feat: Linear OAuth 2.0 (#10851)

Fixes https://linear.app/chatwoot/issue/CW-3417/oauth-20-authentication
We are planning to publish the Chatwoot app in the Linear [integration
list](https://linear.app/docs/integration-directory). While we currently
use token-based authentication, Linear recommends OAuth2 authentication.
This PR implements OAuth2 support.

---------

Co-authored-by: Sivin Varghese <64252451+iamsivin@users.noreply.github.com>
Co-authored-by: Shivam Mishra <scm.mymail@gmail.com>

spec/controllers/api/v1/accounts/integrations/linear_controller_spec.rb

@@ -12,6 +12,16 @@ RSpec.describe 'Linear Integration API', type: :request do
     allow(Integrations::Linear::ProcessorService).to receive(:new).with(account: account).and_return(processor_service)
   end
 
+  describe 'DELETE /api/v1/accounts/:account_id/integrations/linear' do
+    it 'deletes the linear integration' do
+      delete "/api/v1/accounts/#{account.id}/integrations/linear",
+             headers: agent.create_new_auth_token,
+             as: :json
+      expect(response).to have_http_status(:ok)
+      expect(account.hooks.count).to eq(0)
+    end
+  end
+
   describe 'GET /api/v1/accounts/:account_id/integrations/linear/teams' do
     context 'when it is an authenticated user' do
       context 'when data is retrieved successfully' do

spec/controllers/linear/callbacks_controller_spec.rb

@@ -0,0 +1,88 @@
+require 'rails_helper'
+
+RSpec.describe Linear::CallbacksController, type: :request do
+  let(:account) { create(:account) }
+  let(:code) { SecureRandom.hex(10) }
+  let(:state) { SecureRandom.hex(10) }
+  let(:linear_redirect_uri) { "#{ENV.fetch('FRONTEND_URL', '')}/app/accounts/#{account.id}/settings/integrations/linear" }
+
+  describe 'GET /linear/callback' do
+    let(:access_token) { SecureRandom.hex(10) }
+    let(:response_body) do
+      {
+        'access_token' => access_token,
+        'token_type' => 'Bearer',
+        'expires_in' => 7200,
+        'scope' => 'read,write'
+      }
+    end
+
+    before do
+      stub_const('ENV', ENV.to_hash.merge('FRONTEND_URL' => 'http://www.example.com'))
+
+      controller = described_class.new
+      allow(controller).to receive(:verify_linear_token).with(state).and_return(account.id)
+      allow(described_class).to receive(:new).and_return(controller)
+    end
+
+    context 'when successful' do
+      before do
+        stub_request(:post, 'https://api.linear.app/oauth/token')
+          .to_return(
+            status: 200,
+            body: response_body.to_json,
+            headers: { 'Content-Type' => 'application/json' }
+          )
+      end
+
+      it 'creates a new integration hook' do
+        expect do
+          get linear_callback_path, params: { code: code, state: state }
+        end.to change(Integrations::Hook, :count).by(1)
+
+        hook = Integrations::Hook.last
+        expect(hook.access_token).to eq(access_token)
+        expect(hook.app_id).to eq('linear')
+        expect(hook.status).to eq('enabled')
+        expect(hook.settings).to eq(
+          'token_type' => 'Bearer',
+          'expires_in' => 7200,
+          'scope' => 'read,write'
+        )
+        expect(response).to redirect_to(linear_redirect_uri)
+      end
+    end
+
+    context 'when the code is missing' do
+      before do
+        stub_request(:post, 'https://api.linear.app/oauth/token')
+          .to_return(
+            status: 200,
+            body: response_body.to_json,
+            headers: { 'Content-Type' => 'application/json' }
+          )
+      end
+
+      it 'redirects to the linear_redirect_uri' do
+        get linear_callback_path, params: { state: state }
+        expect(response).to redirect_to(linear_redirect_uri)
+      end
+    end
+
+    context 'when the token is invalid' do
+      before do
+        stub_request(:post, 'https://api.linear.app/oauth/token')
+          .to_return(
+            status: 400,
+            body: { error: 'invalid_grant' }.to_json,
+            headers: { 'Content-Type' => 'application/json' }
+          )
+      end
+
+      it 'redirects to the linear_redirect_uri' do
+        get linear_callback_path, params: { code: code, state: state }
+        expect(response).to redirect_to(linear_redirect_uri)
+      end
+    end
+  end
+end

spec/factories/integrations/hooks.rb

@@ -29,7 +29,7 @@ FactoryBot.define do
 
     trait :linear do
       app_id { 'linear' }
-      settings { { api_key: 'api_key' } }
+      access_token { SecureRandom.hex }
     end
   end
 end

spec/helpers/linear/integration_helper_spec.rb

@@ -0,0 +1,81 @@
+require 'rails_helper'
+
+RSpec.describe Linear::IntegrationHelper do
+  include described_class
+
+  describe '#generate_linear_token' do
+    let(:account_id) { 1 }
+    let(:client_secret) { 'test_secret' }
+    let(:current_time) { Time.current }
+
+    before do
+      allow(ENV).to receive(:fetch).with('LINEAR_CLIENT_SECRET', nil).and_return(client_secret)
+      allow(Time).to receive(:current).and_return(current_time)
+    end
+
+    it 'generates a valid JWT token with correct payload' do
+      token = generate_linear_token(account_id)
+      decoded_token = JWT.decode(token, client_secret, true, algorithm: 'HS256').first
+
+      expect(decoded_token['sub']).to eq(account_id)
+      expect(decoded_token['iat']).to eq(current_time.to_i)
+    end
+
+    context 'when client secret is not configured' do
+      let(:client_secret) { nil }
+
+      it 'returns nil' do
+        expect(generate_linear_token(account_id)).to be_nil
+      end
+    end
+
+    context 'when an error occurs' do
+      before do
+        allow(JWT).to receive(:encode).and_raise(StandardError.new('Test error'))
+      end
+
+      it 'logs the error and returns nil' do
+        expect(Rails.logger).to receive(:error).with('Failed to generate Linear token: Test error')
+        expect(generate_linear_token(account_id)).to be_nil
+      end
+    end
+  end
+
+  describe '#verify_linear_token' do
+    let(:account_id) { 1 }
+    let(:client_secret) { 'test_secret' }
+    let(:valid_token) do
+      JWT.encode({ sub: account_id, iat: Time.current.to_i }, client_secret, 'HS256')
+    end
+
+    before do
+      allow(ENV).to receive(:fetch).with('LINEAR_CLIENT_SECRET', nil).and_return(client_secret)
+    end
+
+    it 'successfully verifies and returns account_id from valid token' do
+      expect(verify_linear_token(valid_token)).to eq(account_id)
+    end
+
+    context 'when token is blank' do
+      it 'returns nil' do
+        expect(verify_linear_token('')).to be_nil
+        expect(verify_linear_token(nil)).to be_nil
+      end
+    end
+
+    context 'when client secret is not configured' do
+      let(:client_secret) { nil }
+
+      it 'returns nil' do
+        expect(verify_linear_token(valid_token)).to be_nil
+      end
+    end
+
+    context 'when token is invalid' do
+      it 'logs the error and returns nil' do
+        expect(Rails.logger).to receive(:error).with(/Unexpected error verifying Linear token:/)
+        expect(verify_linear_token('invalid_token')).to be_nil
+      end
+    end
+  end
+end

spec/lib/linear_spec.rb

@@ -1,10 +1,10 @@
 require 'rails_helper'
 
 describe Linear do
-  let(:api_key) { 'valid_api_key' }
+  let(:access_token) { 'valid_access_token' }
   let(:url) { 'https://api.linear.app/graphql' }
-  let(:linear_client) { described_class.new(api_key) }
-  let(:headers) { { 'Content-Type' => 'application/json', 'Authorization' => api_key } }
+  let(:linear_client) { described_class.new(access_token) }
+  let(:headers) { { 'Content-Type' => 'application/json', 'Authorization' => "Bearer #{access_token}" } }
 
   it 'raises an exception if the API key is absent' do
     expect { described_class.new(nil) }.to raise_error(ArgumentError, 'Missing Credentials')