chore: Passport Twitter OAuth

[yash-rajpal]

Proposed changes (including videos or screenshots)

Issue(s)

Steps to test or reproduce

Further comments

PRM-39

Summary by CodeRabbit

• New Features
  • Twitter OAuth authentication is now supported. Users can sign in and register accounts using their Twitter credentials, with automatic synchronization of email and profile information.

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label
• This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: 92a69a6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

This PR adds Twitter OAuth authentication support to Rocket.Chat. It installs the passport-twitter library and types, registers Twitter as a new OAuth provider with email and profile scopes, and configures the strategy initialization to use consumerKey and consumerSecret fields while logging authentication profiles.

Changes

Twitter OAuth Integration

Layer / File(s)	Summary
Twitter OAuth dependencies apps/meteor/package.json	Adds passport-twitter (^1.0.4) and @types/passport-twitter (^1) to enable the Twitter OAuth strategy.
Twitter OAuth provider registration apps/meteor/server/lib/oauth/oauthConfigs.ts	Imports TwitterStrategy and registers twitter as a new OAuth provider in OAuthConfigs with email and profile scopes, extending the exported Provider type.
Twitter OAuth service initialization apps/meteor/server/lib/oauth/configureOAuthServices.ts	Configures the Twitter strategy to map consumerKey and consumerSecret from OAuth config fields, and adds console logging of the Passport profile object during the authentication callback.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested labels

type: feature

Suggested reviewers

• KevLehman
• tassoevan

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'chore: Passport Twitter OAuth' directly relates to the main changes: adding Twitter OAuth support via Passport with dependencies, configuration, and integration code.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.77%. Comparing base (500e008) to head (92a69a6).
⚠️ Report is 1 commits behind head on feat/phishing-resistant-mfa.

Additional details and impacted files

@@                       Coverage Diff                       @@
##           feat/phishing-resistant-mfa   #40563      +/-   ##
===============================================================
+ Coverage                        69.72%   69.77%   +0.04%     
===============================================================
  Files                             3303     3297       -6     
  Lines                           121715   120969     -746     
  Branches                         21563    21540      -23     
===============================================================
- Hits                             84871    84411     -460     
+ Misses                           33575    33295     -280     
+ Partials                          3269     3263       -6     

Flag	Coverage Δ
unit	70.48% <ø> (+0.11%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/meteor/server/lib/oauth/configureOAuthServices.ts`:
- Line 41: Remove the raw OAuth profile logging in configureOAuthServices (the
console.log('profile - ', profile) call) to avoid PII exposure; instead either
delete the log or replace it with a safe, minimal diagnostic message that only
logs non-sensitive identifiers (e.g., provider name or user id) after redacting
or extracting specific allowed fields, and ensure this change occurs inside the
configureOAuthServices function handling the OAuth callback/profile processing.

In `@apps/meteor/server/lib/oauth/oauthConfigs.ts`:
- Around line 25-28: The twitter provider config currently passes OAuth2-style
scopes (scope: ['email','profile']) which passport-twitter (TwitterStrategy)
ignores; change the twitter config to remove those scopes (e.g., scope: []) and
instead add provider-specific strategy options to request email via
includeEmail: true when constructing/initializing TwitterStrategy or its options
object; update the code that builds/instantiates TwitterStrategy (referencing
TwitterStrategy and the twitter config object) to merge provider-specific
options (includeEmail: true) so profile.emails will be populated.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 28f1c4fd-6ac9-441b-b1da-efae22775b39

📥 Commits

Reviewing files that changed from the base of the PR and between 500e008 and 92a69a6.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (3)

• apps/meteor/package.json
• apps/meteor/server/lib/oauth/configureOAuthServices.ts
• apps/meteor/server/lib/oauth/oauthConfigs.ts

📜 Review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: cubic · AI code reviewer

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

• apps/meteor/server/lib/oauth/oauthConfigs.ts
• apps/meteor/server/lib/oauth/configureOAuthServices.ts

🧠 Learnings (3)

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

• apps/meteor/server/lib/oauth/oauthConfigs.ts
• apps/meteor/server/lib/oauth/configureOAuthServices.ts

📚 Learning: 2026-02-26T19:25:44.063Z

Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

• apps/meteor/server/lib/oauth/oauthConfigs.ts
• apps/meteor/server/lib/oauth/configureOAuthServices.ts

📚 Learning: 2026-05-06T12:21:44.083Z

Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

• apps/meteor/server/lib/oauth/oauthConfigs.ts
• apps/meteor/server/lib/oauth/configureOAuthServices.ts

🔇 Additional comments (2)

apps/meteor/package.json (1)

272-272: LGTM!

Also applies to: 404-404

apps/meteor/server/lib/oauth/configureOAuthServices.ts (1)

29-30: LGTM!

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Remove raw OAuth profile logging (PII exposure).

Line 41 logs the full external profile payload, which can leak personal data into logs.

Safe fix

-					console.log('profile - ', profile);

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

console.log('profile - ', profile);

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/server/lib/oauth/configureOAuthServices.ts` at line 41, Remove
the raw OAuth profile logging in configureOAuthServices (the
console.log('profile - ', profile) call) to avoid PII exposure; instead either
delete the log or replace it with a safe, minimal diagnostic message that only
logs non-sensitive identifiers (e.g., provider name or user id) after redacting
or extracting specific allowed fields, and ensure this change occurs inside the
configureOAuthServices function handling the OAuth callback/profile processing.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

For passport-twitter@1.0.4, what options are supported by Strategy/authenticate for requesting email? Is OAuth2-style scope: ['email','profile']honored, or shouldincludeEmail: true be used instead?

💡 Result:

For the passport-twitter package (which uses OAuth 1.0a), you should use the includeEmail: true option in the strategy configuration to request the user's email address [1][2]. The OAuth2-style scope: ['email', 'profile'] is not honored by passport-twitter because it is an OAuth 1.0a strategy, not an OAuth 2.0 strategy [3][4]. To successfully retrieve the email address: 1. Ensure you have enabled the Request email addresses from users permission in your Twitter application settings on the Twitter Developer Portal [5][1]. 2. Add includeEmail: true to the options object when initializing the TwitterStrategy [1][2]. Example configuration: passport.use(new TwitterStrategy({ consumerKey: TWITTER_CONSUMER_KEY, consumerSecret: TWITTER_CONSUMER_SECRET, callbackURL: "...", includeEmail: true }, function(token, tokenSecret, profile, done) { // profile.emails will now contain the email address if granted return done(null, profile); })); If you are using a different package that supports OAuth 2.0 (such as @superfaceai/passport-twitter-oauth2), the configuration and scope requirements will differ, as those strategies typically use the scope option during the authentication request [6][4].

Citations:

• 1: Get user email jaredhanson/passport-twitter#67
• 2: https://github.com/hewmen/passport-twitter-oauth2
• 3: https://github.com/jaredhanson/passport-twitter
• 4: https://www.npmjs.com/package/@superfaceai/passport-twitter-oauth2
• 5: https://github.com/KShewengger/ngx-express-passport-setup
• 6: https://dev.to/superface/how-to-use-twitter-oauth-20-and-passportjs-for-user-login-33fk

---

🏁 Script executed:

# First, let's look at the file in question and understand the config structure
cat -n apps/meteor/server/lib/oauth/oauthConfigs.ts | head -50

Repository: RocketChat/Rocket.Chat

Length of output: 1091

---

🏁 Script executed:

# Search for where oauthConfigs is used and how the scope property is handled
rg "oauthConfigs" apps/meteor/server --type ts -A 3 -B 1

Repository: RocketChat/Rocket.Chat

Length of output: 965

---

🏁 Script executed:

# Look for TwitterStrategy usage to understand how the config is applied
rg "TwitterStrategy" apps/meteor/server --type ts -A 5 -B 2

Repository: RocketChat/Rocket.Chat

Length of output: 1224

---

🏁 Script executed:

# Check if there's any code that extracts and uses the scope property
rg "\.scope" apps/meteor/server --type ts -B 2 -A 2

Repository: RocketChat/Rocket.Chat

Length of output: 5130

---

🏁 Script executed:

cat -n apps/meteor/server/lib/oauth/configureOAuthServices.ts

Repository: RocketChat/Rocket.Chat

Length of output: 3868

---

🏁 Script executed:

# Also check for any Twitter-specific configuration logic
rg "twitter" apps/meteor/server/lib/oauth -i --type ts -B 3 -A 5

Repository: RocketChat/Rocket.Chat

Length of output: 3136

---

🏁 Script executed:

rg "includeEmail" apps/meteor --type ts

Repository: RocketChat/Rocket.Chat

Length of output: 48

---

🏁 Script executed:

# Check if there's any provider-specific strategy initialization logic
rg "twitter|Twitter" apps/meteor/server --type ts -i | head -20

Repository: RocketChat/Rocket.Chat

Length of output: 1483

---

Twitter scope config is incompatible with passport-twitter OAuth 1.0a.

At Line 27, using ['email', 'profile'] applies OAuth2 scope semantics, but passport-twitter v1.0.4 is an OAuth 1.0a strategy that does not honor these scopes. Email must be requested via includeEmail: true in the strategy constructor options instead. With the current configuration, profile.emails will not be populated in the callback, causing downstream user provisioning to lack email addresses even though the code attempts to extract them.

The suggested change to scope: [] correctly removes the invalid scopes, but the codebase architecture would need to support provider-specific options (like includeEmail: true for Twitter) to fully resolve email retrieval.

Suggested adjustment in this file

 	twitter: {
 		strategy: TwitterStrategy,
-		scope: ['email', 'profile'],
+		scope: [],
 	},

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/meteor/server/lib/oauth/oauthConfigs.ts` around lines 25 - 28, The
twitter provider config currently passes OAuth2-style scopes (scope:
['email','profile']) which passport-twitter (TwitterStrategy) ignores; change
the twitter config to remove those scopes (e.g., scope: []) and instead add
provider-specific strategy options to request email via includeEmail: true when
constructing/initializing TwitterStrategy or its options object; update the code
that builds/instantiates TwitterStrategy (referencing TwitterStrategy and the
twitter config object) to merge provider-specific options (includeEmail: true)
so profile.emails will be populated.

[cubic-dev-ai]

2 issues found across 4 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/meteor/server/lib/oauth/configureOAuthServices.ts">

<violation number="1" location="apps/meteor/server/lib/oauth/configureOAuthServices.ts:41">
P2: Remove the debug `console.log` of the OAuth profile to avoid leaking user profile/PII data into server logs.</violation>
</file>

<file name="apps/meteor/server/lib/oauth/oauthConfigs.ts">

<violation number="1" location="apps/meteor/server/lib/oauth/oauthConfigs.ts:27">
P1: `passport-twitter` is an OAuth 1.0a strategy and does not honor OAuth 2.0-style `scope` arrays. This `['email', 'profile']` value is silently ignored, so `profile.emails` will never be populated. Email retrieval requires passing `includeEmail: true` in the strategy constructor options instead.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Re-trigger cubic}

[cubic-dev-ai]

P1: passport-twitter is an OAuth 1.0a strategy and does not honor OAuth 2.0-style scope arrays. This ['email', 'profile'] value is silently ignored, so profile.emails will never be populated. Email retrieval requires passing includeEmail: true in the strategy constructor options instead.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At apps/meteor/server/lib/oauth/oauthConfigs.ts, line 27:

<comment>`passport-twitter` is an OAuth 1.0a strategy and does not honor OAuth 2.0-style `scope` arrays. This `['email', 'profile']` value is silently ignored, so `profile.emails` will never be populated. Email retrieval requires passing `includeEmail: true` in the strategy constructor options instead.</comment>

<file context>
@@ -21,6 +22,10 @@ export const OAuthConfigs: Record<string, OAuthConfig> = {
 	},
+	twitter: {
+		strategy: TwitterStrategy,
+		scope: ['email', 'profile'],
+	},
 } as const;
</file context>

[cubic-dev-ai]

P2: Remove the debug console.log of the OAuth profile to avoid leaking user profile/PII data into server logs.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At apps/meteor/server/lib/oauth/configureOAuthServices.ts, line 41:

<comment>Remove the debug `console.log` of the OAuth profile to avoid leaking user profile/PII data into server logs.</comment>

<file context>
@@ -36,6 +38,8 @@ export const configureOAuthServices = (oauthServiceConfig: OAuthServiceConfig[],
 					const profileWithRaw = profile as Profile & { _json?: Record<string, unknown>; _raw?: string };
 					const { _json, _raw, ...restProfile } = profileWithRaw;
 
+					console.log('profile - ', profile);
+
 					// eslint-disable-next-line @typescript-eslint/await-thenable
</file context>