feat: Accounts_OAuth_Use_Modern_Flow Setting

[yash-rajpal]

Proposed changes (including videos or screenshots)

Adds a new setting Accounts_OAuth_Flow_Engine to toggle between new passport and legacy meteor OAuth flows.

Issue(s)

Steps to test or reproduce

Further comments

Due to some limitations on express and how routing works in our app, as of now we don't have a way of unmounting routes and middlewares when the setting is toggled. So this PR works around this issue by skipping the current route and router on basis of setting value.

PRM-50

Summary by CodeRabbit

• New Features
  • Added a runtime-selectable OAuth flow mode (Modern vs Legacy) that switches behavior across Dolphin, Drupal, GitLab, Nextcloud, and WordPress.
  • Updated OAuth routing/auth handling to align with the selected flow mode.
• Settings
  • Introduced Accounts_OAuth_Use_Modern_Flow with full configuration support, including reconfiguration when toggled.
• UI
  • Login services and desktop-app login behavior now adapt to the selected OAuth flow.
  • OAuth button visibility on mobile now follows the active OAuth flow mode.
• Localization
  • Added i18n labels and descriptions for the new OAuth flow setting.

[dionisio-bot]

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: 97615b5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds a boolean Accounts_OAuth_Use_Modern_Flow setting and gates OAuth configuration, routing, and client login behavior between Passport-based modern flow (with system browser and deep-link support) and legacy non-Passport implementations.

Changes

OAuth Modern Flow Toggle and Dual-Mode Wiring

Layer / File(s)	Summary
OAuth Modern Flow Setting and Localization apps/meteor/server/settings/oauth.ts, packages/i18n/src/locales/en.i18n.json	Registers the new public boolean setting Accounts_OAuth_Use_Modern_Flow with i18n label and description keys describing modern Passport-based flow (recommended with system browser and deep links) versus legacy Meteor OAuth.
OAuth Route Handlers Conditional on Modern Flow apps/meteor/server/lib/oauth/addPassportCustomOAuth.ts, apps/meteor/server/lib/oauth/configureOAuthServices.ts	The /_oauth routes now check Accounts_OAuth_Use_Modern_Flow: when enabled, proceed with passport.authenticate; otherwise skip via next('router'). Passport authenticate options updated to remove failureFlash while retaining failureRedirect, failWithError, and keepSessionInfo.
Passport Configuration Early-Return Guard apps/meteor/server/configuration/configurePassport.ts	The Accounts_OAuth_* settings watcher now returns early when Accounts_OAuth_Use_Modern_Flow is true, preventing OAuth service configuration in modern-flow mode.
OAuth Providers with Modern/Legacy Flow Branching apps/meteor/app/dolphin/server/lib.ts, apps/meteor/app/drupal/server/lib.ts, apps/meteor/app/gitlab/server/lib.ts, apps/meteor/app/nextcloud/server/lib.ts, apps/meteor/app/wordpress/server/lib.ts	Each provider now instantiates CustomOAuth and builds merged completeConfig; configuration branches at runtime: call addPassportCustomOAuth(serviceName, completeConfig) when modern flow is enabled, otherwise call CustomOAuth.configure(completeConfig). Settings watchers expanded to include Accounts_OAuth_Use_Modern_Flow for reconfiguration.
API Settings Response Modern Flow Gating apps/meteor/app/api/server/v1/settings.ts	The OAuth settings API endpoint reads Accounts_OAuth_Use_Modern_Flow and derives isPassportFlowEnabled to control the hideButtonOnMobile field for OAuth services, replacing the previous hard-coded true value in both the early-return path and the final service object.
Login UI Modern Flow Toggle packages/web-ui-registration/src/LoginServices.tsx, packages/web-ui-registration/src/LoginServicesButton.tsx	LoginServices reads Accounts_OAuth_Use_Modern_Flow, derives enableModernOAuthFlow, and passes it to LoginServicesButton; the button gates redirect-to-/oauth/${service} behavior on this flag and updates prop types and dependency arrays accordingly.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• RocketChat/Rocket.Chat#40203: Introduces addPassportCustomOAuth and Passport-based provider wiring which this PR gates behind Accounts_OAuth_Use_Modern_Flow.
• RocketChat/Rocket.Chat#40609: Modifies GitLab OAuth configuration to use Passport and re-register strategy on settings changes; overlaps with this PR's GitLab provider updates.
• RocketChat/Rocket.Chat#40591: Changes Nextcloud OAuth wiring around NEXTCLOUD_PATHS and addPassportCustomOAuth; directly related to this PR's Nextcloud provider adjustments.

Suggested labels

area: authentication

Suggested reviewers

• KevLehman
• tassoevan
• ricardogarim

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main objective of the pull request: adding a new OAuth flow toggle setting called Accounts_OAuth_Use_Modern_Flow to switch between Passport-based and legacy Meteor OAuth flows.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)

• PRM-50: Request failed with status code 401

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 30.76923% with 9 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (feat/phishing-resistant-mfa@9933083). Learn more about missing BASE report.

Additional details and impacted files

@@                      Coverage Diff                       @@
##             feat/phishing-resistant-mfa   #40876   +/-   ##
==============================================================
  Coverage                               ?   69.59%           
==============================================================
  Files                                  ?     3340           
  Lines                                  ?   123342           
  Branches                               ?    22000           
==============================================================
  Hits                                   ?    85837           
  Misses                                 ?    34142           
  Partials                               ?     3363           

Flag	Coverage Δ
e2e	59.15% <ø> (?)
e2e-api	45.75% <30.76%> (?)
unit	70.42% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apps/meteor/app/nextcloud/server/lib.ts (1)

23-45: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Missing passport.unuse('nextcloud') before reconfiguration.

Unlike the other provider implementations (Dolphin, Drupal, GitLab, WordPress), this file does not call passport.unuse('nextcloud') at the start of the configuration function. When switching from passport to meteor flow engine, the stale Passport strategy will remain registered, potentially causing unexpected behavior.

🔧 Proposed fix

+import passport from 'passport';
+
 function configureNextcloudOAuth(): void {
+	passport.unuse('nextcloud');
+
 	const enabled = settings.get<boolean>('Accounts_OAuth_Nextcloud');

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/app/nextcloud/server/lib.ts` around lines 23 - 45, In
configureNextcloudOAuth add a step to unregister any existing Passport strategy
for 'nextcloud' before applying new configuration: call
passport.unuse('nextcloud') (ensure passport is imported or available) at the
start of the function so stale Passport strategies are removed when switching
flow engines; keep this in place whether you then call
addPassportCustomOAuth('nextcloud', config) or Nextcloud.configure(config) to
match the pattern used by other providers.

🧹 Nitpick comments (2)

apps/meteor/server/settings/oauth.ts (2)

10-11: ⚡ Quick win

Clarify user-facing labels for the OAuth flow options.

The labels 'Meteor' and 'New flow' may not clearly convey the choice to administrators. 'New flow' is particularly vague—consider more descriptive labels such as 'Legacy (Meteor)' and 'Modern (Passport)' or use i18n keys for proper localization and clarity.

📝 Suggested improvement

 		await this.add('Accounts_OAuth_Flow_Engine', 'meteor', {
 			type: 'select',
 			values: [
-				{ key: 'meteor', i18nLabel: 'Meteor' },
-				{ key: 'passport', i18nLabel: 'New flow' },
+				{ key: 'meteor', i18nLabel: 'Legacy (Meteor)' },
+				{ key: 'passport', i18nLabel: 'Modern (Passport)' },
 			],
 			public: true,
 			i18nDescription: 'Accounts_OAuth_Flow_Engine_Description',
 		});

Or use i18n keys for proper localization:

 		await this.add('Accounts_OAuth_Flow_Engine', 'meteor', {
 			type: 'select',
 			values: [
-				{ key: 'meteor', i18nLabel: 'Meteor' },
-				{ key: 'passport', i18nLabel: 'New flow' },
+				{ key: 'meteor', i18nLabel: 'Accounts_OAuth_Flow_Engine_Meteor' },
+				{ key: 'passport', i18nLabel: 'Accounts_OAuth_Flow_Engine_Passport' },
 			],
 			public: true,
 			i18nDescription: 'Accounts_OAuth_Flow_Engine_Description',
 		});

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/server/settings/oauth.ts` around lines 10 - 11, The user-facing
labels for the OAuth flow options are ambiguous; update the entries in the
options array (the objects with key: 'meteor' and key: 'passport') to use
clearer labels such as "Legacy (Meteor)" and "Modern (Passport)" or replace the
hardcoded i18nLabel strings with appropriate i18n keys (e.g., i18nLabel:
'oauth.label.legacy' / 'oauth.label.modern') so administrators see a clear,
localizable choice between the Meteor and Passport flows; ensure you update any
corresponding translation files if you opt for i18n keys.

---

7-15: Confirm i18n description key + refine label wording

• i18nDescription: 'Accounts_OAuth_Flow_Engine_Description' is present in packages/i18n/src/locales/en.i18n.json, so the admin UI description won’t be missing.
• Consider replacing the New flow option label with more descriptive text (e.g., “Passport-based flow”) to improve admin UX.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/server/settings/oauth.ts` around lines 7 - 15, Confirm that the
i18n key Accounts_OAuth_Flow_Engine_Description exists (it does) and update the
select option label for key 'passport' in the add call for
'Accounts_OAuth_Flow_Engine' to a more descriptive string such as
"Passport-based flow" (or similar) to improve admin UX; locate the values array
inside the await this.add('Accounts_OAuth_Flow_Engine', 'meteor', { ... }) call
and replace the i18nLabel or displayed label for the { key: 'passport',
i18nLabel: 'New flow' } entry accordingly, ensuring any corresponding i18n key
is added/updated if you change to a translatable label.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/meteor/app/wordpress/server/lib.ts`:
- Around line 72-78: The WordPress passport branch passes a config missing
clientId/clientSecret to addPassportCustomOAuth, so update the code that
prepares WordPress's config (the same way other providers do) to read clientId
and clientSecret from settings (via settings.get) and merge them into the config
object before calling addPassportCustomOAuth(serviceKey, config); ensure the
final object contains clientId and clientSecret keys so addPassportCustomOAuth's
early-return check finds them.

In `@apps/meteor/server/configuration/configurePassport.ts`:
- Around line 25-33: The current configureOAuth function short-circuits when
Accounts_OAuth_Flow_Engine !== 'passport', leaving any previously-registered
Passport state active; update configureOAuth to detect a transition away from
'passport' and perform teardown: call passport.unuse for any strategies
previously registered (track strategy names created by
createOAuthServiceConfig/configureOAuthServices or derive them from
getOAuthServices), remove or disable Passport-specific routes/middleware that
configureOAuthServices added, and ensure future calls re-register cleanly when
switching back; reference configureOAuth, getOAuthServices,
createOAuthServiceConfig, configureOAuthServices and use passport.unuse (and
route-level gating cleanup) to implement the teardown path.

In `@apps/meteor/server/lib/oauth/configureOAuthServices.ts`:
- Line 84: Remove the noisy console.log in the OAuth callback middleware: locate
the "console.log('In check middleware')" call inside the OAuth callback handling
(the middleware registered in configureOAuthServices / the "check" middleware)
and delete it, or replace it with a conditional debug/log.debug call controlled
by environment or log level if you need traceability; ensure no unconditional
console logging remains in that middleware so production auth callbacks stay
quiet.

---

Outside diff comments:
In `@apps/meteor/app/nextcloud/server/lib.ts`:
- Around line 23-45: In configureNextcloudOAuth add a step to unregister any
existing Passport strategy for 'nextcloud' before applying new configuration:
call passport.unuse('nextcloud') (ensure passport is imported or available) at
the start of the function so stale Passport strategies are removed when
switching flow engines; keep this in place whether you then call
addPassportCustomOAuth('nextcloud', config) or Nextcloud.configure(config) to
match the pattern used by other providers.

---

Nitpick comments:
In `@apps/meteor/server/settings/oauth.ts`:
- Around line 10-11: The user-facing labels for the OAuth flow options are
ambiguous; update the entries in the options array (the objects with key:
'meteor' and key: 'passport') to use clearer labels such as "Legacy (Meteor)"
and "Modern (Passport)" or replace the hardcoded i18nLabel strings with
appropriate i18n keys (e.g., i18nLabel: 'oauth.label.legacy' /
'oauth.label.modern') so administrators see a clear, localizable choice between
the Meteor and Passport flows; ensure you update any corresponding translation
files if you opt for i18n keys.
- Around line 7-15: Confirm that the i18n key
Accounts_OAuth_Flow_Engine_Description exists (it does) and update the select
option label for key 'passport' in the add call for 'Accounts_OAuth_Flow_Engine'
to a more descriptive string such as "Passport-based flow" (or similar) to
improve admin UX; locate the values array inside the await
this.add('Accounts_OAuth_Flow_Engine', 'meteor', { ... }) call and replace the
i18nLabel or displayed label for the { key: 'passport', i18nLabel: 'New flow' }
entry accordingly, ensuring any corresponding i18n key is added/updated if you
change to a translatable label.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3dcc3eea-364f-4a5c-b26b-d6496c9f28ed

📥 Commits

Reviewing files that changed from the base of the PR and between 8f3741d and 1abed54.

📒 Files selected for processing (12)

• apps/meteor/app/dolphin/server/lib.ts
• apps/meteor/app/drupal/server/lib.ts
• apps/meteor/app/gitlab/server/lib.ts
• apps/meteor/app/nextcloud/server/lib.ts
• apps/meteor/app/wordpress/server/lib.ts
• apps/meteor/server/configuration/configurePassport.ts
• apps/meteor/server/lib/oauth/addPassportCustomOAuth.ts
• apps/meteor/server/lib/oauth/configureOAuthServices.ts
• apps/meteor/server/settings/oauth.ts
• packages/i18n/src/locales/en.i18n.json
• packages/web-ui-registration/src/LoginServices.tsx
• packages/web-ui-registration/src/LoginServicesButton.tsx

📜 Review details

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• packages/web-ui-registration/src/LoginServices.tsx
• apps/meteor/app/wordpress/server/lib.ts
• apps/meteor/server/settings/oauth.ts
• apps/meteor/app/gitlab/server/lib.ts
• packages/web-ui-registration/src/LoginServicesButton.tsx
• apps/meteor/app/drupal/server/lib.ts
• apps/meteor/app/dolphin/server/lib.ts
• apps/meteor/server/lib/oauth/configureOAuthServices.ts
• apps/meteor/app/nextcloud/server/lib.ts
• apps/meteor/server/lib/oauth/addPassportCustomOAuth.ts
• apps/meteor/server/configuration/configurePassport.ts

🧠 Learnings (4)

📚 Learning: 2026-03-27T14:52:56.865Z

Learnt from: dougfabris
Repo: RocketChat/Rocket.Chat PR: 39892
File: apps/meteor/client/views/room/contextualBar/Threads/Thread.tsx:150-155
Timestamp: 2026-03-27T14:52:56.865Z
Learning: In Rocket.Chat, there are two different `ModalBackdrop` components with different prop APIs. During review, confirm the import source: (1) `rocket.chat/fuselage` `ModalBackdrop` uses `ModalBackdropProps` based on `BoxProps` (so it supports `onClick` and other Box/DOM props) and does not have an `onDismiss` prop; (2) `rocket.chat/ui-client` `ModalBackdrop` uses a narrower props interface like `{ children?: ReactNode; onDismiss?: () => void }` and handles Escape keypress and outside mouse-up, and it does not forward arbitrary DOM props such as `onClick`. Flag mismatched props (e.g., `onDismiss` passed to the fuselage component or `onClick` passed to the ui-client component) and ensure the usage matches the correct component being imported.

Applied to files:

• packages/web-ui-registration/src/LoginServices.tsx
• packages/web-ui-registration/src/LoginServicesButton.tsx

📚 Learning: 2026-05-06T12:21:44.083Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

• packages/web-ui-registration/src/LoginServices.tsx
• apps/meteor/app/wordpress/server/lib.ts
• apps/meteor/server/settings/oauth.ts
• apps/meteor/app/gitlab/server/lib.ts
• packages/web-ui-registration/src/LoginServicesButton.tsx
• apps/meteor/app/drupal/server/lib.ts
• apps/meteor/app/dolphin/server/lib.ts
• apps/meteor/server/lib/oauth/configureOAuthServices.ts
• apps/meteor/app/nextcloud/server/lib.ts
• apps/meteor/server/lib/oauth/addPassportCustomOAuth.ts
• apps/meteor/server/configuration/configurePassport.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/app/wordpress/server/lib.ts
• apps/meteor/server/settings/oauth.ts
• apps/meteor/app/gitlab/server/lib.ts
• apps/meteor/app/drupal/server/lib.ts
• apps/meteor/app/dolphin/server/lib.ts
• apps/meteor/server/lib/oauth/configureOAuthServices.ts
• apps/meteor/app/nextcloud/server/lib.ts
• apps/meteor/server/lib/oauth/addPassportCustomOAuth.ts
• apps/meteor/server/configuration/configurePassport.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/app/wordpress/server/lib.ts
• apps/meteor/server/settings/oauth.ts
• apps/meteor/app/gitlab/server/lib.ts
• apps/meteor/app/drupal/server/lib.ts
• apps/meteor/app/dolphin/server/lib.ts
• apps/meteor/server/lib/oauth/configureOAuthServices.ts
• apps/meteor/app/nextcloud/server/lib.ts
• apps/meteor/server/lib/oauth/addPassportCustomOAuth.ts
• apps/meteor/server/configuration/configurePassport.ts

🔇 Additional comments (10)

packages/i18n/src/locales/en.i18n.json (1)

361-362: LGTM!

Also applies to: 7258-7258

packages/web-ui-registration/src/LoginServices.tsx (1)

21-21: LGTM!

Also applies to: 56-62

packages/web-ui-registration/src/LoginServicesButton.tsx (1)

23-23: LGTM!

Also applies to: 29-29, 35-35, 56-56

apps/meteor/server/configuration/configurePassport.ts (1)

100-102: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Accounts_OAuth_Flow_Engine is watched twice, causing duplicate reconfiguration.

The regex watcher at Line 96 already matches Accounts_OAuth_Flow_Engine, so Lines 100-102 invoke configureOAuth a second time per toggle. Since route registration is additive, this can duplicate handlers.

Suggested fix

-	settings.watch('Accounts_OAuth_Flow_Engine', () => {
-		configureOAuth(settings);
-	});

			> Likely an incorrect or invalid review comment.

apps/meteor/server/lib/oauth/addPassportCustomOAuth.ts (1)

50-58: LGTM!

apps/meteor/app/dolphin/server/lib.ts (1)

10-10: LGTM!

Also applies to: 26-27, 52-59, 63-72

apps/meteor/app/drupal/server/lib.ts (1)

7-7: LGTM!

Also applies to: 11-11, 26-27, 43-51, 58-58

apps/meteor/app/gitlab/server/lib.ts (1)

7-7: LGTM!

Also applies to: 22-23, 42-50, 64-64

apps/meteor/app/nextcloud/server/lib.ts (1)

5-5: LGTM!

Also applies to: 9-9, 21-22, 50-56

apps/meteor/app/wordpress/server/lib.ts (1)

8-8: LGTM!

Also applies to: 24-25, 98-99

[cubic-dev-ai]

5 issues found across 12 files

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

[hacktron-app]

1 issue found across 1 file

Severity	Count
	1

View full scan results

[coderabbitai]

🧹 Nitpick comments (1)

apps/meteor/app/dolphin/server/lib.ts (1)

54-57: 💤 Low value

Minor inconsistency: explicit === true vs truthy check.

This file uses === true while other providers (Drupal, GitLab, Nextcloud, WordPress) use a truthy check. While functionally equivalent for a boolean setting, consider aligning for consistency.

-	if (settings.get<boolean>('Accounts_OAuth_Use_Modern_Flow') === true) {
+	if (settings.get<boolean>('Accounts_OAuth_Use_Modern_Flow')) {

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/app/dolphin/server/lib.ts` around lines 54 - 57, Change the
explicit `=== true` comparison in the Accounts_OAuth_Use_Modern_Flow settings
check to a truthy check to align with the pattern used in other OAuth providers
like Drupal, GitLab, Nextcloud, and WordPress. Replace the condition so it
evaluates the settings.get call as a boolean truthy value rather than an
explicit strict equality comparison.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@apps/meteor/app/dolphin/server/lib.ts`:
- Around line 54-57: Change the explicit `=== true` comparison in the
Accounts_OAuth_Use_Modern_Flow settings check to a truthy check to align with
the pattern used in other OAuth providers like Drupal, GitLab, Nextcloud, and
WordPress. Replace the condition so it evaluates the settings.get call as a
boolean truthy value rather than an explicit strict equality comparison.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8eab7bbf-d4cc-4b31-80bd-afe2beb2bc4c

📥 Commits

Reviewing files that changed from the base of the PR and between c761471 and d6ee505.

📒 Files selected for processing (11)

• apps/meteor/app/dolphin/server/lib.ts
• apps/meteor/app/drupal/server/lib.ts
• apps/meteor/app/gitlab/server/lib.ts
• apps/meteor/app/nextcloud/server/lib.ts
• apps/meteor/app/wordpress/server/lib.ts
• apps/meteor/server/configuration/configurePassport.ts
• apps/meteor/server/lib/oauth/addPassportCustomOAuth.ts
• apps/meteor/server/lib/oauth/configureOAuthServices.ts
• apps/meteor/server/settings/oauth.ts
• packages/i18n/src/locales/en.i18n.json
• packages/web-ui-registration/src/LoginServices.tsx

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: 📦 Build Packages
• GitHub Check: cubic · AI code reviewer
• GitHub Check: CodeQL-Build
• GitHub Check: Hacktron Security Check
• GitHub Check: CodeQL-Build

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/server/configuration/configurePassport.ts
• apps/meteor/server/lib/oauth/addPassportCustomOAuth.ts
• apps/meteor/server/lib/oauth/configureOAuthServices.ts
• apps/meteor/app/gitlab/server/lib.ts
• packages/web-ui-registration/src/LoginServices.tsx
• apps/meteor/server/settings/oauth.ts
• apps/meteor/app/dolphin/server/lib.ts
• apps/meteor/app/nextcloud/server/lib.ts
• apps/meteor/app/drupal/server/lib.ts
• apps/meteor/app/wordpress/server/lib.ts

🧠 Learnings (4)

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/server/configuration/configurePassport.ts
• apps/meteor/server/lib/oauth/addPassportCustomOAuth.ts
• apps/meteor/server/lib/oauth/configureOAuthServices.ts
• apps/meteor/app/gitlab/server/lib.ts
• apps/meteor/server/settings/oauth.ts
• apps/meteor/app/dolphin/server/lib.ts
• apps/meteor/app/nextcloud/server/lib.ts
• apps/meteor/app/drupal/server/lib.ts
• apps/meteor/app/wordpress/server/lib.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/server/configuration/configurePassport.ts
• apps/meteor/server/lib/oauth/addPassportCustomOAuth.ts
• apps/meteor/server/lib/oauth/configureOAuthServices.ts
• apps/meteor/app/gitlab/server/lib.ts
• apps/meteor/server/settings/oauth.ts
• apps/meteor/app/dolphin/server/lib.ts
• apps/meteor/app/nextcloud/server/lib.ts
• apps/meteor/app/drupal/server/lib.ts
• apps/meteor/app/wordpress/server/lib.ts

📚 Learning: 2026-05-06T12:21:44.083Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

• apps/meteor/server/configuration/configurePassport.ts
• apps/meteor/server/lib/oauth/addPassportCustomOAuth.ts
• apps/meteor/server/lib/oauth/configureOAuthServices.ts
• apps/meteor/app/gitlab/server/lib.ts
• packages/web-ui-registration/src/LoginServices.tsx
• apps/meteor/server/settings/oauth.ts
• apps/meteor/app/dolphin/server/lib.ts
• apps/meteor/app/nextcloud/server/lib.ts
• apps/meteor/app/drupal/server/lib.ts
• apps/meteor/app/wordpress/server/lib.ts

📚 Learning: 2026-03-27T14:52:56.865Z

Learnt from: dougfabris
Repo: RocketChat/Rocket.Chat PR: 39892
File: apps/meteor/client/views/room/contextualBar/Threads/Thread.tsx:150-155
Timestamp: 2026-03-27T14:52:56.865Z
Learning: In Rocket.Chat, there are two different `ModalBackdrop` components with different prop APIs. During review, confirm the import source: (1) `rocket.chat/fuselage` `ModalBackdrop` uses `ModalBackdropProps` based on `BoxProps` (so it supports `onClick` and other Box/DOM props) and does not have an `onDismiss` prop; (2) `rocket.chat/ui-client` `ModalBackdrop` uses a narrower props interface like `{ children?: ReactNode; onDismiss?: () => void }` and handles Escape keypress and outside mouse-up, and it does not forward arbitrary DOM props such as `onClick`. Flag mismatched props (e.g., `onDismiss` passed to the fuselage component or `onClick` passed to the ui-client component) and ensure the usage matches the correct component being imported.

Applied to files:

• packages/web-ui-registration/src/LoginServices.tsx

🔇 Additional comments (12)

apps/meteor/server/settings/oauth.ts (1)

7-11: LGTM!

packages/i18n/src/locales/en.i18n.json (1)

361-362: LGTM!

apps/meteor/server/lib/oauth/configureOAuthServices.ts (1)

84-89: LGTM!

apps/meteor/server/configuration/configurePassport.ts (1)

87-89: LGTM!

packages/web-ui-registration/src/LoginServices.tsx (1)

21-23: LGTM!

apps/meteor/server/lib/oauth/addPassportCustomOAuth.ts (1)

48-60: LGTM!

apps/meteor/app/dolphin/server/lib.ts (1)

62-74: LGTM!

apps/meteor/app/drupal/server/lib.ts (1)

28-66: LGTM!

apps/meteor/app/gitlab/server/lib.ts (1)

24-67: LGTM!

apps/meteor/app/nextcloud/server/lib.ts (1)

24-60: LGTM!

apps/meteor/app/wordpress/server/lib.ts (2)

72-85: LGTM!

---

104-107: LGTM!

[cubic-dev-ai]

2 issues found across 11 files (changes from recent commits).

<sub>Tip: Review your code locally with the cubic CLI to iterate faster.

Re-trigger cubic</sub>