fix: clean up OAuth tokens after user deactivation

[julio-rocketchat]

Proposed changes (including videos or screenshots)

Issue(s)

https://rocketchat.atlassian.net/browse/VLN-384

Steps to test or reproduce

Further comments

Summary by CodeRabbit

• Bug Fixes
  • OAuth tokens are revoked when an account is deactivated or auto-deactivated for idleness; tokens and userinfo become invalid for inactive users.
• Tests
  • Added end-to-end tests validating token revocation for explicit deactivation and idle deactivation.
• Chores
  • Updated models/typings and server logic to remove OAuth tokens for deactivated users.

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

🦋 Changeset detected

Latest commit: e372080

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 42 packages

Name	Type
@rocket.chat/model-typings	Patch
@rocket.chat/models	Patch
@rocket.chat/meteor	Patch
@rocket.chat/apps	Patch
@rocket.chat/account-service	Patch
@rocket.chat/authorization-service	Patch
@rocket.chat/ddp-streamer	Patch
@rocket.chat/omnichannel-transcript	Patch
@rocket.chat/presence-service	Patch
@rocket.chat/queue-worker	Patch
@rocket.chat/omnichannel-services	Patch
rocketchat-services	Patch
@rocket.chat/core-services	Patch
@rocket.chat/cron	Patch
@rocket.chat/instance-status	Patch
@rocket.chat/omni-core	Patch
@rocket.chat/server-fetch	Patch
@rocket.chat/ui-client	Patch
@rocket.chat/abac	Patch
@rocket.chat/federation-matrix	Patch
@rocket.chat/media-calls	Patch
@rocket.chat/omni-core-ee	Patch
@rocket.chat/presence	Patch
@rocket.chat/network-broker	Patch
@rocket.chat/core-typings	Patch
@rocket.chat/rest-typings	Patch
@rocket.chat/uikit-playground	Patch
@rocket.chat/api-client	Patch
@rocket.chat/ddp-client	Patch
@rocket.chat/fuselage-ui-kit	Patch
@rocket.chat/gazzodown	Patch
@rocket.chat/http-router	Patch
@rocket.chat/livechat	Patch
@rocket.chat/ui-avatar	Patch
@rocket.chat/ui-contexts	Patch
@rocket.chat/ui-voip	Patch
@rocket.chat/web-ui-registration	Patch
@rocket.chat/license	Patch
@rocket.chat/pdf-worker	Patch
@rocket.chat/mock-providers	Patch
@rocket.chat/ui-video-conf	Patch
@rocket.chat/ui-composer	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Walkthrough

Adds model typings and implementations to delete OAuth access/refresh tokens and auth codes by user, deletes tokens during user deactivation (manual and idle), requires tokens' users to be active during validation, and adds end-to-end tests and a changeset noting version bumps.

Changes

OAuth token revocation on user deactivation

Layer / File(s)	Summary
Model typings: deletion contracts packages/model-typings/src/models/IOAuthAccessTokensModel.ts, packages/model-typings/src/models/IOAuthAuthCodesModel.ts, packages/model-typings/src/models/IOAuthRefreshTokensModel.ts	Added deleteByUserId(userId: string): Promise<DeleteResult> and deleteByUserIds(userIds: string[]): Promise<DeleteResult> to OAuth token/auth-code model interfaces; import DeleteResult from mongodb.
Model implementations: deletion & indexes packages/models/src/models/OAuthAccessTokens.ts, packages/models/src/models/OAuthAuthCodes.ts, packages/models/src/models/OAuthRefreshTokens.ts	Implemented deleteByUserId and deleteByUserIds (use deleteMany with userId / $in) and added a userId index in each model's modelIndexes().
Token validation: require active user apps/meteor/server/oauth2-server/model.ts, apps/meteor/app/oauth2-server-config/server/oauth/oauth2-server.ts	OAuth model getAccessToken/getRefreshToken now resolve the token's user via Users.findOneActiveById (projecting _id) and return/throw when the user is missing/inactive. oAuth2ServerAuth and /oauth/userinfo use findOneActiveById and reject tokens for inactive users.
Deactivation paths: token cleanup apps/meteor/app/lib/server/functions/setUserActiveStatus.ts, apps/meteor/app/api/server/v1/users.ts	On user deactivation, code calls OAuthAccessTokens.deleteByUserId(s), OAuthRefreshTokens.deleteByUserId(s), and OAuthAuthCodes.deleteByUserId(s) (concurrently) after unsetting login tokens. users.deactivateIdle deletes tokens for deactivated IDs before emitting notifications.
End-to-end tests: revocation scenarios apps/meteor/tests/end-to-end/api/oauth-server.ts	Added authorizeAndExchange helper and two test suites: [user deactivation revokes OAuth tokens] and [users.deactivateIdle revokes OAuth tokens] verifying access-token rejection, refresh-token grant failure after deactivation, and behavior after reactivation and fresh authorization.
Release note / version bumps .changeset/big-corners-tie.md	Patch bumps for @rocket.chat/model-typings, @rocket.chat/models, and @rocket.chat/meteor with note that OAuth tokens are cleaned up on user deactivation.

Sequence Diagram

sequenceDiagram
  participant Client as Client
  participant OAuth as OAuth Server
  participant Tokens as OAuth Token Collections (Access/Refresh/AuthCode)
  participant Users as Users Model

  Client->>OAuth: /oauth/authorize -> /oauth/token (auth code flow)
  OAuth->>Tokens: create/validate tokens
  Tokens-->>OAuth: return access_token / refresh_token
  OAuth-->>Client: issue tokens

  Note right of Users: Later, user is deactivated

  Users->>Tokens: deleteByUserId(userId)
  Tokens-->>Users: deletion result

  Client->>OAuth: use access_token (API or /oauth/userinfo)
  OAuth->>Users: findOneActiveById(accessToken.userId)
  alt user inactive or missing
    Users-->>OAuth: null
    OAuth-->>Client: 401 Invalid Token
  else user active
    OAuth->>Tokens: validate token existence/expiry
    OAuth-->>Client: return requested resource
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

• KevLehman
• tassoevan

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix: clean up OAuth tokens after user deactivation' clearly and directly summarizes the main change across the changeset—implementing OAuth token cleanup when users are deactivated.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 16.66667% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.66%. Comparing base (fa8413f) to head (ae61cd3).
⚠️ Report is 5 commits behind head on develop.

Additional details and impacted files

@@           Coverage Diff            @@
##           develop   #40524   +/-   ##
========================================
  Coverage    69.65%   69.66%           
========================================
  Files         3327     3325    -2     
  Lines       122755   122803   +48     
  Branches     21875    21846   -29     
========================================
+ Hits         85505    85545   +40     
- Misses       33916    33918    +2     
- Partials      3334     3340    +6     

Flag	Coverage Δ
e2e	59.19% <ø> (-0.01%)	⬇️
e2e-api	46.32% <16.66%> (+0.02%)	⬆️
unit	70.37% <ø> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

apps/meteor/tests/end-to-end/api/oauth-server.ts (1)

9-39: ⚡ Quick win

Cover the authorization-code cleanup path too.

authorizeAndExchange always consumes the code immediately, so these new suites only prove access-token and refresh-token revocation. Since this PR also deletes pending auth codes, please add a variant that returns the issued code so a test can deactivate the user before /oauth/token and assert the authorization_code grant is rejected.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/tests/end-to-end/api/oauth-server.ts` around lines 9 - 39, The
test helper authorizeAndExchange currently posts to /oauth/authorize and
immediately redeems the authorization code, preventing tests from exercising
code-revocation cleanup; add a variant (e.g., authorizeOnly or add a boolean
flag to authorizeAndExchange) that performs the POST to /oauth/authorize, parses
and returns the raw authorization code (the 'code' from URL searchParams)
without calling /oauth/token, so tests can deactivate the user before token
exchange and assert the authorization_code grant is rejected; keep the original
authorizeAndExchange behavior intact for existing tests.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/meteor/tests/end-to-end/api/oauth-server.ts`:
- Around line 392-397: The test calls the users.deactivateIdle RPC too broadly
(daysIdle: 0 and default 'user' role) which can deactivate unrelated accounts;
change the fixture and the test to use a unique discriminator and pass that to
users.deactivateIdle instead of the generic role—e.g., ensure the created
idleUser is assigned a dedicated role or tag (referenced by idleUser.roles or a
new idleUser.fixtureRole) and call users.deactivateIdle with that specific role
or with an explicit user identifier (use idleUser._id or idleUser.roles?.[0] ??
'e2e-fixture-user' as the argument) so only the test fixture is targeted.
- Around line 319-333: The test "should reject the refresh token grant after
user deactivation" uses a loose assertion (res.status !== 200); change it to
assert the exact HTTP status and OAuth error payload the server should return
for a revoked/deleted refresh token (e.g.,
expect(res.status).to.equal(<expected_status>) and
expect(res.body.error).to.equal('invalid_grant') and assert any expected
error_description or absence of access_token). Update the assertions in this
test and the similar block referenced (lines 409-423) to use the specific status
code and exact OAuth error fields instead of not-equal checks, using the
variables userRefreshToken, deactivationClientId, and deactivationClientSecret
to locate the request code paths.

---

Nitpick comments:
In `@apps/meteor/tests/end-to-end/api/oauth-server.ts`:
- Around line 9-39: The test helper authorizeAndExchange currently posts to
/oauth/authorize and immediately redeems the authorization code, preventing
tests from exercising code-revocation cleanup; add a variant (e.g.,
authorizeOnly or add a boolean flag to authorizeAndExchange) that performs the
POST to /oauth/authorize, parses and returns the raw authorization code (the
'code' from URL searchParams) without calling /oauth/token, so tests can
deactivate the user before token exchange and assert the authorization_code
grant is rejected; keep the original authorizeAndExchange behavior intact for
existing tests.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2bde60a9-06a2-4adc-b100-09567f21c5ae

📥 Commits

Reviewing files that changed from the base of the PR and between 055ca13 and 432314a.

📒 Files selected for processing (12)

• .changeset/big-corners-tie.md
• apps/meteor/app/api/server/v1/users.ts
• apps/meteor/app/lib/server/functions/setUserActiveStatus.ts
• apps/meteor/app/oauth2-server-config/server/oauth/oauth2-server.ts
• apps/meteor/server/oauth2-server/model.ts
• apps/meteor/tests/end-to-end/api/oauth-server.ts
• packages/model-typings/src/models/IOAuthAccessTokensModel.ts
• packages/model-typings/src/models/IOAuthAuthCodesModel.ts
• packages/model-typings/src/models/IOAuthRefreshTokensModel.ts
• packages/models/src/models/OAuthAccessTokens.ts
• packages/models/src/models/OAuthAuthCodes.ts
• packages/models/src/models/OAuthRefreshTokens.ts

📜 Review details

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• packages/model-typings/src/models/IOAuthAuthCodesModel.ts
• apps/meteor/app/lib/server/functions/setUserActiveStatus.ts
• packages/model-typings/src/models/IOAuthRefreshTokensModel.ts
• apps/meteor/app/oauth2-server-config/server/oauth/oauth2-server.ts
• packages/models/src/models/OAuthAuthCodes.ts
• apps/meteor/app/api/server/v1/users.ts
• packages/model-typings/src/models/IOAuthAccessTokensModel.ts
• packages/models/src/models/OAuthAccessTokens.ts
• packages/models/src/models/OAuthRefreshTokens.ts
• apps/meteor/server/oauth2-server/model.ts
• apps/meteor/tests/end-to-end/api/oauth-server.ts

🧠 Learnings (8)

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• packages/model-typings/src/models/IOAuthAuthCodesModel.ts
• apps/meteor/app/lib/server/functions/setUserActiveStatus.ts
• packages/model-typings/src/models/IOAuthRefreshTokensModel.ts
• apps/meteor/app/oauth2-server-config/server/oauth/oauth2-server.ts
• packages/models/src/models/OAuthAuthCodes.ts
• apps/meteor/app/api/server/v1/users.ts
• packages/model-typings/src/models/IOAuthAccessTokensModel.ts
• packages/models/src/models/OAuthAccessTokens.ts
• packages/models/src/models/OAuthRefreshTokens.ts
• apps/meteor/server/oauth2-server/model.ts
• apps/meteor/tests/end-to-end/api/oauth-server.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• packages/model-typings/src/models/IOAuthAuthCodesModel.ts
• apps/meteor/app/lib/server/functions/setUserActiveStatus.ts
• packages/model-typings/src/models/IOAuthRefreshTokensModel.ts
• apps/meteor/app/oauth2-server-config/server/oauth/oauth2-server.ts
• packages/models/src/models/OAuthAuthCodes.ts
• apps/meteor/app/api/server/v1/users.ts
• packages/model-typings/src/models/IOAuthAccessTokensModel.ts
• packages/models/src/models/OAuthAccessTokens.ts
• packages/models/src/models/OAuthRefreshTokens.ts
• apps/meteor/server/oauth2-server/model.ts
• apps/meteor/tests/end-to-end/api/oauth-server.ts

📚 Learning: 2026-05-06T12:21:44.083Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

• packages/model-typings/src/models/IOAuthAuthCodesModel.ts
• apps/meteor/app/lib/server/functions/setUserActiveStatus.ts
• packages/model-typings/src/models/IOAuthRefreshTokensModel.ts
• apps/meteor/app/oauth2-server-config/server/oauth/oauth2-server.ts
• packages/models/src/models/OAuthAuthCodes.ts
• apps/meteor/app/api/server/v1/users.ts
• packages/model-typings/src/models/IOAuthAccessTokensModel.ts
• packages/models/src/models/OAuthAccessTokens.ts
• packages/models/src/models/OAuthRefreshTokens.ts
• apps/meteor/server/oauth2-server/model.ts
• apps/meteor/tests/end-to-end/api/oauth-server.ts

📚 Learning: 2026-03-16T21:50:37.589Z

Learnt from: amitb0ra
Repo: RocketChat/Rocket.Chat PR: 39676
File: .changeset/migrate-users-register-openapi.md:3-3
Timestamp: 2026-03-16T21:50:37.589Z
Learning: For changes related to OpenAPI migrations in Rocket.Chat/OpenAPI, when removing endpoint types and validators from rocket.chat/rest-typings (e.g., UserRegisterParamsPOST, /v1/users.register) document this as a minor changeset (not breaking) per RocketChat/Rocket.Chat-Open-API#150 Rule 7. Note that the endpoint type is re-exposed via a module augmentation .d.ts in the consuming package (e.g., packages/web-ui-registration/src/users-register.d.ts). In reviews, ensure the changeset clearly states: this is a non-breaking change, the major version should not be bumped, and the changeset reflects a minor version bump. Do not treat this as a breaking change during OpenAPI migrations.

Applied to files:

• .changeset/big-corners-tie.md

📚 Learning: 2026-02-23T17:53:06.802Z

Learnt from: ggazzo
Repo: RocketChat/Rocket.Chat PR: 35995
File: apps/meteor/app/api/server/v1/rooms.ts:1107-1112
Timestamp: 2026-02-23T17:53:06.802Z
Learning: During PR reviews that touch endpoint files under apps/meteor/app/api/server/v1, enforce strict scope: if a PR targets a specific endpoint (e.g., rooms.favorite), do not propose changes to unrelated endpoints (e.g., rooms.invite) unless maintainers explicitly request them. Focus feedback on the touched endpoint's behavior, API surface, and related tests; avoid broad cross-endpoint changes in the same PR unless requested.

Applied to files:

• apps/meteor/app/api/server/v1/users.ts

📚 Learning: 2026-02-24T19:09:01.522Z

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38974
File: apps/meteor/app/api/server/v1/im.ts:220-221
Timestamp: 2026-02-24T19:09:01.522Z
Learning: In Rocket.Chat OpenAPI migration PRs for endpoints under apps/meteor/app/api/server/v1, avoid introducing logic changes. Only perform scope-tight changes that preserve behavior; style-only cleanups (e.g., removing inline comments) may be deferred to follow-ups to keep the migration PR focused.

Applied to files:

• apps/meteor/app/api/server/v1/users.ts

📚 Learning: 2026-03-15T14:31:25.380Z

Learnt from: amitb0ra
Repo: RocketChat/Rocket.Chat PR: 39647
File: apps/meteor/app/api/server/v1/users.ts:710-757
Timestamp: 2026-03-15T14:31:25.380Z
Learning: Do not flag this type/schema misalignment in the OpenAPI/migration review for apps/meteor/app/api/server/v1/users.ts. The UserCreateParamsPOST type intentionally uses non-optional fields: fields: string and settings?: IUserSettings without an AJV schema entry, carried over from the original rest-typings (PR `#39647`). Treat this as a known pre-existing divergence and document it as a separate follow-up fix; do not block or mark it as a review issue during the migration.

Applied to files:

• apps/meteor/app/api/server/v1/users.ts

📚 Learning: 2026-03-16T23:33:11.443Z

Learnt from: amitb0ra
Repo: RocketChat/Rocket.Chat PR: 39676
File: apps/meteor/app/api/server/v1/users.ts:862-869
Timestamp: 2026-03-16T23:33:11.443Z
Learning: In rockets OpenAPI/AJV migration reviews for RocketChat/Rocket.Chat, when reviewing migrations that involve apps/meteor/app/api/server/v1/users.ts, do not require or flag a missing query AJV schema for the fields consumed by parseJsonQuery() (i.e., fields, sort, query) as part of this endpoint's migration PR. The addition of global query-param schemas for parseJsonQuery() usage is a cross-cutting concern and out of scope for individual endpoint migrations. Only flag violations related to the specific scope of the migration, not the absence of a query schema for parseJsonQuery() in this file.

Applied to files:

• apps/meteor/app/api/server/v1/users.ts

🔇 Additional comments (11)

packages/model-typings/src/models/IOAuthAccessTokensModel.ts (1)

2-2: LGTM!

Also applies to: 9-10

packages/model-typings/src/models/IOAuthAuthCodesModel.ts (1)

2-2: LGTM!

Also applies to: 8-9

packages/model-typings/src/models/IOAuthRefreshTokensModel.ts (1)

2-2: LGTM!

Also applies to: 8-9

packages/models/src/models/OAuthAccessTokens.ts (1)

3-3: LGTM!

Also applies to: 16-16, 36-42

packages/models/src/models/OAuthAuthCodes.ts (1)

3-3: LGTM!

Also applies to: 13-13, 23-29

packages/models/src/models/OAuthRefreshTokens.ts (1)

3-3: LGTM!

Also applies to: 13-13, 23-29

apps/meteor/app/lib/server/functions/setUserActiveStatus.ts (1)

3-3: LGTM!

Also applies to: 124-126

apps/meteor/app/api/server/v1/users.ts (1)

3-3: LGTM!

Also applies to: 557-560

.changeset/big-corners-tie.md (1)

1-8: LGTM!

apps/meteor/server/oauth2-server/model.ts (1)

11-11: LGTM!

Also applies to: 56-59, 236-239

apps/meteor/app/oauth2-server-config/server/oauth/oauth2-server.ts (1)

39-39: LGTM!

Also applies to: 58-58

[coderabbitai]

🧹 Nitpick comments (2)

apps/meteor/tests/end-to-end/api/oauth-server.ts (2)

25-25: ⚡ Quick win

Guard missing authorization code instead of force-casting.

location.searchParams.get('code') as string can hide a bad redirect payload and fail later with a less actionable error. Assert presence here and fail fast.

Proposed change

-	const code = location.searchParams.get('code') as string;
+	const code = location.searchParams.get('code');
+	expect(code, 'authorization response must include code').to.be.a('string');

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/tests/end-to-end/api/oauth-server.ts` at line 25, Replace the
force-cast of the OAuth code so the test fails fast when absent: instead of
using "location.searchParams.get('code') as string" directly, read the value
from location.searchParams.get('code'), assert or throw if it's null/undefined
(e.g., with an explicit check or expect/assert), and only then assign it to the
"code" variable for downstream use in the oauth-server.ts test logic; reference
the call to location.searchParams.get('code') and the "code" variable when
making the change.

---

300-304: ⚡ Quick win

Remove inline implementation comments in this test file.

These added comments should be removed to match repository style guidance for TS/JS implementation code.

As per coding guidelines: "Avoid code comments in the implementation".

Also applies to: 342-342, 392-396

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/tests/end-to-end/api/oauth-server.ts` around lines 300 - 304,
Remove the inline implementation comments immediately before the token
verification and deactivation calls — specifically delete the comment lines that
precede the request.get(api('me')).auth(userAccessToken...) and the
request.post(api('users.setActiveStatus')).set(credentials).send({ userId:
testUser._id, activeStatus: false }) calls; also remove the same style of inline
comments found near the other request calls in this test file (the other
occurrences around the api('me') / users.setActiveStatus request blocks). Leave
only the test code statements and ensure no leftover // comments remain in those
blocks.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@apps/meteor/tests/end-to-end/api/oauth-server.ts`:
- Line 25: Replace the force-cast of the OAuth code so the test fails fast when
absent: instead of using "location.searchParams.get('code') as string" directly,
read the value from location.searchParams.get('code'), assert or throw if it's
null/undefined (e.g., with an explicit check or expect/assert), and only then
assign it to the "code" variable for downstream use in the oauth-server.ts test
logic; reference the call to location.searchParams.get('code') and the "code"
variable when making the change.
- Around line 300-304: Remove the inline implementation comments immediately
before the token verification and deactivation calls — specifically delete the
comment lines that precede the request.get(api('me')).auth(userAccessToken...)
and the request.post(api('users.setActiveStatus')).set(credentials).send({
userId: testUser._id, activeStatus: false }) calls; also remove the same style
of inline comments found near the other request calls in this test file (the
other occurrences around the api('me') / users.setActiveStatus request blocks).
Leave only the test code statements and ensure no leftover // comments remain in
those blocks.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 11850977-f285-455d-988e-50c34ad0984a

📥 Commits

Reviewing files that changed from the base of the PR and between e372080 and 948e84d.

📒 Files selected for processing (1)

• apps/meteor/tests/end-to-end/api/oauth-server.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: 📦 Build Packages
• GitHub Check: cubic · AI code reviewer
• GitHub Check: CodeQL-Build
• GitHub Check: CodeQL-Build

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/tests/end-to-end/api/oauth-server.ts

🧠 Learnings (3)

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/tests/end-to-end/api/oauth-server.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/tests/end-to-end/api/oauth-server.ts

📚 Learning: 2026-05-06T12:21:44.083Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

• apps/meteor/tests/end-to-end/api/oauth-server.ts

🔇 Additional comments (1)

apps/meteor/tests/end-to-end/api/oauth-server.ts (1)

320-334: Refresh-token rejection assertions are still too loose.

The status !== 200 checks can pass on unrelated server failures and miss revocation regressions.

Also applies to: 409-423

[cubic-dev-ai]

1 issue found across 12 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/meteor/app/api/server/v1/users.ts">

<violation number="1" location="apps/meteor/app/api/server/v1/users.ts:557">
P1: OAuth token cleanup uses a pre-update ID snapshot, so concurrent state changes can revoke tokens for users who were not actually deactivated.

(Based on your team's feedback about concurrency-related behavioral changes and race conditions.) [FEEDBACK_USED]</violation>
</file>

_{Tip: cubic used a learning from your PR history. Let your coding agent read cubic learnings directly with the cubic MCP.
Re-trigger cubic}

[julio-rocketchat]

/backport 8.4.2

[dionisio-bot]

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-8.2.4-40524
git cherry-pick f7d47dd3517ec14ca2ec5c3c95fcdf9e1e2fb8b0
// solve the conflict
git push

after that just run /backport 8.2.4 again

[julio-rocketchat]

/backport 8.2.4

[dionisio-bot]

Pull request #40629 added to Project: "Patch 8.2.4"

[julio-rocketchat]

/backport 8.1.5

[dionisio-bot]

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-8.1.5-40524
git cherry-pick f7d47dd3517ec14ca2ec5c3c95fcdf9e1e2fb8b0
// solve the conflict
git push

after that just run /backport 8.1.5 again

[julio-rocketchat]

/backport 8.1.5

[dionisio-bot]

Pull request #40630 added to Project: "Patch 8.1.5"

[julio-rocketchat]

/backport 8.0.6

[dionisio-bot]

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-8.0.6-40524
git cherry-pick f7d47dd3517ec14ca2ec5c3c95fcdf9e1e2fb8b0
// solve the conflict
git push

after that just run /backport 8.0.6 again

[julio-rocketchat]

/backport 8.0.6

[dionisio-bot]

Pull request #40631 added to Project: "Patch 8.0.6"

[julio-rocketchat]

/backport 7.13.8

[dionisio-bot]

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-7.13.8-40524
git cherry-pick f7d47dd3517ec14ca2ec5c3c95fcdf9e1e2fb8b0
// solve the conflict
git push

after that just run /backport 7.13.8 again

[julio-rocketchat]

/backport 7.13.8

[dionisio-bot]

Pull request #40632 added to Project: "Patch 7.13.8"

[julio-rocketchat]

/backport 7.10.12

[dionisio-bot]

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-7.10.12-40524
git cherry-pick f7d47dd3517ec14ca2ec5c3c95fcdf9e1e2fb8b0
// solve the conflict
git push

after that just run /backport 7.10.12 again

[julio-rocketchat]

/backport 7.10.12

[dionisio-bot]

Pull request #40633 added to Project: "Patch 7.10.12"