RocketChat · kodiakhq · Dec 11, 2025 · Dec 9, 2025 · Dec 9, 2025 · Dec 11, 2025
diff --git a/.changeset/cold-chairs-taste.md b/.changeset/cold-chairs-taste.md
@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Fixes an issue where its not being possible to change the password in account security page
diff --git a/apps/meteor/app/2fa/server/code/index.ts b/apps/meteor/app/2fa/server/code/index.ts
@@ -9,6 +9,7 @@ import { EmailCheck } from './EmailCheck';
 import type { ICodeCheck } from './ICodeCheck';
 import { PasswordCheckFallback } from './PasswordCheckFallback';
 import { TOTPCheck } from './TOTPCheck';
+import { normalizeHeaders } from '../../../lib/server/functions/getModifiedHttpHeaders';
 import { settings } from '../../../settings/server';
 
 export interface ITwoFactorOptions {
@@ -184,9 +185,11 @@ export async function checkCodeForUser({ user, code, method, options = {}, conne
 		throw new Meteor.Error('totp-user-not-found', 'TOTP User not found');
 	}
 
-	if (!code && !method && connection?.httpHeaders?.['x-2fa-code'] && connection.httpHeaders['x-2fa-method']) {
-		code = connection.httpHeaders['x-2fa-code'];
-		method = connection.httpHeaders['x-2fa-method'];
+	const headers = normalizeHeaders(connection?.httpHeaders);
+
+	if (!code && !method && headers?.['x-2fa-code'] && headers['x-2fa-method']) {
+		code = headers['x-2fa-code'];
+		method = headers['x-2fa-method'];
 	}
 
 	if (connection && isAuthorizedForToken(connection, existingUser, options)) {

diff --git a/apps/meteor/app/lib/server/functions/getModifiedHttpHeaders.ts b/apps/meteor/app/lib/server/functions/getModifiedHttpHeaders.ts
@@ -1,12 +1,14 @@
-export const getModifiedHttpHeaders = (httpHeaders: Headers | Record<string, string>) => {
-	let modifiedHttpHeaders: { [k: string]: string };
-
+export const normalizeHeaders = (httpHeaders?: Headers | Record<string, string>) => {
 	if (httpHeaders instanceof Headers) {
-		modifiedHttpHeaders = { ...Object.fromEntries(httpHeaders.entries()) };
-	} else {
-		modifiedHttpHeaders = { ...httpHeaders };
+		return { ...Object.fromEntries(httpHeaders.entries()) };
 	}
 
+	return { ...httpHeaders };
+};
+
+export const getModifiedHttpHeaders = (httpHeaders: Headers | Record<string, string>) => {
+	const modifiedHttpHeaders = normalizeHeaders(httpHeaders);
+
 	if ('x-auth-token' in modifiedHttpHeaders) {
 		modifiedHttpHeaders['x-auth-token'] = '[redacted]';
 	}

@@ -38,8 +38,7 @@ test.describe.serial('account-security', () => {
 		await poAccountSecurity.toastMessage.waitForDisplay();
 	});
 
-	// FIXME: This test should pass as soon as we provide the fix
-	test.skip('should be able to change password', async ({ api }) => {
+	test('should be able to change password', async ({ api }) => {
 		await test.step('change password', async () => {
 			await poAccountSecurity.changePassword(RANDOM_PASSWORD, RANDOM_PASSWORD, ADMIN_CREDENTIALS.password);
 			await expect(poAccountSecurity.inputNewPassword).toHaveValue('');