fix: Roles based mandatory two factor to check all cases #37338

yash-rajpal · 2025-10-29T17:56:16Z

Proposed changes (including videos or screenshots)

Currently the role-based mandatory 2FA doesn't check for all conditions properly and just checks if user has some kind of 2FA which leaves a few corner cases to not work as expected.

Issue(s)

Steps to test or reproduce

Configure role based mandatory 2FA for some user.
Configure email 2FA for this user.
Disable email 2FA in settings
Expect the client to enforce mandatory setting up of TOTP 2FA

Further comments

CORE-1508

Summary by CodeRabbit

Bug Fixes
- Improved mandatory role-based two-factor authentication to always verify which 2FA methods are available before enforcing setup.
Tests
- Added end-to-end tests covering enforcement behavior when email and/or TOTP 2FA are enabled or disabled, ensuring correct redirects and UI visibility.

dionisio-bot · 2025-10-29T17:56:20Z

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

changeset-bot · 2025-10-29T17:56:20Z

🦋 Changeset detected

Latest commit: 82182cf

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 41 packages

Name	Type
@rocket.chat/meteor	Patch
@rocket.chat/core-typings	Patch
@rocket.chat/rest-typings	Patch
@rocket.chat/uikit-playground	Patch
@rocket.chat/api-client	Patch
@rocket.chat/apps	Patch
@rocket.chat/core-services	Patch
@rocket.chat/cron	Patch
@rocket.chat/ddp-client	Patch
@rocket.chat/freeswitch	Patch
@rocket.chat/fuselage-ui-kit	Patch
@rocket.chat/gazzodown	Patch
@rocket.chat/http-router	Patch
@rocket.chat/livechat	Patch
@rocket.chat/model-typings	Patch
@rocket.chat/ui-avatar	Patch
@rocket.chat/ui-client	Patch
@rocket.chat/ui-contexts	Patch
@rocket.chat/web-ui-registration	Patch
@rocket.chat/account-service	Patch
@rocket.chat/authorization-service	Patch
@rocket.chat/ddp-streamer	Patch
@rocket.chat/omnichannel-transcript	Patch
@rocket.chat/presence-service	Patch
@rocket.chat/queue-worker	Patch
@rocket.chat/stream-hub-service	Patch
@rocket.chat/federation-matrix	Patch
@rocket.chat/license	Patch
@rocket.chat/media-calls	Patch
@rocket.chat/omnichannel-services	Patch
@rocket.chat/pdf-worker	Patch
@rocket.chat/presence	Patch
rocketchat-services	Patch
@rocket.chat/models	Patch
@rocket.chat/network-broker	Patch
@rocket.chat/omni-core-ee	Patch
@rocket.chat/mock-providers	Patch
@rocket.chat/ui-video-conf	Patch
@rocket.chat/ui-voip	Patch
@rocket.chat/instance-status	Patch
@rocket.chat/omni-core	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

coderabbitai · 2025-10-29T17:56:44Z

Walkthrough

The patch updates mandatory role-based 2FA enforcement to verify which 2FA methods are enabled before requiring user setup. It adds feature-flag checks for email and TOTP, validates the mandatory2fa role, adjusts presence checks to the enabled methods, and adds E2E tests for configurations with different method combinations.

Changes

Cohort / File(s)	Summary
Configuration & Versioning `\.changeset/tall-flies-jump\.md`	Adds a changeset documenting a patch that ensures available 2FA methods are verified before enforcement.
2FA Enforcement Logic `apps/meteor/client/views/hooks/useRequire2faSetup\.ts`	Introduces feature flags (`email2faEnabled`, `totp2faEnabled`) and precomputed `is2FAEnabled`; validates `mandatory2fa` role; computes `hasEmail2FA`/`hasTotp2FA` from user services; updates return logic to require setup only when no enabled method is present for the user.
E2E Test Coverage `apps/meteor/tests/e2e/enforce-2FA\.spec\.ts`	Adds tests that toggle `Accounts_TwoFactorAuthentication_By_Email_Enabled` and TOTP settings via API and assert redirects/UI for cases: (1) email disabled, TOTP enabled; (2) both email and TOTP disabled.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Hook as useRequire2faSetup
    participant Settings as 2FA Settings
    participant UserProfile as User Data

    User->>Hook: request "require 2FA setup?"
    Hook->>Settings: read email2faEnabled, totp2faEnabled
    Hook->>Hook: compute is2FAEnabled = email or totp
    Hook->>UserProfile: check user exists & has mandatory2fa role
    alt user lacks mandatory2fa role or not logged in
        Hook-->>User: return false (no enforcement)
    else user has mandatory2fa role and is2FAEnabled
        Hook->>UserProfile: read hasEmail2FA, hasTotp2FA
        alt user has none of the enabled methods
            Hook-->>User: return true (setup required)
        else
            Hook-->>User: return false (setup not required)
        end
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Pay attention to: useRequire2faSetup.ts branching and boolean logic inversion; correctness of feature-flag evaluation; coverage and teardown in the new E2E tests.

Suggested reviewers

lucas-a-pelegrino

Poem

🐰 I hopped through flags and roles so bright,
I checked each method in the moonlit night,
If carrots (TOTP) shine and email hides,
I nudge the user to where safety bides. 🥕🔐

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run `@coderabbitai generate docstrings` to improve docstring coverage.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The PR title "fix: Roles based mandatory two factor to check all cases" directly relates to the main change in the pull request. The changes modify the role-based mandatory 2FA enforcement logic to check multiple conditions (whether each 2FA method is configured and whether the user has it set up) rather than just checking if any 2FA exists. The title accurately captures that this is about improving role-based mandatory 2FA checks to handle more cases, though "check all cases" could be more specific about what corner cases are being addressed.
Linked Issues Check	✅ Passed	The code changes directly implement the requirement from CORE-1508: when Email 2FA is disabled and TOTP is enabled, users with role-based mandatory 2FA must be required to have TOTP configured. The modifications to useRequire2faSetup.ts now check which 2FA methods are configured and enabled (email2faEnabled, totp2faEnabled), determine what the user has set up (hasEmail2FA, hasTotp2FA), and enforce setup of any enabled method the user lacks. The test suite validates this exact scenario with dedicated test cases for when email 2FA is disabled while TOTP remains enabled. All coding requirements from the issue are met.
Out of Scope Changes Check	✅ Passed	All changes in the pull request are directly scoped to addressing CORE-1508. The modifications focus specifically on improving mandatory role-based 2FA enforcement logic by checking configured methods against user capabilities, implementing proper enforcement when Email 2FA is disabled and TOTP is enabled, and adding targeted test coverage for these scenarios. No unrelated changes or technical improvements outside the stated objectives are present in the changeset.

✨ Finishing touches

📝 Generate docstrings

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment
Commit unit tests in branch fix/mandatory2fa

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between e322bcf and 9c93b5b.

📒 Files selected for processing (1)

apps/meteor/client/views/hooks/useRequire2faSetup.ts (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)

GitHub Check: 🔎 Code Check / Code Lint
GitHub Check: 🔎 Code Check / TypeScript
GitHub Check: 🔨 Test Unit / Unit Tests
GitHub Check: 🔨 Test Storybook / Test Storybook
GitHub Check: 📦 Meteor Build - coverage
GitHub Check: CodeQL-Build
GitHub Check: CodeQL-Build

🔇 Additional comments (1)

apps/meteor/client/views/hooks/useRequire2faSetup.ts (1)

6-28: Thorough 2FA enforcement matches workspace settings

The consolidated guard ensures we only redirect mandatory-role users when at least one enabled method (email or TOTP) is available, and the per-method checks cleanly cover the “email disabled, TOTP required” gap that triggered CORE-1508. Well done tightening the logic around the actual admin switches.(docs.rocket.chat)

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

codecov · 2025-10-29T18:15:24Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.93%. Comparing base (79c67c7) to head (82182cf).
⚠️ Report is 1 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #37338      +/-   ##
===========================================
+ Coverage    67.91%   67.93%   +0.02%     
===========================================
  Files         3357     3357              
  Lines       114897   114905       +8     
  Branches     20750    20754       +4     
===========================================
+ Hits         78028    78059      +31     
+ Misses       34186    34166      -20     
+ Partials      2683     2680       -3

Flag	Coverage Δ
e2e	`57.53% <100.00%> (+0.11%)`	⬆️
unit	`71.96% <ø> (-0.02%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

coderabbitai

Actionable comments posted: 1

🧹 Nitpick comments (1)

apps/meteor/client/views/hooks/useRequire2faSetup.ts (1)

18-21: Drop the debug console log

console.log in production code is noisy and leaks role details in browser consoles. Please remove it before merging.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 1acf6a3 and e322bcf.

📒 Files selected for processing (3)

.changeset/tall-flies-jump.md (1 hunks)
apps/meteor/client/views/hooks/useRequire2faSetup.ts (1 hunks)
apps/meteor/tests/e2e/enforce-2FA.spec.ts (2 hunks)

🧰 Additional context used

📓 Path-based instructions (3)

apps/meteor/tests/e2e/**/*.spec.ts

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

apps/meteor/tests/e2e/**/*.spec.ts: All Playwright test files must be located under apps/meteor/tests/e2e/ and use the .spec.ts extension (e.g., login.spec.ts)
Use descriptive test names that clearly communicate expected behavior
Use test.beforeAll() and test.afterAll() for setup and teardown
Use test.step() to organize complex test scenarios
Group related tests in the same file
Utilize Playwright fixtures (test, page, expect) consistently
Prefer web-first assertions (e.g., toBeVisible, toHaveText)
Use expect matchers (toEqual, toContain, toBeTruthy, toHaveLength, etc.) instead of assert statements
Maintain test isolation between test cases
Ensure a clean state for each test execution
Ensure tests run reliably in parallel without shared state conflicts

Files:

apps/meteor/tests/e2e/enforce-2FA.spec.ts

apps/meteor/tests/e2e/**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

apps/meteor/tests/e2e/**/*.{ts,tsx,js,jsx}: Write concise, technical TypeScript/JavaScript with accurate typing
Follow DRY by extracting reusable logic into helper functions or page objects
Avoid code comments in the implementation

Files:

apps/meteor/tests/e2e/enforce-2FA.spec.ts

apps/meteor/tests/e2e/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

apps/meteor/tests/e2e/**/*.{ts,tsx}: Avoid using page.locator(); prefer semantic locators like page.getByRole, page.getByLabel, page.getByText, and page.getByTitle
Store commonly used locators in variables/constants for reuse
Use page.waitFor() with specific conditions and avoid hardcoded timeouts
Implement proper wait strategies for dynamic content
Follow the Page Object Model pattern consistently

Files:

apps/meteor/tests/e2e/enforce-2FA.spec.ts

🧠 Learnings (14)