fix: Force logout live clients on E2EE keys reset

.changeset/eighty-pans-joke.md

@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Force logout the clients which are actively online, whenever a user resets E2EE keys.

apps/meteor/server/lib/resetUserE2EKey.ts

@@ -2,6 +2,7 @@ import { Subscriptions, Users } from '@rocket.chat/models';
 import { Meteor } from 'meteor/meteor';
 
 import * as Mailer from '../../app/mailer/server/api';
+import { Notifications } from '../../app/notifications/server';
 import { settings } from '../../app/settings/server';
 import { i18n } from './i18n';
 import { isUserIdFederated } from './isUserIdFederated';
@@ -64,6 +65,9 @@ export async function resetUserE2EEncriptionKey(uid: string, notifyUser: boolean
 		throw new Meteor.Error('error-not-allowed', 'Federated Users cant have TOTP', { function: 'resetTOTP' });
 	}
 
+	// force logout the live sessions
+	Notifications.notifyUser(uid, 'force_logout');
+
 	await Users.resetE2EKey(uid);
 	await Subscriptions.resetUserE2EKey(uid);
 

apps/meteor/tests/e2e/e2e-encryption.spec.ts

@@ -1,5 +1,6 @@
 import { faker } from '@faker-js/faker';
 
+import { createAuxContext } from './fixtures/createAuxContext';
 import injectInitialData from './fixtures/inject-initial-data';
 import { Users, storeState, restoreState } from './fixtures/userStates';
 import { AccountProfile, HomeChannel } from './page-objects';
@@ -134,11 +135,13 @@ test.describe.serial('e2e-encryption', () => {
 		expect(statusCode).toBe(200);
 
 		poHomeChannel = new HomeChannel(page);
-
 		await page.goto('/home');
 	});
 
 	test.afterAll(async ({ api }) => {
+		// inject initial data, so that tokens are restored after forced logout
+		await injectInitialData();
+
 		const statusCode = (await api.post('/settings/E2E_Enable', { value: false })).status();
 
 		await expect(statusCode).toBe(200);
@@ -213,6 +216,31 @@ test.describe.serial('e2e-encryption', () => {
 		await expect(poHomeChannel.content.lastUserMessage.locator('.rcx-icon--name-key')).toBeVisible();
 	});
 
+	test('expect force logout on e2e keys reset', async ({ page, browser }) => {
+		const poAccountProfile = new AccountProfile(page);
+		// creating another logged in client, to check force logout
+		const { page: anotherClientPage } = await createAuxContext(browser, Users.admin);
+
+		await page.goto('/account/security');
+
+		await poAccountProfile.securityE2EEncryptionSection.click();
+		await poAccountProfile.securityE2EEncryptionResetKeyButton.click();
+
+		await page.locator('role=button[name="Login"]').waitFor();
+		await anotherClientPage.locator('role=button[name="Login"]').waitFor();
+
+		await expect(page).toHaveURL('/home');
+		await expect(anotherClientPage).toHaveURL('/home');
+
+		await expect(page.locator('role=button[name="Login"]')).toBeVisible();
+		await expect(anotherClientPage.locator('role=button[name="Login"]')).toBeVisible();
+
+		await expect(page.locator('role=banner')).toContainText('Your session was ended on this device, please log in again to continue.');
+		await expect(anotherClientPage.locator('role=banner')).toContainText('Your session was ended on this device, please log in again to continue.');
+
+		await anotherClientPage.close();
+  });
+
 	test('expect create a private encrypted channel and send an attachment with encrypted file description', async ({ page }) => {
 		const channelName = faker.string.uuid();
 

packages/i18n/src/locales/en.i18n.json

@@ -3304,7 +3304,7 @@
   "Log_Trace_Subscriptions_Filter": "Trace subscription filter",
   "Log_Trace_Subscriptions_Filter_Description": "The text here will be evaluated as RegExp (`new RegExp('text')`). Keep it empty to show trace of every call.",
   "Log_View_Limit": "Log View Limit",
-  "Logged_Out_Banner_Text": "Your workspace admin ended your session on this device. Please log in again to continue.",
+  "Logged_Out_Banner_Text": "Your session was ended on this device, please log in again to continue.",
   "Logged_out_of_other_clients_successfully": "Logged out of other clients successfully",
   "Login": "Login",
   "Log_in_to_sync": "Log in to sync",