fix: users.presence ignoring comma-separated IDs after OpenAPI migration

[ricardogarim]

Proposed changes

Regression in 8.4.0: GET /v1/users.presence?ids=id1,id2,id3 returns an empty array when called with multiple comma-separated IDs. Single ID works fine. This breaks user presence on mobile, where everyone appears offline.

Root cause: PR #39553 (OpenAPI migration) added ajvQuery validation with anyOf: [string, array]. Combined with ajvQuery's coerceTypes: 'array', AJV coerces "id1,id2" into ["id1,id2"] (single-element array), skipping the .split(',') logic.

The endpoint accepts three formats:

• ?ids=userId1 - single ID (string)
• ?ids=userId1&ids=userId2 - repeated params (array)
• ?ids=userId1,userId2 - comma-separated (string, but AJV coerces to ["userId1,userId2"] — broken case)

Fix:

• Replaced anyOf with type: ['string', 'array'] to avoid AJV coercion issues (ajv#1140)

Issue(s)

• Regression introduced by chore: convert endpoints do openApi #39553
• CORE-2194

Steps to test or reproduce

1. GET /v1/users.presence?ids=<userId> - single ID, returns the user
2. GET /v1/users.presence?ids=<userId1>,<userId2> - comma-separated, returns empty (before fix), returns both (after fix)
3. GET /v1/users.presence?ids=<userId1>&ids=<userId2> - repeated params, returns both

Summary by CodeRabbit

• Bug Fixes
  • Fixed the users.presence endpoint to correctly handle multiple comma-separated user IDs instead of returning an empty array.

[dionisio-bot]

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

This PR fixes the users.presence endpoint's handling of comma-separated IDs by refactoring the JSON schema for the ids parameter from an anyOf structure to a unified type: ['string', 'array'] definition, preventing AJV from incorrectly coercing comma-separated query strings into single-element arrays. The changeset documents the fix and marks patch releases.

Changes

Fix users.presence comma-separated ID handling

Layer / File(s)	Summary
Type definition schema update packages/rest-typings/src/v1/users/UsersPresenceParamsGET.ts	JSON schema for properties.ids refactored to use type: ['string', 'array'] plus items: { type: 'string' }, preserving support for both single strings and arrays while avoiding AJV coercion issues.
Fix documentation and release record .changeset/fix-presence-comma-ids.md	Changeset entry documents the AJV coercion regression and records patch releases for @rocket.chat/meteor and @rocket.chat/rest-typings.

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main fix: addressing the regression where comma-separated IDs were being ignored in the users.presence endpoint after the OpenAPI migration.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)

• CORE-2194: Request failed with status code 401

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[changeset-bot]

🦋 Changeset detected

Latest commit: ee2fc11

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 42 packages

Name	Type
@rocket.chat/meteor	Patch
@rocket.chat/rest-typings	Patch
@rocket.chat/api-client	Patch
@rocket.chat/core-services	Patch
@rocket.chat/ddp-client	Patch
@rocket.chat/http-router	Patch
@rocket.chat/models	Patch
@rocket.chat/ui-contexts	Patch
@rocket.chat/web-ui-registration	Patch
@rocket.chat/account-service	Patch
@rocket.chat/authorization-service	Patch
@rocket.chat/ddp-streamer	Patch
@rocket.chat/federation-matrix	Patch
@rocket.chat/omnichannel-services	Patch
@rocket.chat/presence	Patch
rocketchat-services	Patch
@rocket.chat/omnichannel-transcript	Patch
@rocket.chat/presence-service	Patch
@rocket.chat/queue-worker	Patch
@rocket.chat/abac	Patch
@rocket.chat/network-broker	Patch
@rocket.chat/omni-core-ee	Patch
@rocket.chat/livechat	Patch
@rocket.chat/mock-providers	Patch
@rocket.chat/cron	Patch
@rocket.chat/instance-status	Patch
@rocket.chat/omni-core	Patch
@rocket.chat/server-fetch	Patch
@rocket.chat/ui-client	Patch
@rocket.chat/media-calls	Patch
@rocket.chat/uikit-playground	Patch
@rocket.chat/fuselage-ui-kit	Patch
@rocket.chat/gazzodown	Patch
@rocket.chat/ui-avatar	Patch
@rocket.chat/ui-video-conf	Patch
@rocket.chat/ui-voip	Patch
@rocket.chat/ui-composer	Patch
@rocket.chat/core-typings	Patch
@rocket.chat/apps	Patch
@rocket.chat/model-typings	Patch
@rocket.chat/license	Patch
@rocket.chat/pdf-worker	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.61%. Comparing base (082c2ec) to head (ee2fc11).
⚠️ Report is 7 commits behind head on develop.

Additional details and impacted files

@@           Coverage Diff            @@
##           develop   #40513   +/-   ##
========================================
  Coverage    69.60%   69.61%           
========================================
  Files         3323     3324    +1     
  Lines       122610   122651   +41     
  Branches     21872    21874    +2     
========================================
+ Hits         85347    85379   +32     
+ Misses       33933    33928    -5     
- Partials      3330     3344   +14     

Flag	Coverage Δ
e2e	59.13% <ø> (+0.09%)	⬆️
e2e-api	46.25% <ø> (-0.06%)	⬇️
unit	70.33% <ø> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

🧹 Nitpick comments (1)

apps/meteor/app/api/server/v1/users.ts (1)

1541-1543: ⚡ Quick win

Consider filtering out empty strings after splitting.

The normalization logic correctly handles both string and array inputs by wrapping, flattening, and splitting on commas. However, edge cases like ids="" or ids="id1,,id3" (double comma) will produce empty strings in the userIds array after splitting. While the MongoDB query will simply not match empty IDs (not a correctness issue), filtering out empty strings would make the logic more robust.

♻️ Suggested improvement

-const userIds = [ids].flat().flatMap((id) => id.split(','));
+const userIds = [ids].flat().flatMap((id) => id.split(',')).filter((id) => id.trim());

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/app/api/server/v1/users.ts` around lines 1541 - 1543, When
building userIds from ids (the line initializing userIds and the call to
Users.findNotOfflineByIds), filter out empty strings and whitespace-only entries
after splitting to avoid passing "" into the DB query; update the normalization
pipeline that produces userIds (e.g., after .split(',')) to trim each id and
remove falsy or empty values (for example via a .map(trim) then .filter(id => id
!== '') or equivalent) before passing userIds into Users.findNotOfflineByIds.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@apps/meteor/app/api/server/v1/users.ts`:
- Around line 1541-1543: When building userIds from ids (the line initializing
userIds and the call to Users.findNotOfflineByIds), filter out empty strings and
whitespace-only entries after splitting to avoid passing "" into the DB query;
update the normalization pipeline that produces userIds (e.g., after
.split(',')) to trim each id and remove falsy or empty values (for example via a
.map(trim) then .filter(id => id !== '') or equivalent) before passing userIds
into Users.findNotOfflineByIds.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6efb4b70-34a9-40a0-a9ee-7f55e270465a

📥 Commits

Reviewing files that changed from the base of the PR and between 1015c10 and fb643e9.

📒 Files selected for processing (3)

• .changeset/fix-presence-comma-ids.md
• apps/meteor/app/api/server/v1/users.ts
• packages/rest-typings/src/v1/users/UsersPresenceParamsGET.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• .changeset/fix-presence-comma-ids.md

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: 📦 Build Packages
• GitHub Check: CodeQL-Build

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• packages/rest-typings/src/v1/users/UsersPresenceParamsGET.ts
• apps/meteor/app/api/server/v1/users.ts

🧠 Learnings (8)

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• packages/rest-typings/src/v1/users/UsersPresenceParamsGET.ts
• apps/meteor/app/api/server/v1/users.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• packages/rest-typings/src/v1/users/UsersPresenceParamsGET.ts
• apps/meteor/app/api/server/v1/users.ts

📚 Learning: 2026-05-06T12:21:44.083Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

• packages/rest-typings/src/v1/users/UsersPresenceParamsGET.ts
• apps/meteor/app/api/server/v1/users.ts

📚 Learning: 2026-05-11T23:14:59.316Z

Learnt from: ricardogarim
Repo: RocketChat/Rocket.Chat PR: 40469
File: packages/rest-typings/src/v1/users.ts:337-337
Timestamp: 2026-05-11T23:14:59.316Z
Learning: In Rocket.Chat REST endpoint typings (e.g., packages/rest-typings/src/v1/users.ts and other rest-typings files), keep the established convention of deriving field types from the domain model (e.g., use IUser indexed access like IUser['statusExpiresAt']) rather than swapping individual fields to serialized primitives (like string) in an ad-hoc way. If a truly different “serialized” representation is needed, perform the refactor consistently across the codebase (not just a single endpoint/field) and ensure all related REST typings stay aligned with the shared serialization types.

Applied to files:

• packages/rest-typings/src/v1/users/UsersPresenceParamsGET.ts

📚 Learning: 2026-02-23T17:53:06.802Z

Learnt from: ggazzo
Repo: RocketChat/Rocket.Chat PR: 35995
File: apps/meteor/app/api/server/v1/rooms.ts:1107-1112
Timestamp: 2026-02-23T17:53:06.802Z
Learning: During PR reviews that touch endpoint files under apps/meteor/app/api/server/v1, enforce strict scope: if a PR targets a specific endpoint (e.g., rooms.favorite), do not propose changes to unrelated endpoints (e.g., rooms.invite) unless maintainers explicitly request them. Focus feedback on the touched endpoint's behavior, API surface, and related tests; avoid broad cross-endpoint changes in the same PR unless requested.

Applied to files:

• apps/meteor/app/api/server/v1/users.ts

📚 Learning: 2026-02-24T19:09:01.522Z

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38974
File: apps/meteor/app/api/server/v1/im.ts:220-221
Timestamp: 2026-02-24T19:09:01.522Z
Learning: In Rocket.Chat OpenAPI migration PRs for endpoints under apps/meteor/app/api/server/v1, avoid introducing logic changes. Only perform scope-tight changes that preserve behavior; style-only cleanups (e.g., removing inline comments) may be deferred to follow-ups to keep the migration PR focused.

Applied to files:

• apps/meteor/app/api/server/v1/users.ts

📚 Learning: 2026-03-15T14:31:25.380Z

Learnt from: amitb0ra
Repo: RocketChat/Rocket.Chat PR: 39647
File: apps/meteor/app/api/server/v1/users.ts:710-757
Timestamp: 2026-03-15T14:31:25.380Z
Learning: Do not flag this type/schema misalignment in the OpenAPI/migration review for apps/meteor/app/api/server/v1/users.ts. The UserCreateParamsPOST type intentionally uses non-optional fields: fields: string and settings?: IUserSettings without an AJV schema entry, carried over from the original rest-typings (PR `#39647`). Treat this as a known pre-existing divergence and document it as a separate follow-up fix; do not block or mark it as a review issue during the migration.

Applied to files:

• apps/meteor/app/api/server/v1/users.ts

📚 Learning: 2026-03-16T23:33:11.443Z

Learnt from: amitb0ra
Repo: RocketChat/Rocket.Chat PR: 39676
File: apps/meteor/app/api/server/v1/users.ts:862-869
Timestamp: 2026-03-16T23:33:11.443Z
Learning: In rockets OpenAPI/AJV migration reviews for RocketChat/Rocket.Chat, when reviewing migrations that involve apps/meteor/app/api/server/v1/users.ts, do not require or flag a missing query AJV schema for the fields consumed by parseJsonQuery() (i.e., fields, sort, query) as part of this endpoint's migration PR. The addition of global query-param schemas for parseJsonQuery() usage is a cross-cutting concern and out of scope for individual endpoint migrations. Only flag violations related to the specific scope of the migration, not the absence of a query schema for parseJsonQuery() in this file.

Applied to files:

• apps/meteor/app/api/server/v1/users.ts

🔇 Additional comments (2)

packages/rest-typings/src/v1/users/UsersPresenceParamsGET.ts (2)

13-14: PR description claims schema changed to type: 'string', but implementation uses type: ['string', 'array'].

The PR objectives state: "Change ids schema to type: 'string' (consistent with groups, channels, im, settings endpoints)." However, the actual implementation on line 13 uses type: ['string', 'array'], not type: 'string'. The schema still accepts both strings and arrays, which differs from the stated objective. The fix works because type: ['string', 'array'] prevents AJV's coerceTypes: 'array' from coercing the string "id1,id2" into a single-element array ["id1,id2"], while the server-side normalization on line 1541 of the users.ts file handles both input forms.

---

13-14: LGTM!

[ggazzo]

Since this behavior is 'special' , can we create a test to ensure that it won't change?

[KevLehman]

hope CI is green

[ricardogarim]

/patch

[dionisio-bot]

Pull request #40527 added to Project: "Patch 8.4.2"