
Conversation

@ricardogarim (Contributor) commented Dec 17, 2025

As per CORE-1364, the general logout endpoint does not update the sessions collection, causing logged-out devices to remain visible in the Manage Devices page.

Proposed changes (including videos or screenshots)

A new Sessions.logoutAllByUserId(userId, logoutBy) method was introduced, which sets logoutAt and logoutBy for all active sessions of the user. The /v1/users.logout endpoint now calls this method after removing login tokens, ensuring session state is consistently updated across the system.

Issue(s)

Steps to test or reproduce

  1. Log in to Rocket.Chat from multiple devices or browsers
  2. Go to Device Management
  3. Confirm multiple active sessions are listed
  4. Log out using the UI or call /api/v1/users.logout
  5. Refresh the Device Management page

Before the fix:

  • Logged-out sessions remain listed as active
  • Sessions are missing a logoutAt timestamp

After the fix:

  • All sessions are marked as logged out
  • Logged-out sessions no longer appear as active

Summary by CodeRabbit

  • Bug Fixes

    • Logging out other client sessions now properly invalidates all sessions for the targeted user, preventing stale active sessions.
  • Chores

    • Added a release changeset entry to publish the patch across affected packages.

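The update semantics the PR description above attributes to Sessions.logoutAllByUserId (set logoutAt and logoutBy on every still-active session of the user, after the login tokens are removed), shown as an added example. This is not Rocket.Chat's own code: the Sessions collection is replaced by an in-memory stand-in whose logoutAllByUserId mirrors an updateMany with the filter `{ userId, logoutAt: { $exists: false } }`, the users store and token helpers are assumed, and the session records are constructed sample data. The field names userId, logoutAt and logoutBy are the ones the PR names.

```typescript
// Added example, not Rocket.Chat's own code. An in-memory stand-in for the
// Sessions collection shows the update semantics a
// Sessions.logoutAllByUserId(userId, logoutBy) method needs, and the order in
// which a logout route should call it after revoking login tokens. Field names
// userId, logoutAt and logoutBy follow the PR description; everything else
// (record shape, store classes, helper names) is assumed for illustration.

export interface SessionRecord {
  _id: string;
  userId: string;
  device: string;
  loginAt: Date;
  logoutAt?: Date;
  logoutBy?: string;
}

// The part of a MongoDB UpdateResult the caller cares about.
export interface UpdateCounts {
  matchedCount: number;
  modifiedCount: number;
}

export class SessionsStore {
  constructor(private readonly docs: SessionRecord[]) {}

  // Equivalent of updateMany({ userId, logoutAt: { $exists: false } },
  // { $set: { logoutAt: now, logoutBy } }). Sessions that already carry a
  // logoutAt are skipped on purpose: a repeated logout must not overwrite the
  // original timestamp and actor, which are the audit trail.
  logoutAllByUserId(userId: string, logoutBy: string, now: Date = new Date()): UpdateCounts {
    let modified = 0;
    for (const doc of this.docs) {
      if (doc.userId !== userId || doc.logoutAt !== undefined) continue;
      doc.logoutAt = now;
      doc.logoutBy = logoutBy;
      modified += 1;
    }
    return { matchedCount: modified, modifiedCount: modified };
  }

  // What a Device Management page lists: sessions without a logoutAt.
  activeByUserId(userId: string): SessionRecord[] {
    return this.docs.filter((d) => d.userId === userId && d.logoutAt === undefined);
  }

  byId(id: string): SessionRecord | undefined {
    return this.docs.find((d) => d._id === id);
  }
}

// Stand-in for the users collection's login-token bookkeeping (assumed API).
export class UsersStore {
  private readonly tokens = new Map<string, string[]>();

  setLoginTokens(userId: string, hashedTokens: string[]): void {
    this.tokens.set(userId, [...hashedTokens]);
  }

  unsetLoginTokens(userId: string): void {
    this.tokens.set(userId, []);
  }

  loginTokensOf(userId: string): string[] {
    return this.tokens.get(userId) ?? [];
  }
}

// The fixed logout flow: revoke tokens first (that is what actually ends
// access), then record the logout on every still-open session so the device
// list and audit data agree with the token state. actorId becomes logoutBy.
export function logoutUser(users: UsersStore, sessions: SessionsStore, targetUserId: string, actorId: string): UpdateCounts {
  users.unsetLoginTokens(targetUserId);
  return sessions.logoutAllByUserId(targetUserId, actorId);
}

// Constructed sample data: alice has two open sessions plus one she closed
// herself earlier; bob has one open session that must not be touched.
export function buildFixture(): { users: UsersStore; sessions: SessionsStore } {
  const users = new UsersStore();
  users.setLoginTokens('alice', ['h1', 'h2']);
  users.setLoginTokens('bob', ['h3']);
  const sessions = new SessionsStore([
    { _id: 's1', userId: 'alice', device: 'laptop', loginAt: new Date('2025-12-01T08:00:00Z') },
    { _id: 's2', userId: 'alice', device: 'phone', loginAt: new Date('2025-12-02T09:00:00Z') },
    { _id: 's3', userId: 'alice', device: 'tablet', loginAt: new Date('2025-11-20T10:00:00Z'),
      logoutAt: new Date('2025-11-21T10:00:00Z'), logoutBy: 'alice' },
    { _id: 's4', userId: 'bob', device: 'laptop', loginAt: new Date('2025-12-03T11:00:00Z') },
  ]);
  return { users, sessions };
}
```

Running logoutUser for alice as an administrator closes s1 and s2 with logoutBy set to the administrator, leaves s3's earlier self-logout untouched, leaves bob's session open, and a second call is a no-op with modifiedCount 0. The `logoutAt: { $exists: false }` filter is what makes the call idempotent and keeps the first actor on record; without it a later logout by a different principal would silently rewrite who ended the session.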

dionisio-bot (Contributor) commented Dec 17, 2025

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

changeset-bot commented Dec 17, 2025

🦋 Changeset detected

Latest commit: 7d51add

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 42 packages
Name Type
@rocket.chat/model-typings Patch
@rocket.chat/models Patch
@rocket.chat/meteor Patch
@rocket.chat/apps Patch
@rocket.chat/account-service Patch
@rocket.chat/authorization-service Patch
@rocket.chat/ddp-streamer Patch
@rocket.chat/omnichannel-transcript Patch
@rocket.chat/presence-service Patch
@rocket.chat/queue-worker Patch
@rocket.chat/stream-hub-service Patch
@rocket.chat/omnichannel-services Patch
rocketchat-services Patch
@rocket.chat/core-services Patch
@rocket.chat/cron Patch
@rocket.chat/instance-status Patch
@rocket.chat/omni-core Patch
@rocket.chat/ui-client Patch
@rocket.chat/abac Patch
@rocket.chat/federation-matrix Patch
@rocket.chat/media-calls Patch
@rocket.chat/omni-core-ee Patch
@rocket.chat/presence Patch
@rocket.chat/network-broker Patch
@rocket.chat/core-typings Patch
@rocket.chat/rest-typings Patch
@rocket.chat/uikit-playground Patch
@rocket.chat/api-client Patch
@rocket.chat/ddp-client Patch
@rocket.chat/freeswitch Patch
@rocket.chat/fuselage-ui-kit Patch
@rocket.chat/gazzodown Patch
@rocket.chat/http-router Patch
@rocket.chat/livechat Patch
@rocket.chat/ui-avatar Patch
@rocket.chat/ui-contexts Patch
@rocket.chat/ui-voip Patch
@rocket.chat/web-ui-registration Patch
@rocket.chat/license Patch
@rocket.chat/pdf-worker Patch
@rocket.chat/mock-providers Patch
@rocket.chat/ui-video-conf Patch


coderabbitai (Contributor) commented Dec 17, 2025

Walkthrough

Adds a Sessions.logoutAllByUserId method and invokes it from the server logout route so sessions receive a logoutAt/logoutBy update when tokens are removed, ensuring sessions are marked as invalidated.

Changes

Cohort / File(s) / Summary

Changeset documentation
  .changeset/slimy-ads-sing.md
  Adds a changeset entry documenting a bug fix that addresses sessions not being marked as logged out after token removal.

API endpoint modification (Users API)
  apps/meteor/app/api/server/v1/users.ts
  Adds a Sessions import and invokes Sessions.logoutAllByUserId(userId, this.userId) in the logout flow to terminate user sessions after removing tokens.

Model interface extension
  packages/model-typings/src/models/ISessionsModel.ts
  Adds the method signature `logoutAllByUserId(userId: IUser['_id'], logoutBy: IUser['_id']): Promise<UpdateResult>`.

Model implementation
  packages/models/src/models/Sessions.ts
  Implements async logoutAllByUserId(userId, logoutBy), which sets logoutAt and logoutBy on all sessions of the specified user that lack logoutAt.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Review should check: correct query filter to avoid touching already-logged-out sessions, atomicity/indices for the update, and typing consistency with model typings.
  • Files to pay extra attention to:
    • packages/models/src/models/Sessions.ts (update query and update payload)
    • apps/meteor/app/api/server/v1/users.ts (ensure correct integration point and error handling)
    • packages/model-typings/src/models/ISessionsModel.ts (signature alignment)

Suggested reviewers

  • lucas-a-pelegrino
  • pierre-lehnen-rc

Poem

🐰 I hopped through code at break of day,

logoutAt set, the stale mice play away.
Tokens cleared, the session list now small,
Hooray — no ghosts upon the wall.
🥕 — a rabbit, checking sessions one and all

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: adding proper session logout functionality to /v1/users.logout endpoint.
Linked Issues check ✅ Passed The pull request fully addresses CORE-1364 by implementing Sessions.logoutAllByUserId() method and integrating it into /v1/users.logout to mark sessions as logged out.
Out of Scope Changes check ✅ Passed All changes are directly related to fixing the logout session issue: adding the new method to Sessions model, updating the API route, and creating the changeset entry.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📥 Commits

Reviewing files that changed from the base of the PR and between 516e919 and cf9b629.

📒 Files selected for processing (1)
  • apps/meteor/app/api/server/v1/users.ts (2 hunks)
🧬 Code graph analysis (1)
apps/meteor/app/api/server/v1/users.ts (1)
packages/models/src/index.ts (1)
  • Sessions (209-209)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: CodeQL-Build
  • GitHub Check: CodeQL-Build
🔇 Additional comments (2)
apps/meteor/app/api/server/v1/users.ts (2)

3-3: LGTM! Proper import addition.

The Sessions model is correctly imported alongside existing models and is necessary for the new logout functionality.


1286-1287: Sessions properly marked as logged out.

The call to Sessions.logoutAllByUserId correctly updates session records after tokens are removed. The ordering is appropriate—tokens are removed first (line 1282), then sessions are marked as logged out (line 1286).

The method signature correctly accepts the target user ID and the actor ID as parameters. The implementation sets logoutAt and logoutBy fields on all sessions for the target user that haven't already been logged out, making this update idempotent.

One consideration: if this call fails after unsetLoginTokens succeeds, tokens would be removed but sessions wouldn't be marked as logged out. However, since tokens being removed is the primary logout mechanism and sessions become functionally invalid, this is acceptable. The Sessions update is supplementary for UI/audit purposes.



github-actions (Contributor) commented Dec 17, 2025

📦 Docker Image Size Report

📈 Changes

Service                         Current   Baseline  Change
sum of all images               1.2GiB    1.2GiB    +12MiB
rocketchat                      358MiB    347MiB    +12MiB
omnichannel-transcript-service  132MiB    132MiB    +857B
queue-worker-service            132MiB    132MiB    +868B
ddp-streamer-service            126MiB    126MiB    -1.3KiB
account-service                 113MiB    113MiB    +822B
authorization-service           111MiB    111MiB    -536B
stream-hub-service              111MiB    111MiB    +1.5KiB
presence-service                111MiB    111MiB    +496B

📊 Historical Trend

[Chart: "Image Size Evolution by Service (Last 30 Days + This PR)"; x-axis from 11/15 22:28 to 12/19 19:13 (PR), y-axis "Size (GB)" from 0 to 0.5. Every series is flat to two decimals: rocketchat 0.36 GB falling to 0.34 GB over the window and 0.35 GB for this PR; omnichannel-transcript-service and queue-worker-service 0.14 GB falling to 0.13 GB; ddp-streamer-service 0.12 GB; account-service, authorization-service, presence-service and stream-hub-service 0.11 GB throughout.]

Statistics (last 25 days):

  • 📊 Average: 1.5GiB
  • ⬇️ Minimum: 1.2GiB
  • ⬆️ Maximum: 1.6GiB
  • 🎯 Current PR: 1.2GiB
ℹ️ About this report

This report compares Docker image sizes from this build against the develop baseline.

  • Tag: pr-37846
  • Baseline: develop
  • Timestamp: 2025-12-19 19:13:21 UTC
  • Historical data points: 25

Updated: Fri, 19 Dec 2025 19:13:22 GMT

codecov commented Dec 17, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.71%. Comparing base (0ccb969) to head (cf9b629).
⚠️ Report is 1 commit behind head on develop.

Additional details and impacted files

Impacted file tree graph

@@           Coverage Diff            @@
##           develop   #37846   +/-   ##
========================================
  Coverage    67.70%   67.71%           
========================================
  Files         3475     3475           
  Lines       113861   113903   +42     
  Branches     20942    21003   +61     
========================================
+ Hits         77093    77124   +31     
- Misses       34586    34594    +8     
- Partials      2182     2185    +3     
Flag Coverage Δ
e2e 57.17% <ø> (-0.03%) ⬇️
e2e-api 44.04% <ø> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.


@ricardogarim ricardogarim marked this pull request as ready for review December 17, 2025 13:11
@ricardogarim ricardogarim requested review from a team as code owners December 17, 2025 13:11
@lucas-a-pelegrino (Contributor) left a comment:

BE looks good.

@ricardogarim ricardogarim added this to the 7.14.0 milestone Dec 17, 2025
@ricardogarim ricardogarim added the stat: QA assured Means it has been tested and approved by a company insider label Dec 18, 2025
@dionisio-bot dionisio-bot bot added the stat: ready to merge PR tested and approved waiting for merge label Dec 18, 2025
@ggazzo ggazzo merged commit be80b72 into develop Dec 19, 2025
10 of 11 checks passed
@ggazzo ggazzo deleted the fix/logout-sessions branch December 19, 2025 20:11
gaolin1 pushed a commit to gaolin1/medsense.webchat that referenced this pull request Jan 6, 2026
@dougfabris dougfabris modified the milestones: 7.14.0, 8.0.0 Jan 19, 2026