@msukkari msukkari commented Jan 27, 2026

Description

Fixes GitLab OAuth token refresh failures caused by a missing redirect_uri parameter. GitLab's OAuth implementation requires the redirect_uri parameter to be included in token refresh requests, and it must match the original authorization request URI.

Changes

  • Modified tokenRefresh.ts: Added support for including the redirect_uri parameter in GitLab token refresh requests

    • Refactored request body construction to handle provider-specific parameters
    • Uses URL constructor to normalize the redirect URI and handle trailing slashes correctly
    • Added clarifying comments explaining GitLab's OAuth requirements
  • Added docker-compose-niteshift.yml: Development configuration for local testing with Redis and PostgreSQL services

Technical Details

The error invalid_grant occurs because GitLab validates that the redirect_uri parameter in the refresh request matches the original authorization request. Previously, this parameter was omitted from the refresh token request, causing validation to fail.

The fix:

  1. Constructs the redirect URI using the URL constructor to ensure proper formatting
  2. Adds the redirect URI to the request body only for the GitLab provider
  3. Maintains backward compatibility for other OAuth providers

Related Issues

View Niteshift Task

Summary by CodeRabbit

  • Bug Fixes
    • Fixed GitLab OAuth token refresh failures by ensuring the required redirect_uri parameter is properly included in token refresh requests.
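
The request body construction described above, as an added example that is not the PR's own code. The function names, the `/api/auth/callback/<provider>` callback path and the sample credentials are assumptions made for illustration.

```typescript
// Added example; names below are hypothetical, not taken from tokenRefresh.ts.
type Provider = "gitlab" | "github";

// Assumption: the OAuth callback lives at /api/auth/callback/<provider>.
function callbackUrl(authUrl: string, provider: Provider): string {
  // Resolving the path against the base gives one canonical URL whether or
  // not authUrl ends in a slash.
  return new URL(`/api/auth/callback/${provider}`, authUrl).toString();
}

// What plain string concatenation yields, kept for comparison.
function naiveCallbackUrl(authUrl: string, provider: Provider): string {
  return `${authUrl}/api/auth/callback/${provider}`;
}

function buildRefreshBody(
  provider: Provider,
  authUrl: string,
  creds: { clientId: string; clientSecret: string; refreshToken: string },
): URLSearchParams {
  const bodyParams: Record<string, string> = {
    grant_type: "refresh_token",
    client_id: creds.clientId,
    client_secret: creds.clientSecret,
    refresh_token: creds.refreshToken,
  };
  // GitLab validates redirect_uri on refresh; other providers keep the old body.
  if (provider === "gitlab") {
    bodyParams.redirect_uri = callbackUrl(authUrl, provider);
  }
  return new URLSearchParams(bodyParams);
}

// Constructed sample values, not real credentials or hosts.
const creds = { clientId: "app-id", clientSecret: "app-secret", refreshToken: "rt-123" };
for (const base of ["https://sourcebot.example.com", "https://sourcebot.example.com/"]) {
  console.log(base, "->", buildRefreshBody("gitlab", base, creds).get("redirect_uri"));
  console.log("  naive:", naiveCallbackUrl(base, "gitlab"));
}
console.log(buildRefreshBody("github", "https://sourcebot.example.com", creds).toString());
```

Resolving an absolute path with `new URL(path, base)` discards any path prefix on the base URL, so the redirect URI registered with the provider has to be built the same way for the two to match.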


coderabbitai bot commented Jan 27, 2026

Walkthrough

This pull request fixes GitLab OAuth token refresh failures by refactoring the token refresh request to include a conditionally-added redirect_uri parameter when the provider is GitLab, using a dedicated bodyParams object and URL normalization for trailing slashes.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| OAuth Token Refresh Fix: `packages/web/src/ee/features/permissionSyncing/tokenRefresh.ts` | Refactored token request body construction from inline URLSearchParams to a dedicated bodyParams object. Added conditional redirect_uri parameter for GitLab provider using URL normalization to handle trailing slashes. Request body now uses URLSearchParams(bodyParams) instead of literal construction. |
| Documentation: `CHANGELOG.md` | Added changelog entry documenting the fix for GitLab OAuth token refresh failures by including the required redirect_uri parameter. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: fixing GitLab token refresh by adding the redirect_uri parameter. |


@msukkari msukkari marked this pull request as ready for review January 27, 2026 22:47

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@packages/web/src/ee/features/permissionSyncing/tokenRefresh.ts`:
- Around line 122-143: The GitLab redirect_uri is built via string concatenation
in tokenRefresh.ts (bodyParams and provider) and will produce double slashes if
env.AUTH_URL has a trailing slash; change the assignment so when provider ===
'gitlab' you set bodyParams.redirect_uri by normalizing with the URL constructor
(e.g., construct the callback path against env.AUTH_URL to produce a canonical
URL) instead of string concatenation, ensuring the final redirect_uri exactly
matches the original authorization request format.
🧹 Nitpick comments (1)
docker-compose-niteshift.yml (1)

9-23: Prefer named volumes (or configurable paths) for portability.

Line 10 and Line 23 hard-code /root/... which will fail for non-root users and on macOS/Windows. Named volumes keep local dev friction low and avoid path permissions issues.

♻️ Suggested refactor
 services:
   redis:
@@
-    volumes:
-      - /root/.niteshift/data/redis:/data
+    volumes:
+      - redis_data:/data
@@
   postgres:
@@
-    volumes:
-      - /root/.niteshift/data/postgres:/var/lib/postgresql/data
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
@@
+volumes:
+  redis_data:
+  postgres_data:
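
Review bot: On the two `volumes:` replacements under `redis` and `postgres`, moving from the `/root/.niteshift/data/...` bind mounts to `redis_data` and `postgres_data` means both services start on empty named volumes, so anything already stored under the old host paths is no longer mounted. The suggestion should say that existing local data needs to be copied over or recreated, and the top-level `volumes:` block added at the end has to land in the same change, since the service entries reference those names.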

@msukkari msukkari changed the title from "[SOU-123] Fix GitLab token refresh with redirect_uri validation" to "[SOU-123] Fix GitLab token refresh with redirect_uri parameter" Jan 27, 2026
…r GitLab token refresh fix

Co-authored-by: michael <michael@sourcebot.dev>
@msukkari msukkari merged commit f1b4361 into main Jan 28, 2026
9 checks passed