
fix: save and return PKCE code_challenge in OAuth2 authorization code#39465

Open
subhaushsingh wants to merge 1 commit into RocketChat:develop from subhaushsingh:fix-39459-pkce-login

Conversation


@subhaushsingh subhaushsingh commented Mar 9, 2026

Proposed changes (including videos or screenshots)

The PKCE flow in Rocket.Chat's third-party OAuth2 login was broken. When a client
initiated authorization with a code_challenge, the saveAuthorizationCode method
was silently dropping the codeChallenge and codeChallengeMethod fields due to a
restrictive Pick<> type — so they were never saved to MongoDB.

When the client then sent the code_verifier at the token endpoint,
getAuthorizationCode had nothing to return for those fields, leaving the
@node-oauth/oauth2-server library with nothing to verify against, resulting in
invalid_grant: code verifier is invalid.

Fix:

  • Added codeChallenge? and codeChallengeMethod? to IOAuthAuthCode interface
  • Widened Pick<> type in saveAuthorizationCode to include both PKCE fields
  • Persisted both fields to MongoDB in the $set block
  • Returned both fields from getAuthorizationCode so the library can verify them

The implicit flow (no PKCE) is completely unaffected.

Issue(s)

Fixes #39459
Related to #35419

Steps to test or reproduce

  1. Create a third-party OAuth app in Admin > Third-party login
  2. Go to https://oauthdebugger.com/debug
  3. Fill in the Authorization URI, Client ID, and Token URI
  4. Enable "Use PKCE?" and select SHA-256
  5. Send the request and authorize at Rocket.Chat
  6. Before fix: token exchange fails with invalid_grant: code verifier is invalid
  7. After fix: token exchange succeeds and returns an access token

Further comments

This is a follow-up to #35419 which was partially fixed in #37707.
That PR fixed the implicit flow but the PKCE flow remained broken.
A new e2e test covering the full PKCE flow has been added to oauth-server.ts.

Summary by CodeRabbit

  • Bug Fixes

    • PKCE code verifier is now correctly saved and verified in third‑party OAuth2 login flows.
  • Tests

    • Added end-to-end tests covering PKCE workflows: app authorization, code generation, token exchange, and userinfo access.
  • Chores

    • Patch release note added to the changelog for the PKCE fix.
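The failure described above, as an added example (not code from the PR or from Rocket.Chat): an in-memory stand-in for the auth-code model that either drops or persists the PKCE fields, plus the S256 verifier check the token endpoint performs. The interface field names codeChallenge and codeChallengeMethod come from the PR; the model class, helper names and sample values are hypothetical.

```typescript
import { createHash, randomBytes, timingSafeEqual } from 'node:crypto';

// Stored authorization code. The two optional PKCE fields are the ones this PR
// adds to IOAuthAuthCode; the other fields are a hypothetical minimal subset.
export interface StoredAuthCode {
  authorizationCode: string;
  clientId: string;
  expiresAt: Date;
  codeChallenge?: string;
  codeChallengeMethod?: 'plain' | 'S256';
}

// RFC 7636 requires unpadded base64url for both the verifier and the S256 challenge.
function base64url(buf: Buffer): string {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

export function generateCodeVerifier(): string {
  return base64url(randomBytes(32)); // 43 characters, the RFC 7636 minimum length
}

export function generateCodeChallenge(verifier: string): string {
  return base64url(createHash('sha256').update(verifier, 'ascii').digest());
}

// In-memory stand-in for the MongoDB-backed model. persistPkce = false reproduces
// the pre-fix behaviour: the PKCE fields are dropped before the document is written.
export class AuthCodeModel {
  private readonly store = new Map<string, StoredAuthCode>();
  private readonly persistPkce: boolean;

  constructor(persistPkce: boolean) {
    this.persistPkce = persistPkce;
  }

  saveAuthorizationCode(code: StoredAuthCode): void {
    const doc: StoredAuthCode = {
      authorizationCode: code.authorizationCode,
      clientId: code.clientId,
      expiresAt: code.expiresAt,
    };
    if (this.persistPkce) {
      doc.codeChallenge = code.codeChallenge;
      doc.codeChallengeMethod = code.codeChallengeMethod;
    }
    this.store.set(code.authorizationCode, doc);
  }

  getAuthorizationCode(authorizationCode: string): StoredAuthCode | undefined {
    return this.store.get(authorizationCode);
  }
}

// Token-endpoint check modelled on what an OAuth2 server does with the stored code:
// a stored challenge must be matched by the verifier, and a verifier presented when
// nothing was stored is rejected (the "code verifier is invalid" symptom in the PR).
export function verifyCodeVerifier(stored: StoredAuthCode, codeVerifier?: string): boolean {
  if (!stored.codeChallenge) {
    return codeVerifier === undefined; // non-PKCE flow: no verifier expected
  }
  if (codeVerifier === undefined) {
    return false; // PKCE was started at /authorize but not completed at /token
  }
  const method = stored.codeChallengeMethod ?? 'plain';
  const expected = method === 'S256' ? generateCodeChallenge(codeVerifier) : codeVerifier;
  const a = Buffer.from(expected);
  const b = Buffer.from(stored.codeChallenge);
  return a.length === b.length && timingSafeEqual(a, b);
}

// Full exchange: authorize with an S256 challenge, then present the verifier
// (or a freshly generated, non-matching one when useWrongVerifier is set).
export function runPkceExchange(persistPkce: boolean, useWrongVerifier = false): boolean {
  const model = new AuthCodeModel(persistPkce);
  const verifier = generateCodeVerifier();
  model.saveAuthorizationCode({
    authorizationCode: 'constructed-auth-code', // constructed sample values
    clientId: 'constructed-client-id',
    expiresAt: new Date(Date.now() + 60_000),
    codeChallenge: generateCodeChallenge(verifier),
    codeChallengeMethod: 'S256',
  });
  const stored = model.getAuthorizationCode('constructed-auth-code');
  if (!stored) return false;
  return verifyCodeVerifier(stored, useWrongVerifier ? generateCodeVerifier() : verifier);
}
```

With persistPkce set to false the exchange fails exactly as the pre-fix server did, while a plain non-PKCE code still verifies without a code_verifier.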


dionisio-bot bot commented Mar 9, 2026

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is missing the 'stat: QA assured' label
  • This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines


changeset-bot bot commented Mar 9, 2026

🦋 Changeset detected

Latest commit: 3f38217

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 41 packages
Name Type
@rocket.chat/meteor Patch
@rocket.chat/core-typings Patch
@rocket.chat/uikit-playground Patch
@rocket.chat/api-client Patch
@rocket.chat/apps Patch
@rocket.chat/core-services Patch
@rocket.chat/cron Patch
@rocket.chat/ddp-client Patch
@rocket.chat/fuselage-ui-kit Patch
@rocket.chat/gazzodown Patch
@rocket.chat/http-router Patch
@rocket.chat/livechat Patch
@rocket.chat/model-typings Patch
@rocket.chat/rest-typings Patch
@rocket.chat/ui-avatar Patch
@rocket.chat/ui-client Patch
@rocket.chat/ui-contexts Patch
@rocket.chat/ui-voip Patch
@rocket.chat/web-ui-registration Patch
@rocket.chat/account-service Patch
@rocket.chat/authorization-service Patch
@rocket.chat/ddp-streamer Patch
@rocket.chat/omnichannel-transcript Patch
@rocket.chat/presence-service Patch
@rocket.chat/queue-worker Patch
@rocket.chat/abac Patch
@rocket.chat/federation-matrix Patch
@rocket.chat/license Patch
@rocket.chat/media-calls Patch
@rocket.chat/omnichannel-services Patch
@rocket.chat/pdf-worker Patch
@rocket.chat/presence Patch
rocketchat-services Patch
@rocket.chat/network-broker Patch
@rocket.chat/omni-core-ee Patch
@rocket.chat/mock-providers Patch
@rocket.chat/models Patch
@rocket.chat/ui-video-conf Patch
@rocket.chat/instance-status Patch
@rocket.chat/omni-core Patch
@rocket.chat/server-fetch Patch



CLAassistant commented Mar 9, 2026

CLA assistant check
All committers have signed the CLA.


coderabbitai bot commented Mar 9, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between b84e119 and 3f38217.

📒 Files selected for processing (4)
  • .changeset/fix-pkce-code-verifier.md
  • apps/meteor/server/oauth2-server/model.ts
  • apps/meteor/tests/end-to-end/api/oauth-server.ts
  • packages/core-typings/src/IOAuthAuthCode.ts
🚧 Files skipped from review as they are similar to previous changes (3)
  • apps/meteor/tests/end-to-end/api/oauth-server.ts
  • packages/core-typings/src/IOAuthAuthCode.ts
  • .changeset/fix-pkce-code-verifier.md
🔇 Additional comments (2)
apps/meteor/server/oauth2-server/model.ts (2)

119-120: Returning the PKCE fields here fixes the read side of the flow.

getAuthorizationCode() now passes the stored codeChallenge and codeChallengeMethod back to the OAuth2 library, which is the missing data needed during verifier validation.


127-156: The save path is now correctly aligned with PKCE.

Expanding the picked AuthorizationCode fields and writing both PKCE properties into $set closes the drop-on-save gap that was breaking authorization-code exchanges.


Walkthrough

Persisted PKCE parameters by adding codeChallenge and codeChallengeMethod to the auth-code model and types, and added end-to-end PKCE tests and a changelog changeset documenting the fix.

Changes

Cohort / File(s): Summary
  • Type Definitions (packages/core-typings/src/IOAuthAuthCode.ts): Add optional codeChallenge and codeChallengeMethod properties to the IOAuthAuthCode interface.
  • OAuth2 Server Model (apps/meteor/server/oauth2-server/model.ts): Extended saveAuthorizationCode signature and upsert payload to accept/persist codeChallenge and codeChallengeMethod; getAuthorizationCode now returns these fields.
  • End-to-End Tests (apps/meteor/tests/end-to-end/api/oauth-server.ts): Added PKCE-specific tests and helpers (code verifier/challenge generation), test lifecycle for PKCE app creation, authorization, token exchange, and userinfo access.
  • Release Documentation (.changeset/fix-pkce-code-verifier.md): Add patch changeset documenting the PKCE code verifier handling fix.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
  • Description Check: ✅ Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately and specifically describes the main change: fixing the persistence and return of PKCE code_challenge in OAuth2 authorization code.
  • Linked Issues check: ✅ Passed. The PR successfully addresses the core objective from issue #39459 by persisting and returning codeChallenge and codeChallengeMethod fields needed for PKCE code verifier validation.
  • Out of Scope Changes check: ✅ Passed. All changes are directly related to fixing PKCE support: type updates, persistence logic, test coverage, and changelog documentation. No unrelated changes detected.


@subhaushsingh subhaushsingh marked this pull request as ready for review March 9, 2026 08:41
@subhaushsingh subhaushsingh requested review from a team as code owners March 9, 2026 08:41

@cubic-dev-ai cubic-dev-ai bot left a comment


1 issue found across 4 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/meteor/tests/end-to-end/api/oauth-server.ts">

<violation number="1" location="apps/meteor/tests/end-to-end/api/oauth-server.ts:206">
P2: PKCE cleanup hook unconditionally deletes using `pkceAppId` and expects 200 even when `pkceAppId` may be unset, which can mask the real failing test with a secondary teardown failure.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.


@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (3)
apps/meteor/tests/end-to-end/api/oauth-server.ts (2)

179-262: Inconsistent indentation style.

The PKCE test suite uses 4-space indentation while the rest of the file uses tabs. This should be consistent with the existing file style.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@apps/meteor/tests/end-to-end/api/oauth-server.ts` around lines 179 - 262, The
new PKCE test block (describe('[PKCE flow]') including functions
generateCodeVerifier and generateCodeChallenge and tests that reference
pkceAppId/pkceClientId/pkceCode/etc.) uses 4-space indentation which is
inconsistent with the rest of the file's tab-based style; update the entire
describe block and its nested functions/its/it tests to use tabs for indentation
to match existing formatting in the file so linting/format checks pass.

247-257: Consider adding a negative test for invalid code_verifier.

To fully validate the PKCE implementation, consider adding a test that verifies token exchange fails when an incorrect code_verifier is provided.

📝 Suggested additional test
it('should fail token exchange with invalid code_verifier', async () => {
    const invalidVerifier = 'invalid_verifier_that_does_not_match';
    await request
        .post('/oauth/token')
        .type('form')
        .send({
            grant_type: 'authorization_code',
            code: pkceCode,
            client_id: pkceClientId,
            client_secret: pkceClientSecret,
            redirect_uri: pkceRedirectUri,
            code_verifier: invalidVerifier,
        })
        .expect(400);
});
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@apps/meteor/tests/end-to-end/api/oauth-server.ts` around lines 247 - 257, Add
a negative PKCE test that attempts the token exchange with an incorrect
code_verifier to ensure the server rejects it: create a new it block (e.g.,
"should fail token exchange with invalid code_verifier") that posts to
'/oauth/token' using the same parameters (grant_type: 'authorization_code',
code: pkceCode, client_id: pkceClientId, client_secret: pkceClientSecret,
redirect_uri: pkceRedirectUri) but sets code_verifier to an invalid string and
asserts the response status is 400; reuse the request test helper and existing
pkce* variables (pkceCode, pkceClientId, pkceClientSecret, pkceRedirectUri) used
in the successful test.
apps/meteor/server/oauth2-server/model.ts (1)

155-156: Inconsistent indentation on line 156.

Line 156 appears to have extra leading whitespace compared to adjacent lines.

🔧 Suggested fix
 				codeChallenge: code.codeChallenge,
-    				codeChallengeMethod: code.codeChallengeMethod,
+				codeChallengeMethod: code.codeChallengeMethod,
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@apps/meteor/server/oauth2-server/model.ts` around lines 155 - 156, The line
assigning codeChallengeMethod has extra leading whitespace causing inconsistent
indentation; open the block where codeChallenge: code.codeChallenge and
codeChallengeMethod: code.codeChallengeMethod are set (look for those property
assignments in model.ts) and remove the extra spaces so codeChallengeMethod:
code.codeChallengeMethod aligns exactly with the codeChallenge line, preserving
the surrounding indentation style in that object literal or return statement.


📥 Commits

Reviewing files that changed from the base of the PR and between 4f43a85 and b84e119.

📒 Files selected for processing (4)
  • .changeset/fix-pkce-code-verifier.md
  • apps/meteor/server/oauth2-server/model.ts
  • apps/meteor/tests/end-to-end/api/oauth-server.ts
  • packages/core-typings/src/IOAuthAuthCode.ts
🔇 Additional comments (4)
.changeset/fix-pkce-code-verifier.md (1)

1-6: LGTM!

The changeset correctly identifies the affected packages and provides an accurate description of the fix.

packages/core-typings/src/IOAuthAuthCode.ts (1)

8-9: LGTM!

The optional PKCE fields are correctly typed and appropriately added to support both PKCE and non-PKCE flows.

apps/meteor/server/oauth2-server/model.ts (2)

119-120: LGTM!

The PKCE fields are correctly retrieved from the database and included in the returned AuthorizationCode object, enabling the OAuth2 library to verify the code_verifier during token exchange.


126-127: LGTM. The Pick type correctly includes codeChallenge and codeChallengeMethod for PKCE support, aligning with @node-oauth/oauth2-server v5's AuthorizationCode interface.

… flow

Signed-off-by: Subh Aush Singh <subhaushsingh@gmail.com>
@subhaushsingh subhaushsingh force-pushed the fix-39459-pkce-login branch from b84e119 to 3f38217 Compare March 9, 2026 08:50

Successfully merging this pull request may close these issues.

Third-party login: Invalid code verifier in PKCE flow

2 participants