Skip to content

chore: Passport Meteor OAuth#40595

Merged
yash-rajpal merged 6 commits into
feat/phishing-resistant-mfafrom
passport-meteor-oauth
May 18, 2026
Merged

chore: Passport Meteor OAuth#40595
yash-rajpal merged 6 commits into
feat/phishing-resistant-mfafrom
passport-meteor-oauth

Conversation

@yash-rajpal
Copy link
Copy Markdown
Member

@yash-rajpal yash-rajpal commented May 18, 2026
edited by coderabbitai Bot
Loading

Proposed changes (including videos or screenshots)

Issue(s)

Steps to test or reproduce

Further comments

PRM-35

Summary by CodeRabbit

  • New Features
    • Add OAuth sign-in via the Meteor Developer provider when credentials are configured.
    • Provider registration updates automatically at runtime when related settings or credentials change.
    • Account visibility rules: full service details shown only to the account owner; provider username shown to other users when available.

Review Change Stack

@dionisio-bot
Copy link
Copy Markdown
Contributor

dionisio-bot Bot commented May 18, 2026

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label
  • This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented May 18, 2026
edited
Loading

⚠️ No Changeset found

Latest commit: d8210a2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai Bot commented May 18, 2026
edited
Loading

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bfb86b93-3d9e-4a38-8822-8922dbbdb893

📥 Commits

Reviewing files that changed from the base of the PR and between 4d317de and d8210a2.

📒 Files selected for processing (1)
  • apps/meteor/server/importPackages.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • apps/meteor/server/importPackages.ts
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: 📦 Build Packages
  • GitHub Check: CodeQL-Build
  • GitHub Check: CodeQL-Build

Walkthrough

Adds Meteor “meteor-developer” OAuth provider: defines provider config and a configure function that unregisters existing strategy and registers via addPassportCustomOAuth; watches settings for enablement/credentials; and wires the server-side package so initialization runs on startup.

Changes

Meteor Developer OAuth Integration

Layer / File(s) Summary
OAuth provider configuration and startup wiring
apps/meteor/app/meteor-developer/server/lib.ts		 configureMeteorDeveloperOAuth unregisters any existing meteor-developer Passport strategy, reads Accounts_OAuth_Meteor and client id/secret settings, returns early if disabled/missing, and registers the provider via addPassportCustomOAuth with Meteor.com endpoints, email scope, tokenSentVia: 'header', and autopublish field mappings. Meteor.startup wires settings.watchMultiple to re-run configuration on changes.
Server module entry and package registration
apps/meteor/app/meteor-developer/server/index.ts, apps/meteor/server/importPackages.ts		 Adds a side-effect index.ts that imports ./lib to execute initialization and updates importPackages.ts to include the new meteor-developer/server module in the server import list.

Sequence Diagram(s)

sequenceDiagram
  participant MeteorStartup as Meteor.startup
  participant SettingsWatcher as settings.watchMultiple
  participant ConfigFn as configureMeteorDeveloperOAuth
  participant Passport as passport.unuse
  participant Registrar as addPassportCustomOAuth
  MeteorStartup->>SettingsWatcher: watch enable + client id + client secret
  SettingsWatcher->>ConfigFn: trigger on change
  ConfigFn->>Passport: passport.unuse('meteor-developer')
  ConfigFn->>Registrar: register meteor-developer (endpoints, scope, token header, autopublish)
Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • RocketChat/Rocket.Chat#40203: Introduces the Passport custom-OAuth wiring (addPassportCustomOAuth) that this change uses to register the meteor-developer provider.

Suggested labels

area: authentication

Suggested reviewers

  • ricardogarim
  • tassoevan
  • KevLehman
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects the main change: adding Passport-based Meteor OAuth support. It is concise, specific, and clearly summarizes the primary objective of the changeset.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • PRM-35: Request failed with status code 401

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@yash-rajpal yash-rajpal marked this pull request as ready for review May 18, 2026 10:05
@yash-rajpal yash-rajpal requested a review from a team as a code owner May 18, 2026 10:05
@coderabbitai coderabbitai Bot added the type: feature Pull requests that introduces new feature label May 18, 2026
@codecov
Copy link
Copy Markdown

codecov Bot commented May 18, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (feat/phishing-resistant-mfa@9cda3cf). Learn more about missing BASE report.

Additional details and impacted files

Impacted file tree graph

@@                      Coverage Diff                       @@
##             feat/phishing-resistant-mfa   #40595   +/-   ##
==============================================================
  Coverage                               ?   69.77%           
==============================================================
  Files                                  ?     3297           
  Lines                                  ?   120967           
  Branches                               ?    21536           
==============================================================
  Hits                                   ?    84402           
  Misses                                 ?    33302           
  Partials                               ?     3263
Flag Coverage Δ
unit 70.46% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

coderabbitai[bot]
coderabbitai Bot reviewed May 18, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/meteor/app/meteor-developer/server/lib.ts`:
- Around line 6-17: The configureMeteorDeveloperOAuth function returns early
when Accounts_OAuth_Meteor is disabled or when clientId/clientSecret are missing
but doesn’t unregister a previously registered Passport strategy; update
configureMeteorDeveloperOAuth to call passport.unuse('meteor-developer') in both
early-return branches (when enabled is false and when clientId or clientSecret
are falsy) so any stale strategy is torn down before returning—refer to
configureMeteorDeveloperOAuth and the existing addPassportCustomOAuth usage for
context.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d33ab808-24fd-4620-93a4-58ea839799e3

📥 Commits

Reviewing files that changed from the base of the PR and between aa3602b and d991673.

📒 Files selected for processing (3)
  • apps/meteor/app/meteor-developer/server/index.ts
  • apps/meteor/app/meteor-developer/server/lib.ts
  • apps/meteor/server/importPackages.ts
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: cubic · AI code reviewer
  • GitHub Check: 📦 Meteor Build (coverage)
  • GitHub Check: 🔎 Code Check / Code Lint
  • GitHub Check: 🔎 Code Check / TypeScript
  • GitHub Check: 🔨 Test Unit / Unit Tests
🧰 Additional context used
📓 Path-based instructions (1)
**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

  • apps/meteor/server/importPackages.ts
  • apps/meteor/app/meteor-developer/server/index.ts
  • apps/meteor/app/meteor-developer/server/lib.ts
🧠 Learnings (3)
📚 Learning: 2026-02-26T19:25:44.063Z 
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

  • apps/meteor/server/importPackages.ts
  • apps/meteor/app/meteor-developer/server/index.ts
  • apps/meteor/app/meteor-developer/server/lib.ts
📚 Learning: 2026-02-26T19:25:44.063Z 
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

  • apps/meteor/server/importPackages.ts
  • apps/meteor/app/meteor-developer/server/index.ts
  • apps/meteor/app/meteor-developer/server/lib.ts
📚 Learning: 2026-05-06T12:21:44.083Z 
Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

  • apps/meteor/server/importPackages.ts
  • apps/meteor/app/meteor-developer/server/index.ts
  • apps/meteor/app/meteor-developer/server/lib.ts
🔇 Additional comments (3)
apps/meteor/app/meteor-developer/server/lib.ts (1)

19-32: LGTM!

apps/meteor/app/meteor-developer/server/index.ts (1)

1-1: LGTM!

apps/meteor/server/importPackages.ts (1)

36-36: LGTM!

Comment thread apps/meteor/app/meteor-developer/server/lib.ts
cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed May 18, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 3 files

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread apps/meteor/app/meteor-developer/server/lib.ts
@coderabbitai coderabbitai Bot added area: authentication and removed type: feature Pull requests that introduces new feature labels May 18, 2026
@coderabbitai coderabbitai Bot added type: feature Pull requests that introduces new feature and removed area: authentication labels May 18, 2026
@ricardogarim
Copy link
Copy Markdown
Member

ricardogarim commented May 18, 2026
edited
Loading

Important note: we’re currently unable to test this because Meteor oAuth config page is down - discussion here.

That said, we’re approving it to be merged into the main feature repo. We’ll specifically validate this provider later and make any adjustments if needed.

@coderabbitai coderabbitai Bot added area: authentication and removed type: feature Pull requests that introduces new feature labels May 18, 2026
@yash-rajpal yash-rajpal merged commit c7f7306 into feat/phishing-resistant-mfa May 18, 2026
38 of 45 checks passed
@yash-rajpal yash-rajpal deleted the passport-meteor-oauth branch May 18, 2026 21:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@KevLehman KevLehman KevLehman approved these changes

Assignees

No one assigned

Labels

area: authentication

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@yash-rajpal @ricardogarim @KevLehman