Merge branch 'develop' into chore/saml-tests

.changeset/brave-shrimps-marry.md

@@ -0,0 +1,5 @@
+---
+"@rocket.chat/meteor": patch
+---
+
+Improved support for higlighted words in threads (rooms are now marked as unread and notifications are sent)

.changeset/chilled-cooks-end.md

@@ -0,0 +1,5 @@
+---
+"@rocket.chat/meteor": patch
+---
+
+Fixed an issue displaying the language selection preference empty when it should display 'Default' on the initial value

.changeset/eight-windows-report.md

@@ -0,0 +1,5 @@
+---
+"@rocket.chat/meteor": patch
+---
+
+Fixed a problem with the Fallback Forward Department functionality when transferring rooms, caused by a missing return. This provoked the system to transfer to fallback department, as expected, but then continue the process and transfer to the department with no agents anyways. Also, a duplicated "user joined" message was removed from "Forward to department" functionality.

.changeset/green-turkeys-fry.md

@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Fixed toolbox sub-menu not being displayed when in smaller resolutions

.changeset/late-pots-travel.md

@@ -0,0 +1,5 @@
+---
+"@rocket.chat/meteor": minor
+---
+
+fix: Loading state for `Marketplace` related lists

.changeset/lemon-shrimps-draw.md

@@ -0,0 +1,5 @@
+---
+"@rocket.chat/meteor": patch
+---
+
+Fixed error message when uploading a file that is not allowed

.changeset/thin-chairs-clean.md

@@ -0,0 +1,5 @@
+---
+"@rocket.chat/meteor": patch
+---
+
+Fixed the problem of displaying the wrong composer for archived room

.changeset/thin-socks-brush.md

@@ -0,0 +1,5 @@
+---
+"@rocket.chat/meteor": patch
+---
+
+Removed an old behavior that allowed visitors to be created with an empty token on `livechat/visitor` endpoint.

.changeset/three-moles-look.md

@@ -0,0 +1,5 @@
+---
+"@rocket.chat/meteor": patch
+---
+
+Fixed conversations in queue being limited to 50 items

.changeset/three-steaks-cry.md

@@ -0,0 +1,5 @@
+---
+"@rocket.chat/livechat": patch
+---
+
+Fixed a problem that caused Livechat Widget registration page to ignore the `showOnRegistration` flag for departments, showing all items.

.github/PULL_REQUEST_TEMPLATE.md

@@ -22,15 +22,13 @@
 -->
 
 ## Proposed changes (including videos or screenshots)
-<!-- CHANGELOG -->
 <!--
   Describe the big picture of your changes here to communicate to the maintainers why we should accept this pull request.
   If it fixes a bug or resolves a feature request, be sure to link to that issue below.
-  This description will appear in the release notes if we accept the contribution.
+  This description won't be displayed to our end users in the release notes, so feel free to add as much technical context as needed.
+  If the changes introduced in this pull request must be presented in the release notes, make sure to add a changeset file. Check our guidelines for adding a changeset to your pull request: https://developer.rocket.chat/contribute-to-rocket.chat/modes-of-contribution/participate-in-rocket.chat-development/development-workflow#4.-adding-changeset-to-your-pull-request 
 -->
 
-<!-- END CHANGELOG -->
-
 ## Issue(s)
 <!-- Link the issues being closed by or related to this PR. For example, you can use #594 if this PR closes issue number 594 -->
 

apps/meteor/CHANGELOG.md

@@ -1,5 +1,52 @@
 # @rocket.chat/meteor
 
+## 6.5.1
+
+### Patch Changes
+
+- c2b224fd82: Bump @rocket.chat/meteor version.
+- Bump @rocket.chat/meteor version.
+- c2b224fd82: Security improvements
+- c2b224fd82: Fixed issue with the new `custom-roles` license module not being checked throughout the application
+- c2b224fd82: fix: stop refetching banner data each 5 minutes
+- c2b224fd82: Fixed an issue allowing admin user cancelling subscription when license's trial param is provided
+- c2b224fd82: Fixed Country select component at Organization form from `onboarding-ui` package
+- c2b224fd82: fix Federation Regression, builds service correctly
+- c2b224fd82: fix: Wrong `Message Roundtrip Time` metric
+
+  Removes the wrong metric gauge named `rocketchat_messages_roundtrip_time` and replace it by a new summary metric named `rocketchat_messages_roundtrip_time_summary`. Add new percentiles `0.5, 0.95 and 1` to all summary metrics.
+
+- c2b224fd82: Exceeding API calls when sending OTR messages
+- c2b224fd82: Fixed a problem with the subscription creation on Omnichannel rooms.
+  Rooms were being created as seen, causing sound notifications to not work
+- c2b224fd82: Fixed a problem where chained callbacks' return value was being overrided by some callbacks returning something different, causing callbacks with lower priority to operate on invalid values
+- c2b224fd82: Fix desktop notification routing for direct rooms
+- c2b224fd82: Improved the experience of receiving conference calls on the mobile app by disabling the push notification for the "new call" message if a push is already being sent to trigger the phone's ringing tone.
+- c2b224fd82: Fixed verify the account through email link
+- c2b224fd82: Fixed the filter for file type in the list of room files
+- Updated dependencies [c2b224fd82]
+- Updated dependencies [c2b224fd82]
+  - @rocket.chat/[email protected]
+  - @rocket.chat/[email protected]
+  - @rocket.chat/[email protected]
+  - @rocket.chat/[email protected]
+  - @rocket.chat/[email protected]
+  - @rocket.chat/[email protected]
+  - @rocket.chat/[email protected]
+  - @rocket.chat/[email protected]
+  - @rocket.chat/[email protected]
+  - @rocket.chat/[email protected]
+  - @rocket.chat/[email protected]
+  - @rocket.chat/[email protected]
+  - @rocket.chat/[email protected]
+  - @rocket.chat/[email protected]
+  - @rocket.chat/[email protected]
+  - @rocket.chat/[email protected]
+  - @rocket.chat/[email protected]
+  - @rocket.chat/[email protected]
+  - @rocket.chat/[email protected]
+  - @rocket.chat/[email protected]
+
 ## 6.5.0
 
 ### Minor Changes

apps/meteor/app/2fa/client/TOTPPassword.js

@@ -2,7 +2,7 @@ import { Accounts } from 'meteor/accounts-base';
 import { Meteor } from 'meteor/meteor';
 
 import { process2faReturn } from '../../../client/lib/2fa/process2faReturn';
-import { isTotpInvalidError, reportError } from '../../../client/lib/2fa/utils';
+import { isTotpInvalidError, isTotpMaxAttemptsError, reportError } from '../../../client/lib/2fa/utils';
 import { dispatchToastMessage } from '../../../client/lib/toast';
 import { t } from '../../utils/lib/i18n';
 
@@ -47,6 +47,14 @@ Meteor.loginWithPassword = function (email, password, cb) {
 			emailOrUsername: email,
 			onCode: (code) => {
 				Meteor.loginWithPasswordAndTOTP(email, password, code, (error) => {
+					if (isTotpMaxAttemptsError(error)) {
+						dispatchToastMessage({
+							type: 'error',
+							message: t('totp-max-attempts'),
+						});
+						cb();
+						return;
+					}
 					if (isTotpInvalidError(error)) {
 						dispatchToastMessage({
 							type: 'error',
@@ -55,7 +63,6 @@ Meteor.loginWithPassword = function (email, password, cb) {
 						cb();
 						return;
 					}
-
 					cb(error);
 				});
 			},

apps/meteor/app/2fa/server/code/EmailCheck.ts

@@ -69,26 +69,26 @@ ${t('If_you_didnt_try_to_login_in_your_account_please_ignore_this_email')}
 			return false;
 		}
 
-		if (!user.services || !Array.isArray(user.services?.emailCode)) {
+		if (!user.services?.emailCode) {
 			return false;
 		}
 
 		// Remove non digits
 		codeFromEmail = codeFromEmail.replace(/([^\d])/g, '');
 
-		await Users.removeExpiredEmailCodesOfUserId(user._id);
+		const { code, expire } = user.services.emailCode;
 
-		for await (const { code, expire } of user.services.emailCode) {
-			if (expire < new Date()) {
-				continue;
-			}
+		if (expire < new Date()) {
+			return false;
+		}
 
-			if (await bcrypt.compare(codeFromEmail, code)) {
-				await Users.removeEmailCodeByUserIdAndCode(user._id, code);
-				return true;
-			}
+		if (await bcrypt.compare(codeFromEmail, code)) {
+			await Users.removeEmailCodeOfUserId(user._id);
+			return true;
 		}
 
+		await Users.incrementInvalidEmailCodeAttempt(user._id);
+
 		return false;
 	}
 
@@ -109,7 +109,7 @@ ${t('If_you_didnt_try_to_login_in_your_account_please_ignore_this_email')}
 	}
 
 	public async processInvalidCode(user: IUser): Promise<IProcessInvalidCodeResult> {
-		await Users.removeExpiredEmailCodesOfUserId(user._id);
+		await Users.removeExpiredEmailCodeOfUserId(user._id);
 
 		// Generate new code if the there isn't any code with more than 5 minutes to expire
 		const expireWithDelta = new Date();
@@ -119,13 +119,15 @@ ${t('If_you_didnt_try_to_login_in_your_account_please_ignore_this_email')}
 
 		const emailOrUsername = user.username || emails[0];
 
-		const hasValidCode = user.services?.emailCode?.filter(({ expire }) => expire > expireWithDelta);
-		if (hasValidCode?.length) {
+		const hasValidCode =
+			user.services?.emailCode?.expire &&
+			user.services?.emailCode?.expire > expireWithDelta &&
+			!(await this.maxFaildedAttemtpsReached(user));
+		if (hasValidCode) {
 			return {
 				emailOrUsername,
 				codeGenerated: false,
-				codeCount: hasValidCode.length,
-				codeExpires: hasValidCode.map((i) => i.expire),
+				codeExpires: user.services?.emailCode?.expire,
 			};
 		}
 
@@ -136,4 +138,9 @@ ${t('If_you_didnt_try_to_login_in_your_account_please_ignore_this_email')}
 			emailOrUsername,
 		};
 	}
+
+	public async maxFaildedAttemtpsReached(user: IUser) {
+		const maxAttempts = settings.get<number>('Accounts_TwoFactorAuthentication_Max_Invalid_Email_Code_Attempts');
+		return (await Users.maxInvalidEmailCodeAttemptsReached(user._id, maxAttempts)) as boolean;
+	}
 }

apps/meteor/app/2fa/server/code/ICodeCheck.ts

@@ -2,8 +2,7 @@ import type { IUser } from '@rocket.chat/core-typings';
 
 export interface IProcessInvalidCodeResult {
 	codeGenerated: boolean;
-	codeCount?: number;
-	codeExpires?: Date[];
+	codeExpires?: Date;
 	emailOrUsername?: string;
 }
 
@@ -15,4 +14,6 @@ export interface ICodeCheck {
 	verify(user: IUser, code: string, force?: boolean): Promise<boolean>;
 
 	processInvalidCode(user: IUser): Promise<IProcessInvalidCodeResult>;
+
+	maxFaildedAttemtpsReached(user: IUser): Promise<boolean>;
 }

apps/meteor/app/2fa/server/code/PasswordCheckFallback.ts

@@ -41,4 +41,8 @@ export class PasswordCheckFallback implements ICodeCheck {
 			codeGenerated: false,
 		};
 	}
+
+	public async maxFaildedAttemtpsReached(_user: IUser): Promise<boolean> {
+		return false;
+	}
 }

apps/meteor/app/2fa/server/code/TOTPCheck.ts

@@ -38,4 +38,8 @@ export class TOTPCheck implements ICodeCheck {
 			codeGenerated: false,
 		};
 	}
+
+	public async maxFaildedAttemtpsReached(_user: IUser): Promise<boolean> {
+		return false;
+	}
 }

apps/meteor/app/2fa/server/code/index.ts

@@ -217,6 +217,15 @@ export async function checkCodeForUser({ user, code, method, options = {}, conne
 
 	const valid = await selectedMethod.verify(existingUser, code, options.requireSecondFactor);
 	if (!valid) {
+		const tooManyFailedAttempts = await selectedMethod.maxFaildedAttemtpsReached(existingUser);
+		if (tooManyFailedAttempts) {
+			throw new Meteor.Error('totp-max-attempts', 'TOTP Maximun Failed Attempts Reached', {
+				method: selectedMethod.name,
+				...data,
+				availableMethods,
+			});
+		}
+
 		throw new Meteor.Error('totp-invalid', 'TOTP Invalid', {
 			method: selectedMethod.name,
 			...data,

apps/meteor/app/2fa/server/loginHandler.ts

@@ -26,19 +26,14 @@ Accounts.registerLoginHandler('totp', function (options) {
 callbacks.add(
 	'onValidateLogin',
 	async (login) => {
-		if (login.methodName === 'verifyEmail') {
-			throw new Meteor.Error('verify-email', 'E-mail verified');
-		}
-
-		if (login.type === 'resume' || login.type === 'proxy' || (login.type === 'password' && login.methodName === 'resetPassword')) {
-			return login;
-		}
-		// CAS login doesn't yet support 2FA.
-		if (login.type === 'cas') {
-			return login;
-		}
-
-		if (!login.user) {
+		if (
+			!login.user ||
+			login.type === 'resume' ||
+			login.type === 'proxy' ||
+			login.type === 'cas' ||
+			(login.type === 'password' && login.methodName === 'resetPassword') ||
+			login.methodName === 'verifyEmail'
+		) {
 			return login;
 		}
 

apps/meteor/app/api/server/v1/misc.ts

@@ -538,7 +538,7 @@ API.v1.addRoute(
 				this.token ||
 				crypto
 					.createHash('md5')
-					.update(this.requestIp + this.request.headers['user-agent'])
+					.update(this.requestIp + this.user._id)
 					.digest('hex');
 
 			const rateLimiterInput = {
@@ -594,12 +594,7 @@ API.v1.addRoute(
 
 			const { method, params, id } = data;
 
-			const connectionId =
-				this.token ||
-				crypto
-					.createHash('md5')
-					.update(this.requestIp + this.request.headers['user-agent'])
-					.digest('hex');
+			const connectionId = this.token || crypto.createHash('md5').update(this.requestIp).digest('hex');
 
 			const rateLimiterInput = {
 				userId: this.userId || undefined,

apps/meteor/app/api/server/v1/oauthapps.ts

@@ -27,6 +27,10 @@ API.v1.addRoute(
 	{ authRequired: true, validateParams: isOauthAppsGetParams },
 	{
 		async get() {
+			if (!(await hasPermissionAsync(this.userId, 'manage-oauth-apps'))) {
+				return API.v1.unauthorized();
+			}
+
 			const oauthApp = await OAuthApps.findOneAuthAppByIdOrClientId(this.queryParams);
 
 			if (!oauthApp) {