poc: Passport OAuth

[yash-rajpal]

Proposed changes (including videos or screenshots)

Issue(s)

Steps to test or reproduce

Further comments

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label
• This PR is missing the required milestone or project
• This PR has an invalid title

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: e2ffa19

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Tip

Issue Planner is now in beta. Read the docs and try it out! Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

In general, the problem should be fixed by adding a rate-limiting middleware in front of HTTP routes that perform authentication/authorization or other expensive operations. In Express, this is typically achieved by using a library like express-rate-limit and applying it either globally or to specific routes. For OAuth callbacks, per-route limiting is often preferred to avoid impacting unrelated endpoints.

For this file, the minimal, non-breaking fix is to introduce express-rate-limit, define a conservative limiter (for example, allowing a small number of login attempts per IP over a time window), and apply it to both /auth/facebook/callback and /auth/github/callback. We should not change the semantics of the existing handlers: they must still authenticate via Passport and then perform the current Meteor Account operations. The rate limiter should be inserted into the middleware chain between app.get(path, ...) and the final handler, or as an additional middleware parameter to app.get. Because imports already use ES module style (import express from 'express';), we will import the limiter likewise. We will define a shared limiter constant near where the app is created, and then attach it to both callback routes. This keeps the change localized to apps/meteor/server/passport.ts and does not alter existing business logic.

Concretely:

• Add an import for express-rate-limit at the top of apps/meteor/server/passport.ts.
• Define a loginLimiter (or similar) after const app = express(); and before the route definitions, with a reasonable windowMs and max values.
• Modify:
  • app.get('/auth/facebook/callback', passport.authenticate(...), async (req, res) => { ... });
  • app.get('/auth/github/callback', passport.authenticate(...), async (req, res) => { ... });
    so that each includes loginLimiter as an additional middleware in the chain (e.g., app.get('/auth/facebook/callback', loginLimiter, passport.authenticate(...), async ...)).

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.50%. Comparing base (eb366e7) to head (e2ffa19).
⚠️ Report is 52 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #38592      +/-   ##
===========================================
+ Coverage    70.39%   70.50%   +0.10%     
===========================================
  Files         3161     3163       +2     
  Lines       110654   110931     +277     
  Branches     19892    19988      +96     
===========================================
+ Hits         77895    78207     +312     
+ Misses       30731    30698      -33     
+ Partials      2028     2026       -2     

Flag	Coverage Δ
unit	71.48% <ø> (+0.08%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

📦 Docker Image Size Report

📈 Changes

Service	Current	Baseline	Change	Percent
sum of all images	1.1GiB	1.1GiB	+11MiB
rocketchat	360MiB	349MiB	+11MiB
omnichannel-transcript-service	134MiB	134MiB	+560B
queue-worker-service	134MiB	134MiB	+2.7KiB
ddp-streamer-service	128MiB	128MiB	+2.0KiB
account-service	115MiB	115MiB	+3.0KiB
authorization-service	112MiB	112MiB	+2.0KiB
presence-service	112MiB	112MiB	+2.9KiB

📊 Historical Trend

---
config:
  theme: "dark"
  xyChart:
    width: 900
    height: 400
---
xychart
  title "Image Size Evolution by Service (Last 30 Days + This PR)"
  x-axis ["11/24 17:34", "11/27 22:32", "11/28 19:05", "12/01 23:01", "12/02 21:57", "12/03 21:00", "12/04 18:17", "12/05 21:56", "12/08 20:15", "12/09 22:17", "12/10 23:26", "12/11 21:56", "12/12 22:45", "12/13 01:34", "12/15 22:31", "12/16 22:18", "12/17 21:04", "12/18 23:12", "12/19 23:27", "12/20 21:03", "12/22 18:54", "12/23 16:16", "12/24 19:38", "12/25 17:51", "12/26 13:18", "12/29 19:01", "12/30 20:52", "02/12 22:57", "02/13 22:38", "02/16 14:04", "02/16 17:27 (PR)"]
  y-axis "Size (GB)" 0 --> 0.5
  line "account-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "authorization-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "ddp-streamer-service" [0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12]
  line "omnichannel-transcript-service" [0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13]
  line "presence-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "queue-worker-service" [0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13]
  line "rocketchat" [0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.35]

Loading

Statistics (last 30 days):

• 📊 Average: 1.5GiB
• ⬇️ Minimum: 1.4GiB
• ⬆️ Maximum: 1.6GiB
• 🎯 Current PR: 1.1GiB

ℹ️ About this report

This report compares Docker image sizes from this build against the develop baseline.

• Tag: pr-38592
• Baseline: develop
• Timestamp: 2026-02-16 17:27:03 UTC
• Historical data points: 30

---

Updated: Mon, 16 Feb 2026 17:27:03 GMT