RocketChat
fix: third-party login is broken
Proposed changes (including videos or screenshots)
Issue(s)
SUP-943 https://github.com/RocketChat/Rocket.Chat/issues/35419
Steps to test or reproduce
Further comments
Summary by CodeRabbit
-
Bug Fixes
- Fixed an issue that prevented third-party login from working properly, restoring authentication through external identity providers.
βοΈ Tip: You can customize this high-level summary in your review settings.
π¦ Changeset detected
Latest commit: e61f20927acf6ed49e28f65e40c6728ca1a4a87a
The changes in this PR will be included in the next version bump.
This PR includes changesets to release 41 packages
| Name | Type |
|---|---|
| @rocket.chat/meteor | Patch |
| @rocket.chat/core-typings | Patch |
| @rocket.chat/rest-typings | Patch |
| @rocket.chat/uikit-playground | Patch |
| @rocket.chat/api-client | Patch |
| @rocket.chat/apps | Patch |
| @rocket.chat/core-services | Patch |
| @rocket.chat/cron | Patch |
| @rocket.chat/ddp-client | Patch |
| @rocket.chat/freeswitch | Patch |
| @rocket.chat/fuselage-ui-kit | Patch |
| @rocket.chat/gazzodown | Patch |
| @rocket.chat/http-router | Patch |
| @rocket.chat/livechat | Patch |
| @rocket.chat/model-typings | Patch |
| @rocket.chat/ui-avatar | Patch |
| @rocket.chat/ui-client | Patch |
| @rocket.chat/ui-contexts | Patch |
| @rocket.chat/ui-voip | Patch |
| @rocket.chat/web-ui-registration | Patch |
| @rocket.chat/account-service | Patch |
| @rocket.chat/authorization-service | Patch |
| @rocket.chat/ddp-streamer | Patch |
| @rocket.chat/omnichannel-transcript | Patch |
| @rocket.chat/presence-service | Patch |
| @rocket.chat/queue-worker | Patch |
| @rocket.chat/stream-hub-service | Patch |
| @rocket.chat/federation-matrix | Patch |
| @rocket.chat/license | Patch |
| @rocket.chat/media-calls | Patch |
| @rocket.chat/omnichannel-services | Patch |
| @rocket.chat/pdf-worker | Patch |
| @rocket.chat/presence | Patch |
| rocketchat-services | Patch |
| @rocket.chat/models | Patch |
| @rocket.chat/network-broker | Patch |
| @rocket.chat/omni-core-ee | Patch |
| @rocket.chat/mock-providers | Patch |
| @rocket.chat/ui-video-conf | Patch |
| @rocket.chat/instance-status | Patch |
| @rocket.chat/omni-core | Patch |
Not sure what this means? Click here to learn what changesets are.
Click here if you're a maintainer who wants to add another changeset to this PR
![changeset-bot[bot] avatar](https://avatars.githubusercontent.com/in/28616?v=4 "Published by a pub.dev verified publisher"){kind=small}
Walkthrough
Replaces PartialThis with a route-context model (GenericRouteExecutionContext) across API auth and parsing paths, converts auth methods to async route-context functions returning IUser | undefined, tightens OAuth2 header/query types and return shape, and updates middleware, integrations, and handlers to use the new context and safer runtime guards.
Changes
| Cohort / File(s) | Summary |
|---|---|
Changeset documentation \.changeset/rich-dogs-wonder.md`` |
Adds a patch-level changeset noting a fix for third-party login. |
API core & typings apps/meteor/app/api/server/ApiClass.ts, apps/meteor/app/api/server/definition.ts, apps/meteor/app/api/server/helpers/parseJsonQuery.ts |
Replace PartialThis with GenericRouteExecutionContext/RouteExecutionContext; add logger and queryFields to ActionThis; change APIClass auth method types and addAuthMethod to accept `(routeContext) => Promise<IUser |
OAuth2 server & integration apps/meteor/app/oauth2-server-config/server/oauth/oauth2-server.ts |
Tighten oAuth2ServerAuth input types to `{ headers: Record<string,string |
Authentication middleware apps/meteor/app/api/server/middlewares/authentication.ts |
Call oAuth2ServerAuth with explicit { headers, query } typed as `Record<string,string |
Integrations & handlers apps/meteor/app/integrations/server/api/api.ts, apps/meteor/ee/server/apps/communication/endpoints/appLogsExportHandler.ts |
Update authenticatedRoute signatures to accept route-context (GenericRouteExecutionContext) and adapt internal header/access patterns and super calls to use routeContext.request.*; guard bodyParams/query with isPlainObject. |
Utility typing apps/meteor/lib/utils/isPlainObject.ts |
Make isPlainObject a TypeScript type predicate: `value is Record<string |
Tests apps/meteor/tests/end-to-end/api/oauth-server.ts |
Add end-to-end OAuth credential tests exercising refreshed access token for v1 endpoints. |
Manifest / package package.json, other manifest entries |
Changes included in diff manifest (changeset added); no other manifest details in summary. |
Sequence Diagram(s)
sequenceDiagram
participant Client as Client (HTTP)
participant Middleware as Auth Middleware
participant API as APIClass / Router
participant OAuth as oAuth2ServerAuth
participant DB as Token / User Store
Client->>Middleware: HTTP request -> build routeContext (request, headers, query)
Middleware->>API: pass routeContext to handler
API->>API: for each authMethod: call authMethod(routeContext)
alt authMethod is oAuth2ServerAuth
API->>OAuth: oAuth2ServerAuth({ headers, query })
OAuth->>DB: validate token / lookup access token & user
DB-->>OAuth: access token / user or invalid
OAuth-->>API: return IUser or undefined
end
alt user found
API-->>API: set routeContext.request.user and continue to handler
API-->>Client: handler response (authenticated)
else no user found
API-->>Client: unauthorized / no user
end
Estimated code review effort
π― 4 (Complex) | β±οΈ ~45 minutes
- Areas needing careful review:
-
APIClasspublic signature changes (authMethods,addAuthMethod) and all call sites. -
oAuth2ServerAuthreturn-type and input-shape changes and its callers (middleware, API auth wiring). -
parseJsonQueryruntime-guard changes and their impact on query parsing. - Conversions from
req.headerstorouteContext.request.headersacross integrations and handlers. - Type-guard change in
isPlainObjectaffecting consumer typings.
-
Suggested labels
stat: ready to merge, stat: QA assured
Suggested reviewers
- scuciatto
Poem
π I hopped through headers, tokens, and types,
Switched contexts and bounded the auth pipes.
Methods line up, checking each in turn,
Tokens found β the server's wheels now churn.
π₯ A rabbit's cheer for login paths that learn!
Pre-merge checks and finishing touches
β Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | β οΈ Warning | Docstring coverage is 14.29% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |
β Passed checks (4 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | β Passed | Title clearly summarizes the main change: fixing third-party login functionality that was broken. |
| Linked Issues check | β Passed | The changes properly refactor authentication flow and OAuth2 integration to restore third-party login functionality, addressing the root cause of authentication failures in SUP-943. |
| Out of Scope Changes check | β Passed | All changes are focused on refactoring the authentication context to fix third-party login; no unrelated modifications detected. |
| Description Check | β Passed | Check skipped - CodeRabbitβs high-level summary is enabled. |
β¨ Finishing touches
- [ ] π Generate docstrings
π§ͺ Generate unit tests (beta)
- [ ] Create PR with unit tests
- [ ] Post copyable unit tests in a comment
- [ ] Commit unit tests in branch
fix/third-party-login
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.
Comment @coderabbitai help to get the list of available commands and usage tips.
![coderabbitai[bot] avatar](https://avatars.githubusercontent.com/in/347564?v=4 "Published by a pub.dev verified publisher"){kind=small}
![dionisio-bot[bot] avatar](https://avatars.githubusercontent.com/in/257776?v=4 "Published by a pub.dev verified publisher"){kind=small}
β Actions performed
Review triggered.
Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.
β Actions performed
Review triggered.
Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.
π¦ Docker Image Size Report
π Changes 
| Service | Current | Baseline | Change | Percent |
|---|---|---|---|---|
| sum of all images | 1.2GiB | 1.2GiB | +12MiB | |
| rocketchat | 358MiB | 347MiB | +12MiB |  |
| omnichannel-transcript-service | 132MiB | 132MiB | -243B |  |
| queue-worker-service | 132MiB | 132MiB | +539B |  |
| ddp-streamer-service | 126MiB | 126MiB | +559B | |
| account-service | 113MiB | 113MiB | -51B | |
| stream-hub-service | 110MiB | 110MiB | +92B | |
| authorization-service | 110MiB | 110MiB | +212B | |
| presence-service | 110MiB | 110MiB | -621B | |
π Historical Trend
---
config:
theme: "dark"
xyChart:
width: 900
height: 400
---
xychart
title "Image Size Evolution by Service (Last 30 Days + This PR)"
x-axis ["11/15 22:28", "11/16 01:28", "11/17 23:50", "11/18 22:53", "11/19 23:02", "11/21 16:49", "11/24 17:34", "11/27 22:32", "11/28 19:05", "12/01 23:01", "12/02 21:57", "12/03 21:00", "12/04 18:17", "12/05 21:56", "12/08 20:15", "12/09 22:17", "12/10 23:26", "12/11 21:56", "12/12 22:45", "12/13 01:34", "12/15 22:31", "12/16 19:43", "12/16 19:59 (PR)"]
y-axis "Size (GB)" 0 --> 0.5
line "account-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
line "authorization-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
line "ddp-streamer-service" [0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12, 0.12]
line "omnichannel-transcript-service" [0.14, 0.14, 0.14, 0.14, 0.14, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13]
line "presence-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
line "queue-worker-service" [0.14, 0.14, 0.14, 0.14, 0.14, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13, 0.13]
line "rocketchat" [0.36, 0.36, 0.35, 0.35, 0.35, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.34, 0.35]
line "stream-hub-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
Statistics (last 22 days):
- π Average: 1.5GiB
- β¬οΈ Minimum: 1.2GiB
- β¬οΈ Maximum: 1.6GiB
- π― Current PR: 1.2GiB
βΉοΈ About this report
This report compares Docker image sizes from this build against the develop baseline.
-
Tag:
pr-37707 -
Baseline:
develop - Timestamp: 2025-12-16 19:59:40 UTC
- Historical data points: 22
Updated: Tue, 16 Dec 2025 19:59:41 GMT
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
β Actions performed
Initiated docstring generation; will generate only if new commits exist.
[!NOTE] Docstrings generation - SUCCESS Generated docstrings for this pull request at https://github.com/RocketChat/Rocket.Chat/pull/37741
β Actions performed
Review triggered.
Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.
Codecov Report
:white_check_mark: All modified and coverable lines are covered by tests.
:white_check_mark: Project coverage is 67.63%. Comparing base (f3dc2c1) to head (e61f209).
:warning: Report is 25 commits behind head on develop.
Additional details and impacted files
@@ Coverage Diff @@
## develop #37707 +/- ##
===========================================
- Coverage 67.63% 67.63% -0.01%
===========================================
Files 3457 3457
Lines 113662 113661 -1
Branches 20903 20903
===========================================
- Hits 76874 76872 -2
- Misses 34657 34659 +2
+ Partials 2131 2130 -1
| Flag | Coverage Ξ | |
|---|---|---|
| e2e | 57.29% <ΓΈ> (+<0.01%) |
:arrow_up: |
| e2e-api | 42.28% <ΓΈ> (+0.01%) |
:arrow_up: |
Flags with carried forward coverage won't be shown. Click here to find out more.
:rocket: New features to boost your workflow:
- :snowflake: Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
- :package: JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.
![codecov[bot] avatar](https://avatars.githubusercontent.com/in/254?v=4 "Published by a pub.dev verified publisher"){kind=small}
@copilot evaluate the code changes in this PR and write end-to-end tests that guarantee oauth2 apps authentication works in the v1/ endpoints
@d-gubert I've opened a new pull request, #37784, to work on those changes. Once the pull request is ready, I'll request review from you.
