Merge branch 'develop' into apps-modal-rename

.changeset/four-cherries-kneel.md

@@ -0,0 +1,5 @@
+---
+"@rocket.chat/meteor": patch
+---
+
+Allow to use the token from `room.v` when requesting transcript instead of visitor token. Visitors may change their tokens at any time, rendering old conversations impossible to access for them (or for APIs depending on token) as the visitor token won't match the `room.v` token.

.changeset/healthy-rivers-nail.md

@@ -0,0 +1,8 @@
+---
+"@rocket.chat/meteor": minor
+"@rocket.chat/i18n": minor
+"@rocket.chat/livechat": minor
+---
+
+Added new setting `Allow visitors to finish conversations` that allows admins to decide if omnichannel visitors can close a conversation or not. This doesn't affect agent's capabilities of room closing, neither apps using the livechat bridge to close rooms.
+However, if currently your integration relies on `livechat/room.close` endpoint for closing conversations, it's advised to use the authenticated version `livechat/room.closeByUser` of it before turning off this setting.

.changeset/tiny-geckos-kiss.md

@@ -0,0 +1,6 @@
+---
+'@rocket.chat/i18n': minor
+'@rocket.chat/meteor': minor
+---
+
+Added a new setting which allows workspace admins to disable email two factor authentication for SSO (OAuth) users. If enabled, SSO users won't be asked for email two factor authentication.

apps/meteor/app/2fa/server/code/EmailCheck.spec.ts

@@ -0,0 +1,70 @@
+import { expect } from 'chai';
+import { describe, it } from 'mocha';
+import proxyquire from 'proxyquire';
+import sinon from 'sinon';
+
+const settingsMock = sinon.stub();
+
+const { EmailCheck } = proxyquire.noCallThru().load('./EmailCheck', {
+	'@rocket.chat/models': {
+		Users: {},
+	},
+	'meteor/accounts-base': {
+		Accounts: {
+			_bcryptRounds: () => '123',
+		},
+	},
+	'../../../../server/lib/i18n': {
+		i18n: {
+			t: (key: string) => key,
+		},
+	},
+	'../../../mailer/server/api': {
+		send: () => undefined,
+	},
+	'../../../settings/server': {
+		settings: {
+			get: settingsMock,
+		},
+	},
+});
+
+const normalUserMock = { services: { email2fa: { enabled: true } }, emails: [{ email: '[email protected]', verified: true }] };
+const normalUserWithUnverifiedEmailMock = {
+	services: { email2fa: { enabled: true } },
+	emails: [{ email: '[email protected]', verified: false }],
+};
+const OAuthUserMock = { services: { google: {} }, emails: [{ email: '[email protected]', verified: true }] };
+
+describe('EmailCheck', () => {
+	let emailCheck: typeof EmailCheck;
+	beforeEach(() => {
+		settingsMock.reset();
+
+		emailCheck = new EmailCheck();
+	});
+
+	it('should return EmailCheck is enabled for a normal user', () => {
+		settingsMock.returns(true);
+
+		const isEmail2FAEnabled = emailCheck.isEnabled(normalUserMock);
+
+		expect(isEmail2FAEnabled).to.be.equal(true);
+	});
+
+	it('should return EmailCheck is not enabled for a normal user with unverified email', () => {
+		settingsMock.returns(true);
+
+		const isEmail2FAEnabled = emailCheck.isEnabled(normalUserWithUnverifiedEmailMock);
+
+		expect(isEmail2FAEnabled).to.be.equal(false);
+	});
+
+	it('should return EmailCheck is not enabled for a OAuth user with setting being false', () => {
+		settingsMock.returns(true);
+
+		const isEmail2FAEnabled = emailCheck.isEnabled(OAuthUserMock);
+
+		expect(isEmail2FAEnabled).to.be.equal(false);
+	});
+});

apps/meteor/app/2fa/server/code/EmailCheck.ts

@@ -1,4 +1,4 @@
-import type { IUser } from '@rocket.chat/core-typings';
+import { isOAuthUser, type IUser } from '@rocket.chat/core-typings';
 import { Users } from '@rocket.chat/models';
 import { Random } from '@rocket.chat/random';
 import bcrypt from 'bcrypt';
@@ -24,6 +24,10 @@ export class EmailCheck implements ICodeCheck {
 			return false;
 		}
 
+		if (!settings.get('Accounts_twoFactorAuthentication_email_available_for_OAuth_users') && isOAuthUser(user)) {
+			return false;
+		}
+
 		if (!user.services?.email2fa?.enabled) {
 			return false;
 		}

apps/meteor/app/2fa/server/code/index.ts

@@ -45,14 +45,10 @@ function getAvailableMethodNames(user: IUser): string[] {
 export async function getUserForCheck(userId: string): Promise<IUser | null> {
 	return Users.findOneById(userId, {
 		projection: {
-			'emails': 1,
-			'language': 1,
-			'createdAt': 1,
-			'services.totp': 1,
-			'services.email2fa': 1,
-			'services.emailCode': 1,
-			'services.password': 1,
-			'services.resume.loginTokens': 1,
+			emails: 1,
+			language: 1,
+			createdAt: 1,
+			services: 1,
 		},
 	});
 }

apps/meteor/app/api/server/v1/misc.ts

@@ -1,6 +1,6 @@
 import crypto from 'crypto';
 
-import type { IUser } from '@rocket.chat/core-typings';
+import { isOAuthUser, type IUser } from '@rocket.chat/core-typings';
 import { Settings, Users } from '@rocket.chat/models';
 import {
 	isShieldSvgProps,
@@ -26,7 +26,7 @@ import { hasPermissionAsync } from '../../../authorization/server/functions/hasP
 import { passwordPolicy } from '../../../lib/server';
 import { notifyOnSettingChangedById } from '../../../lib/server/lib/notifyListener';
 import { settings } from '../../../settings/server';
-import { getDefaultUserFields } from '../../../utils/server/functions/getDefaultUserFields';
+import { getBaseUserFields } from '../../../utils/server/functions/getBaseUserFields';
 import { isSMTPConfigured } from '../../../utils/server/functions/isSMTPConfigured';
 import { getURL } from '../../../utils/server/getURL';
 import { API } from '../api';
@@ -176,15 +176,19 @@ API.v1.addRoute(
 	{ authRequired: true },
 	{
 		async get() {
-			const fields = getDefaultUserFields();
-			const { services, ...user } = (await Users.findOneById(this.userId, { projection: fields })) as IUser;
+			const userFields = { ...getBaseUserFields(), services: 1 };
+			const { services, ...user } = (await Users.findOneById(this.userId, { projection: userFields })) as IUser;
 
 			return API.v1.success(
 				await getUserInfo({
 					...user,
+					isOAuthUser: isOAuthUser({ ...user, services }),
 					...(services && {
 						services: {
-							...services,
+							...(services.github && { github: services.github }),
+							...(services.gitlab && { gitlab: services.gitlab }),
+							...(services.email2fa?.enabled && { email2fa: { enabled: services.email2fa.enabled } }),
+							...(services.totp?.enabled && { totp: { enabled: services.totp.enabled } }),
 							password: {
 								// The password hash shouldn't be leaked but the client may need to know if it exists.
 								exists: Boolean(services?.password?.bcrypt),

apps/meteor/app/livechat/imports/server/rest/appearance.ts

@@ -51,6 +51,7 @@ API.v1.addRoute(
 				'Livechat_background',
 				'Livechat_widget_position',
 				'Livechat_hide_system_messages',
+				'Omnichannel_allow_visitors_to_close_conversation',
 			];
 
 			const valid = settings.every((setting) => validSettingList.includes(setting._id));

apps/meteor/app/livechat/server/api/lib/appearance.ts

@@ -28,6 +28,7 @@ export async function findAppearance(): Promise<{ appearance: ISetting[] }> {
 				'Livechat_background',
 				'Livechat_widget_position',
 				'Livechat_hide_system_messages',
+				'Omnichannel_allow_visitors_to_close_conversation',
 			],
 		},
 	};

apps/meteor/app/livechat/server/api/lib/livechat.ts

@@ -142,6 +142,7 @@ export async function settings({ businessUnit = '' }: { businessUnit?: string }
 			hiddenSystemMessages: initSettings.Livechat_hide_system_messages,
 			livechatLogo: initSettings.Assets_livechat_widget_logo,
 			hideWatermark: initSettings.Livechat_hide_watermark || false,
+			visitorsCanCloseChat: initSettings.Omnichannel_allow_visitors_to_close_conversation,
 		},
 		theme: {
 			title: initSettings.Livechat_title,

apps/meteor/app/livechat/server/api/v1/contact.ts

@@ -92,7 +92,7 @@ API.v1.addRoute(
 	{ authRequired: true, permissionsRequired: ['create-livechat-contact'], validateParams: isPOSTOmnichannelContactsProps },
 	{
 		async post() {
-			if (!process.env.TEST_MODE) {
+			if (process.env.TEST_MODE?.toUpperCase() !== 'TRUE') {
 				throw new Meteor.Error('error-not-allowed', 'This endpoint is only allowed in test mode');
 			}
 			const contactId = await createContact({ ...this.bodyParams, unknown: false });
@@ -106,7 +106,7 @@ API.v1.addRoute(
 	{ authRequired: true, permissionsRequired: ['update-livechat-contact'], validateParams: isPOSTUpdateOmnichannelContactsProps },
 	{
 		async post() {
-			if (!process.env.TEST_MODE) {
+			if (process.env.TEST_MODE?.toUpperCase() !== 'TRUE') {
 				throw new Meteor.Error('error-not-allowed', 'This endpoint is only allowed in test mode');
 			}
 

apps/meteor/app/livechat/server/api/v1/room.ts

@@ -107,6 +107,10 @@ API.v1.addRoute(
 		async post() {
 			const { rid, token } = this.bodyParams;
 
+			if (!rcSettings.get('Omnichannel_allow_visitors_to_close_conversation')) {
+				throw new Error('error-not-allowed-to-close-conversation');
+			}
+
 			const visitor = await findGuest(token);
 			if (!visitor) {
 				throw new Error('invalid-token');

apps/meteor/app/livechat/server/lib/Contacts.ts

@@ -44,8 +44,8 @@ type RegisterContactProps = {
 
 type CreateContactParams = {
 	name: string;
-	emails: string[];
-	phones: string[];
+	emails?: string[];
+	phones?: string[];
 	unknown: boolean;
 	customFields?: Record<string, string | unknown>;
 	contactManager?: string;

apps/meteor/app/livechat/server/lib/LivechatTyped.ts

@@ -71,6 +71,7 @@ import * as Mailer from '../../../mailer/server/api';
 import { metrics } from '../../../metrics/server';
 import { settings } from '../../../settings/server';
 import { businessHourManager } from '../business-hour';
+import { createContact } from './Contacts';
 import { parseAgentCustomFields, updateDepartmentAgents, validateEmail, normalizeTransferredByData } from './Helper';
 import { QueueManager } from './QueueManager';
 import { RoutingManager } from './RoutingManager';
@@ -664,6 +665,16 @@ class LivechatClass {
 			}
 		}
 
+		if (process.env.TEST_MODE?.toUpperCase() === 'TRUE') {
+			const contactId = await createContact({
+				name: name ?? (visitorDataToUpdate.username as string),
+				emails: email ? [email] : [],
+				phones: phone ? [phone.number] : [],
+				unknown: true,
+			});
+			visitorDataToUpdate.contactId = contactId;
+		}
+
 		const upsertedLivechatVisitor = await LivechatVisitors.updateOneByIdOrToken(visitorDataToUpdate, {
 			upsert: true,
 			returnDocument: 'after',
@@ -1068,6 +1079,7 @@ class LivechatClass {
 			'Livechat_background',
 			'Assets_livechat_widget_logo',
 			'Livechat_hide_watermark',
+			'Omnichannel_allow_visitors_to_close_conversation',
 		] as const;
 
 		type SettingTypes = (typeof validSettings)[number] | 'Livechat_Show_Connecting';

apps/meteor/app/livechat/server/lib/sendTranscript.ts

@@ -3,12 +3,13 @@ import {
 	type IUser,
 	type MessageTypesValues,
 	type IOmnichannelSystemMessage,
+	type ILivechatVisitor,
 	isFileAttachment,
 	isFileImageAttachment,
 } from '@rocket.chat/core-typings';
 import colors from '@rocket.chat/fuselage-tokens/colors';
 import { Logger } from '@rocket.chat/logger';
-import { LivechatRooms, LivechatVisitors, Messages, Uploads, Users } from '@rocket.chat/models';
+import { LivechatRooms, Messages, Uploads, Users } from '@rocket.chat/models';
 import { check } from 'meteor/check';
 import moment from 'moment-timezone';
 
@@ -41,16 +42,12 @@ export async function sendTranscript({
 
 	const room = await LivechatRooms.findOneById(rid);
 
-	const visitor = await LivechatVisitors.getVisitorByToken(token, {
-		projection: { _id: 1, token: 1, language: 1, username: 1, name: 1 },
-	});
-
-	if (!visitor) {
-		throw new Error('error-invalid-token');
+	const visitor = room?.v as ILivechatVisitor;
+	if (token !== visitor?.token) {
+		throw new Error('error-invalid-visitor');
 	}
 
-	// @ts-expect-error - Visitor typings should include language?
-	const userLanguage = visitor?.language || settings.get('Language') || 'en';
+	const userLanguage = settings.get<string>('Language') || 'en';
 	const timezone = getTimezone(user);
 	logger.debug(`Transcript will be sent using ${timezone} as timezone`);
 
@@ -59,7 +56,7 @@ export async function sendTranscript({
 	}
 
 	// allow to only user to send transcripts from their own chats
-	if (room.t !== 'l' || !room.v || room.v.token !== token) {
+	if (room.t !== 'l') {
 		throw new Error('error-invalid-room');
 	}
 

apps/meteor/app/utils/server/functions/getBaseUserFields.ts

@@ -0,0 +1,34 @@
+type UserFields = {
+	[k: string]: number;
+};
+
+export const getBaseUserFields = (): UserFields => ({
+	'name': 1,
+	'username': 1,
+	'nickname': 1,
+	'emails': 1,
+	'status': 1,
+	'statusDefault': 1,
+	'statusText': 1,
+	'statusConnection': 1,
+	'bio': 1,
+	'avatarOrigin': 1,
+	'utcOffset': 1,
+	'language': 1,
+	'settings': 1,
+	'enableAutoAway': 1,
+	'idleTimeLimit': 1,
+	'roles': 1,
+	'active': 1,
+	'defaultRoom': 1,
+	'customFields': 1,
+	'requirePasswordChange': 1,
+	'requirePasswordChangeReason': 1,
+	'statusLivechat': 1,
+	'banners': 1,
+	'oauth.authorizedClients': 1,
+	'_updatedAt': 1,
+	'avatarETag': 1,
+	'extension': 1,
+	'openBusinessHours': 1,
+});

apps/meteor/app/utils/server/functions/getDefaultUserFields.ts

@@ -1,39 +1,14 @@
-type DefaultUserFields = {
+import { getBaseUserFields } from './getBaseUserFields';
+
+type UserFields = {
 	[k: string]: number;
 };
 
-export const getDefaultUserFields = (): DefaultUserFields => ({
-	'name': 1,
-	'username': 1,
-	'nickname': 1,
-	'emails': 1,
-	'status': 1,
-	'statusDefault': 1,
-	'statusText': 1,
-	'statusConnection': 1,
-	'bio': 1,
-	'avatarOrigin': 1,
-	'utcOffset': 1,
-	'language': 1,
-	'settings': 1,
-	'enableAutoAway': 1,
-	'idleTimeLimit': 1,
-	'roles': 1,
-	'active': 1,
-	'defaultRoom': 1,
-	'customFields': 1,
-	'requirePasswordChange': 1,
-	'requirePasswordChangeReason': 1,
+export const getDefaultUserFields = (): UserFields => ({
+	...getBaseUserFields(),
 	'services.github': 1,
 	'services.gitlab': 1,
 	'services.password.bcrypt': 1,
 	'services.totp.enabled': 1,
 	'services.email2fa.enabled': 1,
-	'statusLivechat': 1,
-	'banners': 1,
-	'oauth.authorizedClients': 1,
-	'_updatedAt': 1,
-	'avatarETag': 1,
-	'extension': 1,
-	'openBusinessHours': 1,
 });