code · pull · Jan 8, 2026 · Jan 8, 2026 · Jan 8, 2026 · Jan 8, 2026
diff --git a/.changeset/fifty-starfishes-collect.md b/.changeset/fifty-starfishes-collect.md
@@ -0,0 +1,5 @@
+---
+"@rocket.chat/meteor": patch
+---
+
+Fixes browser slowdowns by preventing a rare cascading of language preference updates when multiple tabs reload
diff --git a/.changeset/nervous-clouds-carry.md b/.changeset/nervous-clouds-carry.md
@@ -0,0 +1,6 @@
+---
+'@rocket.chat/ui-client': minor
+'@rocket.chat/meteor': minor
+---
+
+Enables the password policy by default to ensure security by default and alters SetupWizard to handle errors
diff --git a/.changeset/soft-dryers-count.md b/.changeset/soft-dryers-count.md
@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Changes users.getAvatar endpoint to prevent unauthorized access.
diff --git a/apps/meteor/app/api/server/v1/users.ts b/apps/meteor/app/api/server/v1/users.ts
@@ -81,7 +81,7 @@ import { findPaginatedUsersByStatus, findUsersToAutocomplete, getInclusiveFields
 
 API.v1.addRoute(
 	'users.getAvatar',
-	{ authRequired: false },
+	{ authRequired: true },
 	{
 		async get() {
 			const user = await getUserFromParams(this.queryParams);

diff --git a/apps/meteor/app/integrations/server/api/api.ts b/apps/meteor/app/integrations/server/api/api.ts
@@ -14,11 +14,15 @@ import { APIClass } from '../../../api/server/ApiClass';
 import type { RateLimiterOptions } from '../../../api/server/api';
 import { API, defaultRateLimiterOptions } from '../../../api/server/api';
 import type { FailureResult, GenericRouteExecutionContext, SuccessResult, UnavailableResult } from '../../../api/server/definition';
+import { loggerMiddleware } from '../../../api/server/middlewares/logger';
+import { metricsMiddleware } from '../../../api/server/middlewares/metrics';
+import { tracerSpanMiddleware } from '../../../api/server/middlewares/tracer';
 import type { WebhookResponseItem } from '../../../lib/server/functions/processWebhookMessage';
 import { processWebhookMessage } from '../../../lib/server/functions/processWebhookMessage';
+import { metrics } from '../../../metrics/server';
 import { settings } from '../../../settings/server';
 import { IsolatedVMScriptEngine } from '../lib/isolated-vm/isolated-vm';
-import { incomingLogger } from '../logger';
+import { incomingLogger, integrationLogger } from '../logger';
 import { addOutgoingIntegration } from '../methods/outgoing/addOutgoingIntegration';
 import { deleteOutgoingIntegration } from '../methods/outgoing/deleteOutgoingIntegration';
 
@@ -247,8 +251,9 @@ async function executeIntegrationRest(
 			return API.v1.success({ responses: messageResponse });
 		}
 		return API.v1.success();
-	} catch ({ error, message }: any) {
-		return API.v1.failure(error || message);
+	} catch (err: any) {
+		incomingLogger.error({ msg: 'Error processing webhook message', err });
+		return API.v1.failure(err?.error || err?.message || 'Unknown error');
 	}
 }
 
@@ -378,6 +383,11 @@ const Api = new WebHookAPI({
 	prettyJson: process.env.NODE_ENV === 'development',
 });
 
+Api.router
+	.use(loggerMiddleware(integrationLogger))
+	.use(metricsMiddleware({ basePathRegex: new RegExp(/^\/hooks\//), api: Api, settings, summary: metrics.rocketchatRestApi }))
+	.use(tracerSpanMiddleware);
+
 const middleware = async (c: Context, next: Next): Promise<void> => {
 	const { req } = c;
 	if (req.raw.headers.get('content-type') !== 'application/x-www-form-urlencoded') {

diff --git a/apps/meteor/app/integrations/server/logger.ts b/apps/meteor/app/integrations/server/logger.ts
@@ -1,6 +1,6 @@
 import { Logger } from '@rocket.chat/logger';
 
-const logger = new Logger('Integrations');
+export const integrationLogger = new Logger('Integrations');
 
-export const incomingLogger = logger.section('Incoming WebHook');
-export const outgoingLogger = logger.section('Outgoing WebHook');
+export const incomingLogger = integrationLogger.section('Incoming WebHook');
+export const outgoingLogger = integrationLogger.section('Outgoing WebHook');
diff --git a/apps/meteor/client/providers/UserProvider/UserProvider.tsx b/apps/meteor/client/providers/UserProvider/UserProvider.tsx
@@ -4,7 +4,7 @@ import { useLocalStorage } from '@rocket.chat/fuselage-hooks';
 import { createPredicateFromFilter } from '@rocket.chat/mongo-adapter';
 import { afterLogoutCleanUpCallback } from '@rocket.chat/ui-client';
 import type { FindOptions, SubscriptionWithRoom } from '@rocket.chat/ui-contexts';
-import { UserContext, useEndpoint, useRouteParameter, useSearchParameter } from '@rocket.chat/ui-contexts';
+import { UserContext, useRouteParameter, useSearchParameter } from '@rocket.chat/ui-contexts';
 import { useQueryClient } from '@tanstack/react-query';
 import { Accounts } from 'meteor/accounts-base';
 import { Meteor } from 'meteor/meteor';
@@ -79,8 +79,6 @@ const UserProvider = ({ children }: UserProviderProps): ReactElement => {
 	const samlCredentialToken = useSearchParameter('saml_idp_credentialToken');
 	const inviteTokenHash = useRouteParameter('hash');
 
-	const setUserPreferences = useEndpoint('POST', '/v1/users.setPreferences');
-
 	useEmailVerificationWarning(user ?? undefined);
 	useClearRemovedRoomsHistory(userId);
 
@@ -156,17 +154,22 @@ const UserProvider = ({ children }: UserProviderProps): ReactElement => {
 		[userId, user, querySubscription, querySubscriptions],
 	);
 
+	// Mirror local preference changes into the live userLanguage state without hitting the server.
 	useEffect(() => {
-		if (!!userId && preferedLanguage !== userLanguage) {
-			setUserPreferences({ data: { language: preferedLanguage } });
-			setUserLanguage(preferedLanguage);
+		if (preferedLanguage === userLanguage) {
+			return;
 		}
 
+		setUserLanguage(preferedLanguage);
+	}, [preferedLanguage, setUserLanguage, userLanguage]);
+
+	// When the server reports a new language, overwrite both storage keys so every tab stays aligned.
+	useEffect(() => {
 		if (user?.language !== undefined && user.language !== userLanguage) {
 			setUserLanguage(user.language);
 			setPreferedLanguage(user.language);
 		}
-	}, [preferedLanguage, setPreferedLanguage, setUserLanguage, user?.language, userLanguage, userId, setUserPreferences]);
+	}, [setPreferedLanguage, setUserLanguage, user?.language, userLanguage]);
 
 	useEffect(() => {
 		if (!samlCredentialToken && !inviteTokenHash) {

diff --git a/apps/meteor/server/settings/accounts.ts b/apps/meteor/server/settings/accounts.ts
@@ -809,7 +809,7 @@ export const createAccountSettings = () =>
 		});
 
 		await this.section('Password_Policy', async function () {
-			await this.add('Accounts_Password_Policy_Enabled', false, {
+			await this.add('Accounts_Password_Policy_Enabled', true, {
 				type: 'boolean',
 				public: true,
 			});
@@ -820,7 +820,7 @@ export const createAccountSettings = () =>
 				public: true,
 			};
 
-			await this.add('Accounts_Password_Policy_MinLength', 7, {
+			await this.add('Accounts_Password_Policy_MinLength', 14, {
 				type: 'int',
 				public: true,
 				enableQuery,

diff --git a/apps/meteor/tests/data/user.ts b/apps/meteor/tests/data/user.ts
@@ -1,7 +1,7 @@
 import type { Credentials } from '@rocket.chat/api-client';
 import type { IUser } from '@rocket.chat/core-typings';
 
-export const password = 'rocket.chat';
+export const password = 'R0ck3t.ch@tP@ssw0rd1234.!';
 export const adminUsername = 'rocketchat.internal.admin.test';
 export const adminEmail = `${adminUsername}@rocket.chat`;
 export const adminPassword = adminUsername;

diff --git a/apps/meteor/tests/e2e/account-security.spec.ts b/apps/meteor/tests/e2e/account-security.spec.ts
@@ -8,22 +8,32 @@ import { test, expect } from './utils/test';
 
 test.use({ storageState: Users.admin.state });
 
-const RANDOM_PASSWORD = faker.string.alphanumeric(10);
+const RANDOM_PASSWORD = faker.helpers
+	.shuffle([
+		faker.string.alpha({ casing: 'upper' }),
+		faker.string.alpha({ casing: 'lower' }),
+		faker.string.numeric(),
+		faker.string.symbol(),
+		faker.string.alphanumeric(10),
+	])
+	.join('');
 
 test.describe.serial('account-security', () => {
 	let poAccountSecurity: AccountSecurity;
 
-	test.beforeEach(async ({ page }) => {
+	test.beforeEach(async ({ page, api }) => {
 		poAccountSecurity = new AccountSecurity(page);
 		await page.goto('/account/security');
 		await page.waitForSelector('#main-content');
+		await setSettingValueById(api, 'Accounts_Password_Policy_Enabled', false);
 	});
 
 	test.afterAll(async ({ api }) =>
 		Promise.all([
 			setSettingValueById(api, 'Accounts_AllowPasswordChange', true),
 			setSettingValueById(api, 'Accounts_TwoFactorAuthentication_Enabled', true),
 			setSettingValueById(api, 'E2E_Enable', false),
+			setSettingValueById(api, 'Accounts_Password_Policy_Enabled', true),
 		]),
 	);
 

diff --git a/apps/meteor/tests/e2e/administration.spec.ts b/apps/meteor/tests/e2e/administration.spec.ts
@@ -75,8 +75,8 @@ test.describe.parallel('administration', () => {
 			await poAdminUsers.editUser.inputName.fill(faker.person.firstName());
 			await poAdminUsers.editUser.inputUserName.fill(faker.internet.userName());
 			await poAdminUsers.editUser.inputSetManually.click();
-			await poAdminUsers.editUser.inputPassword.fill('any_password');
-			await poAdminUsers.editUser.inputConfirmPassword.fill('any_password');
+			await poAdminUsers.editUser.inputPassword.fill('P@ssw0rd1234.!');
+			await poAdminUsers.editUser.inputConfirmPassword.fill('P@ssw0rd1234.!');
 			await expect(poAdminUsers.editUser.userRole).toBeVisible();
 			await poAdminUsers.editUser.btnAddUser.click();
 		});
@@ -95,8 +95,8 @@ test.describe.parallel('administration', () => {
 			await poAdminUsers.editUser.inputUserName.type(username);
 			await poAdminUsers.editUser.inputEmail.type(faker.internet.email());
 			await poAdminUsers.editUser.inputSetManually.click();
-			await poAdminUsers.editUser.inputPassword.type('any_password');
-			await poAdminUsers.editUser.inputConfirmPassword.type('any_password');
+			await poAdminUsers.editUser.inputPassword.type('P@ssw0rd1234.!');
+			await poAdminUsers.editUser.inputConfirmPassword.type('P@ssw0rd1234.!');
 			await expect(poAdminUsers.editUser.userRole).toBeVisible();
 			await expect(poAdminUsers.editUser.joinDefaultChannels).toBeVisible();
 			await poAdminUsers.editUser.btnAddUser.click();

diff --git a/apps/meteor/tests/e2e/register.spec.ts b/apps/meteor/tests/e2e/register.spec.ts
@@ -31,15 +31,15 @@ test.describe.parallel('register', () => {
 				await poRegistration.inputName.fill(faker.person.firstName());
 				await poRegistration.inputEmail.fill(faker.internet.email());
 				await poRegistration.username.fill(faker.internet.userName());
-				await poRegistration.inputPassword.fill('any_password');
-				await poRegistration.inputPasswordConfirm.fill('any_password_2');
+				await poRegistration.inputPassword.fill('P@ssw0rd1234.!');
+				await poRegistration.inputPasswordConfirm.fill('Password1235.!');
 				await poRegistration.btnRegister.click();
 
 				await expect(poRegistration.inputPasswordConfirm).toBeInvalid();
 			});
 
 			await test.step('expect successfully register a new user', async () => {
-				await poRegistration.inputPasswordConfirm.fill('any_password');
+				await poRegistration.inputPasswordConfirm.fill('P@ssw0rd1234.!');
 				await poRegistration.btnRegister.click();
 				await poAuth.waitForDisplay();
 			});
@@ -74,7 +74,7 @@ test.describe.parallel('register', () => {
 					await poRegistration.inputName.fill(faker.person.firstName());
 					await poRegistration.inputEmail.fill(faker.internet.email());
 					await poRegistration.username.fill(faker.internet.userName());
-					await poRegistration.inputPassword.fill('any_password');
+					await poRegistration.inputPassword.fill('P@ssw0rd1234.!');
 
 					await poRegistration.btnRegister.click();
 					await poAuth.waitForDisplay();
@@ -149,7 +149,7 @@ test.describe.parallel('register', () => {
 				name: faker.person.firstName(),
 				email,
 				username: faker.internet.userName(),
-				pass: 'any_password',
+				pass: 'P@ssw0rd1234.!',
 			});
 
 			await test.step('Attempt registration with the same email', async () => {
@@ -158,8 +158,8 @@ test.describe.parallel('register', () => {
 				await poRegistration.inputName.fill(faker.person.firstName());
 				await poRegistration.inputEmail.fill(email);
 				await poRegistration.username.fill(faker.internet.userName());
-				await poRegistration.inputPassword.fill('any_password');
-				await poRegistration.inputPasswordConfirm.fill('any_password');
+				await poRegistration.inputPassword.fill('P@ssw0rd1234.!');
+				await poRegistration.inputPasswordConfirm.fill('P@ssw0rd1234.!');
 				await poRegistration.btnRegister.click();
 
 				await expect(page.getByRole('alert').filter({ hasText: 'Email already exists' })).toBeVisible();
@@ -203,8 +203,8 @@ test.describe.parallel('register', () => {
 			await poRegistration.inputName.fill(faker.person.firstName());
 			await poRegistration.inputEmail.fill(faker.internet.email());
 			await poRegistration.username.fill(faker.internet.userName());
-			await poRegistration.inputPassword.fill('any_password');
-			await poRegistration.inputPasswordConfirm.fill('any_password');
+			await poRegistration.inputPassword.fill('P@ssw0rd1234.!');
+			await poRegistration.inputPasswordConfirm.fill('P@ssw0rd1234.!');
 			await poRegistration.btnRegister.click();
 			await poAuth.waitForDisplay();
 		});

diff --git a/apps/meteor/tests/e2e/reset-password.spec.ts b/apps/meteor/tests/e2e/reset-password.spec.ts
@@ -17,8 +17,8 @@ test.describe.parallel('Reset Password', () => {
 	});
 
 	test('should confirm password be invalid', async () => {
-		await poRegistration.inputPassword.fill('123456');
-		await poRegistration.inputPasswordConfirm.fill('123455');
+		await poRegistration.inputPassword.fill('P@ssw0rd1234.!');
+		await poRegistration.inputPasswordConfirm.fill('Password4321.!');
 		await poRegistration.btnReset.click();
 		await expect(poRegistration.inputPasswordConfirm).toBeInvalid();
 	});

diff --git a/apps/meteor/tests/e2e/user-required-password-change.spec.ts b/apps/meteor/tests/e2e/user-required-password-change.spec.ts
@@ -19,6 +19,7 @@ test.describe('User - Password change required', () => {
 
 	test.beforeAll(async ({ api }) => {
 		settingDefaultValue = await getSettingValueById(api, 'Accounts_RequirePasswordConfirmation');
+		await setSettingValueById(api, 'Accounts_Password_Policy_Enabled', false);
 		await setSettingValueById(api, 'Accounts_RequirePasswordConfirmation', true);
 		userRequiringPasswordChange = await createTestUser(api, { data: { requirePasswordChange: true } });
 		userNotRequiringPasswordChange = await createTestUser(api, { data: { requirePasswordChange: false } });
@@ -38,6 +39,7 @@ test.describe('User - Password change required', () => {
 			userRequiringPasswordChange.delete(),
 			userNotRequiringPasswordChange.delete(),
 			userNotAbleToLogin.delete(),
+			setSettingValueById(api, 'Accounts_Password_Policy_Enabled', true),
 		]);
 	});
 

diff --git a/apps/meteor/tests/end-to-end/api/users.ts b/apps/meteor/tests/end-to-end/api/users.ts
@@ -817,7 +817,7 @@ describe('[Users]', () => {
 					email,
 					name: 'name',
 					username,
-					pass: 'test',
+					pass: 'P@ssw0rd1234.!',
 				})
 				.expect('Content-Type', 'application/json')
 				.expect(200)
@@ -838,7 +838,7 @@ describe('[Users]', () => {
 					email,
 					name: 'name',
 					username: 'test$username<>',
-					pass: 'test',
+					pass: 'P@ssw0rd1234.!',
 				})
 				.expect('Content-Type', 'application/json')
 				.expect(400)
@@ -856,7 +856,7 @@ describe('[Users]', () => {
 					email,
 					name: 'name',
 					username,
-					pass: 'test',
+					pass: 'P@ssw0rd1234.!',
 				})
 				.expect('Content-Type', 'application/json')
 				.expect(400)
@@ -873,7 +873,7 @@ describe('[Users]', () => {
 					email,
 					name: '</\\name>',
 					username,
-					pass: 'test',
+					pass: 'P@ssw0rd1234.!',
 				})
 				.expect('Content-Type', 'application/json')
 				.expect(400)
@@ -1105,7 +1105,7 @@ describe('[Users]', () => {
 				email: `me-${Date.now()}@email.com`,
 				name: 'testuser',
 				username: ufsUsername,
-				password: '1234',
+				password,
 			});
 
 			await request
@@ -2171,7 +2171,7 @@ describe('[Users]', () => {
 						.send({
 							userId: targetUser._id,
 							data: {
-								password: 'itsnotworking',
+								password: '1tsn0tw0rkingP@ssw0rd1234.!',
 							},
 						})
 						.expect('Content-Type', 'application/json')
@@ -2193,7 +2193,7 @@ describe('[Users]', () => {
 						.send({
 							userId: targetUser._id,
 							data: {
-								password: 'itsnotworking',
+								password: '1tsn0tw0rkingP@ssw0rd1234.!',
 							},
 						})
 						.expect('Content-Type', 'application/json')
@@ -2700,7 +2700,7 @@ describe('[Users]', () => {
 				.set(credentials)
 				.send({
 					data: {
-						newPassword: 'the new pass',
+						newPassword: '1Tsn3wP@ssw0rd1234.!',
 					},
 				})
 				.expect('Content-Type', 'application/json')
@@ -2851,7 +2851,7 @@ describe('[Users]', () => {
 				.set(credentials)
 				.send({
 					data: {
-						newPassword: 'MyNewPassw0rd',
+						newPassword: '1Tsn3wP@ssw0rd1234.!',
 					},
 				})
 				.expect('Content-Type', 'application/json')
@@ -2891,13 +2891,11 @@ describe('[Users]', () => {
 		describe('[Password Policy]', () => {
 			before(async () => {
 				await updateSetting('Accounts_AllowPasswordChange', true);
-				await updateSetting('Accounts_Password_Policy_Enabled', true);
 				await updateSetting('Accounts_TwoFactorAuthentication_Enabled', false);
 			});
 
 			after(async () => {
 				await updateSetting('Accounts_AllowPasswordChange', true);
-				await updateSetting('Accounts_Password_Policy_Enabled', false);
 				await updateSetting('Accounts_TwoFactorAuthentication_Enabled', true);
 			});
 
@@ -3086,7 +3084,7 @@ describe('[Users]', () => {
 					.send({
 						data: {
 							currentPassword,
-							newPassword: '123Abc@!',
+							newPassword: '1Tsn3wP@ssw0rd1234.!',
 						},
 					})
 					.expect('Content-Type', 'application/json')