Merge pull request #30226 from RocketChat/release-6.3.3

Release 6.3.3

.changeset/bump-patch-1693432529972.md

@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Bump @rocket.chat/meteor version.

.changeset/hip-hounds-ring.md

@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Added ability to disable private app installation via envvar (DISABLE_PRIVATE_APP_INSTALLATION)

.changeset/moody-comics-cheat.md

@@ -0,0 +1,5 @@
+---
+'@rocket.chat/release-action': minor
+---
+
+Add back "Engine Versions" to the release notes

.changeset/shiny-garlics-carry.md

@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Fix CORS headers not being set for assets

.changeset/ten-games-roll.md

@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Removed an unused authentication flow

apps/meteor/app/cors/server/cors.ts

@@ -79,7 +79,7 @@ WebApp.rawConnectHandlers.use(function (_req: http.IncomingMessage, res: http.Se
 const _staticFilesMiddleware = WebAppInternals.staticFilesMiddleware;
 
 // @ts-expect-error - accessing internal property of webapp
-WebAppInternals._staticFilesMiddleware = function (
+WebAppInternals.staticFilesMiddleware = function (
 	staticFiles: StaticFiles,
 	req: http.IncomingMessage,
 	res: http.ServerResponse,

apps/meteor/client/views/marketplace/AppInstallPage.js

@@ -76,23 +76,23 @@ function AppInstallPage() {
 			} else {
 				app = await uploadAppEndpoint(fileData);
 			}
+
+			router.navigate({
+				name: 'marketplace',
+				params: {
+					context: 'private',
+					page: 'info',
+					id: appId || app.app.id,
+				},
+			});
+
+			reload();
 		} catch (e) {
 			handleAPIError(e);
+		} finally {
+			setInstalling(false);
+			setModal(null);
 		}
-
-		router.navigate({
-			name: 'marketplace',
-			params: {
-				context: 'private',
-				page: 'info',
-				id: appId || app.app.id,
-			},
-		});
-
-		reload();
-
-		setInstalling(false);
-		setModal(null);
 	};
 
 	const cancelAction = useCallback(() => {

apps/meteor/client/views/marketplace/helpers/handleAPIError.ts

@@ -1,3 +1,4 @@
+import { t } from '../../../../app/utils/lib/i18n';
 import { dispatchToastMessage } from '../../../lib/toast';
 
 const shouldHandleErrorAsWarning = (message: string): boolean => {
@@ -6,15 +7,12 @@ const shouldHandleErrorAsWarning = (message: string): boolean => {
 	return warnings.includes(message);
 };
 
-export const handleAPIError = (error: unknown): void => {
-	if (error instanceof Error) {
-		const { message } = error;
+export const handleAPIError = (errorObject: unknown): void => {
+	const { message = '', error = '' } = errorObject as { message?: string; error?: string };
 
-		if (shouldHandleErrorAsWarning(message)) {
-			dispatchToastMessage({ type: 'warning', message });
-			return;
-		}
-
-		dispatchToastMessage({ type: 'error', message });
+	if (shouldHandleErrorAsWarning(message)) {
+		return dispatchToastMessage({ type: 'warning', message: t(message) });
 	}
+
+	dispatchToastMessage({ type: 'error', message: t(`Apps_Error_${error}`) });
 };

apps/meteor/ee/server/apps/communication/rest.ts

@@ -383,6 +383,11 @@ export class AppsRestApi {
 						return API.v1.failure({ error: 'Failed to get a file to install for the App. ' });
 					}
 
+					// Used mostly in Cloud hosting for security reasons
+					if (!marketplaceInfo && orchestrator.shouldDisablePrivateAppInstallation()) {
+						return API.v1.internalError('private_app_install_disabled');
+					}
+
 					const user = orchestrator
 						?.getConverters()
 						?.get('users')
@@ -666,6 +671,7 @@ export class AppsRestApi {
 				async post() {
 					let buff;
 					let permissionsGranted;
+					let isPrivateAppUpload = false;
 
 					if (this.bodyParams.url) {
 						const response = await fetch(this.bodyParams.url);
@@ -708,6 +714,8 @@ export class AppsRestApi {
 							return API.v1.internalError();
 						}
 					} else {
+						isPrivateAppUpload = true;
+
 						const app = await getUploadFormData(
 							{
 								request: this.request,
@@ -732,6 +740,10 @@ export class AppsRestApi {
 						return API.v1.failure({ error: 'Failed to get a file to install for the App. ' });
 					}
 
+					if (isPrivateAppUpload && orchestrator.shouldDisablePrivateAppInstallation()) {
+						return API.v1.internalError('private_app_install_disabled');
+					}
+
 					const aff = await manager.update(buff, permissionsGranted);
 					const info: IAppInfo & { status?: AppStatus } = aff.getAppInfo();
 

apps/meteor/ee/server/apps/orchestrator.js

@@ -26,6 +26,8 @@ function isTesting() {
 	return process.env.TEST_MODE === 'true';
 }
 
+const DISABLED_PRIVATE_APP_INSTALLATION = ['yes', 'true'].includes(String(process.env.DISABLE_PRIVATE_APP_INSTALLATION).toLowerCase());
+
 let appsSourceStorageType;
 let appsSourceStorageFilesystemPath;
 
@@ -137,6 +139,10 @@ export class AppServerOrchestrator {
 		return !isTesting();
 	}
 
+	shouldDisablePrivateAppInstallation() {
+		return DISABLED_PRIVATE_APP_INSTALLATION;
+	}
+
 	/**
 	 * @returns {Logger}
 	 */

apps/meteor/packages/rocketchat-i18n/i18n/en.i18n.json

@@ -521,6 +521,7 @@
   "Apps_disabled_when_Enterprise_trial_ended_description": "Workspaces on Community Edition can have up to 5 marketplace apps and 3 private apps enabled. Ask your workspace admin to reenable apps.",
   "Apps_disabled_when_Enterprise_trial_ended_description_admin": "Workspaces on Community Edition can have up to 5 marketplace apps and 3 private apps enabled. Reenable the apps you require.",
   "Apps_Engine_Version": "Apps Engine Version",
+  "Apps_Error_private_app_install_disabled": "Private app installation and updates are disabled in this workspace",
   "Apps_Essential_Alert": "This app is essential for the following events:",
   "Apps_Essential_Disclaimer": "Events listed above will be disrupted if this app is disabled. If you want Rocket.Chat to work without this app's functionality, you need to uninstall it",
   "Apps_Framework_Source_Package_Storage_Type": "Apps' Source Package Storage type",
@@ -622,6 +623,7 @@
   "Apps_Manual_Update_Modal_Title": "This app is already installed",
   "Apps_Manual_Update_Modal_Body": "Do you want to update it?",
   "Apps_User_Already_Exists": "The username \"{{username}}\" is already being used. Rename or remove the user using it to install this App",
+
   "AutoLinker": "AutoLinker",
   "Apps_WhatIsIt": "Apps: What Are They?",
   "Apps_WhatIsIt_paragraph1": "A new icon in the administration area! What does this mean and what are Apps?",

apps/meteor/server/methods/registerUser.ts

@@ -95,15 +95,7 @@ Meteor.methods<ServerMethods>({
 
 		let userId;
 		try {
-			// Check if user has already been imported and never logged in. If so, set password and let it through
-			const importedUser = await Users.findOneByEmailAddress(formData.email);
-
-			if (importedUser?.importIds?.length && !importedUser.lastLogin) {
-				await Accounts.setPasswordAsync(importedUser._id, userData.password);
-				userId = importedUser._id;
-			} else {
-				userId = await Accounts.createUserAsync(userData);
-			}
+			userId = await Accounts.createUserAsync(userData);
 		} catch (e) {
 			if (e instanceof Meteor.Error) {
 				throw e;

apps/meteor/tests/end-to-end/api/32-assets.ts

@@ -0,0 +1,17 @@
+import { describe, it } from 'mocha';
+
+import { request } from '../../data/api-data.js';
+
+describe('assets', function () {
+	this.retries(0);
+
+	it('should always have CORS headers for assets', async () => {
+		await request.get('/assets/favicon.svg').expect('Content-Type', 'image/svg+xml').expect('Access-Control-Allow-Origin', '*').expect(200);
+
+		await request
+			.get('/fonts/rocketchat.woff2')
+			.expect('Content-Type', 'font/woff2')
+			.expect('Access-Control-Allow-Origin', '*')
+			.expect(200);
+	});
+});

packages/release-action/src/bumpNextVersion.ts

@@ -7,7 +7,7 @@ import * as github from '@actions/github';
 
 import { setupOctokit } from './setupOctokit';
 import { createNpmFile } from './createNpmFile';
-import { getChangelogEntry, bumpFileVersions, readPackageJson } from './utils';
+import { getChangelogEntry, bumpFileVersions, readPackageJson, getEngineVersionsMd } from './utils';
 import { fixWorkspaceVersionsBeforePublish } from './fixWorkspaceVersionsBeforePublish';
 import { commitChanges, createBranch, createTag, pushNewBranch } from './gitUtils';
 
@@ -49,7 +49,7 @@ export async function bumpNextVersion({
 		throw new Error('Could not find changelog entry for version newVersion');
 	}
 
-	const prBody = changelogEntry.content;
+	const prBody = (await getEngineVersionsMd(cwd)) + changelogEntry.content;
 
 	const finalVersion = newVersion.split('-')[0];
 

packages/release-action/src/getMetadata.ts

@@ -0,0 +1,41 @@
+import { readFile } from 'fs/promises';
+import path from 'path';
+
+import { getExecOutput } from '@actions/exec';
+
+import { readPackageJson } from './utils';
+
+export async function getMongoVersion(cwd: string) {
+	try {
+		const workflows = await readFile(path.join(cwd, '.github/workflows/ci.yml'), 'utf8');
+
+		const mongoMatch = workflows.match(/compatibleMongoVersions\\": \[([^\]]+)\]/);
+		if (!mongoMatch) {
+			return [];
+		}
+
+		return mongoMatch[1].replace(/["'\\ ]/g, '').split(',');
+	} catch (e) {
+		console.error(e);
+	}
+	return [];
+}
+
+export async function getNodeNpmVersions(cwd: string): Promise<{ node: string; yarn: string; npm: string }> {
+	const packageJson = await readPackageJson(cwd);
+
+	return packageJson.engines;
+}
+
+export async function getAppsEngineVersion() {
+	try {
+		const result = await getExecOutput('yarn why @rocket.chat/apps-engine --json');
+
+		const match = result.stdout.match(/"@rocket\.chat\/meteor@workspace:apps\/meteor".*"@rocket\.chat\/apps\-engine@[^#]+#npm:([^"]+)"/);
+		if (match) {
+			return match[1];
+		}
+	} catch (e) {
+		console.error(e);
+	}
+}

packages/release-action/src/publishRelease.ts

@@ -7,7 +7,7 @@ import * as core from '@actions/core';
 
 import { createNpmFile } from './createNpmFile';
 import { setupOctokit } from './setupOctokit';
-import { bumpFileVersions, createBumpFile, getChangelogEntry, readPackageJson } from './utils';
+import { bumpFileVersions, createBumpFile, getChangelogEntry, getEngineVersionsMd, readPackageJson } from './utils';
 import { fixWorkspaceVersionsBeforePublish } from './fixWorkspaceVersionsBeforePublish';
 import { checkoutBranch, commitChanges, createTag, getCurrentBranch, mergeBranch, pushChanges } from './gitUtils';
 
@@ -73,7 +73,7 @@ export async function publishRelease({
 		throw new Error('Could not find changelog entry for version newVersion');
 	}
 
-	const releaseBody = changelogEntry.content;
+	const releaseBody = (await getEngineVersionsMd(cwd)) + changelogEntry.content;
 
 	core.info('update version in all files to new');
 	await bumpFileVersions(cwd, currentVersion, newVersion);

packages/release-action/src/utils.ts

@@ -6,6 +6,8 @@ import remarkParse from 'remark-parse';
 import remarkStringify from 'remark-stringify';
 import mdastToString from 'mdast-util-to-string';
 
+import { getAppsEngineVersion, getMongoVersion, getNodeNpmVersions } from './getMetadata';
+
 export const BumpLevels = {
 	dep: 0,
 	patch: 1,
@@ -103,3 +105,17 @@ Bump ${pkgName} version.
 
 	await writeFile(filePath, data, 'utf8');
 }
+
+export async function getEngineVersionsMd(cwd: string) {
+	const { node } = await getNodeNpmVersions(cwd);
+	const appsEngine = await getAppsEngineVersion();
+	const mongo = await getMongoVersion(cwd);
+
+	return `### Engine versions
+
+- Node: \`${node}\`
+- MongoDB: \`${mongo.join(', ')}\`
+- Apps-Engine: \`${appsEngine}\`
+
+`;
+}

yarn.lock

@@ -9898,9 +9898,9 @@ __metadata:
     "@rocket.chat/icons": "*"
     "@rocket.chat/prettier-config": "*"
     "@rocket.chat/styled": "*"
-    "@rocket.chat/ui-contexts": 1.0.1
+    "@rocket.chat/ui-contexts": 1.0.2
     "@rocket.chat/ui-kit": "*"
-    "@rocket.chat/ui-video-conf": 1.0.1
+    "@rocket.chat/ui-video-conf": 1.0.2
     "@tanstack/react-query": "*"
     react: "*"
     react-dom: "*"
@@ -9982,14 +9982,14 @@ __metadata:
     ts-jest: ~29.0.5
     typescript: ~5.1.3
   peerDependencies:
-    "@rocket.chat/core-typings": 6.3.1
+    "@rocket.chat/core-typings": 6.3.2
     "@rocket.chat/css-in-js": "*"
     "@rocket.chat/fuselage": "*"
     "@rocket.chat/fuselage-tokens": "*"
     "@rocket.chat/message-parser": "*"
     "@rocket.chat/styled": "*"
-    "@rocket.chat/ui-client": 1.0.1
-    "@rocket.chat/ui-contexts": 1.0.1
+    "@rocket.chat/ui-client": 1.0.2
+    "@rocket.chat/ui-contexts": 1.0.2
     katex: "*"
     react: "*"
   languageName: unknown
@@ -11048,7 +11048,7 @@ __metadata:
     "@rocket.chat/fuselage": "*"
     "@rocket.chat/fuselage-hooks": "*"
     "@rocket.chat/icons": "*"
-    "@rocket.chat/ui-contexts": 1.0.1
+    "@rocket.chat/ui-contexts": 1.0.2
     react: ~17.0.2
   languageName: unknown
   linkType: soft
@@ -11202,7 +11202,7 @@ __metadata:
     "@rocket.chat/fuselage-hooks": "*"
     "@rocket.chat/icons": "*"
     "@rocket.chat/styled": "*"
-    "@rocket.chat/ui-contexts": 1.0.1
+    "@rocket.chat/ui-contexts": 1.0.2
     react: ^17.0.2
     react-dom: ^17.0.2
   languageName: unknown
@@ -11268,7 +11268,7 @@ __metadata:
     typescript: ~5.1.3
   peerDependencies:
     "@rocket.chat/layout": "*"
-    "@rocket.chat/ui-contexts": 1.0.1
+    "@rocket.chat/ui-contexts": 1.0.2
     "@tanstack/react-query": "*"
     react: "*"
     react-hook-form: "*"