chore: Passport login UI

[yash-rajpal]

Proposed changes (including videos or screenshots)

This is a temporary change on Login web UI, which should support both OAuth, legacy meteor OAuth and new Passport OAuth. The idea behind supporting both of these OAuth flows is for testing both side by side.

We can enable these flows by setting a flag fuselage-localStorage-useLegacyOAuth on local storage as follows -

• To use new Passport flow - Either don't set the flag on local storage or set it as false.
• To use legacy meteor flow - Set the flag variable as true.

Issue(s)

Steps to test or reproduce

Further comments

PRM-17

Summary by CodeRabbit

• Bug Fixes

  • Sign-out now immediately clears local user data and exits the session flow to prevent stale state during logout.

• New Features

  • Added a legacy OAuth mode toggle for login services.
  • When legacy mode is off, logins perform a direct OAuth redirect; when on, the previous in-app login flow is preserved.

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label
• This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: 0a659fc

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1a52109c-beff-4a0b-adfd-089b42327530

📥 Commits

Reviewing files that changed from the base of the PR and between a34df10 and 0a659fc.

📒 Files selected for processing (1)

• packages/web-ui-registration/src/LoginServicesButton.tsx

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/web-ui-registration/src/LoginServicesButton.tsx

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: 📦 Build Packages
• GitHub Check: CodeQL-Build
• GitHub Check: CodeQL-Build

---

Walkthrough

Startup now exits early during Meteor logout before syncing user data; the login button reads a persisted useLegacyOAuth flag and either redirects to /oauth/{service} or calls the existing handler, enabling conditional legacy OAuth flow.

Changes

Cohort / File(s)	Summary
Client startup logout guard apps/meteor/client/startup/startup.ts	Adds Meteor.loggingOut() check inside Tracker.autorun to remove local user data and return immediately when logging out, reordering early-return logic before calling watchUserId() and subsequent synchronizeUserData(uid) flow.
Login button OAuth routing packages/web-ui-registration/src/LoginServicesButton.tsx	Introduces useLocalStorage<boolean>('useLegacyOAuth', false) and updates handleOnClick to immediately redirect to /oauth/${service} when the flag is false; preserves original handler() flow (with error mapping) when true and updates hook dependencies.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

type: feature, area: authentication

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'chore: Passport login UI' is vague and generic, using non-specific terms that don't clearly convey what the changeset accomplishes.	Use a more descriptive title that explains the main change, such as 'chore: Add Passport OAuth flow with legacy Meteor fallback toggle' to clarify the dual-flow implementation.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	The PR partially addresses PRM-17 by implementing Passport OAuth flow support alongside legacy Meteor OAuth, enabling side-by-side testing as a stepping stone toward full migration.
Out of Scope Changes check	✅ Passed	All changes directly support the Passport OAuth implementation objective: LoginServicesButton adds the toggle logic, and startup.ts adds logout handling for the new flow.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.87%. Comparing base (2243b8a) to head (0a659fc).
⚠️ Report is 1 commits behind head on feat/phishing-resistant-mfa.

Additional details and impacted files

@@                       Coverage Diff                       @@
##           feat/phishing-resistant-mfa   #39848      +/-   ##
===============================================================
+ Coverage                        70.44%   70.87%   +0.43%     
===============================================================
  Files                             3242     3207      -35     
  Lines                           115099   113351    -1748     
  Branches                         20930    20552     -378     
===============================================================
- Hits                             81076    80337     -739     
+ Misses                           31972    30970    -1002     
+ Partials                          2051     2044       -7     

Flag	Coverage Δ
unit	71.56% <ø> (+0.60%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[cubic-dev-ai]

1 issue found across 2 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/meteor/client/startup/startup.ts">

<violation number="1" location="apps/meteor/client/startup/startup.ts:30">
P1: When `watchUserId()` is empty, this branch now returns without clearing local user data, which can leave stale user state cached after auth loss/logout paths.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[coderabbitai]

🧹 Nitpick comments (1)

packages/web-ui-registration/src/LoginServicesButton.tsx (1)

35-35: Encode service before composing the redirect URL.

Use URL encoding defensively to avoid malformed paths if provider identifiers ever include reserved characters.

Suggested patch

-			window.location.href = `/oauth/${service}`;
+			window.location.href = `/oauth/${encodeURIComponent(service)}`;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/web-ui-registration/src/LoginServicesButton.tsx` at line 35, The
redirect URL uses an unencoded provider identifier in window.location.href =
`/oauth/${service}`, which can break if service contains reserved characters;
update the LoginServicesButton click/redirect logic to encode the provider
before composing the path (use encodeURIComponent on the service value) and
ensure the value is a non-null string (e.g., coerce/trim) before encoding so the
composed URL is safe and well-formed.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@packages/web-ui-registration/src/LoginServicesButton.tsx`:
- Line 35: The redirect URL uses an unencoded provider identifier in
window.location.href = `/oauth/${service}`, which can break if service contains
reserved characters; update the LoginServicesButton click/redirect logic to
encode the provider before composing the path (use encodeURIComponent on the
service value) and ensure the value is a non-null string (e.g., coerce/trim)
before encoding so the composed URL is safe and well-formed.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9d5bd657-c6a7-4ada-8e05-f3f518ae8ce6

📥 Commits

Reviewing files that changed from the base of the PR and between 2243b8a and a34df10.

📒 Files selected for processing (2)

• apps/meteor/client/startup/startup.ts
• packages/web-ui-registration/src/LoginServicesButton.tsx

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (15)

• GitHub Check: 🔨 Test UI (EE) / MongoDB 8.0 coverage (1/5)
• GitHub Check: 🔨 Test UI (EE) / MongoDB 8.0 coverage (5/5)
• GitHub Check: 🔨 Test UI (EE) / MongoDB 8.0 coverage (4/5)
• GitHub Check: 🔨 Test UI (EE) / MongoDB 8.0 coverage (3/5)
• GitHub Check: 🔨 Test UI (EE) / MongoDB 8.0 coverage (2/5)
• GitHub Check: 🔨 Test UI (CE) / MongoDB 8.0 (3/4)
• GitHub Check: 🔨 Test API Livechat (CE) / MongoDB 8.0 (1/1)
• GitHub Check: 🔨 Test API Livechat (EE) / MongoDB 8.0 coverage (1/1)
• GitHub Check: 🔨 Test UI (CE) / MongoDB 8.0 (2/4)
• GitHub Check: 🔨 Test UI (CE) / MongoDB 8.0 (4/4)
• GitHub Check: 🔨 Test API (CE) / MongoDB 8.0 (1/1)
• GitHub Check: 🔨 Test UI (CE) / MongoDB 8.0 (1/4)
• GitHub Check: 🔨 Test API (EE) / MongoDB 8.0 coverage (1/1)
• GitHub Check: 🔨 Test Federation Matrix
• GitHub Check: cubic · AI code reviewer

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• packages/web-ui-registration/src/LoginServicesButton.tsx
• apps/meteor/client/startup/startup.ts

🧠 Learnings (6)

📓 Common learnings

Learnt from: smirk-dev
Repo: RocketChat/Rocket.Chat PR: 39625
File: apps/meteor/app/api/server/v1/push.ts:85-97
Timestamp: 2026-03-14T14:58:58.834Z
Learning: In RocketChat/Rocket.Chat, the `push.token` POST/DELETE endpoints in `apps/meteor/app/api/server/v1/push.ts` were already migrated to the chained router API pattern on `develop` prior to PR `#39625`. `cleanTokenResult` (which strips `authToken` and returns `PushTokenResult`) and `isPushTokenPOSTProps`/`isPushTokenDELETEProps` validators already exist on `develop`. PR `#39625` only migrates `push.get` and `push.info` to the chained pattern. Do not flag `cleanTokenResult` or `PushTokenResult` as newly introduced behavior-breaking changes when reviewing this PR.

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 0
File: :0-0
Timestamp: 2026-02-24T19:05:56.710Z
Learning: Rocket.Chat repo context: When a workspace manifest on develop already pins a dependency version (e.g., packages/web-ui-registration → "rocket.chat/ui-contexts": "27.0.1"), a lockfile change in a feature PR that upgrades only that dependency’s resolution is considered a manifest-driven sync and can be kept, preferably as a small "chore: sync yarn.lock with manifests" commit.

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38974
File: apps/meteor/app/api/server/v1/im.ts:220-221
Timestamp: 2026-02-24T19:09:09.561Z
Learning: In RocketChat/Rocket.Chat OpenAPI migration PRs for apps/meteor/app/api/server/v1 endpoints, maintainers prefer to avoid any logic changes; style-only cleanups (like removing inline comments) may be deferred to follow-ups to keep scope tight.

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 0
File: :0-0
Timestamp: 2026-02-24T19:05:56.710Z
Learning: In Rocket.Chat PRs, keep feature PRs free of unrelated lockfile-only dependency bumps; prefer reverting lockfile drift or isolating such bumps into a separate "chore" commit/PR, and always use yarn install --immutable with the Yarn version pinned in package.json via Corepack.

Learnt from: amitb0ra
Repo: RocketChat/Rocket.Chat PR: 39647
File: apps/meteor/app/api/server/v1/users.ts:710-757
Timestamp: 2026-03-15T14:31:28.969Z
Learning: In RocketChat/Rocket.Chat, the `UserCreateParamsPOST` type in `apps/meteor/app/api/server/v1/users.ts` (migrated from `packages/rest-typings/src/v1/users/UserCreateParamsPOST.ts`) intentionally has `fields: string` (non-optional) and `settings?: IUserSettings` without a corresponding AJV schema entry. This is a pre-existing divergence carried over verbatim from the original rest-typings source (PR `#39647`). Do not flag this type/schema misalignment during the OpenAPI migration review — it is tracked as a separate follow-up fix.

📚 Learning: 2026-03-11T22:04:20.529Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 39545
File: apps/meteor/client/views/room/body/hooks/useHasNewMessages.ts:59-61
Timestamp: 2026-03-11T22:04:20.529Z
Learning: In `apps/meteor/client/views/room/body/hooks/useHasNewMessages.ts`, the `msg.u._id === uid` early-return in the `streamNewMessage` handler is intentional: the "New messages" indicator is designed to notify about messages from other users only. Self-sent messages — including those sent from a different session/device — are always skipped, by design. Do not flag this as a multi-session regression.

Applied to files:

• apps/meteor/client/startup/startup.ts

📚 Learning: 2026-03-16T11:57:17.987Z

Learnt from: ricardogarim
Repo: RocketChat/Rocket.Chat PR: 39657
File: apps/meteor/tests/end-to-end/apps/app-resolve-visitor.ts:43-45
Timestamp: 2026-03-16T11:57:17.987Z
Learning: In `apps/meteor/tests/end-to-end/apps/app-resolve-visitor.ts`, `externalIds` lookups are namespaced per `app.id`. Because `cleanupApps()` is called before each test run and a fresh app is installed (giving a new unique `app.id`), fixed `userId` strings like `'nonexistent-id'` in null-path tests are safe and cannot collide with stale visitor records from previous runs. Do not flag these as needing unique/random values.

Applied to files:

• apps/meteor/client/startup/startup.ts

📚 Learning: 2026-02-10T16:32:42.586Z

Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 38528
File: apps/meteor/client/startup/roles.ts:14-14
Timestamp: 2026-02-10T16:32:42.586Z
Learning: In Rocket.Chat's Meteor client code, DDP streams use EJSON and Date fields arrive as Date objects; do not manually construct new Date() in stream handlers (for example, in sdk.stream()). Only REST API responses return plain JSON where dates are strings, so implement explicit conversion there if needed. Apply this guidance to all TypeScript files under apps/meteor/client to ensure consistent date handling in DDP streams and REST responses.

Applied to files:

• apps/meteor/client/startup/startup.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/client/startup/startup.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/client/startup/startup.ts

🔇 Additional comments (4)

packages/web-ui-registration/src/LoginServicesButton.tsx (2)

31-37: OAuth flow toggle is implemented correctly.

Defaulting to Passport redirect and falling back to legacy handler when useLegacyOAuth is true matches the migration/testing objective.

---

45-45: useCallback dependency list update looks correct.

Including both useLegacyOAuth and service avoids stale callback behavior after toggles/prop changes.

apps/meteor/client/startup/startup.ts (2)

15-18: Early logout cleanup ordering is a good change.

Running removeLocalUserData() before the rest of the autorun flow on logout makes the cleanup path explicit and immediate.

---

28-32: uid guard before synchronization is correct.

Returning early when no user id is present prevents unnecessary/invalid user-data synchronization attempts.