fix!: create inviteToken for invites and remove it from listInvites

[julio-rocketchat]

Proposed changes (including videos or screenshots)

Users who have the create-invite-links permission are also able to access /admin/invites and request all invites from the listInvites API endpoint. This means that users with such a permission are able to get invites for rooms they are not part of and they can use such invites to get arbitrary access to these rooms.

This happens because the invite ID works as a token and can be used in an invite link. Notwithstanding, the invite ID/token is too short and may be susceptible to brute-force attempts.

This PR:

• Creates inviteToken and separates it from _id.
• Doesn't return inviteToken in the listInvites response nor in the UI.
• Increases _id's randomness and entropy with const _id = crypto.randomBytes(8).toString('hex');.
• Generates inviteToken in a cryptographically secure manner by using const inviteToken = crypto.randomUUID();.

Issue(s)

VLN-38

Steps to test or reproduce

N/A

Further comments

N/A

Summary by CodeRabbit

• API Changes

  • New invite responses include an inviteToken for public invite links.
  • Invite listings intentionally omit inviteToken.
  • Invite validation and usage now require/accept inviteToken (not internal IDs).

• UI Updates

  • Renamed invites table header from "Token" to "Invite".

• Tests

  • End-to-end tests updated to use inviteToken, assert its presence on creation, and verify token handling/edge cases.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label
• This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: d8afb84

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

Adds an inviteToken used for public invite URLs and token-based lookups: models, server flows, APIs, client props/labels, and tests updated; legacy invites are backfilled with tokens; list API omits token from public listings while find/create returns it.

Changes

Cohort / File(s)	Summary
API Response Schemas apps/meteor/app/api/server/v1/invites.ts	listInvites 200 items changed to Omit<IInvite, 'inviteToken'>[] (inline object schema); findOrCreateInvite 200 response now includes required inviteToken: string.
Server Invite Functions apps/meteor/app/invites/server/functions/findOrCreateInvite.ts, apps/meteor/app/invites/server/functions/listInvites.ts, apps/meteor/app/invites/server/functions/validateInviteToken.ts	Generate inviteToken via crypto.randomUUID() for new and legacy invites; use inviteToken in URL construction and lookups; validateInviteToken queries by token.
Client UI Components apps/meteor/client/views/admin/invites/InviteRow.tsx, apps/meteor/client/views/admin/invites/InvitesPage.tsx	InviteRowProps omits inviteToken; table header label changed from "Token" to "Invite".
End-to-End Tests apps/meteor/tests/e2e/saml.spec.ts, apps/meteor/tests/end-to-end/api/abac.ts, apps/meteor/tests/end-to-end/api/invites.ts, apps/meteor/tests/end-to-end/api/users.ts	Tests updated to consume inviteToken from responses, assert presence/absence where appropriate, and adjust stored identifiers (store both _id and inviteToken when needed); added negative cases for using _id as a token.
Type Definitions & Models packages/core-typings/src/IInvite.ts, packages/model-typings/src/models/IInvitesModel.ts, packages/models/src/models/Invites.ts	Added inviteToken: string to IInvite; added findOneByInviteToken() and ensureInviteToken() to model typings and implemented them in InvitesRaw (uses crypto.randomUUID and tokens backfill/ensure logic).

Sequence Diagram(s)

sequenceDiagram
    actor Client
    participant API_Server as API Server
    participant Invites_DB as Invites DB

    Client->>API_Server: POST /findOrCreateInvite (roomId)
    activate API_Server
    API_Server->>Invites_DB: find existing invite by roomId
    alt invite not found
        API_Server->>API_Server: generate _id and inviteToken (crypto.randomUUID)
        API_Server->>Invites_DB: insert invite with inviteToken
    else invite found
        API_Server->>Invites_DB: ensureInviteToken(_id) -> token (generate if missing)
        API_Server->>Invites_DB: update invite with token if needed
    end
    API_Server->>API_Server: build invite URL using inviteToken
    API_Server-->>Client: return invite object including inviteToken and url
    deactivate API_Server

    Client->>API_Server: POST /validateInviteToken (inviteToken)
    activate API_Server
    API_Server->>Invites_DB: findOneByInviteToken(inviteToken)
    Invites_DB-->>API_Server: invite data / null
    API_Server-->>Client: return validation result
    deactivate API_Server

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• #37325: Modifies the same server-side invite functions (findOrCreateInvite, validateInviteToken); related due to overlapping invite-token and ABAC changes.

Suggested labels

stat: ready to merge, stat: QA assured

Suggested reviewers

• ggazzo
• sampaiodiego

Poem

🐰 I hopped in code with a happy wink,
Swapped IDs for tokens, quick as a blink.
Crypto crumbs scattered, invites now sing,
Tokens for links — a small secure thing.
Hop, hop — the new invites take wing! 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'create inviteToken for invites and remove it from listInvites' directly and concisely summarizes the main changes: introducing inviteToken generation and excluding it from list responses.
Linked Issues check	✅ Passed	The PR addresses VLN-38 by preventing unauthorized access to invite links through increased token entropy and separation of invite identifiers from usable tokens.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to invite handling: new inviteToken field, token generation, storage, retrieval, and API response modifications align with the security fix objective.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch refactor-invites

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

📦 Docker Image Size Report

➡️ Changes

Service	Current	Baseline	Change	Percent
sum of all images	0B	0B	0B
account-service	0B	0B	0B
authorization-service	0B	0B	0B
ddp-streamer-service	0B	0B	0B
omnichannel-transcript-service	0B	0B	0B
presence-service	0B	0B	0B
queue-worker-service	0B	0B	0B
rocketchat	0B	0B	0B

📊 Historical Trend

---
config:
  theme: "dark"
  xyChart:
    width: 900
    height: 400
---
xychart
  title "Image Size Evolution by Service (Last 30 Days + This PR)"
  x-axis ["11/18 22:53", "11/19 23:02", "11/21 16:49", "11/24 17:34", "11/27 22:32", "11/28 19:05", "12/01 23:01", "12/02 21:57", "12/03 21:00", "12/04 18:17", "12/05 21:56", "12/08 20:15", "12/09 22:17", "12/10 23:26", "12/11 21:56", "12/12 22:45", "12/13 01:34", "12/15 22:31", "12/16 22:18", "12/17 21:04", "12/18 23:12", "12/19 23:27", "12/20 21:03", "12/22 18:54", "12/23 16:16", "12/24 19:38", "12/25 17:51", "12/26 13:18", "12/29 19:01", "12/30 20:52", "01/24 00:36 (PR)"]
  y-axis "Size (GB)" 0 --> 0.5
  line "account-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.00]
  line "authorization-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.00]
  line "ddp-streamer-service" [0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.00]
  line "omnichannel-transcript-service" [0.14, 0.14, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.00]
  line "presence-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.00]
  line "queue-worker-service" [0.14, 0.14, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.00]
  line "rocketchat" [0.35, 0.35, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.00]

Loading

Statistics (last 30 days):

• 📊 Average: 1.5GiB
• ⬇️ Minimum: 1.4GiB
• ⬆️ Maximum: 1.6GiB
• 🎯 Current PR: 0B

ℹ️ About this report

This report compares Docker image sizes from this build against the develop baseline.

• Tag: pr-38290
• Baseline: develop
• Timestamp: 2026-01-24 00:36:13 UTC
• Historical data points: 30

---

Updated: Sat, 24 Jan 2026 00:36:14 GMT

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.75%. Comparing base (08b586d) to head (d8afb84).

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #38290      +/-   ##
===========================================
+ Coverage    70.74%   70.75%   +0.01%     
===========================================
  Files         3159     3159              
  Lines       109384   109384              
  Branches     19676    19682       +6     
===========================================
+ Hits         77383    77398      +15     
+ Misses       29963    29958       -5     
+ Partials      2038     2028      -10     

Flag	Coverage Δ
e2e	60.31% <ø> (+0.04%)	⬆️
e2e-api	48.08% <ø> (+0.07%)	⬆️
unit	71.90% <ø> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[julio-rocketchat]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

apps/meteor/app/invites/server/functions/validateInviteToken.ts (1)

6-21: Backwards-compat break for legacy invite links.

With token-only lookup, existing invite URLs based on _id will fail after deploy unless a migration/backfill updates tokens (and URLs) ahead of time or you add a legacy fallback lookup. Please confirm intended behavior and, if legacy links should keep working, add a compatibility path (e.g., fallback to _id and optionally backfill inviteToken/url).

apps/meteor/app/invites/server/functions/listInvites.ts (1)

1-25: Add explicit crypto import for consistency with sibling module.

The sibling file findOrCreateInvite.ts in the same module imports crypto from 'node:crypto'. For consistency, add the import here as well:

import type { IInvite } from '@rocket.chat/core-typings';
+import crypto from 'node:crypto';
import { Invites } from '@rocket.chat/models';
import { Meteor } from 'meteor/meteor';

🤖 Fix all issues with AI agents

In `@apps/meteor/app/invites/server/functions/findOrCreateInvite.ts`:
- Around line 93-103: The legacy invite token race is fixed by atomically
setting the token with a conditional findOneAndUpdate instead of
Invites.updateOne: when you detect an existing invite without inviteToken,
generate a token and call Invites.findOneAndUpdate({ _id: existing._id, $or: [{
inviteToken: { $exists: false } }, { inviteToken: null }, { inviteToken: "" }]
}, { $set: { inviteToken } }, { returnDocument: "after" }); then set existing to
the returned document (or, if null, re-fetch the invite) and compute
existing.url = getInviteUrl(existing) before returning; replace the current
updateOne + local assignment with this atomic pattern so the response token
always matches DB state.

🧹 Nitpick comments (3)

apps/meteor/app/invites/server/functions/listInvites.ts (1)

18-33: Batch legacy-token backfill and drop inline comments.

Consider batching updates to avoid no-await-in-loop, and remove inline comments to keep the implementation clean. This also speeds up token backfill when many invites exist.

♻️ Possible refactor (apply after fixing crypto import)

-	// Ensure all invites have inviteToken (for legacy invites that might not have it)
-	for (const invite of invites) {
-		const inviteWithToken = invite as IInvite & { inviteToken?: string };
-		if (!inviteWithToken.inviteToken) {
-			const inviteToken = randomUUID();
-			// eslint-disable-next-line no-await-in-loop
-			await Invites.updateOne({ _id: invite._id }, { $set: { inviteToken } });
-			inviteWithToken.inviteToken = inviteToken;
-		}
-	}
-
-	// Remove inviteToken from the response
-	return invites.map((invite) => {
+	const invitesNeedingToken = invites.filter((invite) => !(invite as IInvite & { inviteToken?: string }).inviteToken);
+	await Promise.all(
+		invitesNeedingToken.map(async (invite) => {
+			const inviteToken = randomUUID();
+			await Invites.updateOne({ _id: invite._id }, { $set: { inviteToken } });
+			(invite as IInvite & { inviteToken: string }).inviteToken = inviteToken;
+		}),
+	);
+
+	return invites.map((invite) => {

As per coding guidelines, avoid code comments in the implementation.

apps/meteor/tests/e2e/saml.spec.ts (1)

142-143: Consider renaming variable for clarity.

The variable inviteId now holds the inviteToken value rather than the _id. While functionally correct (invite URLs should use the token), the naming is misleading.

Consider renaming to better reflect its purpose:

♻️ Suggested variable rename

-		const { inviteToken } = await inviteResponse.json();
-		inviteId = inviteToken;
+		const { inviteToken: token } = await inviteResponse.json();
+		inviteId = token;

Or rename the variable declaration at line 100:

-	let inviteId: string;
+	let inviteToken: string;

And update all usages of inviteId to inviteToken throughout the file (lines 445, 448, 459, 462, 485, 488, 508, 511).

apps/meteor/tests/end-to-end/api/invites.ts (1)

104-112: Stabilize listInvites assertion by matching on ID (avoid order dependence).

The list order isn’t guaranteed; picking index 0 can make the test flaky if other invites exist. Consider locating the invite by _id before asserting on inviteToken.

♻️ Proposed adjustment

-					expect(res.body[0]).to.have.property('_id', testInviteID);
-					expect(res.body[0]).to.not.have.property('inviteToken');
+					const invite = res.body.find((i: IInvite) => i._id === testInviteID);
+					expect(invite).to.exist;
+					expect(invite).to.not.have.property('inviteToken');

[cubic-dev-ai]

No issues found across 13 files

[pierre-lehnen-rc]

This change breaks compatibility with all existing Invite URLs, which IMO would already be a bad idea in a major version, and is even more so in a minor one.

[julio-rocketchat]

This change breaks compatibility with all existing Invite URLs, which IMO would already be a bad idea in a major version, and is even more so in a minor one.

What would be a better alternative in your opinion to ensure security at the same time that we don't break compatibility?

[pierre-lehnen-rc]

It wouldn't have the same level of security, but one option would be to update the old invites setting their old ID as the inviteToken (and perhaps changing their ID to a different value); That way the old URLs would still work and would not be leaked anymore.

Then in addition we could perhaps make the invite list show an indicator on old invites suggesting they should be replaced.

[pierre-lehnen-rc]

BTW the old token length (6) was a product decision. It was shorter in order to make it easier for users to type them out if needed (though I don't know if we have any workflow in which the code is typed manually).

[julio-rocketchat]

It wouldn't have the same level of security, but one option would be to update the old invites setting their old ID as the inviteToken (and perhaps changing their ID to a different value); That way the old URLs would still work and would not be leaked anymore.

Then in addition we could perhaps make the invite list show an indicator on old invites suggesting they should be replaced.

I see. I'll talk to Product about it and take a look into doing it this way as well.

[julio-rocketchat]

BTW the old token length (6) was a product decision. It was shorter in order to make it easier for users to type them out if needed (though I don't know if we have any workflow in which the code is typed manually).

Got it. I'll talk to product about this one as well, but I don't think we have workflows where the code is typed manually either.

[julio-rocketchat]

@pierre-lehnen-rc talked to Milton about this one and he agreed to wait for 9.0.0 to do this fix.

[sampaiodiego]

This means that users with such a permission are able to get invites for rooms they are not part of and they can use such invites to get arbitrary access to these rooms.

@julio-rocketchat is this really a thing? I don't think so by the looking at the code.. if that's not true does it means there is no vulnerability at all?

[julio-rocketchat]

This means that users with such a permission are able to get invites for rooms they are not part of and they can use such invites to get arbitrary access to these rooms.

@julio-rocketchat is this really a thing? I don't think so by the looking at the code.. if that's not true does it means there is no vulnerability at all?

@sampaiodiego

I’ve created a few private rooms with the rocketchat.internal.admin.test user and created invite links for each. Then, with the user julio, who only has the create-invite-links permission, I hit the listInvites endpoint and got the following:

With these, since _id is the token, we can form invite links such as https://go.rocket.chat/invite?host=localhost%3A3000&path=invite%2FRtgCeb&secure=no.

Then, I used it to get access to the private rooms with the user julio:

[sampaiodiego]

@julio-rocketchat I assume then you have created a new role with create-invite-links permission, right? this permission is "scoped", which means it should require a room id to be validated (thus default roles being owner and moderator - and admin as well), so with default roles the issue doesn't happen. I'll check if there is something we can do with the permission validation system as a whole, like not allow scoped permission being assigned to not scoped roles..

[julio-rocketchat]

@julio-rocketchat I assume then you have created a new role with create-invite-links permission, right? this permission is "scoped", which means it should require a room id to be validated (thus default roles being owner and moderator - and admin as well), so with default roles the issue doesn't happen. I'll check if there is something we can do with the permission validation system as a whole, like not allow scoped permission being assigned to not scoped roles..

@sampaiodiego for the PoC I gave the user role that permission. It would probably work with newly created roles as well, but haven't tested it yet.

I've thought about creating a new manage-invite-links but that would require migrations and I'm not sure it would be less of a breaking change than this option - and I also think that even if we had a separate permission, increasing the token complexity, making sure it's cryptographically random and separating ID and token are security improvements overall