chore: add hono as router

[ggazzo]

https://rocketchat.atlassian.net/browse/ARCH-1485

hono is a new router designed to replace express.
it is based on new language features and made 100% to be used with typescript

• Better typings

• Improved way to implement middlewares

• Multiple architectures (node/bun/deno)

• Faster (!/?)

Proposed changes (including videos or screenshots)

Issue(s)

Steps to test or reproduce

Further comments

---

This pull request introduces significant changes to the Rocket.Chat codebase by integrating the Hono framework as the primary router, replacing the existing Express setup. The changes span multiple files and focus on improving type safety, request handling, and middleware functionality. Key updates include:

• Refactoring the API server implementation to enhance request handling, rate limiting, and authentication flows.
• Migrating various middleware components from Express to Hono, including CORS, logging, metrics, and tracer functionalities, while maintaining core functionalities and improving type safety.
• Updating header access methods across multiple API endpoints to use the get() method, enhancing security and consistency with modern web standards.
• Introducing a Hono adapter for Express requests to facilitate request conversion and response mapping.
• Improving file upload handling by transitioning from Express request handling to the Web Streams API.
• Enhancing request validation and error handling in several integrations, including Twilio and livechat endpoints.
• Modifying test files to align with the new request handling approach and improve type safety.

Overall, this pull request aims to modernize the Rocket.Chat codebase by adopting the Hono framework, improving maintainability, and ensuring better type safety and security across the application.

[dionisio-bot]

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: ff2508b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[github-actions]

PR Preview Action v1.6.0
🚀 View preview at https://RocketChat.github.io/Rocket.Chat/pr-preview/pr-35078/
Built to branch gh-pages at 2025-04-08 18:53 UTC. Preview will be ready when the GitHub Pages deployment is complete.

[codecov]

Codecov Report

Attention: Patch coverage is 97.56098% with 1 line in your changes missing coverage. Please review.

Project coverage is 59.64%. Comparing base (939cc28) to head (ff2508b).
Report is 3 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #35078      +/-   ##
===========================================
+ Coverage    59.63%   59.64%   +0.01%     
===========================================
  Files         2832     2832              
  Lines        68301    68322      +21     
  Branches     15131    15133       +2     
===========================================
+ Hits         40730    40750      +20     
- Misses       24962    24963       +1     
  Partials      2609     2609              

Flag	Coverage Δ
unit	75.62% <97.56%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[ggazzo]

@kody start-review

[kody-ai]

Code Review Completed! 🔥

The code review was successfully completed based on your current configurations.

Kody Guide: Usage and Configuration

Interacting with Kody

• Request a Review: Ask Kody to review your PR manually by adding a comment with the @kody start-review command at the root of your PR.

• Provide Feedback: Help Kody learn and improve by reacting to its comments with a 👍 for helpful suggestions or a 👎 if improvements are needed.

Current Kody Configuration

Review Options

The following review options are enabled or disabled:

Options	Enabled
Security	✅
Code Style	✅
Kody Rules	✅
Refactoring	✅
Error Handling	✅
Maintainability	✅
Potential Issues	✅
Documentation And Comments	✅
Performance And Optimization	✅
Breaking Changes	❌

Access your configuration settings here.

​

[Copilot]

Copilot reviewed 46 out of 46 changed files in this pull request and generated 1 comment.

[kody-ai]

const token = request.headers.get('x-auth-token')?.trim();
const userId = request.headers.get('x-user-id')?.trim();

Multiple instances of missing input validation for critical parameters, potentially leading to security vulnerabilities or runtime errors.

This issue appears in multiple locations:

• apps/meteor/app/api/server/helpers/getLoggedInUser.ts: Lines 6-7
• apps/meteor/app/integrations/server/api/api.js: Lines 243-243
• apps/meteor/server/services/omnichannel-integrations/providers/twilio.ts: Lines 248-250
• apps/meteor/server/services/omnichannel-integrations/providers/voxtelesys.ts: Lines 165-167
  Please add validation checks for critical parameters to ensure they are not null, undefined, or malformed before processing.

_{Talk to Kody by mentioning @kody}

_{Was this suggestion helpful? React with 👍 or 👎 to help Kody learn from this interaction.}

​

​

[kody-ai]

// Import the necessary types from the '@rocket.chat/rest-typings' package or define custom types if needed.
import type { Request, Response } from '@rocket.chat/rest-typings';

// Or, if using custom types:
// interface Request { /* ... */ }
// interface Response { /* ... */ }

The removal of the explicit 'express' import and the associated types 'Request' and 'Response' might lead to issues with type checking and code completion. While the 'WebApp' object might provide similar functionality, it's crucial to ensure type safety. Consider adding explicit types for request and response objects within the affected methods to maintain type correctness and avoid potential runtime errors.

_{Talk to Kody by mentioning @kody}

_{Was this suggestion helpful? React with 👍 or 👎 to help Kody learn from this interaction.}

​

​

[kody-ai]

export type ErrorStatusCodes = 500 | 510;

The ErrorStatusCodes type now excludes 509 from the range. This could potentially cause issues if 509 is a valid error code in the system. Consider documenting this exclusion or ensuring it's intentional.

_{Talk to Kody by mentioning @kody}

_{Was this suggestion helpful? React with 👍 or 👎 to help Kody learn from this interaction.}

​

​

[kody-ai]

let reader;
try {
  const error = unknown;
  reader = webReadableStream.getReader();
} catch (error: unknown) {
  this.destroy(error);
  return;
}

Add error handling for the webReadableStream.getReader() operation to catch potential stream reading errors.

_{Talk to Kody by mentioning @kody}

_{Was this suggestion helpful? React with 👍 or 👎 to help Kody learn from this interaction.}

​

​

[kody-ai]

+	nodeReadableStream.pipe(bb);
+
+	try {
+		return new Promise<UploadResultWithOptionalFile<K>>((resolve, reject) => {
+			returnResult = resolve;
+	} finally {
+		nodeReadableStream.destroy();
+		bb.removeAllListeners();
+	}

The code pipes a Node.js Readable stream to the 'busboy' instance but doesn't remove the listener or close the stream when finished or in case of errors. This can lead to memory leaks. Add a 'close' event listener to the Readable stream and/or 'busboy' to ensure proper cleanup. Consider using a try/finally block to guarantee execution of the cleanup logic.

_{Talk to Kody by mentioning @kody}

_{Was this suggestion helpful? React with 👍 or 👎 to help Kody learn from this interaction.}

​

​

[kody-ai]

const CORSOriginSetting = String(settings.get('API_CORS_Origin') ?? '*');

Add validation for CORSOriginSetting to ensure it's not null or undefined before processing.

_{Talk to Kody by mentioning @kody}

_{Was this suggestion helpful? React with 👍 or 👎 to help Kody learn from this interaction.}

​

​

[kody-ai]

try {
	const honoRes = await hono.request(
		expressReq.originalUrl,
		{
			...req,
			...(['POST', 'PUT', 'DELETE'].includes(expressReq.method) && { body: expressReq as unknown as ReadableStream }),
			headers: new Headers(Object.fromEntries(Object.entries(expressReq.headers)) as Record<string, string>),
		},
		{
			incoming: expressReq,
		},
	);
	const responseText = await honoRes.text().catch((error) => {
		console.error('Error reading response:', error);
		throw error;
	});
	res.status(honoRes.status);
	honoRes.headers.forEach((value, key) => res.setHeader(key, value));
	res.send(Buffer.from(responseText));
} catch (error) {
	console.error('Hono adapter error:', error);
	res.status(500).send('Internal Server Error');
}

Add error handling for the Hono request and response processing to prevent unhandled promise rejections.

_{Talk to Kody by mentioning @kody}

_{Was this suggestion helpful? React with 👍 or 👎 to help Kody learn from this interaction.}

​

​

[kody-ai]

const userAgent = this.request.headers.get('user-agent') || '';
if (!/^[\w\d\s\-\.\/\:;()\[\]{}@!?=+]*$/.test(userAgent)) {
  throw new Error('Invalid user-agent header');
}
useragent: userAgent,

Add validation for user-agent header to ensure it matches expected format and prevent potential injection attacks.

_{Talk to Kody by mentioning @kody}

_{Was this suggestion helpful? React with 👍 or 👎 to help Kody learn from this interaction.}

​

​

[kody-ai]

express.json({
				limit: '1mb',
			}),
			express.urlencoded({
				extended: true,
				limit: '1mb',
			}),

The 50MB limit for JSON and URL-encoded data is quite high and could lead to potential memory exhaustion attacks. Consider reducing this limit to a more reasonable size.

_{Talk to Kody by mentioning @kody}

_{Was this suggestion helpful? React with 👍 or 👎 to help Kody learn from this interaction.}

​

​