fix: do not encrypt messages when workspace E2E is disabled

[OtavioStasiak]

Proposed changes

encryptMessage only checked the per-subscription encrypted flag, so a room with a stale encrypted: true value on the local subscription would still attempt to encrypt messages even when the workspace-level setting E2E_Enable was disabled. Since no session key was available, encryptMessage returned undefined, which then caused sendMessageCall to crash when destructuring _id, leaving the local message stuck in the TEMP state (preventing the user from sending messages).
This PR aligns mobile behavior with web behavior: when E2E_Enable is false at the workspace level, encryptMessage
now short-circuits and returns the plain message regardless of the local subscription flag.

Added unit tests covering the new branch, as well as the existing
encryptMessage branches:

• subscription not encrypted
• no session key available
• happy path
• subscription lookup error

Issue(s)

https://rocketchat.atlassian.net/browse/SUP-994

How to test or reproduce

Pre-requisites: a workspace where E2E_Enable is off at
admin settings, and a DM whose local subscription has encrypted: true (typically a DM that was previously encrypted, or one
stamped encrypted server-side).

Before the fix:

1. Open the DM on mobile.
2. Type any message and tap send.
3. The message stays as "sending" (TEMP) and never reaches the server.

After the fix:

1. Open the same DM on mobile.
2. Type any message and tap send.
3. Message is delivered as plain text — matching web's payload ({ _id, rid, msg }, no t: 'e2e').

Screenshots

Types of changes

• Bugfix (non-breaking change which fixes an issue)
• Improvement (non-breaking change which improves a current function)
• New feature (non-breaking change which adds functionality)
• Documentation update (if none of the other choices apply)

Checklist

• I have read the CONTRIBUTING doc
• I have signed the CLA
• Lint and unit tests pass locally with my changes
• I have added tests that prove my fix is effective or that my feature works (if applicable)
• I have added necessary documentation (if applicable)
• Any dependent changes have been merged and published in downstream modules

Further comments

Summary by CodeRabbit

Release Notes

• Bug Fixes

  • Updated end-to-end encryption behavior to respect workspace-level security settings. Messages are now encrypted only when encryption is enabled at the workspace level, ensuring consistent protection across conversations.

• Tests

  • Added test coverage for message encryption behavior, validating workspace settings, subscription encryption status, and session key handling.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: aba0edf0-81f1-4a22-b4d6-8ca3e0a12797

📥 Commits

Reviewing files that changed from the base of the PR and between d460448 and 5491562.

📒 Files selected for processing (2)

• app/lib/encryption/encryption.test.ts
• app/lib/encryption/encryption.ts

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: E2E Build Android / android-build
• GitHub Check: ESLint and Test / run-eslint-and-test
• GitHub Check: format

🧰 Additional context used

📓 Path-based instructions (5)

**/*.{js,ts,jsx,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{js,ts,jsx,tsx}: Use descriptive names for functions, variables, and classes that clearly convey their purpose
Write comments that explain the 'why' behind code decisions, not the 'what'
Keep functions small and focused on a single responsibility
Use const by default, let when reassignment is needed, and avoid var
Prefer async/await over .then() chains for handling asynchronous operations
Use explicit error handling with try/catch blocks for async operations
Avoid deeply nested code; refactor complex logic into helper functions

Files:

• app/lib/encryption/encryption.ts
• app/lib/encryption/encryption.test.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx}: Use TypeScript for type safety; add explicit type annotations to function parameters and return types
Prefer interfaces over type aliases for defining object shapes in TypeScript
Use enums for sets of related constants rather than magic strings or numbers

Files:

• app/lib/encryption/encryption.ts
• app/lib/encryption/encryption.test.ts

**/*.{ts,tsx,js,jsx,json}

📄 CodeRabbit inference engine (CLAUDE.md)

Use Prettier formatting with tabs, single quotes, 130 character width, no trailing commas, avoid arrow parens, and bracket same line

Files:

• app/lib/encryption/encryption.ts
• app/lib/encryption/encryption.test.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Use ESLint with @rocket.chat/eslint-config base including React, React Native, TypeScript, and Jest plugins

Files:

• app/lib/encryption/encryption.ts
• app/lib/encryption/encryption.test.ts

app/lib/encryption/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Use @rocket.chat/mobile-crypto for E2E encryption in 'app/lib/encryption/' directory

Files:

• app/lib/encryption/encryption.ts
• app/lib/encryption/encryption.test.ts

🧠 Learnings (1)

📚 Learning: 2026-04-30T17:07:51.020Z

Learnt from: diegolmello
Repo: RocketChat/Rocket.Chat.ReactNative PR: 7274
File: app/lib/services/voip/MediaCallEvents.ts:0-0
Timestamp: 2026-04-30T17:07:51.020Z
Learning: In this Rocket.Chat React Native codebase, the ESLint rule `no-void: error` is enforced. When you see a promise returned from an async call that is not awaited (a “floating promise”), do not silence it with the `void somePromise()` pattern. Instead, handle the promise explicitly by attaching `.catch(...)` (or otherwise awaiting/handling the error) so unhandled-rejection risks are addressed in a way that satisfies the existing ESLint configuration.

Applied to files:

• app/lib/encryption/encryption.ts
• app/lib/encryption/encryption.test.ts

🔇 Additional comments (2)

app/lib/encryption/encryption.ts (1)

530-535: LGTM!

app/lib/encryption/encryption.test.ts (1)

1-143: LGTM!

---

Walkthrough

The PR adds a workspace-level E2E_Enable setting check to the encryptMessage function so encryption is skipped when disabled globally. A test suite validates the updated logic across five scenarios: disabled E2E, unencrypted subscription, missing session key, successful encryption, and subscription lookup errors.

Changes

E2E Workspace-Level Encryption Guard

Layer / File(s)	Summary
E2E_Enable guard implementation app/lib/encryption/encryption.ts	encryptMessage now checks store.getState().settings.E2E_Enable before processing any encryption; if false, it returns the original message unencrypted, regardless of subscription or session-key state.
Test suite for E2E_Enable and encryption paths app/lib/encryption/encryption.test.ts	Comprehensive Jest test suite that stubs crypto, filesystem, API, preferences, store, database, and room-encryption dependencies. Five test cases validate plaintext return when E2E is disabled, unencrypted subscription, missing session key, successful encryption delegation, and subscription lookup error fallback.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested labels

type: bug

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main bug fix: preventing message encryption when the workspace-level E2E_Enable setting is disabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)

• SUP-994: Request failed with status code 401

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}