regression: fixes undefined user-agent on device login detection

[lucas-a-pelegrino]

Proposed changes (including videos or screenshots)

This PR aims at fixing a recurring issue, previously thought to be fixed on #36880 and #37493.

The behavior happens because when logging into the application via login form (type: "password"), the event is emitted passing connection.httpHeaders as an instance of Headers, but when it's reusing the connection from the ws (type: "resume"), connection.httpHeaders is a plain object.

This difference in the object's format depending on where it's being emitted from caused issues with both previous PR "fixes".

Adding a type/instance check on httpHeaders before accessing it allows us to extract user-agent in both cases.

Issue(s)

CORE-1544

Steps to test or reproduce

Further comments

This is being further investigated in parallel to this quick fix, so we can fix the difference in format behavior without the need for this check.

Summary by CodeRabbit

• Bug Fixes
  • Fixed an issue where Login Detection emails were being sent with incomplete or undefined data, ensuring proper email delivery with complete information.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[dionisio-bot]

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: 3ac99de

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

This PR addresses a regression where Login Detection emails displayed undefined device information. It modifies the user-agent extraction logic in session management to handle both Headers instances and plain object header formats, preventing undefined values from being included in the email notification.

Changes

Cohort / File(s)	Summary
Changeset .changeset/silly-cooks-guess.md	Documents a patch-level fix for the regression preventing Login Detection emails from being sent with undefined user-agent derived data.
Session Management apps/meteor/ee/server/lib/deviceManagement/session.ts	Updates user-agent retrieval to support both Headers instance (via get('user-agent')) and plain object (via bracket notation) header formats, eliminating undefined values.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5–10 minutes

• Focus areas:
  • Verify that both header format branches (Headers instance vs. plain object) are correctly handled and return consistent results
  • Confirm that the fallback logic properly prevents undefined values from reaching the email notification logic

Possibly related PRs

• fix: improves how code access user-agent in the headers #37493 — Modifies the same file and user-agent extraction logic, also handling different header shapes in DDP connections.
• Release 7.12.2 #37519 — Updates the same session.ts file to change how user-agent is read from DDP connection headers with different httpHeaders formats.
• fix: login device email undefined values #36880 — Modifies the same user-agent extraction logic in deviceManagement/session.ts to handle Headers instances and prevent undefined values in login-detection emails.

Suggested labels

stat: ready to merge, stat: QA assured

Suggested reviewers

• cardoso
• yash-rajpal

Poem

🐰 A header twist, a fix so neat,
No more undefined, the logic's sweet,
Headers and objects now align,
Login emails work just fine!
—Your friendly code-reviewing hare 🥕

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	Title clearly describes the main regression fix: preventing undefined user-agent in device login detection emails.
Linked Issues check	✅ Passed	Changes directly address CORE-1544 by fixing undefined user-agent extraction through conditional header format handling.
Out of Scope Changes check	✅ Passed	All changes are scoped to fixing the user-agent extraction issue; no unrelated modifications detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch regression/CORE-1544

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between d19bb8a and c828d9c.

📒 Files selected for processing (2)

• .changeset/silly-cooks-guess.md (1 hunks)
• apps/meteor/ee/server/lib/deviceManagement/session.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/ee/server/lib/deviceManagement/session.ts

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Agent
• GitHub Check: CodeQL analysis (javascript-typescript)

🔇 Additional comments (2)

.changeset/silly-cooks-guess.md (1)

1-5: LGTM! Changeset accurately documents the fix.

The changeset correctly describes the issue and the patch-level bump is appropriate for this bug fix.

apps/meteor/ee/server/lib/deviceManagement/session.ts (1)

70-73: I'll verify the review comment by examining the code changes and searching for similar patterns that may need the same fix.
<function_calls>

#!/bin/bash

First, let's verify the exact code at lines 70-73 in the target file

echo "=== Checking lines 70-73 in session.ts ==="
cat -n apps/meteor/ee/server/lib/deviceManagement/session.ts | sed -n '70,73p'

echo ""
echo "=== Checking context around line 108 ==="
cat -n apps/meteor/ee/server/lib/deviceManagement/session.ts | sed -n '105,110p'


</function_calls>

Looking at the code and the mentioned observation about line 108, I need to search for all patterns of httpHeaders access to verify if there are other occurrences that need the same fix.
<function_calls>

#!/bin/bash

Search for direct accesses to httpHeaders['user-agent'] or httpHeaders["user-agent"]

and related patterns that may need the same instanceof check

echo "=== Searching for httpHeaders['user-agent'] or httpHeaders["user-agent"] patterns ==="
rg -n --type=ts --type=js "httpHeaders[(['"])user-agent\1]" -C3

echo ""
echo "=== Searching for broader httpHeaders access patterns ==="
rg -n --type=ts --type=js "httpHeaders[" -C2


</function_calls>

Now let me examine the full file to understand the context better:
<function_calls>

#!/bin/bash

Get the full file to understand the structure

echo "=== Full session.ts file ==="
cat -n apps/meteor/ee/server/lib/deviceManagement/session.ts


</function_calls>

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

📦 Docker Image Size Report

📈 Changes

Service	Current	Baseline	Change	Percent
sum of all images	1.2GiB	1.2GiB	+37MiB
rocketchat	367MiB	347MiB	+20MiB
omnichannel-transcript-service	141MiB	132MiB	+8.8MiB
queue-worker-service	141MiB	132MiB	+8.8MiB
ddp-streamer-service	127MiB	127MiB	+68KiB
account-service	114MiB	114MiB	+68KiB
stream-hub-service	111MiB	111MiB	+68KiB
authorization-service	111MiB	111MiB	+68KiB
presence-service	111MiB	111MiB	+68KiB

📊 Historical Trend

---
config:
  theme: "dark"
  xyChart:
    width: 900
    height: 400
---
xychart
  title "Image Size Evolution by Service (Last 30 Days + This PR)"
  x-axis ["11/15 22:28", "11/16 01:28", "11/17 23:50", "11/18 22:53", "11/19 23:02", "11/21 16:49", "11/24 17:34", "11/27 22:32", "11/28 19:05", "12/01 13:34", "12/01 14:17 (PR)"]
  y-axis "Size (GB)" 0 --> 0.5
  line "account-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "authorization-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "ddp-streamer-service" [0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12]
  line "omnichannel-transcript-service" [0.14, 0.14, 0.14, 0.14, 0.14, 0.13, 0.13, 0.13, 0.13, 0.13, 0.14]
  line "presence-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "queue-worker-service" [0.14, 0.14, 0.14, 0.14, 0.14, 0.13, 0.13, 0.13, 0.13, 0.13, 0.14]
  line "rocketchat" [0.36, 0.36, 0.35, 0.35, 0.35, 0.34, 0.34, 0.34, 0.34, 0.34, 0.36]
  line "stream-hub-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]

Loading

Statistics (last 10 days):

• 📊 Average: 1.5GiB
• ⬇️ Minimum: 1.2GiB
• ⬆️ Maximum: 1.6GiB
• 🎯 Current PR: 1.2GiB

ℹ️ About this report

This report compares Docker image sizes from this build against the develop baseline.

• Tag: pr-37642
• Baseline: develop
• Timestamp: 2025-12-01 14:17:52 UTC
• Historical data points: 10

---

Updated: Mon, 01 Dec 2025 14:17:53 GMT

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (release-7.13.0@d19bb8a). Learn more about missing BASE report.

Additional details and impacted files

@@                Coverage Diff                @@
##             release-7.13.0   #37642   +/-   ##
=================================================
  Coverage                  ?   68.93%           
=================================================
  Files                     ?     3360           
  Lines                     ?   114278           
  Branches                  ?    20561           
=================================================
  Hits                      ?    78780           
  Misses                    ?    33405           
  Partials                  ?     2093           

Flag	Coverage Δ
e2e	57.43% <ø> (?)
e2e-api	43.52% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

This PR addresses a regression where the Login Detection email was being sent with undefined user-agent data. The issue occurred because connection.httpHeaders has different formats depending on the authentication type: it's a Headers instance during form login (type: "password") but a plain object during session resume (type: "resume"). The fix adds an instance check to handle both cases correctly.

Key Changes:

• Added type checking for connection.httpHeaders to handle both Headers instance and plain object formats
• Uses .get('user-agent') method for Headers instances and bracket notation for plain objects

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
apps/meteor/ee/server/lib/deviceManagement/session.ts	Updated user-agent extraction to handle both Headers instance and plain object formats via instanceof check
.changeset/silly-cooks-guess.md	Added changeset documenting the fix for undefined user-agent in Login Detection emails

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[dougfabris]

/backport 7.10.6

[dionisio-bot]

Sorry, I couldn't do that backport because of conflicts. Could you please solve them?

you can do so by running the following commands:

git fetch
git checkout backport-7.10.6-37642
git cherry-pick 2ec30579b0824a2073b7531697663b40a0e967c7
// solve the conflict
git push

after that just run /backport 7.10.6 again

[dougfabris]

/backport 7.10.6

[dionisio-bot]

Pull request #38010 added to Project: "Patch 7.10.6"