fix: imported fixes 02-18-2026-002 (#38770)

Signed-off-by: Abhinav Kumar <abhinav@avitechlab.com>
Co-authored-by: Abhinav Kumar <abhinav@avitechlab.com>

Author: julio-rocketchat

apps/meteor/.mocharc.js

@@ -30,5 +30,6 @@ module.exports = {
 		'app/file-upload/server/**/*.spec.ts',
 		'app/statistics/server/**/*.spec.ts',
 		'app/livechat/server/lib/**/*.spec.ts',
+		'app/utils/server/**/*.spec.ts',
 	],
 };

apps/meteor/app/file-upload/server/lib/FileUpload.spec.ts

@@ -11,10 +11,25 @@ const settingsGetMap = new Map();
 const messagesModelStub = {
 	find: sinon.stub(),
 };
+const usersModelStub = {
+	findOneByIdAndLoginToken: sinon.stub(),
+};
+const subscriptionsModelStub = {
+	findOneByRoomIdAndUserId: sinon.stub(),
+};
+const validateAndDecodeJWTStub = sinon.stub();
+const systemLoggerStub = {
+	error: sinon.stub(),
+};
+const roomCoordinatorStub = {
+	getRoomDirectives: sinon.stub(),
+};
 
 const { FileUpload, FileUploadClass } = proxyquire.noCallThru().load('./FileUpload', {
 	'@rocket.chat/models': {
 		Messages: messagesModelStub,
+		Users: usersModelStub,
+		Subscriptions: subscriptionsModelStub,
 	},
 	'meteor/check': sinon.stub(),
 	'meteor/meteor': sinon.stub(),
@@ -23,15 +38,19 @@ const { FileUpload, FileUploadClass } = proxyquire.noCallThru().load('./FileUplo
 	'stream-buffers': sinon.stub(),
 	'@rocket.chat/tools': sinon.stub(),
 	'../../../../server/lib/i18n': sinon.stub(),
-	'../../../../server/lib/logger/system': sinon.stub(),
-	'../../../../server/lib/rooms/roomCoordinator': sinon.stub(),
+	'../../../../server/lib/logger/system': { SystemLogger: systemLoggerStub },
+	'../../../../server/lib/rooms/roomCoordinator': { roomCoordinator: roomCoordinatorStub },
 	'../../../../server/ufs': sinon.stub(),
 	'../../../../server/ufs/ufs-methods': sinon.stub(),
 	'../../../settings/server': { settings: settingsStub },
 	'../../../utils/lib/mimeTypes': sinon.stub(),
-	'../../../utils/server/lib/JWTHelper': sinon.stub(),
+	'../../../utils/server/lib/JWTHelper': {
+		validateAndDecodeJWT: validateAndDecodeJWTStub,
+		generateJWT: sinon.stub(),
+	},
 	'../../../utils/server/restrictions': sinon.stub(),
 	'../../../api/server/lib/MultipartUploadHandler': sinon.stub(),
+	'@rocket.chat/account-utils': { hashLoginToken: sinon.stub().callsFake((token) => `hashed_${token}`) },
 });
 
 describe('FileUpload', () => {
@@ -45,6 +64,13 @@ describe('FileUpload', () => {
 		messagesModelStub.find.reset();
 		fakeStorageModel.findOneById.reset();
 		fakeStorageModel.deleteFile.reset();
+		usersModelStub.findOneByIdAndLoginToken.reset();
+		subscriptionsModelStub.findOneByRoomIdAndUserId.reset();
+		validateAndDecodeJWTStub.reset();
+		systemLoggerStub.error.reset();
+		roomCoordinatorStub.getRoomDirectives.reset();
+		settingsGetMap.clear();
+		settingsGetMap.set('FileUpload_Storage_Type', 'fakeStorage');
 	});
 
 	it('should not remove any file if no room id is provided', async () => {
@@ -101,4 +127,165 @@ describe('FileUpload', () => {
 		expect(fakeStorageModel.deleteFile.calledWith('file-id')).to.be.true;
 		expect(fakeStorageModel.deleteFile.calledWith('thumbnail-id')).to.be.true;
 	});
+
+	describe('requestCanAccessFiles', () => {
+		it('should allow access if FileUpload_ProtectFiles is false', async () => {
+			settingsGetMap.set('FileUpload_ProtectFiles', false);
+
+			const request = {
+				headers: {},
+				url: '/file-upload/test-file-id/test-file.png',
+			} as any;
+
+			const result = await FileUpload.requestCanAccessFiles(request);
+			expect(result).to.be.true;
+		});
+
+		it('should allow access if no url is provided', async () => {
+			settingsGetMap.set('FileUpload_ProtectFiles', true);
+
+			const request = {
+				headers: {},
+				url: undefined,
+			} as any;
+
+			const result = await FileUpload.requestCanAccessFiles(request);
+			expect(result).to.be.true;
+		});
+
+		it('should deny access if FileUpload_Enable_json_web_token_for_files is true but no token is provided', async () => {
+			settingsGetMap.set('FileUpload_ProtectFiles', true);
+			settingsGetMap.set('FileUpload_Enable_json_web_token_for_files', true);
+
+			const request = {
+				headers: {},
+				url: '/file-upload/test-file-id/test-file.png',
+			} as any;
+
+			const file = {
+				_id: 'test-file-id',
+				rid: 'test-room-id',
+			} as any;
+
+			const result = await FileUpload.requestCanAccessFiles(request, file);
+			expect(result).to.be.false;
+		});
+
+		it('should deny access if FileUpload_json_web_token_secret_for_files is not configured', async () => {
+			settingsGetMap.set('FileUpload_ProtectFiles', true);
+			settingsGetMap.set('FileUpload_Enable_json_web_token_for_files', true);
+			settingsGetMap.set('FileUpload_json_web_token_secret_for_files', '');
+
+			const request = {
+				headers: {},
+				url: '/file-upload/test-file-id/test-file.png?token=some-token',
+			} as any;
+
+			const file = {
+				_id: 'test-file-id',
+				rid: 'test-room-id',
+			} as any;
+
+			const result = await FileUpload.requestCanAccessFiles(request, file);
+			expect(result).to.be.false;
+			expect(systemLoggerStub.error.calledOnce).to.be.true;
+		});
+
+		it('should deny access if an invalid token is provided', async () => {
+			settingsGetMap.set('FileUpload_ProtectFiles', true);
+			settingsGetMap.set('FileUpload_Enable_json_web_token_for_files', true);
+			settingsGetMap.set('FileUpload_json_web_token_secret_for_files', 'test-secret');
+			validateAndDecodeJWTStub.returns(null);
+
+			const request = {
+				headers: {},
+				url: '/file-upload/test-file-id/test-file.png?token=invalid-token',
+			} as any;
+
+			const file = {
+				_id: 'test-file-id',
+				rid: 'test-room-id',
+			} as any;
+
+			const result = await FileUpload.requestCanAccessFiles(request, file);
+			expect(result).to.be.false;
+			expect(validateAndDecodeJWTStub.calledOnce).to.be.true;
+		});
+
+		it('should deny access if token is invalid or payload cannot be decoded', async () => {
+			settingsGetMap.set('FileUpload_ProtectFiles', true);
+			settingsGetMap.set('FileUpload_Enable_json_web_token_for_files', true);
+			settingsGetMap.set('FileUpload_json_web_token_secret_for_files', 'test-secret');
+			validateAndDecodeJWTStub.returns(null);
+
+			const request = {
+				headers: {},
+				url: '/file-upload/test-file-id/test-file.png?token=valid-token',
+			} as any;
+
+			const file = {
+				_id: 'test-file-id',
+				rid: 'test-room-id',
+			} as any;
+
+			const result = await FileUpload.requestCanAccessFiles(request, file);
+			expect(result).to.be.false;
+		});
+
+		it('should deny access if the fileId and rid in the token do not match the requested file', async () => {
+			settingsGetMap.set('FileUpload_ProtectFiles', true);
+			settingsGetMap.set('FileUpload_Enable_json_web_token_for_files', true);
+			settingsGetMap.set('FileUpload_json_web_token_secret_for_files', 'test-secret');
+			validateAndDecodeJWTStub.returns({ fileId: 'different-file-id', rid: 'different-room-id', userId: 'test-user-id' });
+
+			const request = {
+				headers: {},
+				url: '/file-upload/test-file-id/test-file.png?token=valid-token',
+			} as any;
+
+			const file = {
+				_id: 'test-file-id',
+				rid: 'test-room-id',
+			} as any;
+
+			const result = await FileUpload.requestCanAccessFiles(request, file);
+			expect(result).to.be.false;
+		});
+
+		it('should deny access if file object is not provided when using JWT', async () => {
+			settingsGetMap.set('FileUpload_ProtectFiles', true);
+			settingsGetMap.set('FileUpload_Enable_json_web_token_for_files', true);
+			settingsGetMap.set('FileUpload_json_web_token_secret_for_files', 'test-secret');
+			validateAndDecodeJWTStub.returns({ fileId: 'test-file-id', rid: 'test-room-id', userId: 'test-user-id' });
+
+			const request = {
+				headers: {},
+				url: '/file-upload/test-file-id/test-file.png?token=valid-token',
+			} as any;
+
+			const result = await FileUpload.requestCanAccessFiles(request, undefined);
+			expect(result).to.be.false;
+		});
+
+		it('should allow access when everything is valid: token is valid, secret configured, and file/room match', async () => {
+			settingsGetMap.set('FileUpload_ProtectFiles', true);
+			settingsGetMap.set('FileUpload_Enable_json_web_token_for_files', true);
+			settingsGetMap.set('FileUpload_json_web_token_secret_for_files', 'test-secret');
+			validateAndDecodeJWTStub.returns({ fileId: 'test-file-id', rid: 'test-room-id', userId: 'test-user-id' });
+
+			const request = {
+				headers: {},
+				url: '/file-upload/test-file-id/test-file.png?token=valid-token',
+			} as any;
+
+			const file = {
+				_id: 'test-file-id',
+				rid: 'test-room-id',
+			} as any;
+
+			const result = await FileUpload.requestCanAccessFiles(request, file);
+			expect(result).to.be.true;
+			expect(validateAndDecodeJWTStub.calledOnceWith('valid-token', 'test-secret')).to.be.true;
+		});
+	});
 });

apps/meteor/app/file-upload/server/lib/FileUpload.ts

@@ -35,7 +35,7 @@ import { MultipartUploadHandler } from '../../../api/server/lib/MultipartUploadH
 import { canAccessRoomAsync, canAccessRoomIdAsync } from '../../../authorization/server/functions/canAccessRoom';
 import { settings } from '../../../settings/server';
 import { mime } from '../../../utils/lib/mimeTypes';
-import { isValidJWT, generateJWT } from '../../../utils/server/lib/JWTHelper';
+import { validateAndDecodeJWT, generateJWT } from '../../../utils/server/lib/JWTHelper';
 import { fileUploadIsValidContentType } from '../../../utils/server/restrictions';
 
 const cookie = new Cookies();
@@ -471,12 +471,36 @@ export const FileUpload = {
 				.getRoomDirectives(rc_room_type)
 				.canAccessUploadedFile({ rc_uid: rc_uid || '', rc_rid: rc_rid || '', rc_token: rc_token || '' });
 
-		const isAuthorizedByJWT = () =>
-			settings.get('FileUpload_Enable_json_web_token_for_files') &&
-			token &&
-			isValidJWT(token as string, settings.get('FileUpload_json_web_token_secret_for_files'));
+		const isAuthorizedByJWT: () => boolean = () => {
+			if (!token || typeof token !== 'string' || !settings.get('FileUpload_Enable_json_web_token_for_files')) {
+				return false;
+			}
+
+			if (!settings.get('FileUpload_json_web_token_secret_for_files')) {
+				SystemLogger.error('FileUpload_json_web_token_secret_for_files is not configured. Cannot validate JWT for file access.');
+				return false;
+			}
+
+			const payload = validateAndDecodeJWT(token, settings.get('FileUpload_json_web_token_secret_for_files'));
+
+			if (!payload) {
+				return false;
+			}
+
+			const { fileId, rid } = payload as { fileId: string; rid: string };
+
+			if (!fileId || !rid) {
+				return false;
+			}
+
+			if (fileId !== file?._id || rid !== file?.rid) {
+				return false;
+			}
+
+			return true;
+		};
 
-		if ((await isAuthorizedByRoom()) || isAuthorizedByJWT()) {
+		if (isAuthorizedByJWT() || (await isAuthorizedByRoom())) {
 			return true;
 		}
 
@@ -659,7 +683,11 @@ export const FileUpload = {
 	},
 
 	generateJWTToFileUrls({ rid, userId, fileId }: { rid: string; userId: string; fileId: string }) {
-		if (!settings.get('FileUpload_ProtectFiles') || !settings.get('FileUpload_Enable_json_web_token_for_files')) {
+		if (
+			!settings.get('FileUpload_ProtectFiles') ||
+			!settings.get('FileUpload_Enable_json_web_token_for_files') ||
+			!settings.get('FileUpload_json_web_token_secret_for_files')
+		) {
 			return;
 		}
 		return generateJWT(