chore: Make this.user optional instead of nullable for non-auth endpoints #38861

Merged
ggazzo merged 8 commits into develop from copilot/make-user-optional-when-non-auth
Feb 21, 2026
Conversation

Copilot AI commented Feb 20, 2026

This pull request refactors authentication handling and user type definitions in the API, and updates related test utilities for improved clarity and consistency. The main focus is on simplifying how user authentication and user objects are managed, especially in API route contexts and test setup.

API authentication and user handling improvements:

  • Refactored the authentication logic in APIClass.ts to always hash the auth token and set this.token, regardless of authentication requirements. Removed the conditional block that previously tied token assignment to authentication checks.
  • Updated user lookup and assignment in the login flow to use a local user variable instead of this.user, and improved error handling and response construction to reference this variable. [1] [2]

API type definitions and context typing:

  • Simplified user and userId types in definition.ts to remove unnecessary null/undefined states, and adjusted TypedThis to use more accurate conditional typing for user and userId based on authentication requirements. [1] [2] [3]

Integration API improvements:

  • Modified the WebHook API to explicitly set the x-auth-token header in the route context, ensuring the integration token is properly propagated for downstream authentication.

Test utility and test suite updates:

  • Updated the registerUser test utility to accept nullable credentials and only set them if provided, improving flexibility for test scenarios. Adjusted test cases to pass null credentials where anonymous registration is required. [1] [2] [3] [4] [5]

Task: ARCH-1980

dionisio-bot bot commented Feb 20, 2026

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label
  • This PR is targeting the wrong base branch. It should target 8.3.0, but it targets 8.2.0

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

changeset-bot bot commented Feb 20, 2026

⚠️ No Changeset found

Latest commit: 4d4a537

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Co-authored-by: ggazzo <5263975+ggazzo@users.noreply.github.com>
Copilot AI changed the title [WIP] Make this.user optional for non-authenticated endpoints Make this.user optional instead of undefined for non-auth endpoints Feb 20, 2026
Copilot AI requested a review from ggazzo February 20, 2026 23:10
Co-authored-by: ggazzo <5263975+ggazzo@users.noreply.github.com>
Copilot AI changed the title Make this.user optional instead of undefined for non-auth endpoints Make this.user optional instead of nullable for non-auth endpoints Feb 20, 2026
@ggazzo ggazzo changed the title Make this.user optional instead of nullable for non-auth endpoints chore: Make this.user optional instead of nullable for non-auth endpoints Feb 20, 2026
codecov bot commented Feb 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.55%. Comparing base (7d23911) to head (4d4a537).
⚠️ Report is 1 commits behind head on develop.

@@             Coverage Diff             @@
##           develop   #38861      +/-   ##
===========================================
- Coverage    70.60%   70.55%   -0.05%     
===========================================
  Files         3189     3189              
  Lines       112703   112703              
  Branches     20436    20400      -36     
===========================================
- Hits         79573    79517      -56     
- Misses       31069    31124      +55     
- Partials      2061     2062       +1     
Flag      Coverage Δ
e2e       60.37% <ø> (-0.04%) ⬇️
e2e-api   47.82% <ø> (-0.06%) ⬇️
unit      71.54% <ø> (-0.05%) ⬇️

- Replace direct assignment of `this.user` with a local variable `user` for clarity.
- Update token assignment to ensure proper non-null assertion.
- Adjust success response to utilize the new `user` variable for consistency.
@ggazzo ggazzo force-pushed the copilot/make-user-optional-when-non-auth branch from 135383b to 4cdc18e Compare February 20, 2026 23:30
- Refactor user authentication in APIClass to streamline token handling and improve clarity.
- Ensure proper setting of the `x-auth-token` header in the WebHookAPI class.
@ggazzo ggazzo force-pushed the copilot/make-user-optional-when-non-auth branch from 58c5027 to 1383c3d Compare February 21, 2026 02:32
@ggazzo ggazzo added this to the 8.3.0 milestone Feb 21, 2026
@ggazzo ggazzo marked this pull request as ready for review February 21, 2026 03:26
@ggazzo ggazzo requested a review from a team as a code owner February 21, 2026 03:26
ggazzo commented Feb 21, 2026

/jira ARCH-1935

@ggazzo ggazzo merged commit 0de0f36 into develop Feb 21, 2026
47 checks passed
@ggazzo ggazzo deleted the copilot/make-user-optional-when-non-auth branch February 21, 2026 03:30
@cubic-dev-ai cubic-dev-ai bot left a comment

2 issues found across 4 files

<file name="apps/meteor/app/api/server/ApiClass.ts">

<violation number="1" location="apps/meteor/app/api/server/ApiClass.ts:832">
P1: `String(authToken)` coerces `null` to `"null"` when the header is absent, causing `Accounts._hashLoginToken` to hash the literal string `"null"` and assign it to `this.token` for all non-authenticated routes. Guard against a missing header before hashing.</violation>

<violation number="2" location="apps/meteor/app/api/server/ApiClass.ts:838">
P1: Debug `console.log` statement left in production code. This will log internal authentication state (`shouldPreventAnonymousRead`) on every unauthorized request.</violation>
</file>

const shouldPreventUserRead = !this.user && options.authRequired;

if (shouldPreventAnonymousRead || shouldPreventUserRead) {
console.log('shouldPreventAnonymousRead', shouldPreventAnonymousRead);
@cubic-dev-ai cubic-dev-ai bot Feb 21, 2026

P1: Debug console.log statement left in production code. This will log internal authentication state (shouldPreventAnonymousRead) on every unauthorized request.

<file context>
@@ -825,18 +825,17 @@ export class APIClass<TBasePath extends string = '', TOperations extends Record<
 						const shouldPreventUserRead = !this.user && options.authRequired;
 
 						if (shouldPreventAnonymousRead || shouldPreventUserRead) {
+							console.log('shouldPreventAnonymousRead', shouldPreventAnonymousRead);
 							const result = api.unauthorized('You must be logged in to do this.');
 							// compatibility with the old API
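Review bot: the added `console.log('shouldPreventAnonymousRead', shouldPreventAnonymousRead);` inside the unauthorized branch should be dropped before merge. It writes straight to stdout on every rejected request, so it is not subject to a log level or to redaction, and any unauthenticated caller can make the server emit it at will. If the value is still needed while debugging, route it through a leveled logger at debug level instead.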
</file context>
this.user = user!;
this.userId = this.user?._id;
const authToken = this.request.headers.get('x-auth-token');
this.token = Accounts._hashLoginToken(String(authToken))!;
@cubic-dev-ai cubic-dev-ai bot Feb 21, 2026

P1: String(authToken) coerces null to "null" when the header is absent, causing Accounts._hashLoginToken to hash the literal string "null" and assign it to this.token for all non-authenticated routes. Guard against a missing header before hashing.

<file context>
@@ -825,18 +825,17 @@ export class APIClass<TBasePath extends string = '', TOperations extends Record<
+						this.user = user!;
+						this.userId = this.user?._id;
+						const authToken = this.request.headers.get('x-auth-token');
+						this.token = Accounts._hashLoginToken(String(authToken))!;
 
 						const shouldPreventAnonymousRead = !this.user && options.authOrAnonRequired && !settings.get('Accounts_AllowAnonymousRead');
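Review bot: `this.token = Accounts._hashLoginToken(String(authToken))!;` now runs for every route, and `String(null)` is the string `'null'`, so a request that carries no `x-auth-token` header ends up with a real-looking hashed token rather than none; guard it with `this.token = authToken ? Accounts._hashLoginToken(authToken) : undefined;`. The two lines above it also contradict each other: `this.user = user!;` asserts the user is present while `this.userId = this.user?._id;` immediately allows for it to be absent. Since the point of this change is that `user` may be undefined on non-auth routes, drop the `!` and let the declared type carry that.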
</file context>
Suggested change
this.token = Accounts._hashLoginToken(String(authToken))!;
this.token = authToken ? Accounts._hashLoginToken(authToken) : undefined;
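The coercion the reviewer describes, shown as an added example rather than Rocket.Chat's own code: `hashLoginToken` is a stand-in for Meteor's `Accounts._hashLoginToken` (assumed here to be SHA-256 encoded as base64), and `headersOf` is a constructed substitute for `this.request.headers`.

```typescript
import { createHash } from 'crypto';

// Stand-in for Meteor's Accounts._hashLoginToken. Assumption: SHA-256, base64 digest.
// Constructed here so the example runs without Meteor.
function hashLoginToken(loginToken: string): string {
  return createHash('sha256').update(loginToken).digest('base64');
}

// Minimal stand-in for `this.request.headers` in the route context (constructed).
type Headers = { get(name: string): string | null };
function headersOf(entries: Record<string, string>): Headers {
  return { get: (name) => entries[name.toLowerCase()] ?? null };
}

// Token assignment as merged: String(null) === 'null', so every request without the
// header receives the same hashed token instead of no token at all.
function tokenAsMerged(headers: Headers): string {
  const authToken = headers.get('x-auth-token');
  return hashLoginToken(String(authToken));
}

// The guard the review suggests: no header, no token.
function tokenGuarded(headers: Headers): string | undefined {
  const authToken = headers.get('x-auth-token');
  return authToken ? hashLoginToken(authToken) : undefined;
}

// Two unrelated anonymous requests (constructed) collide on the merged version.
const anonymousA = headersOf({});
const anonymousB = headersOf({ 'user-agent': 'probe/1.0' });
console.log('merged, anonymous A === B:', tokenAsMerged(anonymousA) === tokenAsMerged(anonymousB));
console.log('guarded, anonymous:', tokenGuarded(anonymousA));
```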