fix: Iframe support for passport OAuth

[yash-rajpal]

Proposed changes (including videos or screenshots)

Issue(s)

Steps to test or reproduce

Further comments

PRM-52

Summary by CodeRabbit

• New Features
  • Added support for a modern custom OAuth login flow behind the Accounts_OAuth_Use_Modern_Flow setting. When enabled, initiating custom OAuth now uses a redirect-based approach to start authentication and, when available, preserves the current loginClient parameter for smoother handoffs. When disabled, the existing legacy custom OAuth flow remains the default to keep current behavior unchanged.

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: efa3f09c-60f4-40a1-b888-79f6c2a0e1a3

📥 Commits

Reviewing files that changed from the base of the PR and between 15b3f77 and c7228d5.

📒 Files selected for processing (1)

• apps/meteor/client/views/root/hooks/useIframeCommands.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• apps/meteor/client/views/root/hooks/useIframeCommands.ts

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: 📦 Build Packages
• GitHub Check: Hacktron Security Check
• GitHub Check: CodeQL-Build
• GitHub Check: CodeQL-Build

---

Walkthrough

The useIframeCommands hook gains a new boolean derived from the Accounts_OAuth_Use_Modern_Flow setting. In the call-custom-oauth-login command handler, when that flag is true, it builds an /oauth/{service} URL, optionally appends the loginClient query parameter from the current URL, and redirects the top window immediately, skipping the legacy OAuth path. In the legacy flow path, the runtime type guard for typeof data.service === 'string' is removed, leaving only the window.ServiceConfiguration presence check. The useEffect dependency list is updated to track this new setting.

Changes

Modern OAuth iframe redirect flow

Layer / File(s)

Summary

Modern OAuth redirect in call-custom-oauth-login handler apps/meteor/client/views/root/hooks/useIframeCommands.ts

Reads Accounts_OAuth_Use_Modern_Flow into enableModernOAuthFlow; when true, the handler constructs an /oauth/{service} redirect URL, forwards loginClient from the current page query string if present, navigates window.top to that URL, and returns early to bypass the existing loginWithCustomOauth flow. The legacy branch removes the typeof data.service === 'string' type guard, keeping only the window.ServiceConfiguration presence check. The useEffect dependency array is updated to include enableModernOAuthFlow to ensure the hook responds to setting changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

• ricardogarim
• KevLehman

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly describes a bug fix for OAuth functionality within iframe contexts, directly matching the main code changes that add modern OAuth flow support for iframes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)

• PRM-52: Request failed with status code 401

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apps/meteor/client/views/root/hooks/useIframeCommands.ts (1)

136-136: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

enableNewOAuthFlow missing from useEffect dependency array.

The enableNewOAuthFlow value is used inside the call-custom-oauth-login handler but is not included in the dependency array. If the setting changes at runtime, the listener will continue using the stale captured value, causing the feature toggle to malfunction.

Proposed fix

-	}, [iframeReceiveEnabled, iframeReceiveOrigin, loginWithToken, loginWithCustomOauth, logout]);
+	}, [iframeReceiveEnabled, iframeReceiveOrigin, loginWithToken, loginWithCustomOauth, logout, enableNewOAuthFlow]);

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/client/views/root/hooks/useIframeCommands.ts` at line 136, The
useEffect hook in the file has a missing dependency that causes stale closures.
The enableNewOAuthFlow value is used inside the call-custom-oauth-login handler
but is not included in the dependency array at the end of the effect. Add
enableNewOAuthFlow to the dependency array alongside iframeReceiveEnabled,
iframeReceiveOrigin, loginWithToken, loginWithCustomOauth, and logout to ensure
the effect re-runs whenever this setting changes and the handler uses the
current value rather than a stale captured one.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/meteor/client/views/root/hooks/useIframeCommands.ts`:
- Around line 54-67: The new OAuth flow block guarded by enableNewOAuthFlow is
missing type validation for data.service before using it to construct the
redirect URL with /oauth/${data.service}. Add a type check (typeof data.service
=== 'string') similar to the validation in the legacy flow before constructing
the redirectUrl to prevent malformed URLs when data.service is undefined or not
a string.

---

Outside diff comments:
In `@apps/meteor/client/views/root/hooks/useIframeCommands.ts`:
- Line 136: The useEffect hook in the file has a missing dependency that causes
stale closures. The enableNewOAuthFlow value is used inside the
call-custom-oauth-login handler but is not included in the dependency array at
the end of the effect. Add enableNewOAuthFlow to the dependency array alongside
iframeReceiveEnabled, iframeReceiveOrigin, loginWithToken, loginWithCustomOauth,
and logout to ensure the effect re-runs whenever this setting changes and the
handler uses the current value rather than a stale captured one.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e5717fb0-bfc9-4ef9-9085-4b3ca0088212

📥 Commits

Reviewing files that changed from the base of the PR and between e80729e and 6b0c620.

📒 Files selected for processing (1)

• apps/meteor/client/views/root/hooks/useIframeCommands.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: 📦 Build Packages
• GitHub Check: cubic · AI code reviewer
• GitHub Check: Hacktron Security Check
• GitHub Check: CodeQL-Build
• GitHub Check: CodeQL-Build

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/client/views/root/hooks/useIframeCommands.ts

🧠 Learnings (5)

📚 Learning: 2026-02-10T16:32:42.586Z

Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 38528
File: apps/meteor/client/startup/roles.ts:14-14
Timestamp: 2026-02-10T16:32:42.586Z
Learning: In Rocket.Chat's Meteor client code, DDP streams use EJSON and Date fields arrive as Date objects; do not manually construct new Date() in stream handlers (for example, in sdk.stream()). Only REST API responses return plain JSON where dates are strings, so implement explicit conversion there if needed. Apply this guidance to all TypeScript files under apps/meteor/client to ensure consistent date handling in DDP streams and REST responses.

Applied to files:

• apps/meteor/client/views/root/hooks/useIframeCommands.ts

📚 Learning: 2026-05-11T20:30:35.265Z

Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 40480
File: apps/meteor/client/meteor/startup/accounts.ts:59-61
Timestamp: 2026-05-11T20:30:35.265Z
Learning: In Rocket.Chat’s Meteor client code, when calling `dispatchToastMessage` with `{ type: 'error' }`, pass the raw caught error object as `message` without manual normalization. `dispatchToastMessage` is designed to accept `message: unknown` for error toasts, so avoid converting errors to strings (e.g., `String(error)`) or extracting `error.message` before passing them.

Applied to files:

• apps/meteor/client/views/root/hooks/useIframeCommands.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/client/views/root/hooks/useIframeCommands.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/client/views/root/hooks/useIframeCommands.ts

📚 Learning: 2026-05-06T12:21:44.083Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

• apps/meteor/client/views/root/hooks/useIframeCommands.ts

🔇 Additional comments (1)

apps/meteor/client/views/root/hooks/useIframeCommands.ts (1)

20-20: LGTM!

[cubic-dev-ai]

2 issues found across 1 file

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

[codecov]

Codecov Report

❌ Patch coverage is 9.09091% with 10 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (feat/phishing-resistant-mfa@026ca89). Learn more about missing BASE report.

Additional details and impacted files

@@                      Coverage Diff                       @@
##             feat/phishing-resistant-mfa   #40949   +/-   ##
==============================================================
  Coverage                               ?   69.62%           
==============================================================
  Files                                  ?     3340           
  Lines                                  ?   123352           
  Branches                               ?    21982           
==============================================================
  Hits                                   ?    85888           
  Misses                                 ?    34099           
  Partials                               ?     3365           

Flag	Coverage Δ
e2e	59.14% <9.09%> (?)
e2e-api	45.90% <ø> (?)
unit	70.48% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[changeset-bot]

⚠️ No Changeset found

Latest commit: c7228d5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR