Release 8.4.2

.changeset/bump-patch-1778764022832.md

@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Bump @rocket.chat/meteor version.

.changeset/fix-presence-comma-ids.md

@@ -0,0 +1,6 @@
+---
+'@rocket.chat/meteor': patch
+'@rocket.chat/rest-typings': patch
+---
+
+Fixes the `users.presence` endpoint returning an empty array when called with multiple comma-separated IDs, caused by `ajvQuery` coercing the string into a single-element array after the OpenAPI migration

.changeset/good-rules-lie.md

@@ -0,0 +1,7 @@
+---
+'@rocket.chat/model-typings': patch
+'@rocket.chat/models': patch
+'@rocket.chat/meteor': patch
+---
+
+Ensures that deactivated users have their login tokens cleaned up in users.deactivateidle

.changeset/neat-trams-juggle.md

@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Ensures the Meteor method for translateMessage validates access and types

.changeset/perky-tires-invite.md

@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Ensures the visitor token is not present in the visitors.info response

.changeset/shaggy-kiwis-burn.md

@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Ensures the autotranslate.translateMessage endpoint checks for room access

apps/meteor/app/api/server/v1/autotranslate.ts

@@ -1,13 +1,15 @@
 import type { IMessage, ISupportedLanguage } from '@rocket.chat/core-typings';
-import { Messages } from '@rocket.chat/models';
+import { Messages, Rooms } from '@rocket.chat/models';
 import {
 	ajv,
 	validateUnauthorizedErrorResponse,
 	validateBadRequestErrorResponse,
+	validateForbiddenErrorResponse,
 	isAutotranslateSaveSettingsParamsPOST,
 	isAutotranslateGetSupportedLanguagesParamsGET,
 } from '@rocket.chat/rest-typings';
 
+import { canAccessRoomAsync } from '../../../authorization/server';
 import { getSupportedLanguages } from '../../../autotranslate/server/functions/getSupportedLanguages';
 import { saveAutoTranslateSettings } from '../../../autotranslate/server/functions/saveSettings';
 import { translateMessage } from '../../../autotranslate/server/functions/translateMessage';
@@ -124,6 +126,7 @@ const autotranslateEndpoints = API.v1
 				}),
 				400: validateBadRequestErrorResponse,
 				401: validateUnauthorizedErrorResponse,
+				403: validateForbiddenErrorResponse,
 			},
 		},
 		async function action() {
@@ -139,6 +142,11 @@ const autotranslateEndpoints = API.v1
 				return API.v1.failure('Message not found.');
 			}
 
+			const room = await Rooms.findOneById(message.rid);
+			if (!room || !(await canAccessRoomAsync(room, { _id: this.userId }))) {
+				return API.v1.forbidden();
+			}
+
 			const translatedMessage = await translateMessage(targetLanguage, message);
 
 			if (!translatedMessage) {

apps/meteor/app/api/server/v1/users.ts

@@ -548,9 +548,20 @@ API.v1.post(
 		const lastLoggedIn = new Date();
 		lastLoggedIn.setDate(lastLoggedIn.getDate() - daysIdle);
 
-		// since we're deactiving users that are not logged in, there is no need to send data through WS
+		const ids = await Users.findActiveNotLoggedInAfterWithRole(lastLoggedIn, role, { projection: { _id: 1 } })
+			.map(({ _id }: { _id: string }) => _id)
+			.toArray();
+
 		const { modifiedCount: count } = await Users.setActiveNotLoggedInAfterWithRole(lastLoggedIn, role, false);
 
+		ids.forEach((_id) => {
+			void notifyOnUserChange({
+				clientAction: 'updated',
+				id: _id,
+				diff: { 'services.resume.loginTokens': [], 'active': false },
+			});
+		});
+
 		return API.v1.success({
 			count,
 		});

apps/meteor/app/autotranslate/server/methods/translateMessage.ts

@@ -1,7 +1,10 @@
 import type { IMessage } from '@rocket.chat/core-typings';
 import type { ServerMethods } from '@rocket.chat/ddp-client';
+import { Messages, Rooms } from '@rocket.chat/models';
+import { check } from 'meteor/check';
 import { Meteor } from 'meteor/meteor';
 
+import { canAccessRoomAsync } from '../../../authorization/server';
 import { translateMessage } from '../functions/translateMessage';
 
 declare module '@rocket.chat/ddp-client' {
@@ -13,6 +16,22 @@ declare module '@rocket.chat/ddp-client' {
 
 Meteor.methods<ServerMethods>({
 	async 'autoTranslate.translateMessage'(message, targetLanguage) {
-		return translateMessage(targetLanguage, message);
+		const userId = Meteor.userId();
+		if (!userId) {
+			throw new Meteor.Error('error-invalid-user', 'Invalid user', {
+				method: 'autoTranslate.translateMessage',
+			});
+		}
+		check(message?._id, String);
+		check(targetLanguage, String);
+		const msg = await Messages.findOneById(message._id);
+		if (!msg) {
+			throw new Meteor.Error('error-message-not-found', 'Message not found');
+		}
+		const room = await Rooms.findOneById(msg.rid);
+		if (!room || !(await canAccessRoomAsync(room, { _id: userId }))) {
+			throw new Meteor.Error('error-not-allowed', 'Not allowed');
+		}
+		return translateMessage(targetLanguage, msg);
 	},
 });

apps/meteor/app/livechat/server/api/lib/visitors.ts

@@ -6,7 +6,7 @@ import { callbacks } from '../../../../../server/lib/callbacks';
 import { canAccessRoomAsync } from '../../../../authorization/server/functions/canAccessRoom';
 
 export async function findVisitorInfo({ visitorId }: { visitorId: IVisitor['_id'] }) {
-	const visitor = await LivechatVisitors.findOneEnabledById(visitorId);
+	const visitor = await LivechatVisitors.findOneEnabledById(visitorId, { projection: { token: 0 } });
 	if (!visitor) {
 		throw new Error('visitor-not-found');
 	}

apps/meteor/package.json

@@ -68,9 +68,9 @@
 		"@aws-sdk/client-s3": "^3.862.0",
 		"@aws-sdk/lib-storage": "^3.862.0",
 		"@aws-sdk/s3-request-presigner": "^3.862.0",
-		"@babel/core": "~7.28.6",
-		"@babel/preset-env": "~7.28.6",
-		"@babel/runtime": "~7.28.6",
+		"@babel/core": "~7.29.0",
+		"@babel/preset-env": "~7.29.5",
+		"@babel/runtime": "~7.29.2",
 		"@bugsnag/js": "~7.20.2",
 		"@bugsnag/plugin-react": "~7.19.0",
 		"@datastructures-js/priority-queue": "^6.3.5",
@@ -85,8 +85,8 @@
 		"@noble/ed25519": "^3.0.0",
 		"@node-oauth/oauth2-server": "~5.2.1",
 		"@opentelemetry/api": "^1.9.1",
-		"@opentelemetry/exporter-trace-otlp-grpc": "^0.54.2",
-		"@opentelemetry/sdk-node": "^0.54.2",
+		"@opentelemetry/exporter-trace-otlp-grpc": "^0.217.0",
+		"@opentelemetry/sdk-node": "^0.217.0",
 		"@parse/node-apn": "^8.1.0",
 		"@react-aria/toolbar": "^3.0.0-nightly.5042",
 		"@react-pdf/renderer": "^4.3.2",
@@ -282,7 +282,7 @@
 		"react-stately": "~3.17.0",
 		"react-virtuoso": "~4.12.8",
 		"reflect-metadata": "^0.2.2",
-		"sanitize-html": "~2.16.0",
+		"sanitize-html": "~2.17.4",
 		"semver": "^7.6.3",
 		"sharp": "^0.33.5",
 		"sodium-native": "^4.3.3",

apps/meteor/tests/end-to-end/api/autotranslate.ts

@@ -3,7 +3,7 @@ import type { IMessage, IRoom, IUser } from '@rocket.chat/core-typings';
 import { expect } from 'chai';
 import { before, describe, after, it } from 'mocha';
 
-import { getCredentials, api, request, credentials } from '../../data/api-data';
+import { getCredentials, api, request, credentials, methodCall } from '../../data/api-data';
 import { sendSimpleMessage } from '../../data/chat.helper';
 import { updatePermission, updateSetting } from '../../data/permissions.helper';
 import { createRoom, deleteRoom } from '../../data/rooms.helper';
@@ -374,6 +374,152 @@ describe('AutoTranslate', () => {
 					})
 					.end(done);
 			});
+
+			describe('room access check', () => {
+				let userA: TestUser<IUser>;
+				let userB: TestUser<IUser>;
+				let credA: Credentials;
+				let credB: Credentials;
+				let privateRoom: IRoom;
+				let privateMessage: IMessage;
+
+				before(async () => {
+					await updateSetting('AutoTranslate_Enabled', true);
+
+					userA = await createUser();
+					userB = await createUser();
+
+					credA = await login(userA.username, password);
+					credB = await login(userB.username, password);
+
+					privateRoom = (
+						await createRoom({
+							type: 'p',
+							name: `test-autotranslate-access-${Date.now()}`,
+							credentials: credA,
+						})
+					).body.group;
+
+					const msgRes = await sendSimpleMessage({
+						roomId: privateRoom._id,
+						text: 'Isso é um teste',
+						userCredentials: credA,
+					});
+					privateMessage = msgRes.body.message;
+				});
+
+				after(async () => {
+					await Promise.all([
+						updateSetting('AutoTranslate_Enabled', false),
+						deleteUser(userA),
+						deleteUser(userB),
+						deleteRoom({ type: 'p', roomId: privateRoom._id }),
+					]);
+				});
+
+				it('should return 403 forbidden when the user is not a member of the room', (done) => {
+					void request
+						.post(api('autotranslate.translateMessage'))
+						.set(credB)
+						.send({
+							messageId: privateMessage._id,
+						})
+						.expect('Content-Type', 'application/json')
+						.expect(403)
+						.expect((res) => {
+							expect(res.body).to.have.a.property('success', false);
+						})
+						.end(done);
+				});
+			});
+		});
+
+		describe('[autoTranslate.translateMessage method]', () => {
+			let userA: TestUser<IUser>;
+			let userB: TestUser<IUser>;
+			let credA: Credentials;
+			let credB: Credentials;
+			let privateRoom: IRoom;
+			let privateMessage: IMessage;
+
+			before(async () => {
+				await updateSetting('AutoTranslate_Enabled', true);
+
+				userA = await createUser();
+				userB = await createUser();
+
+				credA = await login(userA.username, password);
+				credB = await login(userB.username, password);
+
+				privateRoom = (
+					await createRoom({
+						type: 'p',
+						name: `test-autotranslate-method-${Date.now()}`,
+						credentials: credA,
+					})
+				).body.group;
+
+				const msgRes = await sendSimpleMessage({
+					roomId: privateRoom._id,
+					text: 'Isso é um teste',
+					userCredentials: credA,
+				});
+				privateMessage = msgRes.body.message;
+			});
+
+			after(async () => {
+				await Promise.all([
+					updateSetting('AutoTranslate_Enabled', false),
+					deleteUser(userA),
+					deleteUser(userB),
+					deleteRoom({ type: 'p', roomId: privateRoom._id }),
+				]);
+			});
+
+			it('should fail when messageId is not a string', (done) => {
+				void request
+					.post(methodCall('autoTranslate.translateMessage'))
+					.set(credA)
+					.send({
+						message: JSON.stringify({
+							msg: 'method',
+							id: 'id',
+							method: 'autoTranslate.translateMessage',
+							params: [{ _id: { $gt: '' } }, 'en'],
+						}),
+					})
+					.expect('Content-Type', 'application/json')
+					.expect(400)
+					.expect((res) => {
+						expect(res.body).to.have.a.property('success', false);
+						const parsedBody = JSON.parse(res.body.message);
+						expect(parsedBody).to.have.a.property('error');
+					})
+					.end(done);
+			});
+
+			it('should return error-not-allowed when the caller is not a member of the room', (done) => {
+				void request
+					.post(methodCall('autoTranslate.translateMessage'))
+					.set(credB)
+					.send({
+						message: JSON.stringify({
+							msg: 'method',
+							id: 'id',
+							method: 'autoTranslate.translateMessage',
+							params: [{ _id: privateMessage._id }, 'en'],
+						}),
+					})
+					.expect('Content-Type', 'application/json')
+					.expect(400)
+					.expect((res) => {
+						expect(res.body).to.have.a.property('success', false);
+						const parsedBody = JSON.parse(res.body.message);
+						expect(parsedBody).to.have.a.property('error');
+						expect(parsedBody.error).to.have.a.property('error', 'error-not-allowed');
+					})
+					.end(done);
+			});
 		});
 
 		describe('Autoenable setting', () => {

apps/meteor/tests/end-to-end/api/livechat/09-visitors.ts

@@ -567,6 +567,18 @@ describe('LIVECHAT - visitors', () => {
 					expect(res.body.visitor._id).to.be.equal(visitor._id);
 				});
 		});
+		it('should not return the visitor token', async () => {
+			await request
+				.get(api('livechat/visitors.info'))
+				.query({ visitorId: visitor._id })
+				.set(credentials)
+				.expect('Content-Type', 'application/json')
+				.expect(200)
+				.expect((res: Response) => {
+					expect(res.body).to.have.property('success', true);
+					expect(res.body.visitor).to.not.have.property('token');
+				});
+		});
 	});
 
 	describe('livechat/visitors.pagesVisited', () => {