chore: Passport Twitter OAuth

[yash-rajpal]

Proposed changes (including videos or screenshots)

Issue(s)

Steps to test or reproduce

Further comments

PRM-39

Summary by CodeRabbit

• New Features

  • Twitter OAuth authentication is now supported: users can sign in/register with Twitter and receive profile and email where available.
  • OAuth provider configuration updated to support Twitter-specific options and optional scope settings.

• Chores

  • Added Twitter Passport dependency and corresponding TypeScript types.

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label
• This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: 30904be

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds Twitter OAuth: installs passport-twitter and its types, registers twitter in OAuthConfigs (optional scope, includeEmail), makes service scope optional, and configures the strategy to set consumerKey/consumerSecret while logging the Passport profile in the callback.

Changes

Twitter OAuth Integration

Layer / File(s)	Summary
Twitter OAuth dependencies apps/meteor/package.json	Adds passport-twitter (^1.0.4) and @types/passport-twitter (^1) to enable the Twitter OAuth strategy.
Twitter provider registration apps/meteor/server/lib/oauth/oauthConfigs.ts	Imports TwitterStrategy, makes scope optional and adds optional includeEmail to OAuthConfig, and registers twitter in OAuthConfigs with includeEmail: true.
Strategy initialization & callback apps/meteor/server/lib/oauth/configureOAuthServices.ts	Extends strategy options to include consumerKey/consumerSecret mapped from config.clientId/config.clientSecret, and logs the Passport profile in the authentication callback before calling Accounts.updateOrCreateUserFromExternalService.
OAuth service config typing apps/meteor/server/lib/oauth/createOAuthServiceConfig.ts	Changes OAuthServiceConfig.scope to optional and reads scope with optional chaining (OAuthConfigs[service]?.scope) and spreads provider config from OAuthConfigs[service].

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• RocketChat/Rocket.Chat#40203: Modifies Passport/OAuth setup and callback flow in configureOAuthServices.ts, related to the callback and strategy handling changes.

Suggested labels

type: feature

Suggested reviewers

• KevLehman
• ricardogarim

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding Passport Twitter OAuth support to the codebase.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)

• PRM-39: Request failed with status code 401

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.66%. Comparing base (afda09b) to head (30904be).
⚠️ Report is 1 commits behind head on feat/phishing-resistant-mfa.

Additional details and impacted files

@@                       Coverage Diff                       @@
##           feat/phishing-resistant-mfa   #40563      +/-   ##
===============================================================
- Coverage                        69.70%   69.66%   -0.05%     
===============================================================
  Files                             3322     3320       -2     
  Lines                           122760   122705      -55     
  Branches                         21839    21871      +32     
===============================================================
- Hits                             85569    85477      -92     
- Misses                           33853    33886      +33     
- Partials                          3338     3342       +4     

Flag	Coverage Δ
unit	70.31% <ø> (-0.07%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/meteor/server/lib/oauth/configureOAuthServices.ts`:
- Line 41: Remove the raw OAuth profile logging in configureOAuthServices (the
console.log('profile - ', profile) call) to avoid PII exposure; instead either
delete the log or replace it with a safe, minimal diagnostic message that only
logs non-sensitive identifiers (e.g., provider name or user id) after redacting
or extracting specific allowed fields, and ensure this change occurs inside the
configureOAuthServices function handling the OAuth callback/profile processing.

In `@apps/meteor/server/lib/oauth/oauthConfigs.ts`:
- Around line 25-28: The twitter provider config currently passes OAuth2-style
scopes (scope: ['email','profile']) which passport-twitter (TwitterStrategy)
ignores; change the twitter config to remove those scopes (e.g., scope: []) and
instead add provider-specific strategy options to request email via
includeEmail: true when constructing/initializing TwitterStrategy or its options
object; update the code that builds/instantiates TwitterStrategy (referencing
TwitterStrategy and the twitter config object) to merge provider-specific
options (includeEmail: true) so profile.emails will be populated.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 28f1c4fd-6ac9-441b-b1da-efae22775b39

📥 Commits

Reviewing files that changed from the base of the PR and between 500e008 and 92a69a6.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (3)

• apps/meteor/package.json
• apps/meteor/server/lib/oauth/configureOAuthServices.ts
• apps/meteor/server/lib/oauth/oauthConfigs.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: cubic · AI code reviewer

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/server/lib/oauth/oauthConfigs.ts
• apps/meteor/server/lib/oauth/configureOAuthServices.ts

🧠 Learnings (3)

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/server/lib/oauth/oauthConfigs.ts
• apps/meteor/server/lib/oauth/configureOAuthServices.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/server/lib/oauth/oauthConfigs.ts
• apps/meteor/server/lib/oauth/configureOAuthServices.ts

📚 Learning: 2026-05-06T12:21:44.083Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

• apps/meteor/server/lib/oauth/oauthConfigs.ts
• apps/meteor/server/lib/oauth/configureOAuthServices.ts

🔇 Additional comments (2)

apps/meteor/package.json (1)

272-272: LGTM!

Also applies to: 404-404

apps/meteor/server/lib/oauth/configureOAuthServices.ts (1)

29-30: LGTM!

[cubic-dev-ai]

2 issues found across 4 files

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Re-trigger cubic}

[cubic-dev-ai]

1 issue found across 2 files (changes from recent commits).

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/meteor/server/lib/oauth/createOAuthServiceConfig.ts`:
- Around line 19-22: The access to OAuthConfigs[service] is inconsistent:
createOAuthServiceConfig (or the block constructing the config) uses
OAuthConfigs[service].strategy without safety but uses
OAuthConfigs[service]?.scope with optional chaining; make these consistent to
avoid runtime TypeError by either removing the optional chaining on scope if
services is guaranteed valid, or (safer) apply optional chaining to all accesses
(e.g., use OAuthConfigs[service]?.strategy and OAuthConfigs[service]?.scope) and
provide sensible fallbacks for strategy, scope, clientId and clientSecret (via
settings.get or defaults) so the code never dereferences an undefined
OAuthConfigs[service]; update the references to OAuthConfigs, strategy, scope,
and the settings.get(capitalize(service)...) calls accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5713d8b3-ffd3-40d0-9406-532823a08828

📥 Commits

Reviewing files that changed from the base of the PR and between 0e5dc86 and 2fa3f41.

📒 Files selected for processing (1)

• apps/meteor/server/lib/oauth/createOAuthServiceConfig.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: 📦 Build Packages
• GitHub Check: cubic · AI code reviewer
• GitHub Check: CodeQL-Build

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/server/lib/oauth/createOAuthServiceConfig.ts

🧠 Learnings (3)

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/server/lib/oauth/createOAuthServiceConfig.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/server/lib/oauth/createOAuthServiceConfig.ts

📚 Learning: 2026-05-06T12:21:44.083Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

• apps/meteor/server/lib/oauth/createOAuthServiceConfig.ts

🔇 Additional comments (1)

apps/meteor/server/lib/oauth/createOAuthServiceConfig.ts (1)

12-12: LGTM!

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/meteor/server/lib/oauth/createOAuthServiceConfig.ts`:
- Around line 21-22: The returned config may spread a missing
OAuthConfigs[service] (services is string[]), which can omit required fields
like strategy and break OAuthServiceConfig later; in createOAuthServiceConfig
validate that OAuthConfigs[service] exists and contains the required keys (at
minimum strategy) before spreading, and if missing throw or return a clear error
mentioning the service name so the failure is fast and explicit rather than
failing during strategy initialization.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 83b79bbb-9136-4355-8152-f464d0f6d755

📥 Commits

Reviewing files that changed from the base of the PR and between 2fa3f41 and 83fcccf.

📒 Files selected for processing (2)

• apps/meteor/server/lib/oauth/configureOAuthServices.ts
• apps/meteor/server/lib/oauth/createOAuthServiceConfig.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• apps/meteor/server/lib/oauth/configureOAuthServices.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: 📦 Build Packages
• GitHub Check: cubic · AI code reviewer
• GitHub Check: CodeQL-Build
• GitHub Check: CodeQL-Build

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/server/lib/oauth/createOAuthServiceConfig.ts

🧠 Learnings (3)

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/server/lib/oauth/createOAuthServiceConfig.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/server/lib/oauth/createOAuthServiceConfig.ts

📚 Learning: 2026-05-06T12:21:44.083Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

• apps/meteor/server/lib/oauth/createOAuthServiceConfig.ts

[cubic-dev-ai]

1 issue found across 2 files (changes from recent commits).

<sub>Tip: Review your code locally with the cubic CLI to iterate faster.

Re-trigger cubic</sub>