chore: Passport Gitlab OAuth

[yash-rajpal]

Proposed changes (including videos or screenshots)

Issue(s)

Steps to test or reproduce

Further comments

PRM-42

Summary by CodeRabbit

Release Notes

• Bug Fixes
  • Enhanced GitLab OAuth authentication configuration to reliably apply settings changes and properly handle enable/disable states.

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label
• This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: 96c02d7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

GitLab OAuth configuration is refactored to re-register the Passport strategy instead of directly mutating a CustomOAuth instance. Imports are updated to use OAuthConfiguration and addPassportCustomOAuth, a new configureGitlabOAuth function handles strategy registration with runtime setting validation, and the settings watcher is expanded to monitor the enable flag and client credentials.

Changes

GitLab OAuth Configuration Refactoring

Layer / File(s)

Summary

GitLab OAuth strategy refactoring apps/meteor/app/gitlab/server/lib.ts

Imports are updated from OauthConfig/CustomOAuth to OAuthConfiguration and addPassportCustomOAuth. A new configureGitlabOAuth function unuses the existing gitlab Passport strategy, reads OAuth settings (enabled flag, client credentials, GitLab URL, identity path, merge-users), normalizes the server URL, and re-registers the strategy via addPassportCustomOAuth. The settings watcher is expanded to monitor the enable flag and credential keys.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• RocketChat/Rocket.Chat#40203: Main PR's GitLab OAuth wiring now re-registers the Passport strategy via addPassportCustomOAuth('gitlab', ...), which directly depends on the custom-Passport OAuth infrastructure introduced in this PR.

Suggested labels

type: chore

Suggested reviewers

• KevLehman
• ricardogarim

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'chore: Passport Gitlab OAuth' is vague and uses generic terms that don't clearly describe the specific changes made to the OAuth configuration implementation.	Consider a more specific title that describes the key change, such as 'refactor: Extract GitLab OAuth configuration into dedicated function' or 'chore: Refactor GitLab OAuth configuration to use passport strategy registration'.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)

• PRM-42: Request failed with status code 401

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/meteor/app/gitlab/server/lib.ts`:
- Line 31: The expression that initializes serverURL calls .trim() on
settings.get('API_Gitlab_URL') without guarding for null/undefined; update the
serverURL initialization so the value from
settings.get<string>('API_Gitlab_URL') is defaulted or checked before calling
.trim() (for example, use optional chaining or fallback to an empty string) and
then apply .trim().replace(...) so serverURL is computed safely in the
declaration where serverURL is defined.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 373a3557-e504-4dde-a235-c04b25f6471b

📥 Commits

Reviewing files that changed from the base of the PR and between afda09b and 96c02d7.

📒 Files selected for processing (1)

• apps/meteor/app/gitlab/server/lib.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: cubic · AI code reviewer
• GitHub Check: 📦 Build Packages
• GitHub Check: CodeQL-Build

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/app/gitlab/server/lib.ts

🧠 Learnings (3)

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/app/gitlab/server/lib.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/app/gitlab/server/lib.ts

📚 Learning: 2026-05-06T12:21:44.083Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

• apps/meteor/app/gitlab/server/lib.ts

🔇 Additional comments (5)

apps/meteor/app/gitlab/server/lib.ts (5)

1-6: LGTM!

---

9-19: LGTM!

---

24-27: LGTM!

Also applies to: 29-30, 32-33, 35-37, 39-40

---

42-56: LGTM!

---

22-22: ⚡ Quick win

No action needed. passport.unuse() safely handles missing strategies without throwing an error—it simply deletes the entry if it exists and returns the authenticator instance. The code is correct as written.

			> Likely an incorrect or invalid review comment.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.71%. Comparing base (afda09b) to head (96c02d7).

Additional details and impacted files

@@                     Coverage Diff                      @@
##           feat/phishing-resistant-mfa   #40609   +/-   ##
============================================================
  Coverage                        69.70%   69.71%           
============================================================
  Files                             3322     3320    -2     
  Lines                           122760   122705   -55     
  Branches                         21839    21928   +89     
============================================================
- Hits                             85569    85541   -28     
+ Misses                           33853    33823   -30     
- Partials                          3338     3341    +3     

Flag	Coverage Δ
unit	70.39% <ø> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[cubic-dev-ai]

No issues found across 1 file

_{Re-trigger cubic}

[abhinavkrin]

When the settings are changed, the addPassportCustomOAuth re adds the endpoint routes. Will it have impact on memory (duplications) or are the routes just overwritten?

Rest everything LGTM.

[yash-rajpal]

I was checking this, I assumed it will overwrite but sadly no, it adds middlewares to the chain.

For our implementation it shouldn't create any impact as we send a response, so it never goes to stacked middleware.

I'll open a task to improve this, for now it should increase a little memory consumption if routes are over-written many times.