RocketChat · rocketchat-github-ci · May 14, 2026 · May 14, 2026 · May 14, 2026 · May 14, 2026
diff --git a/.changeset/big-corners-tie.md b/.changeset/big-corners-tie.md
@@ -0,0 +1,7 @@
+---
+'@rocket.chat/model-typings': patch
+'@rocket.chat/models': patch
+'@rocket.chat/meteor': patch
+---
+
+Ensures OAuth tokens are cleaned up after user deactivation
diff --git a/.changeset/bump-patch-1778764022832.md b/.changeset/bump-patch-1778764022832.md
@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Bump @rocket.chat/meteor version.
diff --git a/.changeset/fix-presence-comma-ids.md b/.changeset/fix-presence-comma-ids.md
@@ -0,0 +1,6 @@
+---
+'@rocket.chat/meteor': patch
+'@rocket.chat/rest-typings': patch
+---
+
+Fixes the `users.presence` endpoint returning an empty array when called with multiple comma-separated IDs, caused by `ajvQuery` coercing the string into a single-element array after the OpenAPI migration
diff --git a/.changeset/good-rules-lie.md b/.changeset/good-rules-lie.md
@@ -0,0 +1,7 @@
+---
+'@rocket.chat/model-typings': patch
+'@rocket.chat/models': patch
+'@rocket.chat/meteor': patch
+---
+
+Ensures that deactivated users have their login tokens cleaned up in users.deactivateidle
-Ensures that deactivated users have their login tokens cleaned up in users.deactivateidle
+Fixes users.presence handling for multiple IDs and strengthens autotranslate input validation and room-access enforcement.
-Ensures that deactivated users have their login tokens cleaned up in users.deactivateidle
+Fixes users.presence handling for multiple IDs and strengthens autotranslate input validation and room-access enforcement.
diff --git a/.changeset/neat-trams-juggle.md b/.changeset/neat-trams-juggle.md
@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Ensures the Meteor method for translateMessage validates access and types
diff --git a/.changeset/perky-tires-invite.md b/.changeset/perky-tires-invite.md
@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Ensures the visitor token is not present in the visitors.info response
diff --git a/.changeset/shaggy-kiwis-burn.md b/.changeset/shaggy-kiwis-burn.md
@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Ensures the autotranslate.translateMessage endpoint checks for room access
@@ -1,13 +1,15 @@
 import type { IMessage, ISupportedLanguage } from '@rocket.chat/core-typings';
-import { Messages } from '@rocket.chat/models';
+import { Messages, Rooms } from '@rocket.chat/models';
 import {
 	ajv,
 	validateUnauthorizedErrorResponse,
 	validateBadRequestErrorResponse,
+	validateForbiddenErrorResponse,
 	isAutotranslateSaveSettingsParamsPOST,
 	isAutotranslateGetSupportedLanguagesParamsGET,
 } from '@rocket.chat/rest-typings';
 
+import { canAccessRoomAsync } from '../../../authorization/server';
 import { getSupportedLanguages } from '../../../autotranslate/server/functions/getSupportedLanguages';
 import { saveAutoTranslateSettings } from '../../../autotranslate/server/functions/saveSettings';
 import { translateMessage } from '../../../autotranslate/server/functions/translateMessage';
@@ -124,6 +126,7 @@ const autotranslateEndpoints = API.v1
 				}),
 				400: validateBadRequestErrorResponse,
 				401: validateUnauthorizedErrorResponse,
+				403: validateForbiddenErrorResponse,
 			},
 		},
 		async function action() {
@@ -139,6 +142,11 @@ const autotranslateEndpoints = API.v1
 				return API.v1.failure('Message not found.');
 			}
 
+			const room = await Rooms.findOneById(message.rid);
+			if (!room || !(await canAccessRoomAsync(room, { _id: this.userId }))) {
+				return API.v1.forbidden();
+			}
+
 			const translatedMessage = await translateMessage(targetLanguage, message);
 
 			if (!translatedMessage) {

@@ -1,6 +1,6 @@
 import { MeteorError, Team, api, Calendar } from '@rocket.chat/core-services';
 import type { IExportOperation, ILoginToken, IPersonalAccessToken, IUser, UserStatus } from '@rocket.chat/core-typings';
-import { Users, Subscriptions, Sessions } from '@rocket.chat/models';
+import { Users, Subscriptions, Sessions, OAuthAccessTokens, OAuthRefreshTokens, OAuthAuthCodes } from '@rocket.chat/models';
 import {
 	isUserCreateParamsPOST,
 	isUserSetActiveStatusParamsPOST,
@@ -548,9 +548,26 @@ API.v1.post(
 		const lastLoggedIn = new Date();
 		lastLoggedIn.setDate(lastLoggedIn.getDate() - daysIdle);
 
-		// since we're deactiving users that are not logged in, there is no need to send data through WS
+		const ids = await Users.findActiveNotLoggedInAfterWithRole(lastLoggedIn, role, { projection: { _id: 1 } })
+			.map(({ _id }: { _id: string }) => _id)
+			.toArray();
+
 		const { modifiedCount: count } = await Users.setActiveNotLoggedInAfterWithRole(lastLoggedIn, role, false);
 
+		await Promise.all([
+			OAuthAccessTokens.deleteByUserIds(ids),
+			OAuthRefreshTokens.deleteByUserIds(ids),
+			OAuthAuthCodes.deleteByUserIds(ids),
+		]);
+
+		ids.forEach((_id) => {
+			void notifyOnUserChange({
+				clientAction: 'updated',
+				id: _id,
+				diff: { 'services.resume.loginTokens': [], 'active': false },
+			});
+		});
+
 		return API.v1.success({
 			count,
 		});

diff --git a/apps/meteor/app/autotranslate/server/methods/translateMessage.ts b/apps/meteor/app/autotranslate/server/methods/translateMessage.ts
@@ -1,7 +1,10 @@
 import type { IMessage } from '@rocket.chat/core-typings';
 import type { ServerMethods } from '@rocket.chat/ddp-client';
+import { Messages, Rooms } from '@rocket.chat/models';
+import { check } from 'meteor/check';
 import { Meteor } from 'meteor/meteor';
 
+import { canAccessRoomAsync } from '../../../authorization/server';
 import { translateMessage } from '../functions/translateMessage';
 
 declare module '@rocket.chat/ddp-client' {
@@ -13,6 +16,22 @@ declare module '@rocket.chat/ddp-client' {
 
 Meteor.methods<ServerMethods>({
 	async 'autoTranslate.translateMessage'(message, targetLanguage) {
-		return translateMessage(targetLanguage, message);
+		const userId = Meteor.userId();
+		if (!userId) {
+			throw new Meteor.Error('error-invalid-user', 'Invalid user', {
+				method: 'autoTranslate.translateMessage',
+			});
+		}
+		check(message?._id, String);
+		check(targetLanguage, String);
+		const msg = await Messages.findOneById(message._id);
+		if (!msg) {
+			throw new Meteor.Error('error-message-not-found', 'Message not found');
+		}
+		const room = await Rooms.findOneById(msg.rid);
+		if (!room || !(await canAccessRoomAsync(room, { _id: userId }))) {
+			throw new Meteor.Error('error-not-allowed', 'Not allowed');
+		}
+		return translateMessage(targetLanguage, msg);
 	},
 });
diff --git a/apps/meteor/app/lib/server/functions/setUserActiveStatus.ts b/apps/meteor/app/lib/server/functions/setUserActiveStatus.ts
@@ -1,6 +1,6 @@
 import type { IUser, IUserEmail } from '@rocket.chat/core-typings';
 import { isUserFederated, isDirectMessageRoom } from '@rocket.chat/core-typings';
-import { Rooms, Users, Subscriptions } from '@rocket.chat/models';
+import { Rooms, Users, Subscriptions, OAuthAccessTokens, OAuthRefreshTokens, OAuthAuthCodes } from '@rocket.chat/models';
 import { Accounts } from 'meteor/accounts-base';
 import { check } from 'meteor/check';
 import { Meteor } from 'meteor/meteor';
@@ -121,6 +121,11 @@ export async function setUserActiveStatus(
 
 	if (active === false) {
 		await Users.unsetLoginTokens(userId);
+		await Promise.all([
+			OAuthAccessTokens.deleteByUserId(userId),
+			OAuthRefreshTokens.deleteByUserId(userId),
+			OAuthAuthCodes.deleteByUserId(userId),
+		]);
 		await Rooms.setDmReadOnlyByUserId(userId, undefined, true, false);
 
 		void notifyOnUserChange({ clientAction: 'updated', id: userId, diff: { 'services.resume.loginTokens': [], active } });

@@ -6,7 +6,7 @@ import { callbacks } from '../../../../../server/lib/callbacks';
 import { canAccessRoomAsync } from '../../../../authorization/server/functions/canAccessRoom';
 
 export async function findVisitorInfo({ visitorId }: { visitorId: IVisitor['_id'] }) {
-	const visitor = await LivechatVisitors.findOneEnabledById(visitorId);
+	const visitor = await LivechatVisitors.findOneEnabledById(visitorId, { projection: { token: 0 } });
 	if (!visitor) {
 		throw new Error('visitor-not-found');
 	}

diff --git a/apps/meteor/app/oauth2-server-config/server/oauth/oauth2-server.ts b/apps/meteor/app/oauth2-server-config/server/oauth/oauth2-server.ts
@@ -34,9 +34,9 @@ export async function oAuth2ServerAuth(partialRequest: { authorization?: string;
 		return;
 	}
 
-	const user = await Users.findOneById(accessToken.userId);
+	const user = await Users.findOneActiveById(accessToken.userId);
 
-	if (user == null) {
+	if (!user) {
 		return;
 	}
 
@@ -54,8 +54,8 @@ oauth2server.app.get('/oauth/userinfo', async (req: Request, res: Response) => {
 	if (token == null) {
 		return res.status(401).send('Invalid Token');
 	}
-	const user = await Users.findOneById(token.userId);
-	if (user == null) {
+	const user = await Users.findOneActiveById(token.userId);
+	if (!user) {
 		return res.status(401).send('Invalid Token');
 	}
 	return res.send({

diff --git a/apps/meteor/package.json b/apps/meteor/package.json
@@ -68,9 +68,9 @@
 		"@aws-sdk/client-s3": "^3.862.0",
 		"@aws-sdk/lib-storage": "^3.862.0",
 		"@aws-sdk/s3-request-presigner": "^3.862.0",
-		"@babel/core": "~7.28.6",
-		"@babel/preset-env": "~7.28.6",
-		"@babel/runtime": "~7.28.6",
+		"@babel/core": "~7.29.0",
+		"@babel/preset-env": "~7.29.5",
+		"@babel/runtime": "~7.29.2",
 		"@bugsnag/js": "~7.20.2",
 		"@bugsnag/plugin-react": "~7.19.0",
 		"@datastructures-js/priority-queue": "^6.3.5",
@@ -85,8 +85,8 @@
 		"@noble/ed25519": "^3.0.0",
 		"@node-oauth/oauth2-server": "~5.2.1",
 		"@opentelemetry/api": "^1.9.1",
-		"@opentelemetry/exporter-trace-otlp-grpc": "^0.54.2",
-		"@opentelemetry/sdk-node": "^0.54.2",
+		"@opentelemetry/exporter-trace-otlp-grpc": "^0.217.0",
+		"@opentelemetry/sdk-node": "^0.217.0",
 		"@parse/node-apn": "^8.1.0",
 		"@react-aria/toolbar": "^3.0.0-nightly.5042",
 		"@react-pdf/renderer": "^4.3.2",
@@ -282,7 +282,7 @@
 		"react-stately": "~3.17.0",
 		"react-virtuoso": "~4.12.8",
 		"reflect-metadata": "^0.2.2",
-		"sanitize-html": "~2.16.0",
+		"sanitize-html": "~2.17.4",
 		"semver": "^7.6.3",
 		"sharp": "^0.33.5",
 		"sodium-native": "^4.3.3",

@@ -8,7 +8,7 @@ import type {
 	Token,
 	User,
 } from '@node-oauth/oauth2-server';
-import { OAuthApps, OAuthAuthCodes, OAuthAccessTokens, OAuthRefreshTokens } from '@rocket.chat/models';
+import { OAuthApps, OAuthAuthCodes, OAuthAccessTokens, OAuthRefreshTokens, Users } from '@rocket.chat/models';
 
 export type ModelConfig = {
 	debug?: boolean;
@@ -53,6 +53,11 @@ export class Model implements AuthorizationCodeModel, RefreshTokenModel {
 			throw new Error('Invalid clientId');
 		}
 
+		const user = await Users.findOneActiveById(token.userId, { projection: { _id: 1 } });
+		if (!user) {
+			return;
+		}
+
 		const result: Token = {
 			accessToken: token.accessToken,
 			client,
@@ -228,6 +233,11 @@ export class Model implements AuthorizationCodeModel, RefreshTokenModel {
 			throw new Error('Invalid clientId');
 		}
 
+		const user = await Users.findOneActiveById(token.userId, { projection: { _id: 1 } });
+		if (!user) {
+			throw new Error('Invalid token');
+		}
+
 		const result: RefreshToken = {
 			// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
 			refreshToken: token.refreshToken!,