chore: migrate OAuth services admin DDP methods to REST

[ggazzo]

Summary

Continues the DDP→REST sweep (#40659, #40711, #40675, #40724, #40728, #40734, #40736). This batch migrates the three OAuth services admin DDP methods that backed the Admin → OAuth settings group. DDP methods stay registered for external SDK/mobile clients with deprecation logs pointing at the new routes.

Endpoints

DDP method	REST endpoint	Notes
addOAuthService	POST /v1/settings.addCustomOAuth	already exists, DDP now logs deprecation
removeOAuthService	POST /v1/settings.removeCustomOAuth (new)	add-oauth-service perm + twoFactorRequired
refreshOAuthService	POST /v1/settings.refreshOAuthServices (new)	add-oauth-service perm + twoFactorRequired

Implementation

• removeOAuthServiceMethod + refreshOAuthServiceMethod extracted from the DDP method files into exported functions, reused by both DDP entrypoints (now thin + deprecation-logged) and the REST handlers.
• Same add-oauth-service permission check + twoFactorRequired gate as the existing settings.addCustomOAuth endpoint.

Client changes

OAuthGroupPage.tsx swapped from three useMethod hooks to three useEndpoint hooks. addOAuthService now sends { name }; removeOAuthService now sends { name }.

Test plan

• CI green (lint + typecheck)
• Admin → OAuth → Add custom OAuth → fill name → modal closes, settings group appears
• Admin → OAuth → Remove custom OAuth (confirm danger modal) → settings group disappears, settings rows deleted
• Admin → OAuth → Refresh OAuth services → toast OK, login page reflects updated providers
• Hit endpoints with curl and confirm 401/403 without the add-oauth-service perm, 2FA prompt without a valid 2FA challenge

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features
  • Added REST support for managing custom OAuth services from the admin settings area.
  • Added endpoints to remove a custom OAuth service and refresh OAuth services.
• Bug Fixes
  • Admin OAuth actions now use the newer endpoint-based flow while keeping the same success/error behavior.
  • Existing OAuth actions continue to work during the transition, with deprecation notices shown for older calls.

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label
• This PR is targeting the wrong base branch. It should target 8.6.0, but it targets 8.7.0

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

🦋 Changeset detected

Latest commit: 45bb3c7

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
@rocket.chat/meteor	Minor
@rocket.chat/rest-typings	Minor
@rocket.chat/core-typings	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Walkthrough

Migrates the Admin OAuth services page from DDP useMethod to REST useEndpoint. Two new REST endpoints (POST /v1/settings.removeCustomOAuth and POST /v1/settings.refreshOAuthServices) are added with auth and 2FA guards. The corresponding Meteor method logic is extracted into exported helpers, and legacy DDP methods now log deprecation notices.

OAuth Admin DDP → REST Migration

Layer / File(s)	Summary
REST type definitions for new OAuth endpoints packages/rest-typings/src/v1/settings.ts	SettingsEndpoints is extended with POST /v1/settings.removeCustomOAuth (accepts { name: string }) and POST /v1/settings.refreshOAuthServices (no params).
Extracted server-side OAuth method helpers apps/meteor/app/lib/server/methods/removeOAuthService.ts, apps/meteor/app/lib/server/methods/refreshOAuthService.ts, apps/meteor/app/lib/server/methods/addOAuthService.ts	removeOAuthServiceMethod and refreshOAuthServiceMethod are extracted as exported async helpers encapsulating permission checks, name normalization, settings removal/notification, and refresh logic. Legacy Meteor methods delegate to these helpers and now call methodDeprecationLogger.
New REST API endpoints registration apps/meteor/app/api/server/v1/settings.ts	Registers POST settings.removeCustomOAuth and POST settings.refreshOAuthServices with authentication, 2FA enforcement, body schema validation, and 200/400/401/403 response schemas.
OAuthGroupPage migrated to useEndpoint apps/meteor/client/views/admin/settings/groups/OAuthGroupPage/OAuthGroupPage.tsx	Replaces useMethod with useEndpoint for all three OAuth operations; call signatures updated to pass object payloads { name } instead of raw strings.
Changeset entries .changeset/ddp-migrate-batch7-oauth-caller.md, .changeset/rest-settings-oauth-admin.md	Documents endpoint mappings, deprecation timeline through 9.0.0, permission/2FA reuse, and dependency bumps.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

type: chore

Suggested reviewers

• KevLehman
• tassoevan
• ricardogarim

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: migrating OAuth admin DDP methods to REST.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[codecov]

Codecov Report

❌ Patch coverage is 0% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 70.19%. Comparing base (275a6ed) to head (45bb3c7).

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #40737      +/-   ##
===========================================
+ Coverage    70.13%   70.19%   +0.05%     
===========================================
  Files         3368     3368              
  Lines       130022   130022              
  Branches     22582    23002     +420     
===========================================
+ Hits         91191    91266      +75     
+ Misses       35519    35435      -84     
- Partials      3312     3321       +9     

Flag	Coverage Δ
e2e	59.35% <0.00%> (+0.01%)	⬆️
e2e-api	47.12% <ø> (+0.85%)	⬆️
unit	70.15% <ø> (+0.04%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/meteor/app/lib/server/methods/removeOAuthService.ts`:
- Around line 23-56: Reject service names that normalize to an empty key in
removeOAuthService before building settingsIds. The current normalization in
removeOAuthService can turn inputs like punctuation-only names into an empty
string, which then produces invalid shared setting IDs. Add a guard right after
computing normalized (using capitalize(...) and the sanitizing replace) and fail
fast when normalized is empty so the DDP/REST path never constructs
Accounts_OAuth_Custom-* entries for a non-existent provider.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 32248713-6cfa-4c65-bf98-d29b2a2b13d5

📥 Commits

Reviewing files that changed from the base of the PR and between 275a6ed and 45bb3c7.

📒 Files selected for processing (8)

• .changeset/ddp-migrate-batch7-oauth-caller.md
• .changeset/rest-settings-oauth-admin.md
• apps/meteor/app/api/server/v1/settings.ts
• apps/meteor/app/lib/server/methods/addOAuthService.ts
• apps/meteor/app/lib/server/methods/refreshOAuthService.ts
• apps/meteor/app/lib/server/methods/removeOAuthService.ts
• apps/meteor/client/views/admin/settings/groups/OAuthGroupPage/OAuthGroupPage.tsx
• packages/rest-typings/src/v1/settings.ts

📜 Review details

⏰ Context from checks skipped due to timeout. (2)

• GitHub Check: cubic · AI code reviewer
• GitHub Check: Hacktron Security Check

⚠️ CI failures not shown inline (4)

GitHub Actions: CI / ✅ Tests Done: chore: migrate OAuth services admin DDP methods to REST

Conclusion: failure

View job details

##[group]Run if [[ 'success' != 'success' ]]; then
 �[36;1mif [[ 'success' != 'success' ]]; then�[0m
 �[36;1m  exit 1�[0m
 �[36;1mfi�[0m
 �[36;1m�[0m
 �[36;1mif [[ 'success' != 'success' ]]; then�[0m
 �[36;1m  exit 1�[0m
 �[36;1mfi�[0m
 �[36;1m�[0m
 �[36;1mif [[ 'success' != 'success' ]]; then�[0m
 �[36;1m  exit 1�[0m
 �[36;1mfi�[0m
 �[36;1m�[0m
 �[36;1mif [[ 'failure' != 'success' ]]; then�[0m
 �[36;1m  exit 1�[0m
 �[36;1mfi�[0m
 �[36;1m�[0m
 �[36;1mif [[ 'success' != 'success' ]]; then�[0m
 �[36;1m  exit 1�[0m
 �[36;1mfi�[0m
 �[36;1m�[0m
 �[36;1mif [[ 'success' != 'success' ]]; then�[0m
 �[36;1m  exit 1�[0m
 �[36;1mfi�[0m
 �[36;1m�[0m
 �[36;1mif [[ 'success' != 'success' ]]; then�[0m
 �[36;1m  exit 1�[0m
 �[36;1mfi�[0m
 �[36;1m�[0m
 �[36;1mif [[ 'success' != 'success' ]]; then�[0m
 �[36;1m  exit 1�[0m
 �[36;1mfi�[0m
 �[36;1m�[0m
 �[36;1mif [[ 'success' != 'success' ]]; then�[0m
 �[36;1m  exit 1�[0m
 �[36;1mfi�[0m
 �[36;1m�[0m
 �[36;1mecho finished�[0m
 shell: /usr/bin/bash -e {0}
 env:
   TOOL_NODE_FLAGS: --max_old_space_size=4096
 ##[endgroup]
 ##[error]Process completed with exit code 1.

---

GitHub Actions: CI / 0_✅ Tests Done.txt: chore: migrate OAuth services admin DDP methods to REST

Conclusion: failure

View job details

##[group]Run if [[ 'success' != 'success' ]]; then
 �[36;1mif [[ 'success' != 'success' ]]; then�[0m
 �[36;1m  exit 1�[0m
 �[36;1mfi�[0m
 �[36;1m�[0m
 �[36;1mif [[ 'success' != 'success' ]]; then�[0m
 �[36;1m  exit 1�[0m
 �[36;1mfi�[0m
 �[36;1m�[0m
 �[36;1mif [[ 'success' != 'success' ]]; then�[0m
 �[36;1m  exit 1�[0m
 �[36;1mfi�[0m
 �[36;1m�[0m
 �[36;1mif [[ 'failure' != 'success' ]]; then�[0m
 �[36;1m  exit 1�[0m
 �[36;1mfi�[0m
 �[36;1m�[0m
 �[36;1mif [[ 'success' != 'success' ]]; then�[0m
 �[36;1m  exit 1�[0m
 �[36;1mfi�[0m
 �[36;1m�[0m
 �[36;1mif [[ 'success' != 'success' ]]; then�[0m
 �[36;1m  exit 1�[0m
 �[36;1mfi�[0m
 �[36;1m�[0m
 �[36;1mif [[ 'success' != 'success' ]]; then�[0m
 �[36;1m  exit 1�[0m
 �[36;1mfi�[0m
 �[36;1m�[0m
 �[36;1mif [[ 'success' != 'success' ]]; then�[0m
 �[36;1m  exit 1�[0m
 �[36;1mfi�[0m
 �[36;1m�[0m
 �[36;1mif [[ 'success' != 'success' ]]; then�[0m
 �[36;1m  exit 1�[0m
 �[36;1mfi�[0m
 �[36;1m�[0m
 �[36;1mecho finished�[0m
 shell: /usr/bin/bash -e {0}
 env:
   TOOL_NODE_FLAGS: --max_old_space_size=4096
 ##[endgroup]
 ##[error]Process completed with exit code 1.

---

GitHub Actions: CI / 17_📦 Track Image Sizes.txt: chore: migrate OAuth services admin DDP methods to REST

Conclusion: failure

View job details

##[group]Run current_total=$(jq -r '.total' current-sizes.json)
 �[36;1mcurrent_total=$(jq -r '.total' current-sizes.json)�[0m
 �[36;1m�[0m
 �[36;1mif [[ ! -f baseline-sizes.json ]]; then�[0m
 �[36;1m  echo "No baseline available"�[0m
 �[36;1m  echo "size-diff=0" >> $GITHUB_OUTPUT�[0m
 �[36;1m  echo "size-diff-percent=0" >> $GITHUB_OUTPUT�[0m
 �[36;1m  echo "comment-triggered=false" >> $GITHUB_OUTPUT�[0m
 �[36;1m�[0m
 �[36;1m  cat > report.md << 'EOF'�[0m
 �[36;1m# 📦 Docker Image Size Report�[0m
 �[36;1m�[0m
 �[36;1m**Status:** First measurement - no baseline for comparison�[0m
 �[36;1m�[0m
 �[36;1m**Total Size:** $(numfmt --to=iec-i --suffix=B $current_total)�[0m
 �[36;1mEOF�[0m
 �[36;1m  exit 0�[0m
 �[36;1mfi�[0m
 �[36;1m�[0m
 �[36;1mbaseline_total=$(jq -r '.total' baseline-sizes.json)�[0m
 �[36;1mdiff=$((current_total - baseline_total))�[0m
 �[36;1m�[0m
 �[36;1mif [[ $baseline_total -gt 0 ]]; then�[0m
 �[36;1m  percent=$(awk "BEGIN {printf \"%.2f\", ($diff / $baseline_total) * 100}")�[0m
 �[36;1melse�[0m
 �[36;1m  percent=0�[0m
 �[36;1mfi�[0m
 �[36;1m�[0m
 �[36;1mecho "size-diff=$diff" >> $GITHUB_OUTPUT�[0m
 �[36;1mecho "size-diff-percent=$percent" >> $GITHUB_OUTPUT�[0m
 �[36;1m�[0m
 �[36;1m# Only comment when size is bigger than baseline; optionally require per-image thresholds�[0m
 �[36;1mTHRESHOLDS="$SIZE_THRESHOLDS"�[0m
 �[36;1mFAIL_THRESHOLDS="$FAIL_THRESHOLDS"�[0m
 �[36;1mcomment_triggered=false�[0m
 �[36;1mfail_triggered=false�[0m
 �[36;1mif [[ $diff -gt 0 ]]; then�[0m
 �[36;1m  if [[ -z "$THRESHOLDS" ]] || [[ "$THRESHOLDS" == "{}" ]]; then�[0m
 �[36;1m    comment_triggered=true�[0m
 �[36;1m  fi�[0m
 �[36;1mfi�[0m
 �[36;1m�[0m
 �[36;1mcolor="gray"�[0m
 �[36;1mif (( $(awk "BEGIN {print ($percent > 0.01)}") )); then�[0m
 �[36;1m  color="red"�[0m
 �[36;1melif (( $(awk "BEGIN {print ($percent < -0.01)}") )); then�[0m
 �[36;1m  color="green"�[0m
 �[36;1mfi�[0m
 �[36;1m�[0m
 �[36;1m# Generate report�[0m
 �[36;1mif [[ $diff -gt 0 ]]; then�[0m
 �[36;1m  emoji=...

---

GitHub Actions: CI / 28_🔨 Test Unit _ Unit Tests.txt: chore: migrate OAuth services admin DDP methods to REST

Conclusion: failure

View job details

s�[0m
 �[36;1mfor cmd in bash git curl; do�[0m
 �[36;1m  if ! command -v "$cmd" >/dev/null 2>&1; then�[0m
 �[36;1m    missing_deps="$missing_deps $cmd"�[0m
 �[36;1m  fi�[0m
 �[36;1mdone�[0m
 �[36;1m�[0m
 �[36;1m# Check for gpg only if validation is not being skipped�[0m
 �[36;1mif [ "$INPUT_SKIP_VALIDATION" != "true" ]; then�[0m
 �[36;1m  if ! command -v gpg >/dev/null 2>&1; then�[0m
 �[36;1m    missing_deps="$missing_deps gpg"�[0m
 �[36;1m  fi�[0m
 �[36;1mfi�[0m
 �[36;1m�[0m
 �[36;1m# Report missing required dependencies�[0m
 �[36;1mif [ -n "$missing_deps" ]; then�[0m
 �[36;1m  echo "Error: The following required dependencies are missing:$missing_deps"�[0m
 �[36;1m  echo "Please install these dependencies before using this action."�[0m
 �[36;1m  exit 1�[0m
 �[36;1mfi�[0m
 �[36;1m�[0m
 �[36;1mecho "All required system dependencies are available."�[0m
 shell: /usr/bin/sh -e {0}
 env:
   MONGO_URL: mongodb://localhost:27017/rocketchat?replicaSet=rs0&directConnection=true
   TOOL_NODE_FLAGS: --max_old_space_size=4096
   ENTERPRISE_LICENSE: Uo7Jcr6WW0XYA8ydHd+Sk6pZ9/0V6dIASnyTwvUrNym/zJg2Ma3eYNKkC8osXLCc72y1ahohnWY7/+7IYkvono3GYXQR+IGvYbbrVgNR6OjMahd9P/odHZL1GFTm2qHrEL5Hh/XEOG+YluFeRdWPzCizQlp4zGGOi0+PkQo096TR9NVCLrsErVl2MW1WM6ZM1W5EUJG9pKly4BQnaOTUAlor1im6i8qPTDCKrISZfLiZEWuQKaPW/GE3mRKjQNjDh0CabX1N2S880pRRGoozBYAnp2NmFfrQW0+5ihKisBTIeMbMZ7K5NE5PkYU1nhQDcc+rpDHtwG9Ceg5X0J+oea3UfrPTmDON2aSI0iO22kvL6G7QI3fyrEIvJrMbxcNKxAFeQYgnjisw/b06+chWSG4jG686Fx58XrVS87dFhWL9WoGltsk1dJCntUQvI1sX6zOfpvyg1iWRnHfYDOrwoWlX57XMm29fWineEoqnOOTOVnA/uP+DKEhercQ9Xuo7Cr6zJxpQpwd03e7ODVjiEbTDqlkZE687rmxRCD4Wmu8L86WIl2xSEIajKLX301Ww5mz/FdLqk+Mg32lkW66W3azQKvJ1440NBrYxhpJ+dl9vSFMb3s1+xnz1cYUbjUcq9mARvORcgy5mLwKulmqT6Sq0Uvbv10YCO0TW0beXYW8=
   NODE_VERSION: 22.22.3
   DENO_VERSION: 2.3.1
   MONGOMS_DOWNLOAD_DIR: /home/runner/work/_temp/mongodb-memory-server
   MONGOMS_PREFER_GLOBAL_PATH: false
   TURBOGHA_PORT: 41230
   TURBO_API: http://localhost:41230
   TURBO_***REDACTED***
   TURBO_TEAM: tur...

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/app/lib/server/methods/addOAuthService.ts
• packages/rest-typings/src/v1/settings.ts
• apps/meteor/client/views/admin/settings/groups/OAuthGroupPage/OAuthGroupPage.tsx
• apps/meteor/app/lib/server/methods/refreshOAuthService.ts
• apps/meteor/app/api/server/v1/settings.ts
• apps/meteor/app/lib/server/methods/removeOAuthService.ts

🧠 Learnings (8)

📚 Learning: 2026-03-16T21:50:37.589Z

Learnt from: amitb0ra
Repo: RocketChat/Rocket.Chat PR: 39676
File: .changeset/migrate-users-register-openapi.md:3-3
Timestamp: 2026-03-16T21:50:37.589Z
Learning: For changes related to OpenAPI migrations in Rocket.Chat/OpenAPI, when removing endpoint types and validators from rocket.chat/rest-typings (e.g., UserRegisterParamsPOST, /v1/users.register) document this as a minor changeset (not breaking) per RocketChat/Rocket.Chat-Open-API#150 Rule 7. Note that the endpoint type is re-exposed via a module augmentation .d.ts in the consuming package (e.g., packages/web-ui-registration/src/users-register.d.ts). In reviews, ensure the changeset clearly states: this is a non-breaking change, the major version should not be bumped, and the changeset reflects a minor version bump. Do not treat this as a breaking change during OpenAPI migrations.

Applied to files:

• .changeset/rest-settings-oauth-admin.md
• .changeset/ddp-migrate-batch7-oauth-caller.md

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/app/lib/server/methods/addOAuthService.ts
• packages/rest-typings/src/v1/settings.ts
• apps/meteor/app/lib/server/methods/refreshOAuthService.ts
• apps/meteor/app/api/server/v1/settings.ts
• apps/meteor/app/lib/server/methods/removeOAuthService.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/app/lib/server/methods/addOAuthService.ts
• packages/rest-typings/src/v1/settings.ts
• apps/meteor/app/lib/server/methods/refreshOAuthService.ts
• apps/meteor/app/api/server/v1/settings.ts
• apps/meteor/app/lib/server/methods/removeOAuthService.ts

📚 Learning: 2026-05-06T12:21:44.083Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

• apps/meteor/app/lib/server/methods/addOAuthService.ts
• packages/rest-typings/src/v1/settings.ts
• apps/meteor/client/views/admin/settings/groups/OAuthGroupPage/OAuthGroupPage.tsx
• apps/meteor/app/lib/server/methods/refreshOAuthService.ts
• apps/meteor/app/api/server/v1/settings.ts
• apps/meteor/app/lib/server/methods/removeOAuthService.ts

📚 Learning: 2026-05-11T23:14:59.316Z

Learnt from: ricardogarim
Repo: RocketChat/Rocket.Chat PR: 40469
File: packages/rest-typings/src/v1/users.ts:337-337
Timestamp: 2026-05-11T23:14:59.316Z
Learning: In Rocket.Chat REST endpoint typings (e.g., packages/rest-typings/src/v1/users.ts and other rest-typings files), keep the established convention of deriving field types from the domain model (e.g., use IUser indexed access like IUser['statusExpiresAt']) rather than swapping individual fields to serialized primitives (like string) in an ad-hoc way. If a truly different “serialized” representation is needed, perform the refactor consistently across the codebase (not just a single endpoint/field) and ensure all related REST typings stay aligned with the shared serialization types.

Applied to files:

• packages/rest-typings/src/v1/settings.ts

📚 Learning: 2026-03-27T14:52:56.865Z

Learnt from: dougfabris
Repo: RocketChat/Rocket.Chat PR: 39892
File: apps/meteor/client/views/room/contextualBar/Threads/Thread.tsx:150-155
Timestamp: 2026-03-27T14:52:56.865Z
Learning: In Rocket.Chat, there are two different `ModalBackdrop` components with different prop APIs. During review, confirm the import source: (1) `rocket.chat/fuselage` `ModalBackdrop` uses `ModalBackdropProps` based on `BoxProps` (so it supports `onClick` and other Box/DOM props) and does not have an `onDismiss` prop; (2) `rocket.chat/ui-client` `ModalBackdrop` uses a narrower props interface like `{ children?: ReactNode; onDismiss?: () => void }` and handles Escape keypress and outside mouse-up, and it does not forward arbitrary DOM props such as `onClick`. Flag mismatched props (e.g., `onDismiss` passed to the fuselage component or `onClick` passed to the ui-client component) and ensure the usage matches the correct component being imported.

Applied to files:

• apps/meteor/client/views/admin/settings/groups/OAuthGroupPage/OAuthGroupPage.tsx

📚 Learning: 2026-02-23T17:53:06.802Z

Learnt from: ggazzo
Repo: RocketChat/Rocket.Chat PR: 35995
File: apps/meteor/app/api/server/v1/rooms.ts:1107-1112
Timestamp: 2026-02-23T17:53:06.802Z
Learning: During PR reviews that touch endpoint files under apps/meteor/app/api/server/v1, enforce strict scope: if a PR targets a specific endpoint (e.g., rooms.favorite), do not propose changes to unrelated endpoints (e.g., rooms.invite) unless maintainers explicitly request them. Focus feedback on the touched endpoint's behavior, API surface, and related tests; avoid broad cross-endpoint changes in the same PR unless requested.

Applied to files:

• apps/meteor/app/api/server/v1/settings.ts

📚 Learning: 2026-02-24T19:09:01.522Z

Learnt from: ahmed-n-abdeltwab
Repo: RocketChat/Rocket.Chat PR: 38974
File: apps/meteor/app/api/server/v1/im.ts:220-221
Timestamp: 2026-02-24T19:09:01.522Z
Learning: In Rocket.Chat OpenAPI migration PRs for endpoints under apps/meteor/app/api/server/v1, avoid introducing logic changes. Only perform scope-tight changes that preserve behavior; style-only cleanups (e.g., removing inline comments) may be deferred to follow-ups to keep the migration PR focused.

Applied to files:

• apps/meteor/app/api/server/v1/settings.ts

🔇 Additional comments (4)

apps/meteor/client/views/admin/settings/groups/OAuthGroupPage/OAuthGroupPage.tsx (1)

5-5: LGTM!

Also applies to: 36-38, 41-49, 51-63, 69-82

.changeset/ddp-migrate-batch7-oauth-caller.md (1)

1-12: LGTM!

.changeset/rest-settings-oauth-admin.md (1)

1-12: LGTM!

packages/rest-typings/src/v1/settings.ts (1)

139-140: 🎯 Functional Correctness

No change needed useEndpoint already treats body-less POST endpoints as optional-arg calls, so refreshOAuthService(undefined) is compatible with POST: () => void.

			> Likely an incorrect or invalid review comment.

[coderabbitai]

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Reject names that normalize to an empty service key.

settings.removeCustomOAuth only rejects whitespace. Inputs like !!! still reach this helper, normalize to '', and make the shared DDP/REST path build bare IDs such as Accounts_OAuth_Custom-... for deletion instead of a real provider. Validate normalized before constructing settingsIds.

Suggested fix

 	const normalized = capitalize(name.toLowerCase().replace(/[^a-z0-9_]/g, ''));
+	if (!normalized) {
+		throw new Meteor.Error('error-invalid-name', 'The parameter "name" is invalid', {
+			method: 'removeOAuthService',
+		});
+	}
 
 	const settingsIds = [

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const normalized = capitalize(name.toLowerCase().replace(/[^a-z0-9_]/g, ''));
	const settingsIds = [
	`Accounts_OAuth_Custom-${normalized}`,
	`Accounts_OAuth_Custom-${normalized}-url`,
	`Accounts_OAuth_Custom-${normalized}-token_path`,
	`Accounts_OAuth_Custom-${normalized}-identity_path`,
	`Accounts_OAuth_Custom-${normalized}-authorize_path`,
	`Accounts_OAuth_Custom-${normalized}-scope`,
	`Accounts_OAuth_Custom-${normalized}-access_token_param`,
	`Accounts_OAuth_Custom-${normalized}-token_sent_via`,
	`Accounts_OAuth_Custom-${normalized}-identity_token_sent_via`,
	`Accounts_OAuth_Custom-${normalized}-id`,
	`Accounts_OAuth_Custom-${normalized}-secret`,
	`Accounts_OAuth_Custom-${normalized}-button_label_text`,
	`Accounts_OAuth_Custom-${normalized}-button_label_color`,
	`Accounts_OAuth_Custom-${normalized}-button_color`,
	`Accounts_OAuth_Custom-${normalized}-login_style`,
	`Accounts_OAuth_Custom-${normalized}-key_field`,
	`Accounts_OAuth_Custom-${normalized}-username_field`,
	`Accounts_OAuth_Custom-${normalized}-email_field`,
	`Accounts_OAuth_Custom-${normalized}-name_field`,
	`Accounts_OAuth_Custom-${normalized}-avatar_field`,
	`Accounts_OAuth_Custom-${normalized}-roles_claim`,
	`Accounts_OAuth_Custom-${normalized}-merge_roles`,
	`Accounts_OAuth_Custom-${normalized}-roles_to_sync`,
	`Accounts_OAuth_Custom-${normalized}-merge_users`,
	`Accounts_OAuth_Custom-${normalized}-show_button`,
	`Accounts_OAuth_Custom-${normalized}-groups_claim`,
	`Accounts_OAuth_Custom-${normalized}-channels_admin`,
	`Accounts_OAuth_Custom-${normalized}-map_channels`,
	`Accounts_OAuth_Custom-${normalized}-groups_channel_map`,
	`Accounts_OAuth_Custom-${normalized}-merge_users_distinct_services`,
	];
	const normalized = capitalize(name.toLowerCase().replace(/[^a-z0-9_]/g, ''));
	if (!normalized) {
	throw new Meteor.Error('error-invalid-name', 'The parameter "name" is invalid', {
	method: 'removeOAuthService',
	});
	}
	const settingsIds = [
	`Accounts_OAuth_Custom-${normalized}`,
	`Accounts_OAuth_Custom-${normalized}-url`,
	`Accounts_OAuth_Custom-${normalized}-token_path`,
	`Accounts_OAuth_Custom-${normalized}-identity_path`,
	`Accounts_OAuth_Custom-${normalized}-authorize_path`,
	`Accounts_OAuth_Custom-${normalized}-scope`,
	`Accounts_OAuth_Custom-${normalized}-access_token_param`,
	`Accounts_OAuth_Custom-${normalized}-token_sent_via`,
	`Accounts_OAuth_Custom-${normalized}-identity_token_sent_via`,
	`Accounts_OAuth_Custom-${normalized}-id`,
	`Accounts_OAuth_Custom-${normalized}-secret`,
	`Accounts_OAuth_Custom-${normalized}-button_label_text`,
	`Accounts_OAuth_Custom-${normalized}-button_label_color`,
	`Accounts_OAuth_Custom-${normalized}-button_color`,
	`Accounts_OAuth_Custom-${normalized}-login_style`,
	`Accounts_OAuth_Custom-${normalized}-key_field`,
	`Accounts_OAuth_Custom-${normalized}-username_field`,
	`Accounts_OAuth_Custom-${normalized}-email_field`,
	`Accounts_OAuth_Custom-${normalized}-name_field`,
	`Accounts_OAuth_Custom-${normalized}-avatar_field`,
	`Accounts_OAuth_Custom-${normalized}-roles_claim`,
	`Accounts_OAuth_Custom-${normalized}-merge_roles`,
	`Accounts_OAuth_Custom-${normalized}-roles_to_sync`,
	`Accounts_OAuth_Custom-${normalized}-merge_users`,
	`Accounts_OAuth_Custom-${normalized}-show_button`,
	`Accounts_OAuth_Custom-${normalized}-groups_claim`,
	`Accounts_OAuth_Custom-${normalized}-channels_admin`,
	`Accounts_OAuth_Custom-${normalized}-map_channels`,
	`Accounts_OAuth_Custom-${normalized}-groups_channel_map`,
	`Accounts_OAuth_Custom-${normalized}-merge_users_distinct_services`,
	];

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/app/lib/server/methods/removeOAuthService.ts` around lines 23 -
56, Reject service names that normalize to an empty key in removeOAuthService
before building settingsIds. The current normalization in removeOAuthService can
turn inputs like punctuation-only names into an empty string, which then
produces invalid shared setting IDs. Add a guard right after computing
normalized (using capitalize(...) and the sanitizing replace) and fail fast when
normalized is empty so the DDP/REST path never constructs
Accounts_OAuth_Custom-* entries for a non-existent provider.

[cubic-dev-ai]

1 issue found across 8 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/meteor/app/api/server/v1/settings.ts">

<violation number="1" location="apps/meteor/app/api/server/v1/settings.ts:249">
P3: Add the add-oauth-service permission gate to the REST route metadata, not only the shared helper, so this public API boundary enforces the same authorization contract as other guarded routes.

(Based on your team's feedback about permission checks at entry points.) [FEEDBACK_USED]</violation>
</file>

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

[cubic-dev-ai]

P3: Add the add-oauth-service permission gate to the REST route metadata, not only the shared helper, so this public API boundary enforces the same authorization contract as other guarded routes.

(Based on your team's feedback about permission checks at entry points.)

View Feedback

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At apps/meteor/app/api/server/v1/settings.ts, line 249:

<comment>Add the add-oauth-service permission gate to the REST route metadata, not only the shared helper, so this public API boundary enforces the same authorization contract as other guarded routes.

(Based on your team's feedback about permission checks at entry points.) </comment>

<file context>
@@ -243,6 +245,59 @@ API.v1.post(
 );
 
+API.v1.post(
+	'settings.removeCustomOAuth',
+	{
+		authRequired: true,
</file context>

Suggested change

	'settings.removeCustomOAuth',
	{
	authRequired: true,
	twoFactorRequired: true,
	'settings.removeCustomOAuth',
	{
	authRequired: true,
	permissionsRequired: {
	POST: { permissions: ['add-oauth-service'], operation: 'hasAll' },
	},
	twoFactorRequired: true,

[KevLehman]

Suggested change

	Migrated the Admin → OAuth services group page from `useMethod` (DDP) to `useEndpoint` (REST):
	Migrates the Admin → OAuth services group page from `useMethod` (DDP) to `useEndpoint` (REST):

[KevLehman]

Suggested change

	Added two new REST endpoints completing the Custom OAuth admin surface:
	Adds two new REST endpoints completing the Custom OAuth admin surface:

[KevLehman]

If you add the permission check to the api level & keep the check on the method, you don't need to create the refreshOauthServieMethod proxy

[KevLehman]

same here: u can keep the permission check on api/method level and remove it from here.