feat(rest-typings): migrate four user endpoints to Ajv validation

[Harshit2405-2004]

Proposed changes

This PR migrates four legacy user endpoints to strict Ajv schema validation via @rocket.chat/rest-typings.

Endpoints migrated:

• users.getAvatar
• users.deleteOwnAccount
• users.resetAvatar
• users.forgotPassword

Changes

• Added new typescript schema definitions for the parameter validations in packages/rest-typings/src/v1/users.
• Exported validation props into the shared API boundaries.
• Injected validateParams into the API.v1.addRoute specifications for the affected users REST endpoints.
• Removed redundant imperative validation checks (e.g., if (!password)) within the route handlers themselves that are now guaranteed natively by Ajv middleware.

This aligns with the ongoing effort of the "Fast-Track 3" strategy to introduce rigorous typing/parameters onto the legacy monolith endpoints.
F�i�x�e�s� �#�3�9�2�2�3�
�
�

Summary by CodeRabbit

• Refactor

  • User REST endpoints (getAvatar, deleteOwnAccount, resetAvatar, forgotPassword) now enforce explicit parameter validation for stricter input checks and clearer error responses.
  • forgotPassword behavior adjusted to rely on validation for required fields rather than inline checks.

• Chores

  • Added standardized parameter types and validators for user-related API operations; documentation/migrations updated.

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label
• This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

🦋 Changeset detected

Latest commit: 49e031f

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 41 packages

Name	Type
@rocket.chat/rest-typings	Patch
@rocket.chat/meteor	Patch
@rocket.chat/api-client	Patch
@rocket.chat/core-services	Patch
@rocket.chat/ddp-client	Patch
@rocket.chat/http-router	Patch
@rocket.chat/models	Patch
@rocket.chat/ui-contexts	Patch
@rocket.chat/web-ui-registration	Patch
@rocket.chat/account-service	Patch
@rocket.chat/authorization-service	Patch
@rocket.chat/ddp-streamer	Patch
@rocket.chat/federation-matrix	Patch
@rocket.chat/omnichannel-services	Patch
@rocket.chat/presence	Patch
rocketchat-services	Patch
@rocket.chat/omnichannel-transcript	Patch
@rocket.chat/presence-service	Patch
@rocket.chat/queue-worker	Patch
@rocket.chat/abac	Patch
@rocket.chat/network-broker	Patch
@rocket.chat/omni-core-ee	Patch
@rocket.chat/livechat	Patch
@rocket.chat/mock-providers	Patch
@rocket.chat/cron	Patch
@rocket.chat/instance-status	Patch
@rocket.chat/omni-core	Patch
@rocket.chat/server-fetch	Patch
@rocket.chat/ui-client	Patch
@rocket.chat/media-calls	Patch
@rocket.chat/uikit-playground	Patch
@rocket.chat/fuselage-ui-kit	Patch
@rocket.chat/gazzodown	Patch
@rocket.chat/ui-avatar	Patch
@rocket.chat/ui-video-conf	Patch
@rocket.chat/ui-voip	Patch
@rocket.chat/core-typings	Patch
@rocket.chat/apps	Patch
@rocket.chat/model-typings	Patch
@rocket.chat/license	Patch
@rocket.chat/pdf-worker	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds AJV-based input validation for four user-related API endpoints by introducing new parameter types and validators and applying them via validateParams on the routes: getAvatar, deleteOwnAccount, resetAvatar, and forgotPassword. The explicit email presence check in forgotPassword was removed.

Changes

Cohort / File(s)	Summary
API Route Handler apps/meteor/app/api/server/v1/users.ts	Import four new validators (isUsersGetAvatarProps, isUsersDeleteOwnAccountProps, isUsersResetAvatarProps, isUsersForgotPasswordProps) and attach them to the corresponding routes via validateParams. Remove explicit email presence check in forgotPassword.
Rest-Typings Main packages/rest-typings/src/v1/users.ts	Add and export new validators and re-export new parameter type modules for avatar, delete-own-account, and forgot-password endpoints.
Parameter Type Definitions packages/rest-typings/src/v1/users/UsersGetAvatarParamsGET.ts, packages/rest-typings/src/v1/users/UsersDeleteOwnAccountParamsPOST.ts, packages/rest-typings/src/v1/users/UsersForgotPasswordParamsPOST.ts	Introduce UsersGetAvatarParamsGET (optional userId, username, user), UsersDeleteOwnAccountParamsPOST (password required, confirmRelinquish optional), and UsersForgotPasswordParamsPOST (email required).
Changeset .changeset/add-users-rest-param-validations.md	Add changeset documenting migration of four endpoints to AJV schema validation and bumping package versions.
Workflow tweak .github/workflows/dedupe-issues.yml	Minor workflow change: update model arg and set continue-on-error: true for a run step.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

type: chore

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: migrating four user REST endpoints to Ajv validation, which matches the core focus of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apps/meteor/app/api/server/v1/users.ts (1)

369-388: ⚠️ Potential issue | 🟡 Minor

Unused variable result.

The result variable is assigned but never used. Remove the assignment or use the return value.

Proposed fix

-			const result = await deleteUserOwnAccount(this.userId, password, confirmRelinquish);
+			await deleteUserOwnAccount(this.userId, password, confirmRelinquish);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@apps/meteor/app/api/server/v1/users.ts` around lines 369 - 388, The local
variable result is assigned from deleteUserOwnAccount in the post handler but
never used; remove the unused assignment or return/forward its value. Update the
API.v1.addRoute post() to either call await deleteUserOwnAccount(this.userId,
password, confirmRelinquish) without assigning to result, or return
API.v1.success(result) / include result in the response as appropriate so that
the deleteUserOwnAccount return value is consumed.

🧹 Nitpick comments (3)

packages/rest-typings/src/v1/users/UsersForgotPasswordParamsPOST.ts (1)

7-18: Duplicate validator definition (same pattern as UsersDeleteOwnAccountParamsPOST).

The isUsersForgotPasswordProps validator is defined both here and in packages/rest-typings/src/v1/users.ts (lines 44-51). Consolidate to one location to avoid compiling the same schema twice.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/rest-typings/src/v1/users/UsersForgotPasswordParamsPOST.ts` around
lines 7 - 18, The validator UsersForgotPasswordProps is duplicated—remove the
local UsersForgotPasswordParamsPostSchema and the ajv.compile call for
isUsersForgotPasswordProps here and instead import and re-export the single
canonical validator (or schema) defined in users.ts; update references to use
the existing isUsersForgotPasswordProps (or the shared
UsersForgotPasswordParamsPostSchema/UsersForgotPasswordParamsPOST) so the schema
is compiled only once and no duplicate ajv.compile occurs.

packages/rest-typings/src/v1/users/UsersGetAvatarParamsGET.ts (1)

11-31: Duplicate validator definition (same pattern as other files).

The isUsersGetAvatarProps validator is defined both here and in packages/rest-typings/src/v1/users.ts (lines 23-32). Consolidate to one location.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/rest-typings/src/v1/users/UsersGetAvatarParamsGET.ts` around lines
11 - 31, There is a duplicate AJV validator defined here
(UsersGetAvatarParamsGetSchema and isUsersGetAvatarProps) that also exists in
the other module; remove the local schema/compile in this file and instead
import and re-export the single canonical validator (isUsersGetAvatarProps) from
the central location where the validator is intended to live (e.g., the other
users module), or move the schema+compile to a shared module and update both
files to import it; ensure you delete UsersGetAvatarParamsGetSchema and the
ajv.compile call from this file and replace them with an import/export of the
single isUsersGetAvatarProps symbol.

packages/rest-typings/src/v1/users/UsersDeleteOwnAccountParamsPOST.ts (1)

8-23: Duplicate validator definition detected.

This file defines isUsersDeleteOwnAccountProps validator, but the same validator with identical schema is also defined in packages/rest-typings/src/v1/users.ts (lines 34-42 per relevant code snippets). This duplication means the schema is compiled twice.

Consider keeping the validator definition in only one location - either here (and re-export from users.ts) or in users.ts alone (following the existing pattern for other validators like isUsersInfoProps).

Option A: Keep validator here, remove from users.ts

In packages/rest-typings/src/v1/users.ts, remove the duplicate definition and just re-export:

-export const isUsersDeleteOwnAccountProps = ajv.compile<UsersDeleteOwnAccountParamsPOST>({
-	type: 'object',
-	properties: {
-		password: { type: 'string' },
-		confirmRelinquish: { type: 'boolean', nullable: true },
-	},
-	required: ['password'],
-	additionalProperties: false,
-});
+export { isUsersDeleteOwnAccountProps } from './users/UsersDeleteOwnAccountParamsPOST';

Option B: Remove validator from this file, keep in users.ts

 import { ajv } from '../Ajv';

 export type UsersDeleteOwnAccountParamsPOST = {
     password: string;
     confirmRelinquish?: boolean;
 };
-
-const UsersDeleteOwnAccountParamsPostSchema = {
-    type: 'object',
-    properties: {
-        password: {
-            type: 'string',
-        },
-        confirmRelinquish: {
-            type: 'boolean',
-            nullable: true,
-        }
-    },
-    required: ['password'],
-    additionalProperties: false,
-};
-
-export const isUsersDeleteOwnAccountProps = ajv.compile<UsersDeleteOwnAccountParamsPOST>(UsersDeleteOwnAccountParamsPostSchema);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/rest-typings/src/v1/users/UsersDeleteOwnAccountParamsPOST.ts` around
lines 8 - 23, The file defines a duplicate AJV validator:
UsersDeleteOwnAccountParamsPostSchema and isUsersDeleteOwnAccountProps are also
compiled in users.ts; pick one location and remove the other to avoid compiling
the same schema twice. Either (A) keep the schema and compiled validator here
(UsersDeleteOwnAccountParamsPOST => UsersDeleteOwnAccountParamsPostSchema and
isUsersDeleteOwnAccountProps) and delete the duplicate compile in users.ts and
add a re-export from users.ts, or (B) remove
UsersDeleteOwnAccountParamsPostSchema and isUsersDeleteOwnAccountProps from this
file and import/re-export the single isUsersDeleteOwnAccountProps from users.ts
(follow the existing pattern used for isUsersInfoProps). Ensure only one
ajv.compile call exists for isUsersDeleteOwnAccountProps.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/rest-typings/src/v1/users.ts`:
- Around line 20-52: This file defines isUsersGetAvatarProps,
isUsersDeleteOwnAccountProps, and isUsersForgotPasswordProps but the same
validators are also exported from the individual ./users/* files causing
duplicate exports; follow the repo pattern and keep the validator definitions
here and remove them from the per-endpoint files: delete the validator
declarations for isUsersGetAvatarProps, isUsersDeleteOwnAccountProps, and
isUsersForgotPasswordProps from their respective files (e.g., the files that
currently export those validators alongside types from
./users/UsersGetAvatarParamsGET, ./users/UsersDeleteOwnAccountParamsPOST,
./users/UsersForgotPasswordParamsPOST), leaving only the type exports there, and
ensure the central file continues to export the three validator constants so
there are no duplicate exports.

---

Outside diff comments:
In `@apps/meteor/app/api/server/v1/users.ts`:
- Around line 369-388: The local variable result is assigned from
deleteUserOwnAccount in the post handler but never used; remove the unused
assignment or return/forward its value. Update the API.v1.addRoute post() to
either call await deleteUserOwnAccount(this.userId, password, confirmRelinquish)
without assigning to result, or return API.v1.success(result) / include result
in the response as appropriate so that the deleteUserOwnAccount return value is
consumed.

---

Nitpick comments:
In `@packages/rest-typings/src/v1/users/UsersDeleteOwnAccountParamsPOST.ts`:
- Around line 8-23: The file defines a duplicate AJV validator:
UsersDeleteOwnAccountParamsPostSchema and isUsersDeleteOwnAccountProps are also
compiled in users.ts; pick one location and remove the other to avoid compiling
the same schema twice. Either (A) keep the schema and compiled validator here
(UsersDeleteOwnAccountParamsPOST => UsersDeleteOwnAccountParamsPostSchema and
isUsersDeleteOwnAccountProps) and delete the duplicate compile in users.ts and
add a re-export from users.ts, or (B) remove
UsersDeleteOwnAccountParamsPostSchema and isUsersDeleteOwnAccountProps from this
file and import/re-export the single isUsersDeleteOwnAccountProps from users.ts
(follow the existing pattern used for isUsersInfoProps). Ensure only one
ajv.compile call exists for isUsersDeleteOwnAccountProps.

In `@packages/rest-typings/src/v1/users/UsersForgotPasswordParamsPOST.ts`:
- Around line 7-18: The validator UsersForgotPasswordProps is duplicated—remove
the local UsersForgotPasswordParamsPostSchema and the ajv.compile call for
isUsersForgotPasswordProps here and instead import and re-export the single
canonical validator (or schema) defined in users.ts; update references to use
the existing isUsersForgotPasswordProps (or the shared
UsersForgotPasswordParamsPostSchema/UsersForgotPasswordParamsPOST) so the schema
is compiled only once and no duplicate ajv.compile occurs.

In `@packages/rest-typings/src/v1/users/UsersGetAvatarParamsGET.ts`:
- Around line 11-31: There is a duplicate AJV validator defined here
(UsersGetAvatarParamsGetSchema and isUsersGetAvatarProps) that also exists in
the other module; remove the local schema/compile in this file and instead
import and re-export the single canonical validator (isUsersGetAvatarProps) from
the central location where the validator is intended to live (e.g., the other
users module), or move the schema+compile to a shared module and update both
files to import it; ensure you delete UsersGetAvatarParamsGetSchema and the
ajv.compile call from this file and replace them with an import/export of the
single isUsersGetAvatarProps symbol.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3c30636 and f227c81.

📒 Files selected for processing (5)

• apps/meteor/app/api/server/v1/users.ts
• packages/rest-typings/src/v1/users.ts
• packages/rest-typings/src/v1/users/UsersDeleteOwnAccountParamsPOST.ts
• packages/rest-typings/src/v1/users/UsersForgotPasswordParamsPOST.ts
• packages/rest-typings/src/v1/users/UsersGetAvatarParamsGET.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: cubic · AI code reviewer

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• packages/rest-typings/src/v1/users/UsersDeleteOwnAccountParamsPOST.ts
• packages/rest-typings/src/v1/users/UsersGetAvatarParamsGET.ts
• packages/rest-typings/src/v1/users.ts
• packages/rest-typings/src/v1/users/UsersForgotPasswordParamsPOST.ts
• apps/meteor/app/api/server/v1/users.ts

🧠 Learnings (6)

📓 Common learnings

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38974
File: apps/meteor/app/api/server/v1/im.ts:220-221
Timestamp: 2026-02-24T19:09:09.561Z
Learning: In RocketChat/Rocket.Chat OpenAPI migration PRs for apps/meteor/app/api/server/v1 endpoints, maintainers prefer to avoid any logic changes; style-only cleanups (like removing inline comments) may be deferred to follow-ups to keep scope tight.

Learnt from: ggazzo
Repo: RocketChat/Rocket.Chat PR: 35995
File: apps/meteor/app/api/server/v1/rooms.ts:1107-1112
Timestamp: 2026-02-23T17:53:18.785Z
Learning: In Rocket.Chat PR reviews, maintain strict scope boundaries—when a PR is focused on a specific endpoint (e.g., rooms.favorite), avoid reviewing or suggesting changes to other endpoints that were incidentally refactored (e.g., rooms.invite) unless explicitly requested by maintainers.

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• packages/rest-typings/src/v1/users/UsersDeleteOwnAccountParamsPOST.ts
• packages/rest-typings/src/v1/users/UsersGetAvatarParamsGET.ts
• packages/rest-typings/src/v1/users.ts
• packages/rest-typings/src/v1/users/UsersForgotPasswordParamsPOST.ts
• apps/meteor/app/api/server/v1/users.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• packages/rest-typings/src/v1/users/UsersDeleteOwnAccountParamsPOST.ts
• packages/rest-typings/src/v1/users/UsersGetAvatarParamsGET.ts
• packages/rest-typings/src/v1/users.ts
• packages/rest-typings/src/v1/users/UsersForgotPasswordParamsPOST.ts
• apps/meteor/app/api/server/v1/users.ts

📚 Learning: 2026-02-24T19:09:01.522Z

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38974
File: apps/meteor/app/api/server/v1/im.ts:220-221
Timestamp: 2026-02-24T19:09:01.522Z
Learning: In Rocket.Chat OpenAPI migration PRs for endpoints under apps/meteor/app/api/server/v1, avoid introducing logic changes. Only perform scope-tight changes that preserve behavior; style-only cleanups (e.g., removing inline comments) may be deferred to follow-ups to keep the migration PR focused.

Applied to files:

• apps/meteor/app/api/server/v1/users.ts

📚 Learning: 2026-02-25T20:10:16.987Z

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38913
File: packages/ddp-client/src/legacy/types/SDKLegacy.ts:34-34
Timestamp: 2026-02-25T20:10:16.987Z
Learning: In the RocketChat/Rocket.Chat monorepo, packages/ddp-client and apps/meteor do not use TypeScript project references. Module augmentations in apps/meteor (e.g., declare module 'rocket.chat/rest-typings') are not visible when compiling packages/ddp-client in isolation, which is why legacy SDK methods that depend on OperationResult types for OpenAPI-migrated endpoints must remain commented out.

Applied to files:

• apps/meteor/app/api/server/v1/users.ts

📚 Learning: 2026-02-23T17:53:06.802Z

Learnt from: ggazzo
Repo: RocketChat/Rocket.Chat PR: 35995
File: apps/meteor/app/api/server/v1/rooms.ts:1107-1112
Timestamp: 2026-02-23T17:53:06.802Z
Learning: During PR reviews that touch endpoint files under apps/meteor/app/api/server/v1, enforce strict scope: if a PR targets a specific endpoint (e.g., rooms.favorite), do not propose changes to unrelated endpoints (e.g., rooms.invite) unless maintainers explicitly request them. Focus feedback on the touched endpoint's behavior, API surface, and related tests; avoid broad cross-endpoint changes in the same PR unless requested.

Applied to files:

• apps/meteor/app/api/server/v1/users.ts

🧬 Code graph analysis (3)

packages/rest-typings/src/v1/users/UsersDeleteOwnAccountParamsPOST.ts (1)

packages/rest-typings/src/v1/users.ts (1)

• isUsersDeleteOwnAccountProps (35-43)

packages/rest-typings/src/v1/users/UsersGetAvatarParamsGET.ts (1)

packages/rest-typings/src/v1/users.ts (1)

• isUsersGetAvatarProps (24-33)

apps/meteor/app/api/server/v1/users.ts (2)

packages/rest-typings/src/v1/users.ts (5)

• isUsersGetAvatarProps (24-33)
• isUsersDeleteOwnAccountProps (35-43)
• isUsersResetAvatarProps (131-131)
• isUsersForgotPasswordProps (45-52)
• UsersEndpoints (160-404)

packages/rest-typings/src/index.ts (1)

• Endpoints (48-93)

🔇 Additional comments (5)

apps/meteor/app/api/server/v1/users.ts (4)

24-27: LGTM!

The new validator imports are correctly added and follow the existing import pattern.

---

88-107: LGTM!

The users.getAvatar route correctly integrates validateParams: isUsersGetAvatarProps for Ajv validation.

---

736-762: LGTM!

The users.resetAvatar route correctly integrates validateParams: isUsersResetAvatarProps.

---

910-930: LGTM!

The users.forgotPassword route correctly integrates validateParams: isUsersForgotPasswordProps. The removal of the explicit email check is appropriate since Ajv now enforces the required email field.

packages/rest-typings/src/v1/users.ts (1)

416-418: LGTM!

The re-exports for the new parameter modules follow the existing pattern.

[cubic-dev-ai]

3 issues found across 5 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/meteor/app/api/server/v1/users.ts">

<violation number="1" location="apps/meteor/app/api/server/v1/users.ts:377">
P1: Ajv schema for users.deleteOwnAccount lacks minLength constraint on password field. The original imperative check `if (!password)` rejected all falsy values including empty strings. The new schema only requires password to be a string type but doesn't enforce minimum length (minLength: 1), so empty strings pass validation and reach deleteUserOwnAccount() causing potential auth failures. Add minLength: 1 to the password property in the schema.</violation>

<violation number="2" location="apps/meteor/app/api/server/v1/users.ts:914">
P2: Schema validation gap: isUsersForgotPasswordProps accepts empty email strings</violation>
</file>

<file name="packages/rest-typings/src/v1/users/UsersGetAvatarParamsGET.ts">

<violation number="1" location="packages/rest-typings/src/v1/users/UsersGetAvatarParamsGET.ts:11">
P2: Ajv schema allows `null` values via `nullable: true`, but the TypeScript type only allows `string | undefined`. This creates an unsound type guard where validated payloads may contain `null` values that downstream code doesn't expect, potentially causing runtime errors.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.github/workflows/dedupe-issues.yml (1)

25-31: Please split this CI workflow tweak into a separate PR.

This change is operationally unrelated to the REST-typings endpoint migration and makes scope/risk review noisier. Recommend isolating it in a dedicated CI PR.

Based on learnings: In Rocket.Chat PR reviews, maintain strict scope boundaries when a PR is focused on specific endpoints; avoid unrelated changes unless explicitly requested.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/dedupe-issues.yml around lines 25 - 31, This PR includes
an unrelated CI step ("Run Claude Code slash command" using
anthropics/claude-code-base-action@beta and model: 'claude-3-5-sonnet-20241022')
that should be split into a separate PR; revert or remove that workflow block
from this commit so the REST-typings endpoint migration PR only contains
endpoint/migration changes, then create a dedicated PR that adds the CI tweak
(include the workflow step, secrets usage, and prompt) with a clear commit
message/PR title like "ci: add dedupe issues Claude action" so reviewers can
evaluate scope and risk independently.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/dedupe-issues.yml:
- Line 27: The workflow currently sets continue-on-error: true which masks all
failures (including the Claude dedupe step); remove or change that global
continue-on-error setting so failures surface—either delete the
continue-on-error: true line or set it to false, or scope continue-on-error only
to specific non-critical steps rather than the whole job/step; look for the
continue-on-error key in the workflow (the existing entry on line with
continue-on-error: true) and replace it with a safer policy (false or per-step
usage) so dedupe/Claude failures are not suppressed.

---

Nitpick comments:
In @.github/workflows/dedupe-issues.yml:
- Around line 25-31: This PR includes an unrelated CI step ("Run Claude Code
slash command" using anthropics/claude-code-base-action@beta and model:
'claude-3-5-sonnet-20241022') that should be split into a separate PR; revert or
remove that workflow block from this commit so the REST-typings endpoint
migration PR only contains endpoint/migration changes, then create a dedicated
PR that adds the CI tweak (include the workflow step, secrets usage, and prompt)
with a clear commit message/PR title like "ci: add dedupe issues Claude action"
so reviewers can evaluate scope and risk independently.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 57f2327 and 7a75a9d.

📒 Files selected for processing (1)

• .github/workflows/dedupe-issues.yml

📜 Review details

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38974
File: apps/meteor/app/api/server/v1/im.ts:220-221
Timestamp: 2026-02-24T19:09:09.561Z
Learning: In RocketChat/Rocket.Chat OpenAPI migration PRs for apps/meteor/app/api/server/v1 endpoints, maintainers prefer to avoid any logic changes; style-only cleanups (like removing inline comments) may be deferred to follow-ups to keep scope tight.

Learnt from: ggazzo
Repo: RocketChat/Rocket.Chat PR: 35995
File: apps/meteor/app/api/server/v1/rooms.ts:1107-1112
Timestamp: 2026-02-23T17:53:18.785Z
Learning: In Rocket.Chat PR reviews, maintain strict scope boundaries—when a PR is focused on a specific endpoint (e.g., rooms.favorite), avoid reviewing or suggesting changes to other endpoints that were incidentally refactored (e.g., rooms.invite) unless explicitly requested by maintainers.

[Harshit2405-2004]

@ggazzo I have addressed all the issues and Sorry for this inconvenience.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.89%. Comparing base (3c30636) to head (272dcd1).
⚠️ Report is 15 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #39222      +/-   ##
===========================================
+ Coverage    70.76%   70.89%   +0.12%     
===========================================
  Files         3195     3208      +13     
  Lines       113106   113422     +316     
  Branches     20522    20555      +33     
===========================================
+ Hits         80041    80411     +370     
+ Misses       31018    30966      -52     
+ Partials      2047     2045       -2     

Flag	Coverage Δ
unit	71.59% <ø> (+0.16%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[ggazzo]