feat: Encryption security hardening

[diegolmello]

Proposed changes

Issue(s)

Depends on:

• feat: e2ee security hardening Rocket.Chat#36942
• feat: v2 rocket.chat-mobile-crypto#4

https://rocketchat.atlassian.net/browse/ESH-23
https://rocketchat.atlassian.net/browse/ESH-24
https://rocketchat.atlassian.net/browse/ESH-30
https://rocketchat.atlassian.net/browse/ESH-26
https://rocketchat.atlassian.net/browse/ESH-28
https://rocketchat.atlassian.net/browse/ESH-44
https://rocketchat.atlassian.net/browse/ESH-47

How to test or reproduce

Screenshots

UI improvements on change e2ee password

Types of changes

• Bugfix (non-breaking change which fixes an issue)
• Improvement (non-breaking change which improves a current function)
• New feature (non-breaking change which adds functionality)
• Documentation update (if none of the other choices apply)

Checklist

• I have read the CONTRIBUTING doc
• I have signed the CLA
• Lint and unit tests pass locally with my changes
• I have added tests that prove my fix is effective or that my feature works (if applicable)
• I have added necessary documentation (if applicable)
• Any dependent changes have been merged and published in downstream modules

Further comments

Summary by CodeRabbit

• New Features

  • E2E v2 (AES‑GCM) support with versioned encrypted payloads and 12‑word passphrase generation.

• Improvements

  • Version-aware encryption across app, push notifications and background processing; per-room handlers, safer key flows and improved logging while preserving compatibility.

• UI/Style

  • Updated Save Your Password and Change Password screens, manual password entry, copy-to-clipboard and password policy UX.

• Localization

  • Added “Enter manually” and “Generate new password” translations.

• Tests

  • New consolidated Maestro E2E encryption suites added; legacy flows removed.

• Chores

  • iOS project/pod reorganization and dependency update.

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Implements server-versioned E2EE (v1/v2) across JS/TS and native layers, adds prefixed‑base64 payloads, BIP‑39 passphrase generation, per‑room refactor and async push decryption, updates message/content models and chat.update to accept content, plus UI/i18n and Maestro E2E test updates.

Changes

Cohort / File(s)	Summary of changes
Core encryption (TS) app/lib/encryption/encryption.ts, app/lib/encryption/room.ts, app/lib/encryption/utils.ts, app/lib/encryption/wordList.ts	Add versioned private‑key encoding/decoding (v1/v2), AES‑GCM flows, prefixed‑base64 helpers, parsePrivateKey, generatePassphrase (BIP‑39), adjust generateMasterKey(password,salt,iterations), remove randomPassword, refactor per‑room instance model and delegate encryption/decryption to room instances.
Type & models (TS / iOS) app/definitions/IMessage.ts, app/lib/encryption/definitions.ts, app/definitions/IAttachment.ts, ios/Shared/Models/EncryptedContent.swift, ios/Shared/Models/Message.swift	Introduce EncryptedContent union (v1/v2), add optional kid/iv, widen algorithm union to include rc.v2.aes-sha2, make msg/content optional, add FallbackMessage and e2eMentions fields.
Android native: encryption & notifications android/.../notification/Encryption.java, ReplyBroadcast.java, Ejson.java, CustomPushNotification.java, E2ENotificationProcessor.java, MainApplication.kt	Introduce PrefixedData/ParsedMessage/RoomKeyResult/EncryptionContent, change decryptRoomKey to return RoomKeyResult, add dual v1/v2 AES‑CBC/AES‑GCM handling, prefixed‑base64 parsing, async E2E notification processor with ReactContext polling and lazy MMKV init, add kid/iv/messageType fields.
iOS native: encryption & messaging ios/Shared/RocketChat/Encryption.swift, RocketChat.swift, API/Requests/SendMessage.swift, NotificationService.swift, ReplyNotification.swift	Add prefixed‑base64 helpers and ParsedMessage/RoomKeyResult types, change decryptRoomKey to return RoomKeyResult, support AES‑CBC/AES‑GCM, make SendMessage accept optional msg and content, simplify notification decryption and reply send background handling.
E2E security UI & helpers app/views/E2ESaveYourPasswordView.tsx, app/views/E2EEncryptionSecurityView/*	UI restyling, manual vs generated passphrase flow, integrate generatePassphrase (BIP‑39), clipboard copy action with new log event, password policy validator, and updated styles/components.
Subscriptions / decryption triggers app/lib/methods/subscriptions/rooms.ts, related app/lib/methods/*	Stop in‑method DB mutations; filter already‑decrypted subscriptions/messages; trigger per‑room decryption when message.msg or message.content present; remove broad readiness waits and delegate to room instances.
REST / send & edit message app/lib/services/restApi.ts, ios/Shared/RocketChat/RocketChat.swift, app/lib/methods/sendMessage.ts	editMessage now accepts optional text and content; sending branches to include content payload (or fallback msg), with safer optional chaining and explicit MessageType typing.
Maestro E2E tests & helpers .maestro/tests/e2e/**, .maestro/tests/assorted/**, .maestro/helpers/**, .maestro/scripts/data.js	Remove old assorted suite; add new .maestro/tests/e2e flows and helpers for E2E encryption (create room, enter key, send/verify, reset, edit, quote), update deeplink/login helpers and add e2eePassword test data.
i18n & UI text app/i18n/locales/*.json (many)	Add Enter_manually and Generate_new_password translations across locales.
Project config & deps ios/RocketChatRN.xcodeproj/project.pbxproj, package.json	Rework CocoaPods xcconfig/framework refs and RN bundling scripts; update @rocket.chat/mobile-crypto dependency to tag fix.gcm.
Misc & tests app/lib/constants/keys.ts, app/lib/methods/getThreadName.ts, app/lib/methods/updateMessages.ts, app/reducers/encryption.ts, app/reducers/encryption.test.ts, others	Make E2E_STATUS readonly const, add E2E_SEC_COPY_PASSWORD log event, remove encryptionInit handling, add explicit decrypted merges/casts and small safety/typing refactors.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant UI as RN UI
  participant Room as EncryptionRoom (TS)
  participant Native as Native Crypto
  participant Server as Server

  UI->>Room: encryptText(plaintext)
  Room->>Room: determine algorithm (server/version)
  alt v2 (rc.v2.aes-sha2)
    Room->>Native: aesGcmEncrypt(key, iv, plaintext)
    Native-->>Room: {ciphertext, iv}
    Room-->>UI: content {algorithm, ciphertext, kid, iv}
  else v1 (rc.v1.aes-sha2)
    Room->>Native: legacy AES‑CBC-like encrypt
    Native-->>Room: ciphertext
    Room-->>UI: content {algorithm, ciphertext}
  end
  UI->>Server: sendMessage({ content, msg? })

Loading

sequenceDiagram
  autonumber
  participant Push as Push Receiver
  participant Proc as E2ENotificationProcessor (Android)
  participant Ctx as React Context Provider
  participant Enc as Native Encryption
  participant Sys as System Notification

  Push->>Proc: processAsync(bundle, ejson)
  loop poll React context until available or timeout
    Proc->>Ctx: getReactContext()
  end
  Proc->>Enc: decryptRoomKey(e2eKey)
  Enc-->>Proc: RoomKeyResult { decryptedKey, algorithm }
  Proc->>Enc: decryptContent(content/msg, decryptedKey, algorithm)
  Enc-->>Proc: plaintext
  Proc->>Sys: showNotification(plaintext)

Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Areas to focus review on:

• Cross-language encryption compatibility and payload formats (prefixed‑base64, IV and iterations handling) across TS, Java, and Swift.
• Signature change: generateMasterKey(password, salt, iterations) — ensure all call sites updated.
• Room key/session export formats, keyID migration, and algorithm selection in room.ts and native counterparts.
• Push notification async decryption: ReactContext polling/timeouts and MMKV lazy init (Android).
• API change for send/edit message (content field) and server compatibility (chat.update payload).
• Maestro E2E test additions/removals and updated deeplink/login helpers.

Possibly related PRs

• fix(android): Push notification crashing on some edge cases #6667 — similar Android notification parsing/handling refactors and safer EJSON parsing.
• test: use deeplink authentication #6699 — overlaps Maestro login/deeplink helper and test scaffold adjustments.
• chore: iOS Maestro test fix #6700 — related Maestro test helper and flow changes touching E2E test infra.

Poem

I nibble keys beneath the digital moon,
Two ciphers hum — the old and new in tune.
Twelve words I gather, warm and bright,
Prefixed bytes tucked safe at night.
Hop, whisker, encrypt — snug till morning light. 🐰🔐

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title 'feat: Encryption security hardening' accurately summarizes the main objective of implementing E2EE v2 encryption with enhanced security hardening measures.
Linked Issues check	✅ Passed	The changeset implements all major coding requirements from linked issues: BIP39 wordlist adoption (ESH-23), longer passphrase enforcement with policies (ESH-24), v2 write path as default (ESH-26), v1/v2 auto-detection on read (ESH-28), password generation mechanism with manual/auto modes (ESH-44), and chat.update API content parameter support (ESH-47).
Out of Scope Changes check	✅ Passed	All changes are within scope: encryption core refactoring, v1/v2 versioning support, password management UI updates, test suite organization, and localization entries directly support the encryption security hardening objectives.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

app/lib/encryption/room.ts (2)

477-498: Encryption failure silently returns unencrypted message.

If encryptText throws (line 483), the catch block logs the error but returns the original unencrypted message (line 497). This fail-open behavior could allow sensitive content to be sent unencrypted. Consider either throwing the error to prevent sending or marking the message with an error state.

Apply this diff to prevent unencrypted sends:

 		} catch (e) {
-			// Do nothing
 			console.error(e);
+			throw new Error('Failed to encrypt message: ' + (e instanceof Error ? e.message : String(e)));
 		}

---

501-528: Same fail-open behavior in upload encryption.

Like the encrypt method, encryptUpload returns the original unencrypted upload if encryption fails (line 527). This creates the same security risk of unencrypted content being sent.

Consider applying the same fix as suggested for the encrypt method.

♻️ Duplicate comments (2)

app/lib/encryption/room.ts (2)

196-222: Back-compat risk: decodePrefixedBase64 assumes fixed RSA ciphertext length.

decodePrefixedBase64 at line 203 enforces a fixed 256-byte Base64 length (2048-bit RSA). Older v1 keys using 12-char prefix + variable-length base64, or users with 4096-bit RSA keys, will throw RangeError and break key imports.

Wrap the call in a try-catch with fallback to legacy parsing:

 	): Promise<{ sessionKeyExportedString: string; roomKey: ArrayBuffer; keyID: string; algorithm: TAlgorithm }> => {
 		try {
-			// Parse the encrypted key using prefixed base64
-			const [kid, encryptedData] = decodePrefixedBase64(E2EKey);
+			let kid: string;
+			let encryptedData: ArrayBuffer;
+			try {
+				[kid, encryptedData] = decodePrefixedBase64(E2EKey);
+			} catch (err) {
+				// Fallback: legacy v1 uses 12-char keyID prefix + base64 ciphertext of variable length
+				if (err instanceof RangeError) {
+					kid = E2EKey.slice(0, 12);
+					encryptedData = b64ToBuffer(E2EKey.slice(12));
+				} else {
+					throw err;
+				}
+			}
 
 			// Decrypt the session key
 			const decryptedKey = await rsaDecrypt(bufferToB64(encryptedData), privateKey);

---

352-361: Handle >2048-bit RSA ciphertext when exporting room keys.

encodePrefixedBase64 at line 357 requires exactly 256 bytes. If a recipient has a 4096-bit RSA key (or any non-2048-bit key), rsaEncrypt produces a different-sized ciphertext, encodePrefixedBase64 throws, and you cannot share the room key with that user.

Add fallback to legacy format on size mismatch:

 		const encryptedUserKey = await rsaEncrypt(this.sessionKeyExportedString as string, userKey);
 		const encryptedBuffer = b64ToBuffer(encryptedUserKey as string);
-		return encodePrefixedBase64(this.keyID, encryptedBuffer);
+		try {
+			return encodePrefixedBase64(this.keyID, encryptedBuffer);
+		} catch (error) {
+			if (error instanceof RangeError) {
+				// Fallback to legacy format for non-2048-bit keys
+				return `${this.keyID}${encryptedUserKey}`;
+			}
+			throw error;
+		}

🧹 Nitpick comments (2)

app/lib/encryption/room.ts (2)

447-474: Consider explicit algorithm validation to prevent silent v1 fallback.

When this.algorithm === '' (uninitialized) or has an unexpected value, execution silently falls through to the v1 encryption path at line 467. While handshake() should set this.algorithm via createNewRoomKey or importRoomKey, explicit validation would catch edge cases where the room is not properly initialized.

Add validation before branching:

 	): Promise<
 		| { algorithm: 'rc.v2.aes-sha2'; kid: string; iv: string; ciphertext: string }
 		| { algorithm: 'rc.v1.aes-sha2'; ciphertext: string }
 	> => {
 		const textBuffer = utf8ToBuffer(text);
+		if (!this.algorithm) {
+			throw new Error('Encryption algorithm not initialized. Room handshake may have failed.');
+		}
 		if (this.algorithm === 'A256GCM') {

---

776-821: Well-structured subscription decryption with smart caching.

The method includes appropriate guard clauses for ready state, message type, and encryption status. The optimization at lines 803-814 avoids re-decrypting identical messages by comparing _updatedAt timestamps, which is a good performance enhancement for frequently accessed subscriptions.

Consider adding a type guard for lastMessage to improve type safety:

 	decryptSubscription = async (subscription: Partial<ISubscription>) => {
 		if (!this.ready) {
 			return subscription;
 		}
 
 		// If the subscription doesn't have a lastMessage just return
 		const { rid, lastMessage } = subscription;
-		if (!lastMessage) {
+		if (!lastMessage || typeof lastMessage !== 'object') {
 			return subscription;
 		}

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between b019fec and 8d17033.

📒 Files selected for processing (2)

• app/lib/encryption/room.ts (15 hunks)
• app/lib/methods/subscriptions/rooms.ts (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• app/lib/methods/subscriptions/rooms.ts

🧰 Additional context used

🧬 Code graph analysis (1)

app/lib/encryption/room.ts (4)

app/lib/encryption/helpers/deferred.ts (1)

• Deferred (1-39)

android/app/src/main/java/chat/rocket/reactnative/notification/Encryption.java (1)

• Encryption (108-454)

app/lib/services/restApi.ts (2)

• e2eAcceptSuggestedGroupKey (84-86)
• e2eRejectSuggestedGroupKey (88-90)

app/lib/encryption/utils.ts (9)

• decodePrefixedBase64 (200-219)
• bufferToB64 (17-17)
• b64ToBuffer (15-15)
• bufferToB64URI (21-40)
• encodePrefixedBase64 (221-237)
• utf8ToBuffer (42-59)
• joinVectorData (73-78)
• splitVectorData (67-71)
• bufferToUtf8 (61-65)

🔇 Additional comments (7)

app/lib/encryption/room.ts (7)

226-272: Version-aware key creation implemented correctly.

The method properly branches by server version (>= 7.13.0 for v2) and sets this.algorithm to 'A256GCM' (line 245) for v2 or 'A128CBC' (line 265) for v1. Key sizes, key ID generation, and session key formats are appropriate for each version.

---

646-663: Parse method correctly handles v1/v2 payload formats.

The method properly distinguishes v2 structured payloads (with algorithm: 'rc.v2.aes-sha2') from v1 string-based payloads. The v1 path correctly extracts the 12-character key ID and splits the vector from ciphertext. Defensive handling with payload?.ciphertext || '' prevents null reference errors.

---

665-678: Clean algorithm-aware decryption dispatcher.

The method correctly routes decryption to aesGcmDecrypt for v2 (A256GCM) or aesDecrypt for v1 (A128CBC), gracefully handles null decryption results, and parses the final EJSON payload. Accepting algorithm as a parameter rather than using this.algorithm provides flexibility for decrypting old keys.

---

680-702: Robust v1/v2 decryption with key rotation support.

The method correctly handles both encryption versions via the parse helper, supports key rotation by searching oldRoomKeys when the key ID doesn't match, and uses the appropriate algorithm for each key. Error handling returns null rather than throwing, which aligns with the graceful degradation pattern used elsewhere.

---

705-741: Message decryption properly handles v1/v2 formats and nested content.

The flow correctly decrypts message content (with v1 fallback to msg field), spreads the decrypted structured data (attachments, files, text) into the message, and processes quote attachments. Marking attachments as e2e: 'pending' appropriately signals that file content requires separate decryption.

---

530-636: File encryption consistently uses structured encryption results.

The encryptFile method properly returns structured encryption results from encryptText for both the getContent callback (line 607-608) and fileContent (line 624). This maintains consistency with the versioned encryption approach across message and file flows.

---

638-644: LGTM!

File content decryption correctly checks for v1/v2 algorithm markers and delegates to the versioned decryptContent method.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Ready promise not rejected on key import failure, can leave room stuck.

When importRoomKey fails for E2ESuggestedKey (lines 153-155) or E2EKey (lines 169-173), the code sets establishing = false and logs the error but never rejects this.readyPromise. Callers awaiting handshake() will hang indefinitely. The room remains in a not-ready state with no path to recovery until the subscription updates externally.

Consider rejecting the promise to signal failure:

 		} catch (error) {
 			await e2eRejectSuggestedGroupKey(this.roomId);
+			this.establishing = false;
+			this.readyPromise.reject(error);
+			return;
 		}

 		} catch (error) {
 			this.establishing = false;
+			this.readyPromise.reject(error);
 			log(error);
-			// Fall through to try other options
+			return;
 		}

[github-actions]

Android Build Available

Rocket.Chat Experimental 4.67.0.107687

Internal App Sharing: https://play.google.com/apps/test/RQVpXLytHNc/ahAO29uNTUEipTZV9RaVOUtE0NSFeLqHqbTyUPzqNTigUDW2gt8bFHzkXPaE7_bzXE8x90LmybFQI5C99zM-BjerKo

[github-actions]

iOS Build Available

Rocket.Chat Experimental 4.67.0.107690