fix(e2ee): Subscription's lastMessage not properly decrypting

[gabriellsh]

Proposed changes (including videos or screenshots)

There were 2 issues identified:

1. rocketchat.e2e.room.ts decryptMessage method was mutating the original (encrypted) message object, causing subsequent validations to assert that the original (encrypted) message msg property was the same as the decrypted message's msg property, since both were referencing the same object.
2. rocketchat.e2e.ts decryptSubscription was not waiting for the e2eRoom instance to be in state "ready", causing subscriptions to not be decrypted at all in a few cases, such as after a refresh, or after inserting the e2e password.

Issue(s)

CORE-1740

Steps to test or reproduce

Further comments

Summary by CodeRabbit

• Bug Fixes
  • Improved end-to-end decryption flow to more reliably handle directly encrypted content and consolidate final message assignment.
  • Added early-return guard when message content is missing to avoid unnecessary decryption attempts.
  • Deferred decryption until encryption rooms signal readiness, with clearer readiness logging.
  • Strengthened error handling and safeguards for more stable, predictable encrypted message processing.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label
• This PR is targeting the wrong base branch. It should target 8.2.0, but it targets 8.1.0

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: 8c13e1c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

Refactors E2EE decryption paths: decryptMessage adds early encrypted-content handling and guards against missing message content, consolidating return flow; decryptSubscription adds null checks and defers decryption until the room emits READY, with added logging.

Changes

Cohort / File(s)	Summary
E2EE Message Decryption apps/meteor/client/lib/e2ee/rocketchat.e2e.room.ts	Rewrote decryptMessage: early return when content is already encrypted, guard and early return if message.msg is missing, consolidated decryption result handling so msg is replaced only when decrypted text is a string, and all branches set e2e: 'done'.
E2EE Subscription Setup apps/meteor/client/lib/e2ee/rocketchat.e2e.ts	Updated decryptSubscription: added null check for e2eRoom, log and return when missing; when present, wait for the room's READY event before invoking decryption, replacing the previous immediate invocation.

Sequence Diagram(s)

sequenceDiagram
  participant Caller as "Subscription Caller"
  participant Room as "E2E Room"
  participant Decrypt as "Decryptor"
  participant Log as "Logger"

  Caller->>Room: find e2eRoom
  alt no e2eRoom
    Room->>Log: warn("no e2eRoom found")
    Log-->>Caller: return
  else e2eRoom found
    Room-->>Caller: attach READY listener
    Note right of Room: wait for READY
    Room->>Caller: emit READY
    Caller->>Decrypt: decryptSubscription(e2eRoom)
    Decrypt-->>Caller: done
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

stat: ready to merge, stat: QA assured

Suggested reviewers

• aleksandernsilva
• cardoso
• tassoevan

Poem

🐰
I hopped through code, a tiny sleuth,
Guards and signals found the truth.
Ready then decrypt, we cheer—
Messages safe, the path is clear. ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title clearly describes the main fix: addressing subscription lastMessage not being properly decrypted in end-to-end encrypted rooms, which directly matches the primary objective.
Linked Issues check	✅ Passed	The changes address both CORE-1740 objectives: preventing in-place message mutation in decryptMessage and ensuring decryptSubscription waits for e2eRoom readiness before decryption.
Out of Scope Changes check	✅ Passed	All changes remain focused on fixing the decryption flow in the two specified e2ee files; no unrelated modifications are present outside the scope of CORE-1740.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/e2eeDecryptMessageReference

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

No issues found across 2 files

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@apps/meteor/client/lib/e2ee/rocketchat.e2e.ts`:
- Around line 680-683: The READY listener can miss the event if the existing
e2eRoom instance is already initialized; update the logic around
getInstanceByRoomId to check the room's readiness first (e.g., an
isReady/isInitialized property or isReady() method) and if already ready call
e2eRoom.decryptSubscription() immediately, otherwise register
e2eRoom.once('READY', async () => { span.info('e2e room ready'); await
e2eRoom.decryptSubscription(); }); so that decryptSubscription runs in both
cases.

[codecov]

Codecov Report

❌ Patch coverage is 62.50000% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 70.75%. Comparing base (c9103e8) to head (8c13e1c).
⚠️ Report is 9 commits behind head on develop.

Additional details and impacted files

@@           Coverage Diff            @@
##           develop   #38283   +/-   ##
========================================
  Coverage    70.75%   70.75%           
========================================
  Files         3142     3142           
  Lines       108927   108939   +12     
  Branches     19603    19619   +16     
========================================
+ Hits         77066    77079   +13     
+ Misses       29864    29858    -6     
- Partials      1997     2002    +5     

Flag	Coverage Δ
e2e	60.35% <62.50%> (+0.02%)	⬆️
e2e-api	48.05% <ø> (-1.11%)	⬇️
unit	71.86% <ø> (+0.03%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

📦 Docker Image Size Report

➡️ Changes

Service	Current	Baseline	Change	Percent
sum of all images	0B	0B	0B
account-service	0B	0B	0B
authorization-service	0B	0B	0B
ddp-streamer-service	0B	0B	0B
omnichannel-transcript-service	0B	0B	0B
presence-service	0B	0B	0B
queue-worker-service	0B	0B	0B
rocketchat	0B	0B	0B

📊 Historical Trend

---
config:
  theme: "dark"
  xyChart:
    width: 900
    height: 400
---
xychart
  title "Image Size Evolution by Service (Last 30 Days + This PR)"
  x-axis ["11/18 22:53", "11/19 23:02", "11/21 16:49", "11/24 17:34", "11/27 22:32", "11/28 19:05", "12/01 23:01", "12/02 21:57", "12/03 21:00", "12/04 18:17", "12/05 21:56", "12/08 20:15", "12/09 22:17", "12/10 23:26", "12/11 21:56", "12/12 22:45", "12/13 01:34", "12/15 22:31", "12/16 22:18", "12/17 21:04", "12/18 23:12", "12/19 23:27", "12/20 21:03", "12/22 18:54", "12/23 16:16", "12/24 19:38", "12/25 17:51", "12/26 13:18", "12/29 19:01", "12/30 20:52", "01/21 17:40 (PR)"]
  y-axis "Size (GB)" 0 --> 0.5
  line "account-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.00]
  line "authorization-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.00]
  line "ddp-streamer-service" [0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.00]
  line "omnichannel-transcript-service" [0.14, 0.14, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.00]
  line "presence-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.00]
  line "queue-worker-service" [0.14, 0.14, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.00]
  line "rocketchat" [0.35, 0.35, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.00]

Loading

Statistics (last 30 days):

• 📊 Average: 1.5GiB
• ⬇️ Minimum: 1.4GiB
• ⬆️ Maximum: 1.6GiB
• 🎯 Current PR: 0B

ℹ️ About this report

This report compares Docker image sizes from this build against the develop baseline.

• Tag: pr-38283
• Baseline: develop
• Timestamp: 2026-01-21 17:40:05 UTC
• Historical data points: 30

---

Updated: Wed, 21 Jan 2026 17:40:05 GMT