refactor: Convert missing JavaScript modules to TypeScript

[tassoevan]

Proposed changes (including videos or screenshots)

It does a raw migration to TypeScript on modules current coded as JavaScript.

Issue(s)

Steps to test or reproduce

Further comments

Heavily AI-assisted, needs careful review.

Summary by CodeRabbit

• Bug Fixes

  • Enhanced email validation to prevent errors with missing addresses
  • Improved file type detection with asynchronous processing for better accuracy
  • Strengthened OAuth authentication and custom service configuration for improved security
  • Fixed null-safety issues in user profiles and subscription handling
  • Improved rate limiting configuration and validation

• Refactor

  • Modernized test infrastructure and improved code type safety throughout the application

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label
• This PR is targeting the wrong base branch. It should target 8.2.0, but it targets 8.3.0

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: e246502

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

This pull request migrates JavaScript test infrastructure to Jest, converts JavaScript modules to TypeScript with comprehensive type safety improvements, refactors converter classes to implement interfaces with explicit method signatures, and enhances OAuth and authentication flows with stricter typing and validation logic.

Changes

Cohort / File(s)	Summary
Test Configuration & Mocking apps/meteor/.mocharc.js, apps/meteor/.storybook/main.ts, apps/meteor/.storybook/mocks/meteor.{js,ts}, apps/meteor/jest.config.ts, apps/meteor/tests/mocks/server/meteor.ts	Removed Mocha test file patterns, updated Storybook stories glob to client-only, migrated JavaScript mocks to TypeScript with comprehensive Meteor API stubs, added Jest test patterns for multiple module categories, and created server-side Meteor test mocks.
2FA & Method Invocation apps/meteor/app/2fa/server/MethodInvocationOverride.{js,ts}, apps/meteor/app/2fa/server/code/PasswordCheckFallback.ts	Removed JavaScript 2FA override, added TypeScript MethodInvocation subclass extending DDPCommon with twoFactorChecked property preservation, added Meteor type import.
API & Authentication Startup apps/meteor/app/api/server/ApiClass.ts, apps/meteor/app/authentication/server/startup/index.ts	Corrected DDP invocation casting, massively expanded authentication startup with explicit type imports (UserStatus, IUser, ILoginAttempt), added LinkedInName type, strengthened settings typing with generics, added domain validation typing, and improved user creation/insertion flows.
App Bridge Infrastructure apps/meteor/app/apps/server/bridges/bridges.ts, apps/meteor/app/apps/server/bridges/uploads.ts	Added 23 private strongly-typed bridge fields to RealAppBridges with explicit interface implementations, updated constructor and getter signatures with explicit return types, made createUpload async with determineFileType await.
App Converter Suite apps/meteor/app/apps/server/converters/departments.{ts,spec.ts}, apps/meteor/app/apps/server/converters/messages.{ts,spec.ts}, apps/meteor/app/apps/server/converters/rooms.{ts,spec.ts}, apps/meteor/app/apps/server/converters/settings.{ts,spec.ts}, apps/meteor/app/apps/server/converters/users.ts	Migrated all converter classes to implement interfaces with explicit parameter/return type overloads, added comprehensive test suites, introduced generic type parameters for conversion methods, and strengthened null/undefined handling across bidirectional conversions.
App Converter Removals & Migrations apps/meteor/app/apps/server/converters/settings.js, apps/meteor/app/apps/server/converters/uploads.{js,ts}, apps/meteor/app/apps/server/converters/visitors.ts, apps/meteor/app/apps/server/converters/threads.ts	Removed JavaScript converter implementations and replaced with TypeScript, added type-safe overloads, refactored orchestrator dependencies to use IAppServerOrchestrator, and enhanced entity relationship resolution.
Custom OAuth Implementation apps/meteor/app/custom-oauth/server/custom_oauth_server.{d.ts,ts}, apps/meteor/app/custom-oauth/server/transform_helpers.{ts,spec.ts}	Removed declaration file, added comprehensive TypeScript implementation with Identity/ServiceData/OAuthQuery types, strengthened error handling and typing in OAuth handshake, added recursive property renaming with type generics, migrated tests to Jest.
File Storage & Emoji/Custom Sounds apps/meteor/app/custom-sounds/server/startup/custom-sounds.ts, apps/meteor/app/emoji-custom/server/{lib/insertOrUpdateEmoji.ts,startup/emoji-custom.ts}, apps/meteor/app/file/server/{file.server.ts,index.ts}	Added HTTP type imports (IncomingMessage, ServerResponse), refined RocketChatFile instance typing to union of GridFS|FileSystem, updated IRocketChatFileStore interface return types to unknown, made FileSystem absolutePath public, consolidated file module re-exports.
Google OAuth & Highlight Words apps/meteor/app/google-oauth/server/index.ts, apps/meteor/app/highlight-words/client/helper.spec.ts	Added RenderOptions and EndOfLoginDetails types, refactored OAuth property access with (as any) casts for internal properties, migrated tests from Chai to Jest, updated import paths.
Importer Infrastructure apps/meteor/app/importer/server/{classes/converters/UserConverter.ts,methods/uploadImportFile.ts,startup/{setImportsToInvalid.ts,store.ts}}	Added Meteor type imports and casting, removed contentType parameter from createWriteStream call, added explicit RocketChatImportFileInstance typing, strengthened ImportFile_FileSystemPath retrieval with validation.
IRC Bridge TypeScript Migration apps/meteor/app/irc/server/irc-bridge/{index.ts,localHandlers/*,peerHandlers/*}, apps/meteor/app/irc/server/servers/RFC2813/{types.ts,codes.ts,index.ts,parseMessage.ts,peerCommandHandlers.ts,localCommandHandlers.ts}	Massive TypeScript migration of IRC components with explicit types (QueueItem, BridgeConfig, PeerCommand), added ParsedMessage/CommandResult/Config types, refactored all handlers from JavaScript to TypeScript with strong typing, converted CommonJS to ESM, added method context (this: any) typing.
Library Function Typing apps/meteor/app/lib/server/functions/{createDirectRoom.ts,notifications/{email.ts,mobile.ts},parseUrlsInMessage.ts,saveUser/saveNewUser.ts,validateCustomFields.ts}	Made createDirectRoom options optional, expanded email notification function signatures with typed parameter objects, added AtLeast/RoomType type usage in mobile notifications, added email domain conditional validation, strengthened custom field validation typing.
Rate Limiting & Debug Infrastructure apps/meteor/app/lib/server/lib/{RateLimiter.ts,debug.ts,interceptDirectReplyEmails.ts,validateEmailDomain.ts}	Added explicit RateLimiter.limitMethod typing with Record<string, any> matchers, refactored debug.ts with typed boolean flags and RegExp filters, expanded interceptDirectReplyEmails with POP3Helper/DirectReplyIMAPInterceptor typing, added explicit email domain validation typing.
OAuth Server Integration apps/meteor/app/lib/server/oauth/{facebook.ts,google.ts,oauth.{js,ts},proxy.{js,ts},twitter.ts}	Removed JavaScript oauth.js and proxy.js, added TypeScript implementations with explicit getIdentity/getScopes typing, removed lodash usage in favor of Object.assign, added registerAccessTokenService function with access token handler registry, added proxy redirect override configuration.
Startup & Configuration apps/meteor/app/lib/server/startup/{rateLimiter.ts,robots.ts}, apps/meteor/server/configuration/{accounts_meld.ts,configureDirectReply.ts}, apps/meteor/server/lib/{callbacks.ts,cas/createNewUser.ts,compareUserPassword*.ts,spotlight.ts,compareUserPassword*.ts}	Added RateLimiterInput/RateLimiterReply types with explicit DDPRateLimiter typing, added robots.txt handler typing, enhanced accounts_meld with IEmailData/IServiceData interfaces, added isTruthy import usage, refactored callbacks to use ChainedCallbackSignatures for onValidateLogin, added comprehensive Spotlight search typing with ISearchRoomsParams/ISearchUsersParams.
Markdown Parsing apps/meteor/app/markdown/lib/{hljs.ts,markdown.{ts,spec.ts},parser/{filtered/filtered.ts,original/{code.ts,markdown.ts,original.{js,ts},token.ts}}}	Added explicit Token type imports across markdown modules, refactored parser structure from object-based to function-based (original/filtered), added generic type parameters to message handling, updated filtered parser signature to drop options parameter, migrated test from Chai to Jest with original/filtered test flows.
Mentions & Statistics apps/meteor/app/mentions/{lib/MentionsParser.spec.ts,server/Mentions.spec.ts}, apps/meteor/app/metrics/server/lib/statsTracker.{js,ts}, apps/meteor/app/statistics/server/{functions/sendUsageReport.spec.ts,lib/UAParserCustom.{ts,spec.ts}}	Migrated mentions tests from Chai to Jest with explicit typing, removed JavaScript StatsTracker, added TypeScript StatsTracker with dogstatsd integration, migrated statistics test from Mocha/Sinon to Jest, added PropConfig type with explicit UAParser typing.
Utils & Mailer apps/meteor/app/utils/lib/getURL.spec.ts, apps/meteor/app/mailer/server/api.ts	Migrated getURL tests to Jest, updated replace/replaceEscaped signatures with Record<string, any> typing.
Type Definitions apps/meteor/definition/externals/meteor/{accounts-base.d.ts,ddp-common.d.ts,ddp.d.ts,meteor.d.ts,google-oauth.d.ts}	Enhanced accounts-base with UserToActivateOptions/UserActivatedOptions types and insertUserDoc Promise return, refactored DDPCommon.MethodInvocation to constructor interface pattern, updated DDP._CurrentInvocation to EnvironmentVariable type, added Meteor.User extends IUser interface, strengthened Google oauth object typing.
Enterprise & Apps Engine apps/meteor/ee/app/api-enterprise/server/lib/canned-responses.ts, apps/meteor/ee/lib/misc/determineFileType.ts, apps/meteor/ee/server/apps/{communication/{rest.ts,uikit.ts,websockets.ts},orchestrator.ts}, packages/apps-engine/src/{definition/{livechat/IDepartment.ts,settings/ISetting.ts},server/bridges/index.ts}, packages/core-typings/src/{IRoom.ts,ISetting.ts}, packages/model-typings/src/models/IUsersModel.ts	Added canned-responses typing with userId parameter object, changed determineFileType to async FileType.fromBuffer, updated AppServerListener/Notifier to use IAppServerOrchestrator, enhanced orchestrator with ProxiedApp typing and AppInstallationSource enum, added departmentsAllowedToForward as array, added group? to ISetting, exported ThreadBridge, narrowed ISettingSelectOption.key to string, changed findOneByRolesAndType to single role ID parameter.
Removed Test Files apps/meteor/tests/unit/app/{apps/server/{messages.tests.js,mocks/models/BaseModel.mock.js},markdown/client.mocks.js,ui-utils/server.tests.js}, apps/meteor/tests/unit/app/markdown/client.mocks.js	Removed JavaScript unit tests and test mocks, migrated mock infrastructure to TypeScript.
Added Test Infrastructure apps/meteor/tests/unit/app/apps/server/mocks/models/{BaseModel.mock.ts,Messages.mock.ts,Rooms.mock.ts,Users.mock.ts}, apps/meteor/tests/unit/app/apps/server/mocks/orchestrator.mock.ts	Added generic TypeScript mock classes with proper typing for test infrastructure (BaseModelMock, typed room/message/user mocks), enhanced AppServerOrchestratorMock with optional chaining for manager methods.

Sequence Diagram(s)

sequenceDiagram
    participant Client as Client/App
    participant OAuth as Custom OAuth
    participant Config as OAuth Config
    participant External as External Provider
    participant User as User/Accounts
    
    Client->>OAuth: initiateLogin(serviceName, options)
    OAuth->>Config: loadServiceConfiguration(serviceName)
    Config-->>OAuth: config details
    OAuth->>External: requestAccessToken(code)
    External-->>OAuth: accessToken
    OAuth->>External: getIdentity(accessToken)
    External-->>OAuth: identity data
    OAuth->>OAuth: normalizeIdentity(identity)
    OAuth->>OAuth: registerService() / addHookToProcessUser()
    OAuth->>User: Accounts.updateOrCreateUserFromExternalService(serviceName, serviceData)
    User-->>OAuth: user result
    OAuth-->>Client: login complete

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

🐰 Whiskers twitching with delight,
TypeScript types now shine so bright,
OAuth flows now safely cast,
Converters typed from first to last,
IRC bridges hopping free,
Jest and Jest, for you and me! 🌟

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 5.26% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'refactor: Convert missing JavaScript modules to TypeScript' accurately describes the main change in this pull request, which involves migrating multiple JavaScript files to TypeScript across the codebase.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 78.52459% with 131 lines in your changes missing coverage. Please review.
✅ Project coverage is 71.09%. Comparing base (5518503) to head (e246502).
⚠️ Report is 2 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #38357      +/-   ##
===========================================
+ Coverage    70.85%   71.09%   +0.24%     
===========================================
  Files         3208     3215       +7     
  Lines       113426   115286    +1860     
  Branches     20489    21107     +618     
===========================================
+ Hits         80363    81958    +1595     
- Misses       31012    31126     +114     
- Partials      2051     2202     +151     

Flag	Coverage Δ
e2e	60.37% <63.88%> (+0.01%)	⬆️
e2e-api	48.54% <31.03%> (-0.24%)	⬇️
unit	71.90% <82.78%> (+0.38%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

📦 Docker Image Size Report

📈 Changes

Service	Current	Baseline	Change	Percent
sum of all images	1.1GiB	1.1GiB	+11MiB
rocketchat	360MiB	349MiB	+11MiB
omnichannel-transcript-service	134MiB	134MiB	-159B
queue-worker-service	134MiB	134MiB	-26B
ddp-streamer-service	128MiB	128MiB	-180B
account-service	115MiB	115MiB	-177B
authorization-service	112MiB	112MiB	+301B
presence-service	112MiB	112MiB	+426B

📊 Historical Trend

---
config:
  theme: "dark"
  xyChart:
    width: 900
    height: 400
---
xychart
  title "Image Size Evolution by Service (Last 30 Days + This PR)"
  x-axis ["11/21 16:49", "11/24 17:34", "11/27 22:32", "11/28 19:05", "12/01 23:01", "12/02 21:57", "12/03 21:00", "12/04 18:17", "12/05 21:56", "12/08 20:15", "12/09 22:17", "12/10 23:26", "12/11 21:56", "12/12 22:45", "12/13 01:34", "12/15 22:31", "12/16 22:18", "12/17 21:04", "12/18 23:12", "12/19 23:27", "12/20 21:03", "12/22 18:54", "12/23 16:16", "12/24 19:38", "12/25 17:51", "12/26 13:18", "12/29 19:01", "12/30 20:52", "02/12 22:57", "02/13 22:38", "02/15 00:54 (PR)"]
  y-axis "Size (GB)" 0 --> 0.5
  line "account-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "authorization-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "ddp-streamer-service" [0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12]
  line "omnichannel-transcript-service" [0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13]
  line "presence-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "queue-worker-service" [0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13]
  line "rocketchat" [0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.35]

Loading

Statistics (last 30 days):

• 📊 Average: 1.5GiB
• ⬇️ Minimum: 1.4GiB
• ⬆️ Maximum: 1.6GiB
• 🎯 Current PR: 1.1GiB

ℹ️ About this report

This report compares Docker image sizes from this build against the develop baseline.

• Tag: pr-38357
• Baseline: develop
• Timestamp: 2026-02-15 00:54:55 UTC
• Historical data points: 30

---

Updated: Sun, 15 Feb 2026 00:54:56 GMT

[cubic-dev-ai]

6 issues found across 144 files

Note: This PR contains a large number of files. cubic only reviews up to 75 files per PR, so some files may not have been reviewed.

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/meteor/app/lib/server/oauth/twitter.ts">

<violation number="1" location="apps/meteor/app/lib/server/oauth/twitter.ts:53">
P2: The new truthiness check skips valid falsy profile fields; this changes behavior from the previous `_.pick`-based logic and can silently drop whitelisted data.</violation>
</file>

<file name="apps/meteor/app/authentication/server/startup/index.ts">

<violation number="1" location="apps/meteor/app/authentication/server/startup/index.ts:113">
P1: Unsafe type cast `as IUser & { name: string }` hides that `name` is optional on `IUser`. If `userModel.name` is `undefined`, `safeHtmlDots` will throw at runtime because it calls `.replace()` on the value. Use a fallback instead.

(Based on your team's feedback about avoiding unsafe type casts and validating values first.) [FEEDBACK_USED]</violation>
</file>

<file name="apps/meteor/app/apps/server/converters/visitors.ts">

<violation number="1" location="apps/meteor/app/apps/server/converters/visitors.ts:69">
P2: Avoid casting `visitor.status` to `UserStatus` without validation. Since app visitor status is a plain string, this cast can let unsupported values through; validate against allowed `UserStatus` values before assigning a default.</violation>
</file>

<file name="apps/meteor/app/lib/server/lib/validateEmailDomain.ts">

<violation number="1" location="apps/meteor/app/lib/server/lib/validateEmailDomain.ts:21">
P2: Avoid unsafe cast on settings value before calling `.split()`. Narrow to `string` (or provide a safe fallback) so non-string values cannot cause runtime failures.

(Based on your team's feedback about avoiding unsafe type casts for possibly invalid values.) [FEEDBACK_USED]</violation>
</file>

<file name="apps/meteor/app/custom-oauth/server/custom_oauth_server.ts">

<violation number="1" location="apps/meteor/app/custom-oauth/server/custom_oauth_server.ts:79">
P3: The `addAutopublishFields` property is now unused in `CustomOAuthOptions` since the code that consumed it (`Accounts.addAutopublishFields`) was removed from `configure()`. Remove the property from the type to avoid misleading future maintainers.

(Based on your team's feedback about removing unused types and configuration entries.) [FEEDBACK_USED]</violation>

<violation number="2" location="apps/meteor/app/custom-oauth/server/custom_oauth_server.ts:298">
P2: Behavioral change: `_OAuthCustom: true` and `serverURL` were not present in the old JS `serviceData` for access token registration — they were added solely to satisfy the `ServiceData` type. This changes what data is stored/returned during access-token-based OAuth login. Consider using a narrower inline type (e.g., `Partial<ServiceData> & { accessToken: string; expiresAt: number }`) or a dedicated type, rather than forcing these extra fields at runtime to match a type that was designed for the full OAuth flow.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P1: Unsafe type cast as IUser & { name: string } hides that name is optional on IUser. If userModel.name is undefined, safeHtmlDots will throw at runtime because it calls .replace() on the value. Use a fallback instead.

(Based on your team's feedback about avoiding unsafe type casts and validating values first.)

View Feedback

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At apps/meteor/app/authentication/server/startup/index.ts, line 113:

<comment>Unsafe type cast `as IUser & { name: string }` hides that `name` is optional on `IUser`. If `userModel.name` is `undefined`, `safeHtmlDots` will throw at runtime because it calls `.replace()` on the value. Use a fallback instead.

(Based on your team's feedback about avoiding unsafe type casts and validating values first.) </comment>

<file context>
@@ -108,13 +110,13 @@ Meteor.startup(() => {
 
 Accounts.emailTemplates.verifyEmail.html = function (userModel, url) {
-	const name = safeHtmlDots(userModel.name);
+	const name = safeHtmlDots((userModel as IUser & { name: string }).name);
 
 	return Mailer.replace(verifyEmailTemplate, { Verification_Url: url, name });
</file context>

Suggested change

	const name = safeHtmlDots((userModel as IUser & { name: string }).name);
	const name = safeHtmlDots((userModel as IUser).name ?? '');

[cubic-dev-ai]

P2: The new truthiness check skips valid falsy profile fields; this changes behavior from the previous _.pick-based logic and can silently drop whitelisted data.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At apps/meteor/app/lib/server/oauth/twitter.ts, line 53:

<comment>The new truthiness check skips valid falsy profile fields; this changes behavior from the previous `_.pick`-based logic and can silently drop whitelisted data.</comment>

<file context>
@@ -38,13 +43,18 @@ registerAccessTokenService('twitter', async (options) => {
-	_.extend(serviceData, fields);
+	const fields: Record<string, any> = {};
+	for (const key of whitelistedFields) {
+		if (identity[key]) {
+			fields[key] = identity[key];
+		}
</file context>

Suggested change

	if (identity[key]) {
	fields[key] = identity[key];
	}
	if (Object.prototype.hasOwnProperty.call(identity, key)) {
	fields[key] = identity[key];
	}

[cubic-dev-ai]

P2: Avoid casting visitor.status to UserStatus without validation. Since app visitor status is a plain string, this cast can let unsupported values through; validate against allowed UserStatus values before assigning a default.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At apps/meteor/app/apps/server/converters/visitors.ts, line 69:

<comment>Avoid casting `visitor.status` to `UserStatus` without validation. Since app visitor status is a plain string, this cast can let unsupported values through; validate against allowed `UserStatus` values before assigning a default.</comment>

<file context>
@@ -0,0 +1,78 @@
+			token: visitor.token,
+			phone: visitor.phone,
+			livechatData: visitor.livechatData,
+			status: (visitor.status as UserStatus | undefined) || UserStatus.ONLINE,
+			...(visitor.visitorEmails && { visitorEmails: visitor.visitorEmails }),
+			...(visitor.department && { department: visitor.department }),
</file context>

[cubic-dev-ai]

P2: Avoid unsafe cast on settings value before calling .split(). Narrow to string (or provide a safe fallback) so non-string values cannot cause runtime failures.

(Based on your team's feedback about avoiding unsafe type casts for possibly invalid values.)

View Feedback

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At apps/meteor/app/lib/server/lib/validateEmailDomain.ts, line 21:

<comment>Avoid unsafe cast on settings value before calling `.split()`. Narrow to `string` (or provide a safe fallback) so non-string values cannot cause runtime failures.

(Based on your team's feedback about avoiding unsafe type casts for possibly invalid values.) </comment>

<file context>
@@ -9,16 +9,16 @@ import { settings } from '../../../settings/server';
 	}
 
-	emailDomainBlackList = value
+	emailDomainBlackList = (value as string)
 		.split(',')
 		.filter(Boolean)
</file context>

Suggested change

	emailDomainBlackList = (value as string)
	emailDomainBlackList = (typeof value === 'string' ? value : '')

[cubic-dev-ai]

P2: Behavioral change: _OAuthCustom: true and serverURL were not present in the old JS serviceData for access token registration — they were added solely to satisfy the ServiceData type. This changes what data is stored/returned during access-token-based OAuth login. Consider using a narrower inline type (e.g., Partial<ServiceData> & { accessToken: string; expiresAt: number }) or a dedicated type, rather than forcing these extra fields at runtime to match a type that was designed for the full OAuth flow.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At apps/meteor/app/custom-oauth/server/custom_oauth_server.ts, line 298:

<comment>Behavioral change: `_OAuthCustom: true` and `serverURL` were not present in the old JS `serviceData` for access token registration — they were added solely to satisfy the `ServiceData` type. This changes what data is stored/returned during access-token-based OAuth login. Consider using a narrower inline type (e.g., `Partial<ServiceData> & { accessToken: string; expiresAt: number }`) or a dedicated type, rather than forcing these extra fields at runtime to match a type that was designed for the full OAuth flow.</comment>

<file context>
@@ -185,21 +284,20 @@ export class CustomOAuth {
+			const identity = await this.getIdentity(response.access_token);
 
-			const serviceData = {
+			const serviceData: ServiceData = {
 				_OAuthCustom: true,
-				serverURL: self.serverURL,
</file context>

[cubic-dev-ai]

P3: The addAutopublishFields property is now unused in CustomOAuthOptions since the code that consumed it (Accounts.addAutopublishFields) was removed from configure(). Remove the property from the type to avoid misleading future maintainers.

(Based on your team's feedback about removing unused types and configuration entries.)

View Feedback

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At apps/meteor/app/custom-oauth/server/custom_oauth_server.ts, line 79:

<comment>The `addAutopublishFields` property is now unused in `CustomOAuthOptions` since the code that consumed it (`Accounts.addAutopublishFields`) was removed from `configure()`. Remove the property from the type to avoid misleading future maintainers.

(Based on your team's feedback about removing unused types and configuration entries.) </comment>

<file context>
@@ -20,11 +21,108 @@ import { settings } from '../../settings/server';
+	mergeRoles?: boolean;
+	rolesToSync?: string;
+	showButton?: boolean;
+	addAutopublishFields?: Record<string, any>;
+};
+
</file context>