Skip to content

security(passcode): persist attempt counter to MMKV to prevent bypass on remount#7436

Open
Shevilll wants to merge 6 commits into
RocketChat:developfrom
Shevilll:fix/passcode-lockout-bypass
Open

security(passcode): persist attempt counter to MMKV to prevent bypass on remount#7436
Shevilll wants to merge 6 commits into
RocketChat:developfrom
Shevilll:fix/passcode-lockout-bypass

Conversation

@Shevilll

@Shevilll Shevilll commented Jun 25, 2026

Copy link
Copy Markdown

Summary

This PR addresses passcode counter bypasses (Issue #7018) where local component state resets on unmount/remount. By migrating validation and the attempt counter to MMKV secure storage, we close this security gap and ensure persistence across component lifecycles.

Details

  • Migrated the local passcode attempt counter and lockout validation states from component state to MMKV secure storage.
  • Prevents bypasses where users could unmount/remount the component to reset the passcode attempt counter.
  • Implemented robust key handling and validation using helper methods in app/lib/methods/helpers/localAuthentication.ts and app/containers/Passcode/utils.ts.

Summary by CodeRabbit

  • New Features
    • Username edits now use stricter validation based on the server-provided pattern, with clearer feedback when characters are invalid.
  • Bug Fixes
    • Passcode lockout state and timing are now persisted more reliably, improving lock/unlock behavior across sessions.
    • Resetting passcode attempts now clears both the attempt count and lockout timing consistently.
  • Tests
    • Added/updated ProfileView tests to verify invalid username handling and successful resubmission after correction.

Shevilll and others added 4 commits June 22, 2026 16:21
Validate the username field against the server's UTF8_User_Names_Validation
setting (with the default pattern as a fallback) before submitting the profile.
This prevents invalid characters such as spaces from reaching the server, which
previously surfaced only as a generic save error, and shows an inline message
explaining the allowed characters.

Closes RocketChat#1682
Drop the stale isMasterDetail destructured from useAppSelector (the
selector no longer returns it) so only the useMasterDetail() hook
declares it, fixing the no-redeclare lint/build failure introduced by
merging develop. Also annotate isValidUsername with an explicit boolean
return type per the TS guideline.
@coderabbitai

coderabbitai Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@Shevilll, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 55 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4e375983-191f-40e2-a98a-b4b42dd9f0d8

📥 Commits

Reviewing files that changed from the base of the PR and between 6b6b487 and 674d0fa.

📒 Files selected for processing (1)
  • app/containers/Passcode/utils.ts

Walkthrough

Passcode lockout state now uses UserPreferences for attempts and lock timestamps. ProfileView now validates usernames against a server-provided pattern with a fallback default, adds a validation message, and updates tests for invalid and corrected submissions.

Changes

Passcode lockout persistence

Layer / File(s) Summary
Lockout storage helpers
app/containers/Passcode/utils.ts, app/lib/methods/helpers/localAuthentication.ts
getLockedUntil() reads the stored lockout timestamp from UserPreferences, and resetAttempts() removes both lockout keys through UserPreferences.
Passcode entry persistence
app/containers/Passcode/PasscodeEnter.tsx
PasscodeEnter reads attempts from UserPreferences, reloads lockedUntil through getLockedUntil(), and stores failed-attempt updates back in UserPreferences.

Username validation in ProfileView

Layer / File(s) Summary
Username validation rule
app/views/ProfileView/index.tsx, app/i18n/locales/en.json
ProfileView loads UTF8_User_Names_Validation, validates usernames against the server pattern with a default-regex fallback, and adds the Username_invalid message.
Submit validation tests
app/views/ProfileView/index.test.tsx
The submit tests mock the validation setting and cover invalid username rejection plus saving after correction.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Suggested labels: type: bug

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects the main passcode change: persisting attempt state to MMKV to prevent remount bypasses.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🧹 Nitpick comments (1)
app/views/ProfileView/index.test.tsx (1)

125-134: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Exercise the correction flow in the same render.

This test starts from a clean form, so it never proves that the Username_invalid error clears after a failed submit. A regression where the old error keeps submit blocked would still pass here. Submit an invalid username first in the same render, then correct it and assert that saveUserProfile is finally called.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@app/views/ProfileView/index.test.tsx` around lines 125 - 134, The ProfileView
username test only covers a clean valid submission and misses the correction
path; update the `saves when the username is corrected to a valid value` test to
use the same `renderProfile()` instance for an initial invalid submit, verify
the `Username_invalid` state is exercised, then change the username to a valid
value and submit again so `saveUserProfile` is only called after the error
clears. Keep the fix within the existing `ProfileView` test helpers and
assertions (`renderProfile`, `saveUserProfile`, `profile-view-username`,
`profile-view-submit`).
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@app/containers/Passcode/PasscodeEnter.tsx`:
- Line 22: The passcode lockout logic in PasscodeEnter is using a stale attempts
value captured at render time, so repeated failures never reach MAX_ATTEMPTS
while the component stays mounted. Update onEndProcess to read the latest
persisted count from UserPreferences with parseInt on each failed attempt, then
compute nextAttempts from that fresh value before writing it back and checking
the lockout condition. Keep the fix centered around PasscodeEnter and its
onEndProcess failure path so the counter reflects every attempt correctly.

In `@app/containers/Passcode/utils.ts`:
- Around line 1-12: Resolve the ESLint issues in getLockedUntil within the
Passcode utils module by removing the unnecessary blank line inside the import
block and making getLockedUntil a non-async arrow function since it only calls
the synchronous UserPreferences.getString and has no await. Keep the existing
return shape intact so PasscodeEnter.tsx can continue to call getLockedUntil
without any behavioral change.

In `@app/i18n/locales/en.json`:
- Line 1005: Update the Username_invalid copy in the locale entry used by
ProfileView so it no longer mentions specific allowed characters from the
default fallback regex. The validation now uses UTF8_User_Names_Validation, so
make the message generic and accurate for all server-configured username rules;
locate the string by the Username_invalid key and replace it with neutral
wording such as an invalid-characters message.

In `@app/views/ProfileView/index.tsx`:
- Around line 95-102: The username validation in ProfileView’s validationSchema
currently applies the UTF8_User_Names_Validation regex on every submit, even
when username is unchanged or not editable. Update the yup test on username so
it only runs isValidUsername when the field is actually being edited or has
changed from its original value, and otherwise skips the regex check while still
preserving the required rule and other validations.

---

Nitpick comments:
In `@app/views/ProfileView/index.test.tsx`:
- Around line 125-134: The ProfileView username test only covers a clean valid
submission and misses the correction path; update the `saves when the username
is corrected to a valid value` test to use the same `renderProfile()` instance
for an initial invalid submit, verify the `Username_invalid` state is exercised,
then change the username to a valid value and submit again so `saveUserProfile`
is only called after the error clears. Keep the fix within the existing
`ProfileView` test helpers and assertions (`renderProfile`, `saveUserProfile`,
`profile-view-username`, `profile-view-submit`).
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2faf29fa-107c-4bb1-bc17-00c51971af09

📥 Commits

Reviewing files that changed from the base of the PR and between da389be and 66bf48a.

📒 Files selected for processing (6)
  • app/containers/Passcode/PasscodeEnter.tsx
  • app/containers/Passcode/utils.ts
  • app/i18n/locales/en.json
  • app/lib/methods/helpers/localAuthentication.ts
  • app/views/ProfileView/index.test.tsx
  • app/views/ProfileView/index.tsx
📜 Review details
🧰 Additional context used
📓 Path-based instructions (7)
**/*.{js,ts,jsx,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{js,ts,jsx,tsx}: Use descriptive names for functions, variables, and classes that clearly convey their purpose
Write comments that explain the 'why' behind code decisions, not the 'what'
Keep functions small and focused on a single responsibility
Use const by default, let when reassignment is needed, and avoid var
Prefer async/await over .then() chains for handling asynchronous operations
Use explicit error handling with try/catch blocks for async operations
Avoid deeply nested code; refactor complex logic into helper functions

Files:

  • app/views/ProfileView/index.test.tsx
  • app/lib/methods/helpers/localAuthentication.ts
  • app/views/ProfileView/index.tsx
  • app/containers/Passcode/utils.ts
  • app/containers/Passcode/PasscodeEnter.tsx
**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx}: Use TypeScript for type safety; add explicit type annotations to function parameters and return types
Prefer interfaces over type aliases for defining object shapes in TypeScript
Use enums for sets of related constants rather than magic strings or numbers

Use TypeScript with strict mode enabled

Files:

  • app/views/ProfileView/index.test.tsx
  • app/lib/methods/helpers/localAuthentication.ts
  • app/views/ProfileView/index.tsx
  • app/containers/Passcode/utils.ts
  • app/containers/Passcode/PasscodeEnter.tsx
**/*.{js,jsx,ts,tsx,json}

📄 CodeRabbit inference engine (CLAUDE.md)

Use Prettier formatting with tabs, single quotes, 130 character line width, no trailing commas, and avoid arrow function parentheses

Files:

  • app/views/ProfileView/index.test.tsx
  • app/i18n/locales/en.json
  • app/lib/methods/helpers/localAuthentication.ts
  • app/views/ProfileView/index.tsx
  • app/containers/Passcode/utils.ts
  • app/containers/Passcode/PasscodeEnter.tsx
**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Enforce ESLint rules from @rocket.chat/eslint-config with React, React Native, TypeScript, and Jest plugins

Files:

  • app/views/ProfileView/index.test.tsx
  • app/lib/methods/helpers/localAuthentication.ts
  • app/views/ProfileView/index.tsx
  • app/containers/Passcode/utils.ts
  • app/containers/Passcode/PasscodeEnter.tsx
app/views/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Place screen components in 'app/views/' directory

Files:

  • app/views/ProfileView/index.test.tsx
  • app/views/ProfileView/index.tsx
app/i18n/**/*.{ts,tsx,json}

📄 CodeRabbit inference engine (CLAUDE.md)

Place internationalization (i18n) configuration in 'app/i18n/' directory with support for 40+ locales and RTL

Files:

  • app/i18n/locales/en.json
app/containers/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Place reusable UI components in 'app/containers/' directory

Files:

  • app/containers/Passcode/utils.ts
  • app/containers/Passcode/PasscodeEnter.tsx
🧠 Learnings (2)
📚 Learning: 2026-04-30T17:07:51.020Z
Learnt from: diegolmello
Repo: RocketChat/Rocket.Chat.ReactNative PR: 7274
File: app/lib/services/voip/MediaCallEvents.ts:0-0
Timestamp: 2026-04-30T17:07:51.020Z
Learning: In this Rocket.Chat React Native codebase, the ESLint rule `no-void: error` is enforced. When you see a promise returned from an async call that is not awaited (a “floating promise”), do not silence it with the `void somePromise()` pattern. Instead, handle the promise explicitly by attaching `.catch(...)` (or otherwise awaiting/handling the error) so unhandled-rejection risks are addressed in a way that satisfies the existing ESLint configuration.

Applied to files:

  • app/views/ProfileView/index.test.tsx
  • app/lib/methods/helpers/localAuthentication.ts
  • app/views/ProfileView/index.tsx
  • app/containers/Passcode/utils.ts
  • app/containers/Passcode/PasscodeEnter.tsx
📚 Learning: 2026-06-24T22:58:43.390Z
Learnt from: Rohit3523
Repo: RocketChat/Rocket.Chat.ReactNative PR: 7157
File: app/views/MessagesView/index.tsx:392-392
Timestamp: 2026-06-24T22:58:43.390Z
Learning: When wrapping a React Native component (e.g., via `withSafeAreaInsets`) ensure `hoistNonReactStatics` is only required if the wrapped component actually defines static properties/methods that consumers rely on. If the component has no statics (as in `app/views/MessagesView/index.tsx`), you can omit `hoistNonReactStatics` for this case.

Applied to files:

  • app/views/ProfileView/index.test.tsx
  • app/views/ProfileView/index.tsx
🪛 ESLint
app/containers/Passcode/utils.ts

[error] 1-1: There should be no empty line within import group

(import/order)


[error] 6-6: Async arrow function has no 'await' expression.

(require-await)

🔇 Additional comments (1)
app/lib/methods/helpers/localAuthentication.ts (1)

50-54: LGTM!

Comment thread app/containers/Passcode/PasscodeEnter.tsx Outdated
Comment thread app/containers/Passcode/utils.ts
Comment thread app/i18n/locales/en.json
"User_not_found_or": "User not found or incorrect password",
"User_sent_an_attachment": "{{user}} sent an attachment",
"Username": "Username",
"Username_invalid": "Use only letters, numbers, dots, hyphens and underscores",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Make the validation message regex-agnostic.

ProfileView now validates against UTF8_User_Names_Validation, but this copy still describes only the default [0-9a-zA-Z-_.]+ fallback. On servers with customized username rules, users will get the wrong guidance. A generic message like “Username contains invalid characters” would stay accurate.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@app/i18n/locales/en.json` at line 1005, Update the Username_invalid copy in
the locale entry used by ProfileView so it no longer mentions specific allowed
characters from the default fallback regex. The validation now uses
UTF8_User_Names_Validation, so make the message generic and accurate for all
server-configured username rules; locate the string by the Username_invalid key
and replace it with neutral wording such as an invalid-characters message.

Comment on lines +95 to +102
const validationSchema = yup.object().shape({
name: yup.string().required(I18n.t('Name_required')),
email: yup.string().email(I18n.t('Email_must_be_a_valid_email')).required(I18n.t('Email_required')),
username: yup
.string()
.required(I18n.t('Username_required'))
.test('valid-username', I18n.t('Username_invalid'), value => isValidUsername(value ?? '', UTF8_User_Names_Validation))
});

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Skip regex validation for unchanged usernames.

This check runs on every submit, even when the user cannot edit username or leaves it unchanged. If an admin tightens UTF8_User_Names_Validation after an account was created, a legacy username can fail local validation and block saving unrelated profile changes. Only apply the regex when the username is actually being edited.

Suggested fix
 	username: yup
 		.string()
 		.required(I18n.t('Username_required'))
-		.test('valid-username', I18n.t('Username_invalid'), value => isValidUsername(value ?? '', UTF8_User_Names_Validation))
+		.test('valid-username', I18n.t('Username_invalid'), value => {
+			if (!value || value === user?.username || !Accounts_AllowUsernameChange) {
+				return true;
+			}
+			return isValidUsername(value, UTF8_User_Names_Validation);
+		})
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
const validationSchema = yup.object().shape({
name: yup.string().required(I18n.t('Name_required')),
email: yup.string().email(I18n.t('Email_must_be_a_valid_email')).required(I18n.t('Email_required')),
username: yup
.string()
.required(I18n.t('Username_required'))
.test('valid-username', I18n.t('Username_invalid'), value => isValidUsername(value ?? '', UTF8_User_Names_Validation))
});
const validationSchema = yup.object().shape({
name: yup.string().required(I18n.t('Name_required')),
email: yup.string().email(I18n.t('Email_must_be_a_valid_email')).required(I18n.t('Email_required')),
username: yup
.string()
.required(I18n.t('Username_required'))
.test('valid-username', I18n.t('Username_invalid'), value => {
if (!value || value === user?.username || !Accounts_AllowUsernameChange) {
return true;
}
return isValidUsername(value, UTF8_User_Names_Validation);
})
});
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@app/views/ProfileView/index.tsx` around lines 95 - 102, The username
validation in ProfileView’s validationSchema currently applies the
UTF8_User_Names_Validation regex on every submit, even when username is
unchanged or not editable. Update the yup test on username so it only runs
isValidUsername when the field is actually being edited or has changed from its
original value, and otherwise skips the regex check while still preserving the
required rule and other validations.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@app/containers/Passcode/utils.ts`:
- Around line 5-8: Validate the persisted value in getLockedUntil before
converting it to a Date, and return null or an unset value when
UserPreferences.getString(LOCKED_OUT_TIMER_KEY) is missing or invalid so
downstream getDiff calls do not see an invalid date. Update the getLockedUntil
export in app/containers/Passcode/utils.ts to include an explicit return type,
and use the same guard around the dayjs(t).add(...) path to ensure only a valid
timestamp is returned.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 62b82e31-82d5-49f0-b01b-a751e397aa1d

📥 Commits

Reviewing files that changed from the base of the PR and between 66bf48a and 6b6b487.

📒 Files selected for processing (3)
  • app/containers/Passcode/PasscodeEnter.tsx
  • app/containers/Passcode/utils.ts
  • app/views/ProfileView/index.test.tsx
🚧 Files skipped from review as they are similar to previous changes (2)
  • app/views/ProfileView/index.test.tsx
  • app/containers/Passcode/PasscodeEnter.tsx
📜 Review details
🧰 Additional context used
📓 Path-based instructions (5)
**/*.{js,ts,jsx,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{js,ts,jsx,tsx}: Use descriptive names for functions, variables, and classes that clearly convey their purpose
Write comments that explain the 'why' behind code decisions, not the 'what'
Keep functions small and focused on a single responsibility
Use const by default, let when reassignment is needed, and avoid var
Prefer async/await over .then() chains for handling asynchronous operations
Use explicit error handling with try/catch blocks for async operations
Avoid deeply nested code; refactor complex logic into helper functions

Files:

  • app/containers/Passcode/utils.ts
**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx}: Use TypeScript for type safety; add explicit type annotations to function parameters and return types
Prefer interfaces over type aliases for defining object shapes in TypeScript
Use enums for sets of related constants rather than magic strings or numbers

Use TypeScript with strict mode enabled

Files:

  • app/containers/Passcode/utils.ts
**/*.{js,jsx,ts,tsx,json}

📄 CodeRabbit inference engine (CLAUDE.md)

Use Prettier formatting with tabs, single quotes, 130 character line width, no trailing commas, and avoid arrow function parentheses

Files:

  • app/containers/Passcode/utils.ts
**/*.{js,jsx,ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Enforce ESLint rules from @rocket.chat/eslint-config with React, React Native, TypeScript, and Jest plugins

Files:

  • app/containers/Passcode/utils.ts
app/containers/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Place reusable UI components in 'app/containers/' directory

Files:

  • app/containers/Passcode/utils.ts
🧠 Learnings (1)
📚 Learning: 2026-04-30T17:07:51.020Z
Learnt from: diegolmello
Repo: RocketChat/Rocket.Chat.ReactNative PR: 7274
File: app/lib/services/voip/MediaCallEvents.ts:0-0
Timestamp: 2026-04-30T17:07:51.020Z
Learning: In this Rocket.Chat React Native codebase, the ESLint rule `no-void: error` is enforced. When you see a promise returned from an async call that is not awaited (a “floating promise”), do not silence it with the `void somePromise()` pattern. Instead, handle the promise explicitly by attaching `.catch(...)` (or otherwise awaiting/handling the error) so unhandled-rejection risks are addressed in a way that satisfies the existing ESLint configuration.

Applied to files:

  • app/containers/Passcode/utils.ts

Comment thread app/containers/Passcode/utils.ts Outdated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant