fix: remove visitor token from visitors.info endpoint

[julio-rocketchat]

Proposed changes (including videos or screenshots)

As seen here, https://developer.rocket.chat/apidocs/get-visitor-information-by-id-1, token is returned in the response. It looks like there's no use case for the token to be present in the response and it would be a good security practice to remove it altogether.

Issue(s)

https://rocketchat.atlassian.net/browse/VLN-367

Steps to test or reproduce

• N/A

Further comments

• N/A

Summary by CodeRabbit

• Bug Fixes
  • Fixed a security issue where visitor authentication tokens were being exposed in the visitors.info API response. The system now properly excludes sensitive token data.

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label
• This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

🦋 Changeset detected

Latest commit: 3f8f389

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 42 packages

Name	Type
@rocket.chat/meteor	Patch
@rocket.chat/core-typings	Patch
@rocket.chat/rest-typings	Patch
@rocket.chat/uikit-playground	Patch
@rocket.chat/api-client	Patch
@rocket.chat/apps	Patch
@rocket.chat/core-services	Patch
@rocket.chat/cron	Patch
@rocket.chat/ddp-client	Patch
@rocket.chat/fuselage-ui-kit	Patch
@rocket.chat/gazzodown	Patch
@rocket.chat/http-router	Patch
@rocket.chat/livechat	Patch
@rocket.chat/model-typings	Patch
@rocket.chat/models	Patch
@rocket.chat/ui-avatar	Patch
@rocket.chat/ui-client	Patch
@rocket.chat/ui-contexts	Patch
@rocket.chat/ui-voip	Patch
@rocket.chat/web-ui-registration	Patch
@rocket.chat/account-service	Patch
@rocket.chat/authorization-service	Patch
@rocket.chat/ddp-streamer	Patch
@rocket.chat/omnichannel-transcript	Patch
@rocket.chat/presence-service	Patch
@rocket.chat/queue-worker	Patch
@rocket.chat/abac	Patch
@rocket.chat/federation-matrix	Patch
@rocket.chat/license	Patch
@rocket.chat/media-calls	Patch
@rocket.chat/omnichannel-services	Patch
@rocket.chat/pdf-worker	Patch
@rocket.chat/presence	Patch
rocketchat-services	Patch
@rocket.chat/network-broker	Patch
@rocket.chat/omni-core-ee	Patch
@rocket.chat/mock-providers	Patch
@rocket.chat/instance-status	Patch
@rocket.chat/omni-core	Patch
@rocket.chat/server-fetch	Patch
@rocket.chat/ui-video-conf	Patch
@rocket.chat/ui-composer	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cf72aa53-5577-46f7-a969-eb9f577f69b9

📥 Commits

Reviewing files that changed from the base of the PR and between b6b04aa and 3f8f389.

📒 Files selected for processing (3)

• .changeset/perky-tires-invite.md
• apps/meteor/app/livechat/server/api/lib/visitors.ts
• apps/meteor/tests/end-to-end/api/livechat/09-visitors.ts

📜 Recent review details

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/app/livechat/server/api/lib/visitors.ts
• apps/meteor/tests/end-to-end/api/livechat/09-visitors.ts

🧠 Learnings (4)

📚 Learning: 2026-03-16T21:50:37.589Z

Learnt from: amitb0ra
Repo: RocketChat/Rocket.Chat PR: 39676
File: .changeset/migrate-users-register-openapi.md:3-3
Timestamp: 2026-03-16T21:50:37.589Z
Learning: For changes related to OpenAPI migrations in Rocket.Chat/OpenAPI, when removing endpoint types and validators from rocket.chat/rest-typings (e.g., UserRegisterParamsPOST, /v1/users.register) document this as a minor changeset (not breaking) per RocketChat/Rocket.Chat-Open-API#150 Rule 7. Note that the endpoint type is re-exposed via a module augmentation .d.ts in the consuming package (e.g., packages/web-ui-registration/src/users-register.d.ts). In reviews, ensure the changeset clearly states: this is a non-breaking change, the major version should not be bumped, and the changeset reflects a minor version bump. Do not treat this as a breaking change during OpenAPI migrations.

Applied to files:

• .changeset/perky-tires-invite.md

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/app/livechat/server/api/lib/visitors.ts
• apps/meteor/tests/end-to-end/api/livechat/09-visitors.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/app/livechat/server/api/lib/visitors.ts
• apps/meteor/tests/end-to-end/api/livechat/09-visitors.ts

📚 Learning: 2026-05-06T12:21:44.083Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

• apps/meteor/app/livechat/server/api/lib/visitors.ts
• apps/meteor/tests/end-to-end/api/livechat/09-visitors.ts

🔇 Additional comments (3)

apps/meteor/tests/end-to-end/api/livechat/09-visitors.ts (1)

570-581: LGTM!

.changeset/perky-tires-invite.md (1)

1-5: LGTM!

apps/meteor/app/livechat/server/api/lib/visitors.ts (1)

9-9: Specify explicit type for the excluded token field.

The findOneEnabledById method accepts a generic type parameter (<T extends Document = ILivechatVisitor>), but without explicitly providing it, TypeScript infers ILivechatVisitor | null, which includes token: string as a required property. The MongoDB projection { projection: { token: 0 } } excludes the token at runtime, creating a type-safety gap—the inferred type suggests visitor.token exists, but it's undefined at runtime.

Either specify an explicit type parameter that excludes token, or add an explicit return type to findVisitorInfo that reflects the token exclusion.

---

Walkthrough

The pull request adds a security fix that prevents the visitor authentication token from being exposed in the visitors.info API response. A MongoDB projection excludes the token field at query time, a test verifies the fix, and a patch release note documents the change.

Changes

Exclude Visitor Token from API Response

Layer / File(s)	Summary
Visitor token field exclusion in API response apps/meteor/app/livechat/server/api/lib/visitors.ts, apps/meteor/tests/end-to-end/api/livechat/09-visitors.ts	findVisitorInfo adds a projection to exclude the token field from the visitor document lookup. A new test verifies that the visitors.info API response omits the token from the returned payload.
Release documentation .changeset/perky-tires-invite.md	Patch release note documents that the visitor token is no longer returned in visitors.info.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested labels

type: bug

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: removing the visitor token from the visitors.info endpoint, which aligns directly with the changeset modifications across all three files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (2)

• ID-1: Request failed with status code 401
• VLN-367: Request failed with status code 401

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.59%. Comparing base (b6b04aa) to head (3f8f389).

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #40501      +/-   ##
===========================================
- Coverage    69.60%   69.59%   -0.01%     
===========================================
  Files         3320     3320              
  Lines       122512   122512              
  Branches     21840    21811      -29     
===========================================
- Hits         85273    85262      -11     
- Misses       33910    33926      +16     
+ Partials      3329     3324       -5     

Flag	Coverage Δ
e2e	59.09% <ø> (+0.01%)	⬆️
e2e-api	46.31% <ø> (+0.06%)	⬆️
unit	70.30% <ø> (-0.03%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.