chore: Passport Meteor OAuth

[yash-rajpal]

Proposed changes (including videos or screenshots)

Issue(s)

Steps to test or reproduce

Further comments

PRM-35

Summary by CodeRabbit

• New Features
  • Added OAuth authentication support for the Meteor Developer provider. Users can now sign in using their Meteor Developer account when the OAuth configuration is enabled with the required credentials.

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label
• This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: d991673

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

This PR adds support for Meteor Developer OAuth authentication. It introduces OAuth configuration that conditionally registers the meteor-developer strategy based on settings, wires startup initialization to watch for configuration changes, and integrates the new server module into the application's import chain.

Changes

Meteor Developer OAuth Integration

Layer / File(s)	Summary
OAuth provider configuration and startup wiring apps/meteor/app/meteor-developer/server/lib.ts	configureMeteorDeveloperOAuth function reads OAuth enablement and client credentials from settings, validates presence, and registers the meteor-developer OAuth strategy with fixed endpoint paths, email scope, and header-based token transport. Meteor.startup wires settings.watchMultiple to trigger configuration when OAuth settings change.
Server module entry and package registration apps/meteor/app/meteor-developer/server/index.ts, apps/meteor/server/importPackages.ts	Server entry point imports lib.ts to execute initialization code; importPackages.ts adds the meteor-developer/server module to the application's server-side import list.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• RocketChat/Rocket.Chat#40203: Introduces Passport custom-OAuth wiring that this PR builds upon to register the meteor-developer OAuth provider.

Suggested labels

type: feature

Suggested reviewers

• KevLehman
• tassoevan

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore: Passport Meteor OAuth' directly describes the main change: adding Meteor OAuth configuration via Passport. It is specific and clearly summarizes the primary change in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)

• PRM-35: Request failed with status code 401

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.76%. Comparing base (aa3602b) to head (d991673).

Additional details and impacted files

@@                       Coverage Diff                       @@
##           feat/phishing-resistant-mfa   #40595      +/-   ##
===============================================================
+ Coverage                        69.71%   69.76%   +0.05%     
===============================================================
  Files                             3304     3297       -7     
  Lines                           121731   120969     -762     
  Branches                         21561    21564       +3     
===============================================================
- Hits                             84866    84398     -468     
+ Misses                           33602    33302     -300     
- Partials                          3263     3269       +6     

Flag	Coverage Δ
unit	70.46% <ø> (+0.11%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/meteor/app/meteor-developer/server/lib.ts`:
- Around line 6-17: The configureMeteorDeveloperOAuth function returns early
when Accounts_OAuth_Meteor is disabled or when clientId/clientSecret are missing
but doesn’t unregister a previously registered Passport strategy; update
configureMeteorDeveloperOAuth to call passport.unuse('meteor-developer') in both
early-return branches (when enabled is false and when clientId or clientSecret
are falsy) so any stale strategy is torn down before returning—refer to
configureMeteorDeveloperOAuth and the existing addPassportCustomOAuth usage for
context.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d33ab808-24fd-4620-93a4-58ea839799e3

📥 Commits

Reviewing files that changed from the base of the PR and between aa3602b and d991673.

📒 Files selected for processing (3)

• apps/meteor/app/meteor-developer/server/index.ts
• apps/meteor/app/meteor-developer/server/lib.ts
• apps/meteor/server/importPackages.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: cubic · AI code reviewer
• GitHub Check: 📦 Meteor Build (coverage)
• GitHub Check: 🔎 Code Check / Code Lint
• GitHub Check: 🔎 Code Check / TypeScript
• GitHub Check: 🔨 Test Unit / Unit Tests

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/server/importPackages.ts
• apps/meteor/app/meteor-developer/server/index.ts
• apps/meteor/app/meteor-developer/server/lib.ts

🧠 Learnings (3)

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/server/importPackages.ts
• apps/meteor/app/meteor-developer/server/index.ts
• apps/meteor/app/meteor-developer/server/lib.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/server/importPackages.ts
• apps/meteor/app/meteor-developer/server/index.ts
• apps/meteor/app/meteor-developer/server/lib.ts

📚 Learning: 2026-05-06T12:21:44.083Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

• apps/meteor/server/importPackages.ts
• apps/meteor/app/meteor-developer/server/index.ts
• apps/meteor/app/meteor-developer/server/lib.ts

🔇 Additional comments (3)

apps/meteor/app/meteor-developer/server/lib.ts (1)

19-32: LGTM!

apps/meteor/app/meteor-developer/server/index.ts (1)

1-1: LGTM!

apps/meteor/server/importPackages.ts (1)

36-36: LGTM!

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Locate OAuth helper(s):"
fd -i "addPassportCustomOAuth"

echo
echo "Search for registration and unregistration APIs:"
rg -n -C3 --type ts --type js "addPassportCustomOAuth\\(|passport\\.use\\(|passport\\.unuse\\(|removePassport|unregister.*OAuth"

echo
echo "Compare disable-handling patterns across OAuth providers:"
rg -n -C4 --type ts --type js "watchMultiple\\(|Accounts_OAuth_|configure.*OAuth|addPassportCustomOAuth\\(" apps/meteor/app

Repository: RocketChat/Rocket.Chat

Length of output: 47216

---

Call passport.unuse('meteor-developer') when OAuth is disabled or credentials are cleared.

The configureMeteorDeveloperOAuth function returns early when Accounts_OAuth_Meteor is false or credentials are missing, but never unregisters the Passport strategy that was registered in previous executions. Each call to addPassportCustomOAuth already unuses before re-registering; however, when settings become invalid, the function skips the registration entirely, leaving the stale strategy active until restart.

Add explicit teardown on disable:

• When enabled === false, call passport.unuse('meteor-developer')
• When clientId || clientSecret are missing, call passport.unuse('meteor-developer')

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/app/meteor-developer/server/lib.ts` around lines 6 - 17, The
configureMeteorDeveloperOAuth function returns early when Accounts_OAuth_Meteor
is disabled or when clientId/clientSecret are missing but doesn’t unregister a
previously registered Passport strategy; update configureMeteorDeveloperOAuth to
call passport.unuse('meteor-developer') in both early-return branches (when
enabled is false and when clientId or clientSecret are falsy) so any stale
strategy is torn down before returning—refer to configureMeteorDeveloperOAuth
and the existing addPassportCustomOAuth usage for context.

[cubic-dev-ai]

1 issue found across 3 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/meteor/app/meteor-developer/server/lib.ts">

<violation number="1" location="apps/meteor/app/meteor-developer/server/lib.ts:8">
P2: Disabling Meteor OAuth (or clearing its credentials) does not undo a previously registered strategy because the watcher callback returns early without cleanup.</violation>
</file>

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

[cubic-dev-ai]

P2: Disabling Meteor OAuth (or clearing its credentials) does not undo a previously registered strategy because the watcher callback returns early without cleanup.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At apps/meteor/app/meteor-developer/server/lib.ts, line 8:

<comment>Disabling Meteor OAuth (or clearing its credentials) does not undo a previously registered strategy because the watcher callback returns early without cleanup.</comment>

<file context>
@@ -0,0 +1,40 @@
+
+const configureMeteorDeveloperOAuth = (): void => {
+	const enabled = settings.get<boolean>('Accounts_OAuth_Meteor');
+	if (!enabled) {
+		return;
+	}
</file context>