chore: Update coerceTypes to false and modify mocharc settings (RocketChat#39559)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Guilherme Gazzo <guilhermegazzo@gmail.com>
Co-authored-by: Guilherme Gazzo <guilherme@gazzo.xyz>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: 3 people

.changeset/strict-ajv-coercion.md

@@ -0,0 +1,16 @@
+---
+"@rocket.chat/rest-typings": minor
+"@rocket.chat/meteor": patch
+---
+
+Splits the single AJV validator instance into two: `ajv` (coerceTypes: false) for request **body** validation and `ajvQuery` (coerceTypes: true) for **query parameter** validation.
+
+**Why this matters:** Previously, a single AJV instance with `coerceTypes: true` was used everywhere. This silently accepted values with wrong types — for example, sending `{ "rid": 12345 }` (number) where a string was expected would pass validation because `12345` was coerced to `"12345"`. With this change, body validation is now strict: the server will reject payloads with incorrect types instead of silently coercing them.
+
+**What may break for API consumers:**
+
+- **Numeric values sent as strings in POST/PUT/PATCH bodies** (e.g., `{ "count": "10" }` instead of `{ "count": 10 }`) will now be rejected. Ensure JSON bodies use proper types.
+- **Boolean values sent as strings in bodies** (e.g., `{ "readThreads": "true" }` instead of `{ "readThreads": true }`) will now be rejected.
+- **`null` values where a string is expected** (e.g., `{ "name": null }` for a `type: 'string'` field without `nullable: true`) will no longer be coerced to `""`.
+
+**No change for query parameters:** GET query params (e.g., `?count=10&offset=0`) continue to be coerced via `ajvQuery`, since HTTP query strings are always strings.

apps/meteor/.mocharc.api.js

@@ -7,7 +7,7 @@
 module.exports = /** @satisfies {import('mocha').MochaOptions} */ ({
 	...require('./.mocharc.base.json'), // see https://github.com/mochajs/mocha/issues/3916
 	timeout: 10000,
-	bail: true,
+	bail: false,
 	retries: 0,
 	file: 'tests/end-to-end/teardown.ts',
 	spec: ['tests/end-to-end/api/*.ts', 'tests/end-to-end/api/helpers/**/*', 'tests/end-to-end/api/methods/**/*', 'tests/end-to-end/apps/*'],

apps/meteor/app/api/server/ajv.ts

@@ -1,11 +1,13 @@
 import { schemas } from '@rocket.chat/core-typings';
-import { ajv } from '@rocket.chat/rest-typings';
+import { ajv, ajvQuery } from '@rocket.chat/rest-typings';
 
 const components = schemas.components?.schemas;
 if (components) {
 	for (const key in components) {
 		if (Object.prototype.hasOwnProperty.call(components, key)) {
-			ajv.addSchema(components[key], `#/components/schemas/${key}`);
+			const uri = `#/components/schemas/${key}`;
+			ajv.addSchema(components[key], uri);
+			ajvQuery.addSchema(components[key], uri);
 		}
 	}
 }

apps/meteor/app/api/server/v1/call-history.ts

@@ -3,6 +3,7 @@ import { CallHistory, MediaCalls } from '@rocket.chat/models';
 import type { PaginatedRequest, PaginatedResult } from '@rocket.chat/rest-typings';
 import {
 	ajv,
+	ajvQuery,
 	validateNotFoundErrorResponse,
 	validateBadRequestErrorResponse,
 	validateUnauthorizedErrorResponse,
@@ -61,7 +62,7 @@ const CallHistoryListSchema = {
 	additionalProperties: false,
 };
 
-export const isCallHistoryListProps = ajv.compile<CallHistoryList>(CallHistoryListSchema);
+export const isCallHistoryListProps = ajvQuery.compile<CallHistoryList>(CallHistoryListSchema);
 
 const callHistoryListEndpoints = API.v1.get(
 	'call-history.list',
@@ -185,7 +186,7 @@ const CallHistoryInfoSchema = {
 	],
 };
 
-export const isCallHistoryInfoProps = ajv.compile<CallHistoryInfo>(CallHistoryInfoSchema);
+export const isCallHistoryInfoProps = ajvQuery.compile<CallHistoryInfo>(CallHistoryInfoSchema);
 
 const callHistoryInfoEndpoints = API.v1.get(
 	'call-history.info',

apps/meteor/app/api/server/v1/commands.ts

@@ -2,7 +2,7 @@ import { Apps } from '@rocket.chat/apps';
 import type { SlashCommand } from '@rocket.chat/core-typings';
 import { Messages } from '@rocket.chat/models';
 import { Random } from '@rocket.chat/random';
-import { ajv, validateUnauthorizedErrorResponse, validateBadRequestErrorResponse } from '@rocket.chat/rest-typings';
+import { ajv, ajvQuery, validateUnauthorizedErrorResponse, validateBadRequestErrorResponse } from '@rocket.chat/rest-typings';
 import objectPath from 'object-path';
 
 import { canAccessRoomIdAsync } from '../../../authorization/server/functions/canAccessRoom';
@@ -24,7 +24,7 @@ const CommandsGetParamsSchema = {
 	additionalProperties: false,
 };
 
-const isCommandsGetParams = ajv.compile<CommandsGetParams>(CommandsGetParamsSchema);
+const isCommandsGetParams = ajvQuery.compile<CommandsGetParams>(CommandsGetParamsSchema);
 
 const commandsEndpoints = API.v1.get(
 	'commands.get',

apps/meteor/app/api/server/v1/custom-user-status.ts

@@ -1,6 +1,6 @@
 import type { ICustomUserStatus } from '@rocket.chat/core-typings';
 import { CustomUserStatus } from '@rocket.chat/models';
-import { ajv, validateUnauthorizedErrorResponse, validateBadRequestErrorResponse } from '@rocket.chat/rest-typings';
+import { ajv, ajvQuery, validateUnauthorizedErrorResponse, validateBadRequestErrorResponse } from '@rocket.chat/rest-typings';
 import type { PaginatedRequest, PaginatedResult } from '@rocket.chat/rest-typings';
 import { escapeRegExp } from '@rocket.chat/string-helpers';
 import { Match, check } from 'meteor/check';
@@ -46,7 +46,7 @@ const CustomUserStatusListSchema = {
 	additionalProperties: false,
 };
 
-const isCustomUserStatusListProps = ajv.compile<CustomUserStatusListProps>(CustomUserStatusListSchema);
+const isCustomUserStatusListProps = ajvQuery.compile<CustomUserStatusListProps>(CustomUserStatusListSchema);
 
 const customUserStatusEndpoints = API.v1.get(
 	'custom-user-status.list',

apps/meteor/app/api/server/v1/e2e.ts

@@ -2,6 +2,7 @@ import type { IRoom, ISubscription, IUser } from '@rocket.chat/core-typings';
 import { Subscriptions, Users } from '@rocket.chat/models';
 import {
 	ajv,
+	ajvQuery,
 	validateUnauthorizedErrorResponse,
 	validateBadRequestErrorResponse,
 	validateForbiddenErrorResponse,
@@ -164,7 +165,9 @@ const ise2eGetUsersOfRoomWithoutKeyParamsGET = ajv.compile<e2eGetUsersOfRoomWith
 
 const ise2eUpdateGroupKeyParamsPOST = ajv.compile<e2eUpdateGroupKeyParamsPOST>(e2eUpdateGroupKeyParamsPOSTSchema);
 
-const isE2EFetchUsersWaitingForGroupKeyProps = ajv.compile<E2EFetchUsersWaitingForGroupKeyProps>(E2EFetchUsersWaitingForGroupKeySchema);
+const isE2EFetchUsersWaitingForGroupKeyProps = ajvQuery.compile<E2EFetchUsersWaitingForGroupKeyProps>(
+	E2EFetchUsersWaitingForGroupKeySchema,
+);
 
 const isE2EProvideUsersGroupKeyProps = ajv.compile<E2EProvideUsersGroupKeyProps>(E2EProvideUsersGroupKeySchema);
 
@@ -457,7 +460,6 @@ const e2eEndpoints = API.v1
 			},
 		},
 		async function action() {
-			// eslint-disable-next-line @typescript-eslint/naming-convention
 			const { public_key, private_key, force } = this.bodyParams;
 
 			await setUserPublicAndPrivateKeysMethod(this.userId, {

apps/meteor/app/api/server/v1/misc.ts

@@ -348,7 +348,7 @@ const spotlightResponseSchema = ajv.compile<{
 					statusText: { type: 'string' },
 					avatarETag: { type: 'string' },
 				},
-				required: ['_id', 'name', 'username', 'status', 'statusText'],
+				required: ['_id', 'name', 'username', 'status'],
 				additionalProperties: true,
 			},
 		},

apps/meteor/app/api/server/v1/oauthapps.ts

@@ -2,6 +2,7 @@ import type { IOAuthApps } from '@rocket.chat/core-typings';
 import { OAuthApps } from '@rocket.chat/models';
 import {
 	ajv,
+	ajvQuery,
 	validateUnauthorizedErrorResponse,
 	validateBadRequestErrorResponse,
 	validateForbiddenErrorResponse,
@@ -114,14 +115,14 @@ const oauthAppsGetParamsSchema = {
 	],
 };
 
-const isOauthAppsGetParams = ajv.compile<OauthAppsGetParams>(oauthAppsGetParamsSchema);
+const isOauthAppsGetParams = ajvQuery.compile<OauthAppsGetParams>(oauthAppsGetParamsSchema);
 
 const oauthAppsEndpoints = API.v1
 	.get(
 		'oauth-apps.list',
 		{
 			authRequired: true,
-			query: ajv.compile<{ uid?: string }>({
+			query: ajvQuery.compile<{ uid?: string }>({
 				type: 'object',
 				properties: {
 					uid: {

apps/meteor/app/api/server/v1/permissions.ts

@@ -2,6 +2,7 @@ import type { IPermission } from '@rocket.chat/core-typings';
 import { Permissions, Roles } from '@rocket.chat/models';
 import {
 	ajv,
+	ajvQuery,
 	validateUnauthorizedErrorResponse,
 	validateBadRequestErrorResponse,
 	validateForbiddenErrorResponse,
@@ -57,7 +58,7 @@ const permissionUpdatePropsSchema = {
 	additionalProperties: false,
 };
 
-const isPermissionsListAll = ajv.compile<PermissionsListAllProps>(permissionListAllSchema);
+const isPermissionsListAll = ajvQuery.compile<PermissionsListAllProps>(permissionListAllSchema);
 
 const isBodyParamsValidPermissionUpdate = ajv.compile<PermissionsUpdateProps>(permissionUpdatePropsSchema);