Important: Review skipped. Too many files! This PR contains 293 files, which is 143 over the limit of 150.
Files ignored due to path filters: 7. Files selected for processing: 293.
Changeset detected. Latest commit: 468fd59. The changes in this PR will be included in the next version bump. This PR includes no changesets. When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types.
9 issues found across 866 files
Note: This PR contains a large number of files. cubic only reviews up to 75 files per PR, so some files may not have been reviewed.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="apps/meteor/app/api/server/v1/commands.ts">
<violation number="1" location="apps/meteor/app/api/server/v1/commands.ts:79">
P2: `commands.get` always returns `params`, but `cmd.params` can be `undefined`, which violates the declared response schema (`params` must be string when present). Return `params` only when it is a string.</violation>
</file>
<file name=".github/workflows/dedupe-issues.yml">
<violation number="1" location=".github/workflows/dedupe-issues.yml:35">
P2: The Statsig "duplicate_comment_added" event is logged unconditionally (`if: always()`), so failures/non-comment runs are recorded as successful duplicate comments.</violation>
<violation number="2" location=".github/workflows/dedupe-issues.yml:59">
P2: `jq` numeric coercion on a string input can hard-fail the workflow for manual dispatches with non-numeric `issue_number` values.</violation>
</file>
<file name="apps/meteor/app/api/server/ApiClass.ts">
<violation number="1" location="apps/meteor/app/api/server/ApiClass.ts:832">
P1: Bug: When no `x-auth-token` header is present (unauthenticated routes), `authToken` is `null`, so `String(null)` produces `"null"` and `_hashLoginToken` hashes that meaningless string. The old `&&` guard prevented this. Restore the guard to avoid setting a bogus token on unauthenticated requests.</violation>
</file>
<file name="apps/meteor/app/api/server/v1/emoji-custom.ts">
<violation number="1" location="apps/meteor/app/api/server/v1/emoji-custom.ts:170">
P2: `API.v1.failure()` without an error payload does not match the new 400 AJV schema, so error responses can fail validation on this endpoint.</violation>
</file>
<file name=".github/workflows/auto-close-duplicates.yml">
<violation number="1" location=".github/workflows/auto-close-duplicates.yml:2">
P1: `description` is not a valid top-level key in a GitHub Actions workflow, which can make the workflow invalid and prevent it from running.</violation>
</file>
<file name="apps/meteor/app/api/server/v1/im.ts">
<violation number="1" location="apps/meteor/app/api/server/v1/im.ts:162">
P1: `dm.close`/`im.close` now incorrectly require `userId` in the request body, which breaks existing clients and adds an unused parameter. These endpoints should only require `roomId` and use authenticated `this.userId`.</violation>
</file>
<file name="apps/meteor/app/api/server/helpers/getUserInfo.ts">
<violation number="1" location="apps/meteor/app/api/server/helpers/getUserInfo.ts:30">
P2: This adds duplicate version-update banner filtering logic instead of reusing a shared helper, increasing maintenance risk and drift.
(Based on your team's feedback about preferring existing helpers over duplicated logic.) [FEEDBACK_USED]</violation>
</file>
<file name="apps/meteor/app/api/server/definition.ts">
<violation number="1" location="apps/meteor/app/api/server/definition.ts:229">
P1: Unauthenticated route context now types `user` as non-nullable, but runtime still assigns `null`; restore nullable typing to prevent unsafe assumptions.</violation>
</file>
| this.user = user!; | ||
| this.userId = this.user?._id; | ||
| const authToken = this.request.headers.get('x-auth-token'); | ||
| this.token = Accounts._hashLoginToken(String(authToken))!; |
P1: Bug: When no x-auth-token header is present (unauthenticated routes), authToken is null, so String(null) produces "null" and _hashLoginToken hashes that meaningless string. The old && guard prevented this. Restore the guard to avoid setting a bogus token on unauthenticated requests.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/meteor/app/api/server/ApiClass.ts, line 832:
<comment>Bug: When no `x-auth-token` header is present (unauthenticated routes), `authToken` is `null`, so `String(null)` produces `"null"` and `_hashLoginToken` hashes that meaningless string. The old `&&` guard prevented this. Restore the guard to avoid setting a bogus token on unauthenticated requests.</comment>
<file context>
@@ -825,13 +825,11 @@ export class APIClass<TBasePath extends string = '', TOperations extends Record<
+ this.user = user!;
+ this.userId = this.user?._id;
+ const authToken = this.request.headers.get('x-auth-token');
+ this.token = Accounts._hashLoginToken(String(authToken))!;
const shouldPreventAnonymousRead = !this.user && options.authOrAnonRequired && !settings.get('Accounts_AllowAnonymousRead');
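Review bot: `this.user = user!;` asserts a non-null user, yet the next added line reads `this.user?._id` and the unchanged context line still tests `!this.user`, so the value can be absent here and the assertion only silences the type checker. Keep the assignment nullable, and compute `this.token` only when the `x-auth-token` header is present so an unauthenticated request never carries a hash of the string "null".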
</file context>
| this.token = Accounts._hashLoginToken(String(authToken))!; | |
| this.token = (authToken && Accounts._hashLoginToken(String(authToken)))!; |
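The failure described in this review comment, as an added example that is not part of the PR or of Rocket.Chat's code. `hashLoginToken` is a stand-in that assumes `Accounts._hashLoginToken` is SHA-256 encoded as base64, and the header sets are constructed.

```javascript
// Added illustration; not Rocket.Chat source.
// Assumption: Accounts._hashLoginToken is SHA-256 of the token, base64 encoded.
const { createHash } = require('node:crypto');

function hashLoginToken(loginToken) {
  return createHash('sha256').update(loginToken).digest('base64');
}

// Behaviour of the line under review: the header value is stringified first,
// so a missing header (null) becomes the four-character string "null".
function tokenUnguarded(headers) {
  const authToken = headers.get('x-auth-token');
  return hashLoginToken(String(authToken));
}

// Behaviour of the suggested guard: hash only when a header value exists.
function tokenGuarded(headers) {
  const authToken = headers.get('x-auth-token');
  return authToken && hashLoginToken(String(authToken));
}

// Constructed sample requests: two anonymous callers and one with a token.
const anonymousA = new Headers({ accept: 'application/json' });
const anonymousB = new Headers({ 'user-agent': 'constructed-client/1.0' });
const loggedIn = new Headers({ 'x-auth-token': 'constructed-sample-token' });

function compare() {
  const unguardedAnon = tokenUnguarded(anonymousA);
  return {
    unguardedAnon,
    // Any `if (this.token)` style check downstream sees a truthy value.
    truthyForAnon: Boolean(unguardedAnon),
    // Every anonymous request receives the same fixed token hash.
    sameForAllAnon: unguardedAnon === tokenUnguarded(anonymousB),
    equalsHashOfNullString: unguardedAnon === hashLoginToken('null'),
    // With the guard the token stays empty for anonymous callers...
    guardedAnon: tokenGuarded(anonymousA),
    // ...and is unchanged for callers that do send the header.
    guardedMatchesWhenPresent: tokenGuarded(loggedIn) === tokenUnguarded(loggedIn),
  };
}

console.log(compare());
```
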
| @@ -0,0 +1,31 @@ | |||
| name: Auto-close duplicate issues | |||
| description: Auto-closes issues that are duplicates of existing issues | |||
P1: description is not a valid top-level key in a GitHub Actions workflow, which can make the workflow invalid and prevent it from running.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/auto-close-duplicates.yml, line 2:
<comment>`description` is not a valid top-level key in a GitHub Actions workflow, which can make the workflow invalid and prevent it from running.</comment>
<file context>
@@ -0,0 +1,31 @@
+name: Auto-close duplicate issues
+description: Auto-closes issues that are duplicates of existing issues
+on:
+ schedule:
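Review bot: `description:` on line 2 is not a workflow-level key. If the text is meant as documentation, move it into a `#` comment above `name:` so the sentence is kept without adding a key the workflow schema does not define.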
</file context>
| description: Auto-closes issues that are duplicates of existing issues | |
| run-name: Auto-close duplicate issues |
| type: 'string', | ||
| }, | ||
| }, | ||
| required: ['roomId', 'userId'], |
P1: dm.close/im.close now incorrectly require userId in the request body, which breaks existing clients and adds an unused parameter. These endpoints should only require roomId and use authenticated this.userId.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/meteor/app/api/server/v1/im.ts, line 162:
<comment>`dm.close`/`im.close` now incorrectly require `userId` in the request body, which breaks existing clients and adds an unused parameter. These endpoints should only require `roomId` and use authenticated `this.userId`.</comment>
<file context>
@@ -144,6 +149,43 @@ const dmDeleteEndpointsProps = {
+ type: 'string',
+ },
+ },
+ required: ['roomId', 'userId'],
+ additionalProperties: false,
+};
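Review bot: `required: ['roomId', 'userId']` obliges the client to send an identity in the body of an authenticated call. Take the acting user from the session (`this.userId`) and drop `userId` from `required`; with `additionalProperties: false` on the next line, also decide whether the property should stay declared at all, since leaving it accepted invites a later handler change to trust it.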
</file context>
| required: ['roomId', 'userId'], | |
| required: ['roomId'], |
| : { | ||
| user?: IUser | null; | ||
| userId?: string | undefined; | ||
| user?: IUser; |
P1: Unauthenticated route context now types user as non-nullable, but runtime still assigns null; restore nullable typing to prevent unsafe assumptions.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/meteor/app/api/server/definition.ts, line 229:
<comment>Unauthenticated route context now types `user` as non-nullable, but runtime still assigns `null`; restore nullable typing to prevent unsafe assumptions.</comment>
<file context>
@@ -226,8 +226,8 @@ export type ActionThis<TMethod extends Method, TPathPattern extends PathPattern,
: {
- user?: IUser | null;
- userId?: string | undefined;
+ user?: IUser;
+ userId?: string;
readonly token?: string;
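Review bot: on the `user?: IUser;` line, removing `| null` narrows the type, whereas removing `| undefined` from `userId?` changes nothing unless `exactOptionalPropertyTypes` is enabled, so only the `user` edit alters what handlers may assume. If the runtime can still leave `user` as `null` on unauthenticated routes, keep `IUser | null` so handlers are forced to check before dereferencing.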
</file context>
| command: { | ||
| command: cmd.command, | ||
| description: cmd.description, | ||
| params: cmd.params, |
P2: commands.get always returns params, but cmd.params can be undefined, which violates the declared response schema (params must be string when present). Return params only when it is a string.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/meteor/app/api/server/v1/commands.ts, line 79:
<comment>`commands.get` always returns `params`, but `cmd.params` can be `undefined`, which violates the declared response schema (`params` must be string when present). Return `params` only when it is a string.</comment>
<file context>
@@ -1,35 +1,86 @@
+ command: {
+ command: cmd.command,
+ description: cmd.description,
+ params: cmd.params,
+ clientOnly: cmd.clientOnly,
+ providesPreview: cmd.providesPreview,
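Review bot: `params: cmd.params` and the `clientOnly` / `providesPreview` lines after it copy command fields into the response without checking that they are set. Add a test that calls `commands.get` for a command registered without the optional fields, so response validation is exercised on the sparse object and not only on a fully populated one.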
</file context>
| params: cmd.params, | |
| ...(typeof cmd.params === 'string' ? { params: cmd.params } : {}), |
| value: 1, | ||
| metadata: { | ||
| repository: $repo, | ||
| issue_number: ($issue_number | tonumber), |
P2: jq numeric coercion on a string input can hard-fail the workflow for manual dispatches with non-numeric issue_number values.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/dedupe-issues.yml, line 59:
<comment>`jq` numeric coercion on a string input can hard-fail the workflow for manual dispatches with non-numeric `issue_number` values.</comment>
<file context>
@@ -0,0 +1,83 @@
+ value: 1,
+ metadata: {
+ repository: $repo,
+ issue_number: ($issue_number | tonumber),
+ triggered_by: $triggered_by,
+ workflow_run_id: "${{ github.run_id }}",
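Review bot: `workflow_run_id: "${{ github.run_id }}"` expands a workflow expression inside the jq program text, while the neighbouring fields use jq variables (`$repo`, `$issue_number`, `$triggered_by`). Pass the run id in the same way so no template expansion lands in the script body. For `($issue_number | tonumber)`, check that the input is all digits before this step, since `tonumber` errors on a non-numeric string.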
</file context>
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| - name: Log duplicate comment event to Statsig | ||
| if: always() |
P2: The Statsig "duplicate_comment_added" event is logged unconditionally (if: always()), so failures/non-comment runs are recorded as successful duplicate comments.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/dedupe-issues.yml, line 35:
<comment>The Statsig "duplicate_comment_added" event is logged unconditionally (`if: always()`), so failures/non-comment runs are recorded as successful duplicate comments.</comment>
<file context>
@@ -0,0 +1,83 @@
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Log duplicate comment event to Statsig
+ if: always()
+ env:
+ STATSIG_API_KEY: ${{ secrets.STATSIG_API_KEY }}
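Review bot: `if: always()` on the Statsig step runs it after failed and cancelled runs too, with `STATSIG_API_KEY` in its environment, so the event count no longer tracks comments that were actually posted. Gate the step on the outcome of the comment step, for example `if: success()` or a step output that is set only when a comment is written.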
</file context>
| await uploadEmojiCustomWithBuffer(this.userId, fileBuffer, mimetype, emojiData); | ||
| } catch (err) { | ||
| SystemLogger.error({ err }); | ||
| return API.v1.failure(); |
P2: API.v1.failure() without an error payload does not match the new 400 AJV schema, so error responses can fail validation on this endpoint.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/meteor/app/api/server/v1/emoji-custom.ts, line 170:
<comment>`API.v1.failure()` without an error payload does not match the new 400 AJV schema, so error responses can fail validation on this endpoint.</comment>
<file context>
@@ -103,45 +104,73 @@ API.v1.addRoute(
+ await uploadEmojiCustomWithBuffer(this.userId, fileBuffer, mimetype, emojiData);
+ } catch (err) {
+ SystemLogger.error({ err });
+ return API.v1.failure();
+ }
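Review bot: in the `catch`, `return API.v1.failure();` sends the failure response with no error text. Return a fixed, non-sensitive message there so the body matches the declared error schema, and keep `err` confined to `SystemLogger.error({ err })` as it is now.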
</file context>
| return accumulator; | ||
| }; | ||
|
|
||
| const filterOutdatedVersionUpdateBanners = (banners: NonNullable<IUser['banners']>): IUser['banners'] => { |
P2: This adds duplicate version-update banner filtering logic instead of reusing a shared helper, increasing maintenance risk and drift.
(Based on your team's feedback about preferring existing helpers over duplicated logic.)
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At apps/meteor/app/api/server/helpers/getUserInfo.ts, line 30:
<comment>This adds duplicate version-update banner filtering logic instead of reusing a shared helper, increasing maintenance risk and drift.
(Based on your team's feedback about preferring existing helpers over duplicated logic.) </comment>
<file context>
@@ -25,6 +27,23 @@ const getUserPreferences = async (me: IUser): Promise<Record<string, unknown>> =
return accumulator;
};
+const filterOutdatedVersionUpdateBanners = (banners: NonNullable<IUser['banners']>): IUser['banners'] => {
+ return Object.fromEntries(
+ Object.entries(banners).filter(([id]) => {
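Review bot: `filterOutdatedVersionUpdateBanners` takes `NonNullable<IUser['banners']>` but declares its return as `IUser['banners']`, although the visible body returns the result of `Object.fromEntries(...)`, which is always an object. Declare the return type as `NonNullable<IUser['banners']>` so callers do not have to re-check for an absent value.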
</file context>
You can see below a preview of the release change log:
8.3.0
Engine versions
22.16.01.43.58.01.60.1
Minor Changes
(#38978 by @ahmed-n-abdeltwab) Add OpenAPI support for the Rocket.Chat autotranslate translateMessage API endpoints by migrating to a modern chained route definition syntax and utilizing shared AJV schemas for validation to enhance API documentation and ensure type safety through response validation
(#39225 by @sezallagwal) Add OpenAPI support for the chat.followMessage and chat.unfollowMessage API endpoints by migrating to a modern chained route definition syntax and utilizing AJV schemas for body and response validation.
(#39227 by @sezallagwal) Add OpenAPI support for the chat.starMessage and chat.unStarMessage API endpoints by migrating to a modern chained route definition syntax and utilizing AJV schemas for body and response validation.
(#38957 by @Verifieddanny) Migrated rooms.leave endpoint to new OpenAPI pattern with AJV validation
(#38549 by @Rohitgiri02) migrated rooms.delete endpoint to new OpenAPI pattern with AJV validation
(#39094 by @ahmed-n-abdeltwab) Adds OpenAPI support for the Rocket.Chat e2e.updateGroupKey endpoints by migrating to a modern chained route definition syntax and utilizing shared AJV schemas for validation to enhance API documentation and ensure type safety through response validation.
(#36402 by @ahmed-n-abdeltwab) Add OpenAPI support for the Rocket.Chat users.getAvatarSuggestion API endpoints by migrating to a modern chained route definition syntax and utilizing shared AJV schemas for validation to enhance API documentation and ensure type safety through response validation.
(#38881 by @smirk-dev) adds `instances.get` API endpoint to new chained pattern with response schemas
(#38883 by @smirk-dev) Migrates `ldap.testConnection` and `ldap.testSearch` REST API endpoints from legacy `addRoute` pattern to the new chained `.post()` API pattern with typed response schemas and AJV body validation (replacing Meteor `check()`).
(#38882 by @smirk-dev) Migrates `presence.getConnections` and `presence.enableBroadcast` REST API endpoints from legacy `addRoute` pattern to the new chained `.get()`/`.post()` API pattern with typed response schemas.
(#38610) Fixes Custom Sounds Contextualbar state and refresh behavior
(#36779 by @ahmed-n-abdeltwab) Add OpenAPI support for the Rocket.Chat e2e.fetchMyKeys endpoints by migrating to a modern chained route definition syntax and utilizing shared AJV schemas for validation to enhance API documentation and ensure type safety through response validation.
(#36916 by @ahmed-n-abdeltwab) Add OpenAPI support for the Rocket.Chat custom-user-status.list API endpoints by migrating to a modern chained route definition syntax and utilizing shared AJV schemas for validation to enhance API documentation and ensure type safety through response validation
(#39219 by @ahmed-n-abdeltwab) Add OpenAPI support for the Rocket.Chat e2e endpoints by migrating to a modern chained route definition syntax and utilizing shared AJV schemas for validation to enhance API documentation and ensure type safety through response validation.
(#38610) Adds new `custom-sounds.getOne` REST endpoint to retrieve a single custom sound by `_id` and updates client to consume it.
Patch Changes
(#39010) Fixes an authorization issue that allowed users to confirm uploads from other users
(#38531) Fixes a cross-resource access issue that allowed users to retrieve emojis from the Custom Sounds endpoint and sounds from the Custom Emojis endpoint when using the FileSystem storage mode.
(#38662 by @TheRazorbill) Fixes wrong i18n key in RegisterWorkspace confirmation step so the text is translated instead of showing a missing key.
(#38983 by @copilot-swe-agent) Fixes incoming webhook messages ignoring literal `\n` escape sequences, and fixes the `MarkdownText` `document` variant not rendering newlines as line breaks.
(#38989) chore(eslint): Upgrades ESLint and its configuration
(#39003) Fix marking a message as sent before the request finishes
(#36786 by @ahmed-n-abdeltwab) Add OpenAPI support for the Rocket.Chat e2e.getUsersOfRoomWithoutKey endpoints by migrating to a modern chained route definition syntax and utilizing shared AJV schemas for validation to enhance API documentation and ensure type safety through response validation.
(#38932) Fixes version update banner showing outdated versions after server upgrade.
(#38760 by @Khizarshah01) Limits `Outgoing webhook` maximum response size to 10mb.
(#36882 by @ahmed-n-abdeltwab) Add OpenAPI support for the Rocket.Chat push.test API endpoints by migrating to a modern chained route definition syntax and utilizing shared AJV schemas for validation to enhance API documentation and ensure type safety through response validation.
(#39250) Fixes `inquiries.take` not failing when attempting to take a chat while over chat limits
(#38852) Fixes an issue where `Production` flag was not being respected when initializing Push Notifications configuration
(#38944 by @Khizarshah01) Limits Omnichannel webhook maximum response size to 10mb.
(#38954) Fixes reactivity of Custom Sounds and Custom Emojis storage settings
(#35995 by @ahmed-n-abdeltwab) Add OpenAPI support for the Rocket.Chat rooms.favorite APIs endpoints by migrating to a modern chained route definition syntax and utilizing shared AJV schemas for validation to enhance API documentation and ensure type safety through response validation.
(#36523 by @ahmed-n-abdeltwab) Add OpenAPI support for the Rocket.Chat emoji-custom.create API endpoints by migrating to a modern chained route definition syntax and utilizing shared AJV schemas for validation to enhance API documentation and ensure type safety through response validation.
(#36953 by @ahmed-n-abdeltwab) Add OpenAPI support for the Rocket.Chat commands.get API endpoints by migrating to a modern chained route definition syntax and utilizing shared AJV schemas for validation to enhance API documentation and ensure type safety through response validation.
(#38974 by @ahmed-n-abdeltwab) Add OpenAPI support for the Rocket.Chat dm.close/im.close API endpoints by migrating to a modern chained route definition syntax and utilizing shared AJV schemas for validation to enhance API documentation and ensure type safety through response validation.
Updated dependencies [602b20a, d1bf2cc, 02b1e6e, 9a70095, a4e3c16, 539659a, b1b1d6c, 5518503, a4341ec, 4025314, 85c0ac7, 803b807, 1361a1f, 2a27010, 37acece, d8baf39, ddc0ed3, 722df6f, 78b3fe3, 98a6c58, 29b453e, 39f2e87, c117492, 7c73241]: