChat/Rocket.Chat PR: 36942
File: apps/meteor/client/lib/e2ee/keychain.ts:148-156
Timestamp: 2025-10-16T21:09:51.816Z
Learning: In the RocketChat/Rocket.Chat repository, only platforms with native crypto.randomUUID() support are targeted, so fallback implementations for crypto.randomUUID() are not required in E2EE or cryptographic code.
Learnt from: MartinSchoeler
Repo: RocketChat/Rocket.Chat PR: 37408
File: apps/meteor/client/views/admin/ABAC/useRoomAttributeOptions.tsx:53-69
Timestamp: 2025-11-10T19:06:20.146Z
Learning: In the Rocket.Chat repository, do not provide suggestions or recommendations about code sections marked with TODO comments. The maintainers have already identified these as future work and external reviewers lack the full context about implementation plans and timing.
Learnt from: d-gubert
Repo: RocketChat/Rocket.Chat PR: 37547
File: packages/i18n/src/locales/en.i18n.json:634-634
Timestamp: 2025-11-19T12:32:29.696Z
Learning: Repo: RocketChat/Rocket.Chat
Context: i18n workflow
Learning: In this repository, new translation keys should be added to packages/i18n/src/locales/en.i18n.json only; other locale files are populated via the external translation pipeline and/or fall back to English. Do not request adding the same key to all locale files in future reviews.
📚 Learning: 2026-03-09T23:46:48.340Z
Learnt from: ricardogarim
Repo: RocketChat/Rocket.Chat PR: 39492
File: apps/meteor/app/oauth2-server-config/server/oauth/oauth2-server.ts:22-24
Timestamp: 2026-03-09T23:46:48.340Z
Learning: In `apps/meteor/app/oauth2-server-config/server/oauth/oauth2-server.ts`, the `oAuth2ServerAuth` function's `authorization` field in `partialRequest` is exclusively expected to carry Bearer tokens. Basic authentication is not supported in this OAuth flow, so there is no need to guard against non-Bearer schemes when extracting the token from the `Authorization` header.

Applied to files:

  • apps/meteor/app/custom-oauth/server/custom_oauth_server.js
📚 Learning: 2026-02-24T19:09:09.561Z
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38974
File: apps/meteor/app/api/server/v1/im.ts:220-221
Timestamp: 2026-02-24T19:09:09.561Z
Learning: In RocketChat/Rocket.Chat OpenAPI migration PRs for apps/meteor/app/api/server/v1 endpoints, maintainers prefer to avoid any logic changes; style-only cleanups (like removing inline comments) may be deferred to follow-ups to keep scope tight.

Applied to files:

  • apps/meteor/app/custom-oauth/server/custom_oauth_server.js
  • .changeset/unlucky-impalas-matter.md
📚 Learning: 2026-03-09T21:20:07.542Z
Learnt from: pierre-lehnen-rc
Repo: RocketChat/Rocket.Chat PR: 39386
File: apps/meteor/server/services/push/tokenManagement/findDocumentToUpdate.ts:12-15
Timestamp: 2026-03-09T21:20:07.542Z
Learning: In `apps/meteor/server/services/push/tokenManagement/findDocumentToUpdate.ts`, the early return `if (data.voipToken) return null` (Lines 13-15) is intentionally correct. VoIP token updates always include an `_id`, so they are handled by the `_id` lookup block above (Lines 5-9) and never reach this guard. The guard is only a safety net for edge cases where `_id` is absent or no document was found, preventing an incorrect `token + appName` fallback match for VoIP-only payloads.

Applied to files:

  • apps/meteor/app/custom-oauth/server/custom_oauth_server.js
📚 Learning: 2026-01-17T01:51:47.764Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 38219
File: packages/core-typings/src/cloud/Announcement.ts:5-6
Timestamp: 2026-01-17T01:51:47.764Z
Learning: In packages/core-typings/src/cloud/Announcement.ts, the AnnouncementSchema.createdBy field intentionally overrides IBannerSchema.createdBy (object with _id and optional username) with a string enum ['cloud', 'system'] to match existing runtime behavior. This is documented as technical debt with a FIXME comment at apps/meteor/app/cloud/server/functions/syncWorkspace/handleCommsSync.ts:53 and should not be flagged as an error until the runtime behavior is corrected.

Applied to files:

  • apps/meteor/app/custom-oauth/server/custom_oauth_server.js
📚 Learning: 2026-02-24T19:05:56.710Z
Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 0
File: :0-0
Timestamp: 2026-02-24T19:05:56.710Z
Learning: Rocket.Chat repo context: When a workspace manifest on develop already pins a dependency version (e.g., packages/web-ui-registration → "rocket.chat/ui-contexts": "27.0.1"), a lockfile change in a feature PR that upgrades only that dependency’s resolution is considered a manifest-driven sync and can be kept, preferably as a small "chore: sync yarn.lock with manifests" commit.

Applied to files:

  • .changeset/unlucky-impalas-matter.md
🔇 Additional comments (2)
apps/meteor/app/custom-oauth/server/custom_oauth_server.js (2)

138-145: LGTM!

The SSRF validation bypass is appropriate here since tokenPath is admin-configured, and the security comment clearly documents this trust model. This enables OAuth flows with internal identity providers in enterprise environments.


178-180: LGTM!

Consistent with the token fetch change—disabling SSRF validation for the admin-configured identityPath is appropriate. The security comment accurately captures the rationale.
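The trust model the two review comments above describe, as an added TypeScript example that is not Rocket.Chat or @rocket.chat/server-fetch code: an SSRF destination check that refuses loopback, private, link-local and unspecified IPv4 ranges plus IPv6 loopback, and a fetch-policy function that honours an ignoreSsrfValidation flag only when the URL originates from an admin setting (the situation of the admin-configured tokenPath and identityPath discussed above). The names (evaluateFetch, isInternalHost, the origin field) and the rule tying the flag to the URL's origin are assumptions of this example; DNS resolution of hostnames is left out so the code runs offline, and the comment in the code says what that omission costs.

```typescript
// Added example, not Rocket.Chat or @rocket.chat/server-fetch code. Names are assumptions.

export interface SsrfVerdict {
  allowed: boolean;
  reason: string;
}

type IPv4 = [number, number, number, number];

function parseIPv4(host: string): IPv4 | undefined {
  const parts = host.split('.');
  if (parts.length !== 4) return undefined;
  const octets = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : -1));
  if (!octets.every((n) => n >= 0 && n <= 255)) return undefined;
  return octets as IPv4;
}

// Ranges a server-side fetch should never be steered into from untrusted input:
// 0.0.0.0/8, 10/8, 127/8, 169.254/16 (link-local, where cloud metadata services
// live), 172.16/12 and 192.168/16.
export function isInternalIPv4(host: string): boolean {
  const o = parseIPv4(host);
  if (!o) return false;
  const [a, b] = o;
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168)
  );
}

// Hostname-level check. URL.hostname keeps IPv6 literals in brackets, so those
// are stripped first. Names that are not IP literals are treated as external
// here; production code must resolve them (and pin the resolved address for the
// actual connection) before deciding, otherwise a name that resolves to an
// internal address slips through.
export function isInternalHost(hostname: string): boolean {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, '');
  if (h === 'localhost' || h.endsWith('.localhost')) return true;
  if (h === '::1' || h === '::') return true;
  return isInternalIPv4(h);
}

export interface FetchPolicyInput {
  url: string;
  // Where the URL came from: an admin setting (e.g. an OAuth tokenPath or
  // identityPath) or request input.
  origin: 'admin-setting' | 'user-input';
  ignoreSsrfValidation?: boolean;
}

// Decides whether an outbound fetch may proceed. The bypass flag is honoured only
// for admin-configured URLs (this example's rule; the PR's changed call sites are
// exactly such admin-configured endpoints). Non-HTTP schemes are refused even then.
export function evaluateFetch(input: FetchPolicyInput): SsrfVerdict {
  let parsed: URL;
  try {
    parsed = new URL(input.url);
  } catch {
    return { allowed: false, reason: 'invalid URL' };
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return { allowed: false, reason: `scheme ${parsed.protocol} not permitted` };
  }
  if (input.ignoreSsrfValidation) {
    if (input.origin !== 'admin-setting') {
      return { allowed: false, reason: 'ignoreSsrfValidation is only honoured for admin-configured URLs' };
    }
    return { allowed: true, reason: 'admin-configured endpoint; SSRF check intentionally skipped' };
  }
  if (isInternalHost(parsed.hostname)) {
    return { allowed: false, reason: `destination ${parsed.hostname} is an internal address` };
  }
  return { allowed: true, reason: 'public destination' };
}
```

Because the check runs on URL.hostname after WHATWG parsing, shorthand IPv4 forms such as 127.1 are already normalised to 127.0.0.1 before they reach isInternalHost; the part a real deployment still has to add is the DNS-resolution step noted in the comments.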

Co-authored-by: Yasmim Nagat <117310290+yasnagat@users.noreply.github.com>
Co-authored-by: Ricardo Garim <rswarovsky@gmail.com>
Co-authored-by: Julio Araujo <julio.araujo@rocket.chat>
@dionisio-bot dionisio-bot bot requested a review from a team as a code owner March 11, 2026 11:14
Co-authored-by: Debdut Chakraborty <debdut.chakraborty@rocket.chat>
@ggazzo ggazzo requested a review from a team as a code owner March 13, 2026 21:17
@rocketchat-github-ci rocketchat-github-ci merged commit 72f9768 into master Mar 16, 2026
44 of 46 checks passed
@rocketchat-github-ci rocketchat-github-ci deleted the release-8.2.1 branch March 16, 2026 18:40