RocketChat · pierre-lehnen-rc · Apr 25, 2025 · kodus-ai · Apr 25, 2025 · kodus-ai
diff --git a/apps/meteor/.meteor/packages b/apps/meteor/.meteor/packages
@@ -15,15 +15,15 @@ rocketchat:user-presence
 
 [email protected]
 [email protected]
-[email protected]
 [email protected]
 [email protected]
 [email protected]
 [email protected]
-[email protected]
 
 [email protected]
 [email protected]
+# oauth1 is used only by twitter oauth
+[email protected]
 [email protected]
 
 [email protected]

diff --git a/apps/meteor/.meteor/versions b/apps/meteor/.meteor/versions
@@ -1,11 +1,9 @@
 [email protected]
 [email protected]
-[email protected]
 [email protected]
 [email protected]
 [email protected]
 [email protected]
-[email protected]
 [email protected]
 [email protected]
 [email protected]
@@ -35,7 +33,6 @@ [email protected]
 [email protected]
 [email protected]
 [email protected]
-[email protected]
 [email protected]
 [email protected]
 [email protected]
@@ -85,7 +82,6 @@ [email protected]
 [email protected]
 [email protected]
 [email protected]
-[email protected]
 [email protected]
 [email protected]
 [email protected]

@@ -0,0 +1,19 @@
+import type { Meteor } from 'meteor/meteor';
+
+export type RequestCredentialOptions = Meteor.LoginWithExternalServiceOptions;
+export type RequestCredentialCallback = (credentialTokenOrError?: string | Error) => void;
+
+// Receives a function that accepts an options object and an optional callback
+// Returns the same function but with the signature changed to also accept only the callback
+// With this, you can make a function that accepts the arguments in any way that Meteor's login handlers may send them, without having to validate the params or mess with the signature types
+export function wrapLoginHandlerFn(
+	loginHandlerFn: (options: RequestCredentialOptions, callback?: RequestCredentialCallback) => Promise<void> | void,
+) {
+	return (options?: RequestCredentialOptions | RequestCredentialCallback, callback?: RequestCredentialCallback) => {
+		if (!callback && typeof options === 'function') {
+			return loginHandlerFn({}, options);
+		}
+
+		return loginHandlerFn(options as RequestCredentialOptions, callback);
+	};
+}
@@ -1,12 +1,9 @@
 import type { OAuthConfiguration } from '@rocket.chat/core-typings';
 import { Accounts } from 'meteor/accounts-base';
-import type { Meteor } from 'meteor/meteor';
 import { OAuth } from 'meteor/oauth';
 
 import { loginServices } from './loginServices';
-
-type RequestCredentialOptions = Meteor.LoginWithExternalServiceOptions;
-type RequestCredentialCallback = (credentialTokenOrError?: string | Error) => void;
+import { type RequestCredentialOptions, type RequestCredentialCallback, wrapLoginHandlerFn } from './wrapLoginHandlerFn';
 
 type RequestCredentialConfig<T extends Partial<OAuthConfiguration>> = {
 	config: T;
@@ -38,15 +35,7 @@ export function wrapRequestCredentialFn<T extends Partial<OAuthConfiguration>>(
 		});
 	};
 
-	return (
-		options?: RequestCredentialOptions | RequestCredentialCallback,
-		credentialRequestCompleteCallback?: RequestCredentialCallback,
-	) => {
-		if (!credentialRequestCompleteCallback && typeof options === 'function') {
-			void wrapped({}, options);
-			return;
-		}
-
-		void wrapped(options as RequestCredentialOptions, credentialRequestCompleteCallback);
-	};
+	return wrapLoginHandlerFn((...args) => {
+		void wrapped(...args);
+	});
 }
@@ -0,0 +1,25 @@
+import { Accounts } from 'meteor/accounts-base';
+
+import { createOAuthTotpLoginMethod } from './oauth';
+import type { IOAuthProvider } from '../../definitions/IOAuthProvider';
+import { overrideLoginMethod, type LoginCallback } from '../../lib/2fa/overrideLoginMethod';
+import { wrapLoginHandlerFn } from '../../lib/wrapLoginHandlerFn';
+
+export const createOAuthLoginFn = (provider: IOAuthProvider) => {
+	const loginHandler = wrapLoginHandlerFn((options, callback) => {
+		const credentialRequestCompleteCallback = Accounts.oauth.credentialRequestCompleteHandler(callback);
+		provider.requestCredential(options, credentialRequestCompleteCallback);
+	});
+
+	Accounts.oauth.registerService(provider.name);
+	Accounts.registerClientLoginFunction(provider.name, loginHandler);
+
+	const loginWithProvider = (options: Meteor.LoginWithExternalServiceOptions | undefined, cb: LoginCallback) =>
+		Accounts.applyLoginFunction(provider.name, [options, cb]);
+
+	const loginWithProviderAndTOTP = createOAuthTotpLoginMethod(provider);
+
+	return (options: Meteor.LoginWithExternalServiceOptions | undefined, callback?: LoginCallback) => {
+		overrideLoginMethod(loginWithProvider, [options], callback, loginWithProviderAndTOTP);
+	};
+};
@@ -1,42 +1,38 @@
 import { Random } from '@rocket.chat/random';
 import { Accounts } from 'meteor/accounts-base';
-import { Github } from 'meteor/github-oauth';
 import { Meteor } from 'meteor/meteor';
 import { OAuth } from 'meteor/oauth';
 
-import { createOAuthTotpLoginMethod } from './oauth';
-import { overrideLoginMethod } from '../../lib/2fa/overrideLoginMethod';
+import { createOAuthLoginFn } from './createOAuthLoginFn';
 import { wrapRequestCredentialFn } from '../../lib/wrapRequestCredentialFn';
 
-const { loginWithGithub } = Meteor;
-const loginWithGithubAndTOTP = createOAuthTotpLoginMethod(Github);
-Meteor.loginWithGithub = (options, callback) => {
-	overrideLoginMethod(loginWithGithub, [options], callback, loginWithGithubAndTOTP);
-};
+Meteor.loginWithGithub = createOAuthLoginFn({
+	name: 'github',
 
-Github.requestCredential = wrapRequestCredentialFn('github', ({ config, loginStyle, options, credentialRequestCompleteCallback }) => {
-	const credentialToken = Random.secret();
-	const scope = options?.requestPermissions || ['user:email'];
-	const flatScope = scope.map(encodeURIComponent).join('+');
+	requestCredential: wrapRequestCredentialFn('github', ({ config, loginStyle, options, credentialRequestCompleteCallback }) => {
+		const credentialToken = Random.secret();
+		const scope = options?.requestPermissions || ['user:email'];
+		const flatScope = scope.map(encodeURIComponent).join('+');
 
-	let allowSignup = '';
-	if (Accounts._options?.forbidClientAccountCreation) {
-		allowSignup = '&allow_signup=false';
-	}
+		let allowSignup = '';
+		if (Accounts._options?.forbidClientAccountCreation) {
+			allowSignup = '&allow_signup=false';
+		}
 
-	const loginUrl =
-		`https://github.com/login/oauth/authorize` +
-		`?client_id=${config.clientId}` +
-		`&scope=${flatScope}` +
-		`&redirect_uri=${OAuth._redirectUri('github', config)}` +
-		`&state=${OAuth._stateParam(loginStyle, credentialToken, options.redirectUrl)}${allowSignup}`;
+		const loginUrl =
+			`https://github.com/login/oauth/authorize` +
+			`?client_id=${config.clientId}` +
+			`&scope=${flatScope}` +
+			`&redirect_uri=${OAuth._redirectUri('github', config)}` +
+			`&state=${OAuth._stateParam(loginStyle, credentialToken, options.redirectUrl)}${allowSignup}`;
 
-	OAuth.launchLogin({
-		loginService: 'github',
-		loginStyle,
-		loginUrl,
-		credentialRequestCompleteCallback,
-		credentialToken,
-		popupOptions: { width: 900, height: 450 },
-	});
+		OAuth.launchLogin({
+			loginService: 'github',
+			loginStyle,
+			loginUrl,
+			credentialRequestCompleteCallback,
+			credentialToken,
+			popupOptions: { width: 900, height: 450 },
+		});
+	}),
 });
@@ -2,55 +2,53 @@ import type { TwitterOAuthConfiguration } from '@rocket.chat/core-typings';
 import { Random } from '@rocket.chat/random';
 import { Meteor } from 'meteor/meteor';
 import { OAuth } from 'meteor/oauth';
-import { Twitter } from 'meteor/twitter-oauth';
 
-import { createOAuthTotpLoginMethod } from './oauth';
-import { overrideLoginMethod } from '../../lib/2fa/overrideLoginMethod';
+import { createOAuthLoginFn } from './createOAuthLoginFn';
 import { wrapRequestCredentialFn } from '../../lib/wrapRequestCredentialFn';
 
-const { loginWithTwitter } = Meteor;
-const loginWithTwitterAndTOTP = createOAuthTotpLoginMethod(Twitter);
-Meteor.loginWithTwitter = (options, callback) => {
-	overrideLoginMethod(loginWithTwitter, [options], callback, loginWithTwitterAndTOTP);
-};
-
-Twitter.requestCredential = wrapRequestCredentialFn<TwitterOAuthConfiguration>(
-	'twitter',
-	({ loginStyle, options: requestOptions, credentialRequestCompleteCallback }) => {
-		const options = requestOptions as Record<string, string>;
-		const credentialToken = Random.secret();
-
-		let loginPath = `_oauth/twitter/?requestTokenAndRedirect=true&state=${OAuth._stateParam(
-			loginStyle,
-			credentialToken,
-			options?.redirectUrl,
-		)}`;
-
-		if (Meteor.isCordova) {
-			loginPath += '&cordova=true';
-			if (/Android/i.test(navigator.userAgent)) {
-				loginPath += '&android=true';
-			}
-		}
-
-		// Support additional, permitted parameters
-		if (options) {
-			const hasOwn = Object.prototype.hasOwnProperty;
-			Twitter.validParamsAuthenticate.forEach((param: string) => {
-				if (hasOwn.call(options, param)) {
-					loginPath += `&${param}=${encodeURIComponent(options[param])}`;
+const validParamsAuthenticate = ['force_login', 'screen_name'];
+
+Meteor.loginWithTwitter = createOAuthLoginFn({
+	name: 'twitter',
+
+	requestCredential: wrapRequestCredentialFn<TwitterOAuthConfiguration>(
+		'twitter',
+		({ loginStyle, options: requestOptions, credentialRequestCompleteCallback }) => {
+			const options = requestOptions as Record<string, string>;
+			const credentialToken = Random.secret();
+
+			let loginPath = `_oauth/twitter/?requestTokenAndRedirect=true&state=${OAuth._stateParam(
+				loginStyle,
+				credentialToken,
+				options?.redirectUrl,
+			)}`;
+
+			if (Meteor.isCordova) {
+				loginPath += '&cordova=true';
+				if (/Android/i.test(navigator.userAgent)) {
+					loginPath += '&android=true';
 				}
+			}
+
+			// Support additional, permitted parameters
+			if (options) {
+				const hasOwn = Object.prototype.hasOwnProperty;
+				validParamsAuthenticate.forEach((param: string) => {
+					if (hasOwn.call(options, param)) {
+						loginPath += `&${param}=${encodeURIComponent(options[param])}`;
+					}
+				});
+			}
+
+			const loginUrl = Meteor.absoluteUrl(loginPath);
+
+			OAuth.launchLogin({
+				loginService: 'twitter',
+				loginStyle,
+				loginUrl,
+				credentialRequestCompleteCallback,
+				credentialToken,
 			});
-		}
-
-		const loginUrl = Meteor.absoluteUrl(loginPath);
-
-		OAuth.launchLogin({
-			loginService: 'twitter',
-			loginStyle,
-			loginUrl,
-			credentialRequestCompleteCallback,
-			credentialToken,
-		});
-	},
-);
+		},
+	),
+});
diff --git a/apps/meteor/definition/externals/meteor/accounts-base.d.ts b/apps/meteor/definition/externals/meteor/accounts-base.d.ts
@@ -45,6 +45,13 @@ declare module 'meteor/accounts-base' {
 
 		function config(options: { clientStorage: 'session' | 'local' }): void;
 
+		function registerClientLoginFunction(
+			funcName: string,
+			func: (options?: RequestCredentialOptions | RequestCredentialCallback, callback?: RequestCredentialCallback) => void,
+		);
+
+		function applyLoginFunction(funcName: string, ...args: unknown[]): void;
+
 		class ConfigError extends Error {}
 
 		class LoginCancelledError extends Error {

diff --git a/apps/meteor/definition/externals/meteor/oauth.d.ts b/apps/meteor/definition/externals/meteor/oauth.d.ts
@@ -12,9 +12,44 @@ declare module 'meteor/oauth' {
 			| string;
 	}
 
+	interface IOAuth1BindingConstructor {
+		new (config, urls): IOAuth1Binding;
+	}
+
+	type HandledOauthRequest = { serviceData: Record<string, any>; options?: Record<string, any> } | null;
+
+	interface IOAuth1Binding {
+		accessToken: string | string[];
+		accessTokenSecret: string | string[];
+
+		prepareRequestToken(callbackUrl: string): void;
+		getAsync(
+			url: string,
+			params?: Record<string, any>,
+			callback?: unknown,
+		): Promise<{
+			content: string;
+			data: Record<string, any>;
+			headers: Record<string, string>;
+			redirected: boolean;
+			ok: boolean;
+			statusCode: number;
+		}>;
+	}
+
+	interface IOAuth1Urls {
+		requestToken: string | ((oauthBinding: IOAuth1Binding) => string);
+		authorize: string | ((oauthBinding: IOAuth1Binding) => string);
+		accessToken: string | ((oauthBinding: IOAuth1Binding) => string);
+		authenticate: string | ((oauthBinding: IOAuth1Binding, authParams: Record<string, any>) => string);
+	}
+
 	namespace OAuth {
 		function _retrievePendingCredential(key: string, ...args: string[]): Promise<string | Error | void>;
 		function openSecret(secret: string): string;
+		function sealSecret<T extends Record<string, any> | string | string[]>(
+			secret: T,
+		): T | { iv: string; ciphertext: string; algorithm: string; authTag: string };
 		function retrieveCredential(credentialToken: string, credentialSecret: string);
 		function _retrieveCredentialSecret(credentialToken: string): string | null;
 		const _pendingCredentials: Mongo.Collection<IOauthCredentials>;
@@ -42,5 +77,35 @@ declare module 'meteor/oauth' {
 		): string;
 
 		function _loginStyle(serviceName: string, config: { loginStyle?: string }, options?: Meteor.LoginWithExternalServiceOptions): string;
+
+		function registerService(
+			name: string,
+			version: 1,
+			urls: IOAuth1Urls,
+			handleOauthRequest: (binding: IOAuth1Binding, query?: Record<string, any>) => Promise<HandledOauthRequest>,
+		): void;
+		function registerService(
+			name: string,
+			version: 2,
+			urls: null,
+			handleOauthRequest: (query: Record<string, any>) => Promise<HandledOauthRequest>,
+		): void;
+		function registerService(
+			name: string,
+			version: 1 | 2,
+			urls: IOAuth1Urls | null,
+			handleOauthRequest:
+				| ((binding: IOAuth1Binding, query?: Record<string, any>) => Promise<HandledOauthRequest>)
+				| ((query: Record<string, any>) => Promise<HandledOauthRequest>),
+		): void;
+
+		function _queryParamsWithAuthTokenUrl(
+			authUrl: string,
+			oauthBinding: IOAuth1Binding,
+			params: Record<string, any>,
+			whitelistedQueryParams: string[],
+		): string;
+
+		function _fetch(url: string, method: 'GET' | 'POST', options: Record<string, any>): Promise<Response>;
 	}
 }