
Rocket.Chat

Category: COLLAB · Velocity 6.3

Open-source team communication platform

Rocket.Chat hardens for regulated buyers: phishing-resistant MFA, ABAC governance, and a quiet client-architecture pivot.

Tags: security, abac-governance, oauth-mfa, client-architecture, enterprise, open-source-chat
Current state
The 8.4 line is finishing its RC cycle while 8.5.0-rc.0 lands, carrying a server-side OAuth rewrite with CSRF/PKCE, 2FA-on-OAuth flows, and four new admin permissions for the ABAC panel. Around those headline items sits a layer of plumbing work — an opt-in SDK-over-DDP transport behind a meta-tag/localStorage/URL flag, a room-scoped text-index toggle for large workspaces, and image-URL sanitization closing an XSS vector — alongside the usual stack of patch fixes.
Where it's heading
Two trends dominate. First, security and enterprise governance are the gravitational center: ABAC keeps gaining surfaces (panel visibility, app reads, Virtru as a Policy Decision Point in 8.4), OAuth is being rebuilt server-side, and 2FA is being enforced even through identity providers. Second, the team is modernizing the legacy Meteor underbelly — an SDK transport that bypasses Meteor's DDP layer is shipping dormant, and a flag is staging for Babel's removal in 9.0.0.
Prediction
Expect 8.5 to graduate to GA with the OAuth/MFA hardening as its headline, and for the SDK-over-DDP transport to become the default in 9.0.0 once the dormant period exposes incompatibilities. ABAC will keep accreting admin controls until it's a coherent enterprise governance story alongside SSO and audit logs.

Recent moves

  1. 1d ago

    8.5.0-rc.0: phishing-resistant MFA, ABAC permissions, experimental SDK transport

    8.5.0-rc.0 bundles the most directional work in months: a server-side OAuth flow with CSRF/PKCE and 2FA-on-OAuth, four new ABAC admin permissions, an experimental SDK-over-DDP transport flag, and image-URL XSS sanitization. This is where the security and architecture themes the codebase has been carrying for cycles step forward at once.

  2. 23d ago

    8.4.0-rc.2: meteor version bump

    Routine meteor-version bump RC inside the 8.4 cycle, with no new features. Part of the stabilization tail before the 8.4 line cuts GA.

  3. 28d ago

    8.4.0-rc.1: meteor version bump

    Another meteor-version bump RC in the same 8.4 stabilization sequence. No user-visible changes.

  4. 1mo ago

    8.4.0-rc.0: cold storage for read receipts, Virtru ABAC, livechat externalIds

    The substantive 8.4 RC: Cold Storage Archiving for Read Receipts (enterprise scale), Virtru-as-PDP for ABAC, livechat externalIds, omnichannel routing fixes, accessibility (image alt-text), and a `skipTranspile` flag staging Babel's removal in 9.0.0. Sets up the security and governance themes 8.5.0-rc.0 pushes further.
