fix(custom-oauth): pass SSRF allowlist to all fetch calls in CustomOAuth #40587

Open

Varun789-mx wants to merge 1 commit into RocketChat:develop from Varun789-mx:fix/custom-oauth-ssrf-allowlist

Conversation


@Varun789-mx Varun789-mx commented May 17, 2026

Proposed changes (including videos or screenshots)

This fix ensures the SSRF_Allowlist admin setting is respected during
Custom OAuth token exchanges and identity fetches.

Previously, the getAccessToken, getIdentity, and getEmailFromPath
methods in app/custom-oauth/server/custom_oauth_server.js called
fetch() without passing the allowList option, causing all Custom
OAuth requests to bypass the SSRF allowlist configured by the admin.

This affected self-hosted deployments where the OAuth/OIDC provider
(e.g., Keycloak, WSO2, Authentik) is on a private network — a standard
pattern for homelab, on-premise, and air-gapped environments.

The fix passes allowList: settings.get('SSRF_Allowlist') to all three
fetch calls, consistent with how other internal fetch calls handle this
(e.g., app/apps/server/bridges/http.ts).

Issue(s)

Closes #40586

Steps to test or reproduce

  1. Deploy Rocket.Chat self-hosted
  2. Configure a Custom OAuth provider pointing at an IdP on a private IP
    (e.g., Keycloak at https://idp.local:9443)
  3. Add the host/IP to the SSRF Allowlist in
    Admin > General > SSRF Protection > SSRF Allowlist
  4. Attempt to log in with the Custom OAuth provider
  5. Without this fix: login fails with error-ssrf-validation-failed
  6. With this fix: token exchange succeeds and login completes normally

Further comments

The fix also adds ignoreSsrfValidation: true to these fetch calls,
consistent with the security rationale that these URLs can only be
configured by privileged admins. Reviewers should confirm this
aligns with the intended security posture for OAuth endpoints.

Summary by CodeRabbit

  • Bug Fixes
    • Strengthened OAuth handshake security: outbound HTTP calls for token exchange, identity retrieval, and optional email lookup now enforce a configured SSRF allowlist instead of bypassing SSRF checks, reducing exposure to unsafe remote endpoints.


changeset-bot Bot commented May 17, 2026

⚠️ No Changeset found

Latest commit: 86fbcaf

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


dionisio-bot Bot commented May 17, 2026

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label
  • This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines


CLAassistant commented May 17, 2026

CLA assistant check
All committers have signed the CLA.


coderabbitai Bot commented May 17, 2026

No actionable comments were generated in the recent review. 🎉

Walkthrough

Custom OAuth server HTTP calls for token exchange, identity retrieval, and email lookup now include the SSRF allowlist setting from admin configuration. The fetch options in getAccessToken, getIdentity, and getEmailFromPath add allowList: settings.get('SSRF_Allowlist').

Changes

SSRF Allowlist for OAuth Handshake

Layer / File(s): OAuth fetch endpoints with SSRF allowlist
  apps/meteor/app/custom-oauth/server/custom_oauth_server.js

Summary: getAccessToken (token POST), getIdentity (identity GET), and getEmailFromPath (email GET) now pass allowList: settings.get('SSRF_Allowlist') in their fetch options instead of relying on ignoreSsrfValidation: true.

Sequence Diagram(s)

sequenceDiagram
  participant CustomOAuthServer
  participant Settings
  participant IdentityProvider
  CustomOAuthServer->>Settings: read SSRF_Allowlist
  CustomOAuthServer->>IdentityProvider: POST /oauth/token (allowList: SSRF_Allowlist)
  CustomOAuthServer->>IdentityProvider: GET /userinfo (allowList: SSRF_Allowlist)
  CustomOAuthServer->>IdentityProvider: GET /email (allowList: SSRF_Allowlist)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

area: authentication

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main change: passing SSRF allowlist to fetch calls in CustomOAuth, which is precisely what the PR modifies.
  • Linked Issues check: ✅ Passed. The PR addresses all key objectives from issue #40586: adding allowList to getAccessToken, getIdentity, and getEmailFromPath fetch calls, ensuring the SSRF_Allowlist admin setting is honored, and enabling OAuth/OIDC on private networks.
  • Out of Scope Changes check: ✅ Passed. All changes are directly scoped to the linked issue: modifying only the three methods (getAccessToken, getIdentity, getEmailFromPath) to add allowList configuration, with no unrelated alterations.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@Varun789-mx Varun789-mx changed the title from "fix:(custom-oauth) pass SSRF allowlist to all fetch calls in CustomOAuth" to "fix(custom-oauth): pass SSRF allowlist to all fetch calls in CustomOAuth" May 17, 2026

Contributor
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/meteor/app/custom-oauth/server/custom_oauth_server.js`:
- Line 150: The SSRF options are contradictory: calls to the server-fetch
options set both ignoreSsrfValidation: true and allowList:
settings.get('SSRF_Allowlist'), so decide and make them consistent across all
usages (the calls that pass these options to `@rocket.chat/server-fetch`): either
remove ignoreSsrfValidation: true and keep allowList to enforce the whitelist,
or remove allowList and keep ignoreSsrfValidation: true if you intend a full
bypass; update every occurrence that currently includes both (references:
ignoreSsrfValidation, allowList, settings.get('SSRF_Allowlist')) and add a short
inline comment stating which of the two approaches you chose and why for future
reviewers.
Contributor
@cubic-dev-ai cubic-dev-ai Bot left a comment

2 issues found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


File: apps/meteor/app/custom-oauth/server/custom_oauth_server.js

Violation 1 (apps/meteor/app/custom-oauth/server/custom_oauth_server.js:186)

P1: `ignoreSsrfValidation: true` and `allowList` are mutually exclusive in `@rocket.chat/server-fetch`. When `ignoreSsrfValidation` is `true`, the code skips the entire SSRF validation branch including the allowList check — so the `allowList` parameter here is dead code and has no effect.

The existing codebase pattern (e.g., `AppHttpBridge`) treats these as exclusive:
```js
shouldIgnoreSsrf
  ? { ignoreSsrfValidation: true }
  : { ignoreSsrfValidation: false, allowList: settings.get('SSRF_Allowlist') }
```

To actually enforce the SSRF allowlist (which is the stated goal of this PR), remove `ignoreSsrfValidation: true` and keep only `allowList`. If full bypass is intended instead, remove `allowList` to avoid the misleading appearance of protection.

P1: Same issue here: `ignoreSsrfValidation: true` causes the entire SSRF validation (including `allowList`) to be skipped. The `allowList` parameter has no effect. Remove `ignoreSsrfValidation: true` to enforce the allowlist, or remove `allowList` if full bypass is intended.


Contributor
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/meteor/app/custom-oauth/server/custom_oauth_server.js`:
- Around line 290-293: Update the stale security comment above the fetch call
that uses this.emailPath so it accurately reflects that the SSRF allowlist is
enforced (the fetch includes allowList: settings.get('SSRF_Allowlist')),
matching the wording used by the other two security comments; locate the comment
immediately before the fetch(...) call in custom_oauth_server.js and replace
"It's ok to disable this check here." with a statement indicating the SSRF check
is being enforced (e.g., "SSRF allowlist enforced via allowList option.").
🔇 Additional comments (2)
apps/meteor/app/custom-oauth/server/custom_oauth_server.js (2)

144-150: LGTM!

183-186: LGTM!

@Varun789-mx Varun789-mx force-pushed the fix/custom-oauth-ssrf-allowlist branch from 17d9d7d to 0f97354 on May 17, 2026 09:13
@Varun789-mx Varun789-mx force-pushed the fix/custom-oauth-ssrf-allowlist branch from f909239 to 86fbcaf on May 17, 2026 18:00

Development

Successfully merging this pull request may close these issues.

Custom OAuth token exchange ignores SSRF_Allowlist setting

2 participants