LeadMagnet/leadchat
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

feat(linear): Support refresh tokens and migrate legacy OAuth tokens (#13721)

Browse Source 
Linear is deprecating long-lived OAuth2 access tokens (valid for 10
years) in favor of short-lived access tokens with refresh tokens.
Starting October 1, 2025, all new OAuth2 apps will default to refresh
tokens. Linear will no longer issue long-lived access tokens. Please
read more details
[here](https://linear.app/developers/oauth-2-0-authentication#migrate-to-using-refresh-tokens)
We currently use long-lived tokens in our Linear integration (valid for
up to 10 years). To remain compatible, this PR ensures compatibility by
supporting refresh-token-based auth and migrating existing legacy
tokens.

Fixes
https://linear.app/chatwoot/issue/CW-5541/migrate-linear-oauth2-integration-to-support-refresh-tokens
This commit is contained in:
Muhsin Keloth
2026-03-17 13:09:03 +04:00
committed by GitHub
parent 2a90652f05
commit a8d53a6df4
8 changed files with 487 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

114
spec/controllers/linear/callbacks_controller_spec.rb
View File

@@ -9,9 +9,11 @@ RSpec.describe Linear::CallbacksController, type: :request do
describe 'GET /linear/callback' do
let(:access_token) { SecureRandom.hex(10) }
let(:refresh_token) { SecureRandom.hex(10) }
let(:response_body) do
{
'access_token' => access_token,
'refresh_token' => refresh_token,
'token_type' => 'Bearer',
'expires_in' => 7200,
'scope' => 'read,write'
@@ -35,7 +37,7 @@ RSpec.describe Linear::CallbacksController, type: :request do
)
end
it 'creates a new integration hook' do
it 'creates a new integration hook', :aggregate_failures do
expect do
get linear_callback_path, params: { code: code, state: state }
end.to change(Integrations::Hook, :count).by(1)
@@ -44,11 +46,11 @@ RSpec.describe Linear::CallbacksController, type: :request do
expect(hook.access_token).to eq(access_token)
expect(hook.app_id).to eq('linear')
expect(hook.status).to eq('enabled')
expect(hook.settings).to eq(
'token_type' => 'Bearer',
'expires_in' => 7200,
'scope' => 'read,write'
)
expect(hook.settings['token_type']).to eq('Bearer')
expect(hook.settings['expires_in']).to eq(7200)
expect(hook.settings['scope']).to eq('read,write')
expect(hook.settings['refresh_token']).to eq(refresh_token)
expect(hook.settings['expires_on']).to be_present
expect(response).to redirect_to(linear_redirect_uri)
end
end
@@ -69,6 +71,106 @@ RSpec.describe Linear::CallbacksController, type: :request do
end
end
context 'when state is missing' do
it 'redirects to frontend root' do
get linear_callback_path, params: { code: code }
expect(response).to redirect_to('http://www.example.com')
end
end
context 'when state is invalid' do
it 'redirects to frontend root' do
get linear_callback_path, params: { code: code, state: 'invalid-state' }
expect(response).to redirect_to('http://www.example.com')
end
end
context 'when hook exists and response omits refresh_token' do
let!(:existing_hook) do
create(
:integrations_hook,
:linear,
account: account,
settings: {
'refresh_token' => 'existing_refresh_token',
'token_type' => 'Bearer',
'scope' => 'read,write',
'expires_on' => 1.day.from_now.utc.to_s
}
)
end
let(:response_body) do
{
'access_token' => access_token,
'token_type' => 'Bearer',
'expires_in' => 7200,
'scope' => 'read,write'
}
end
before do
stub_request(:post, 'https://api.linear.app/oauth/token')
.to_return(
status: 200,
body: response_body.to_json,
headers: { 'Content-Type' => 'application/json' }
)
end
it 'preserves existing refresh token', :aggregate_failures do
get linear_callback_path, params: { code: code, state: state }
existing_hook.reload
expect(existing_hook.access_token).to eq(access_token)
expect(existing_hook.settings['refresh_token']).to eq('existing_refresh_token')
end
end
context 'when hook exists and response omits access_token' do
let!(:existing_hook) do
create(
:integrations_hook,
:linear,
account: account,
access_token: 'existing_access_token',
settings: {
'refresh_token' => 'existing_refresh_token',
'token_type' => 'Bearer',
'scope' => 'read,write',
'expires_on' => 1.day.from_now.utc.to_s
}
)
end
let(:response_body) do
{
'refresh_token' => refresh_token,
'token_type' => 'Bearer',
'expires_in' => 7200,
'scope' => 'read,write'
}
end
before do
stub_request(:post, 'https://api.linear.app/oauth/token')
.to_return(
status: 200,
body: response_body.to_json,
headers: { 'Content-Type' => 'application/json' }
)
end
it 'does not overwrite the existing hook', :aggregate_failures do
expect do
get linear_callback_path, params: { code: code, state: state }
end.not_to change(Integrations::Hook, :count)
existing_hook.reload
expect(existing_hook.access_token).to eq('existing_access_token')
expect(existing_hook.settings['refresh_token']).to eq('existing_refresh_token')
expect(response).to redirect_to(linear_redirect_uri)
end
end
context 'when the token is invalid' do
before do
stub_request(:post, 'https://api.linear.app/oauth/token')

178
spec/lib/integrations/linear/access_token_service_spec.rb Normal file
View File

@@ -0,0 +1,178 @@
require 'rails_helper'
describe Integrations::Linear::AccessTokenService do
let(:account) { create(:account) }
let(:client_id) { 'linear_client_id' }
let(:client_secret) { 'linear_client_secret' }
before do
allow(GlobalConfigService).to receive(:load).and_call_original
allow(GlobalConfigService).to receive(:load).with('LINEAR_CLIENT_ID', nil).and_return(client_id)
allow(GlobalConfigService).to receive(:load).with('LINEAR_CLIENT_SECRET', nil).and_return(client_secret)
end
describe '#access_token' do
context 'when access token is still valid' do
let(:hook) do
create(
:integrations_hook,
:linear,
account: account,
access_token: 'valid_access_token',
settings: {
refresh_token: 'refresh_token',
token_type: 'Bearer',
scope: 'read,write',
expires_on: 30.minutes.from_now.utc.to_s
}
)
end
it 'returns the current access token' do
stub_request(:post, 'https://api.linear.app/oauth/token')
.to_return(status: 200, body: {}.to_json, headers: { 'Content-Type' => 'application/json' })
stub_request(:post, 'https://api.linear.app/oauth/migrate_old_token')
.to_return(status: 200, body: {}.to_json, headers: { 'Content-Type' => 'application/json' })
service = described_class.new(hook: hook)
expect(service.access_token).to eq('valid_access_token')
expect(WebMock).not_to have_requested(:post, 'https://api.linear.app/oauth/token')
expect(WebMock).not_to have_requested(:post, 'https://api.linear.app/oauth/migrate_old_token')
end
end
context 'when access token is expired and refresh token is present' do
let(:hook) do
create(
:integrations_hook,
:linear,
account: account,
access_token: 'expired_access_token',
settings: {
refresh_token: 'old_refresh_token',
token_type: 'Bearer',
scope: 'read,write',
expires_on: 1.hour.ago.utc.to_s
}
)
end
it 'refreshes the token and persists new values' do
stub_request(:post, 'https://api.linear.app/oauth/token')
.to_return(
status: 200,
body: {
access_token: 'new_access_token',
refresh_token: 'new_refresh_token',
token_type: 'Bearer',
expires_in: 7200,
scope: 'read,write'
}.to_json,
headers: { 'Content-Type' => 'application/json' }
)
service = described_class.new(hook: hook)
expect(service.access_token).to eq('new_access_token')
hook.reload
expect(hook.access_token).to eq('new_access_token')
expect(hook.settings['refresh_token']).to eq('new_refresh_token')
expect(hook.settings['expires_in']).to eq(7200)
expect(hook.settings['expires_on']).to be_present
end
it 'falls back to latest persisted token on refresh failure' do
stub_request(:post, 'https://api.linear.app/oauth/token')
.to_return(status: 401, body: { error: 'invalid_grant' }.to_json, headers: { 'Content-Type' => 'application/json' })
Integrations::Hook.find(hook.id).update!(access_token: 'rotated_access_token')
service = described_class.new(hook: hook)
expect(service.access_token).to eq('rotated_access_token')
end
it 'does not overwrite the existing token on malformed success response' do
stub_request(:post, 'https://api.linear.app/oauth/token')
.to_return(
status: 200,
body: {
refresh_token: 'new_refresh_token',
token_type: 'Bearer',
expires_in: 7200,
scope: 'read,write'
}.to_json,
headers: { 'Content-Type' => 'application/json' }
)
service = described_class.new(hook: hook)
expect(service.access_token).to eq('expired_access_token')
hook.reload
expect(hook.access_token).to eq('expired_access_token')
expect(hook.settings['refresh_token']).to eq('old_refresh_token')
end
end
context 'when refresh token is missing and legacy migration is applicable' do
let(:hook) do
create(
:integrations_hook,
:linear,
account: account,
access_token: 'legacy_access_token',
settings: {
token_type: 'Bearer',
scope: 'read,write'
}
)
end
it 'migrates the legacy token and persists refresh token data' do
stub_request(:post, 'https://api.linear.app/oauth/migrate_old_token')
.to_return(
status: 200,
body: {
access_token: 'migrated_access_token',
refresh_token: 'migrated_refresh_token',
token_type: 'Bearer',
expires_in: 7200,
scope: 'read,write'
}.to_json,
headers: { 'Content-Type' => 'application/json' }
)
service = described_class.new(hook: hook)
expect(service.access_token).to eq('migrated_access_token')
hook.reload
expect(hook.access_token).to eq('migrated_access_token')
expect(hook.settings['refresh_token']).to eq('migrated_refresh_token')
expect(hook.settings['expires_in']).to eq(7200)
expect(hook.settings['expires_on']).to be_present
end
it 'does not overwrite the existing token on malformed migration success response' do
stub_request(:post, 'https://api.linear.app/oauth/migrate_old_token')
.to_return(
status: 200,
body: {
refresh_token: 'migrated_refresh_token',
token_type: 'Bearer',
expires_in: 7200,
scope: 'read,write'
}.to_json,
headers: { 'Content-Type' => 'application/json' }
)
service = described_class.new(hook: hook)
expect(service.access_token).to eq('legacy_access_token')
hook.reload
expect(hook.access_token).to eq('legacy_access_token')
expect(hook.settings['token_type']).to eq('Bearer')
end
end
end
end

28
spec/lib/linear_spec.rb
View File

@@ -2,7 +2,9 @@ require 'rails_helper'
describe Linear do
let(:access_token) { 'valid_access_token' }
let(:refresh_token) { 'valid_refresh_token' }
let(:url) { 'https://api.linear.app/graphql' }
let(:revoke_url) { 'https://api.linear.app/oauth/revoke' }
let(:linear_client) { described_class.new(access_token) }
let(:headers) { { 'Content-Type' => 'application/json', 'Authorization' => "Bearer #{access_token}" } }
@@ -433,4 +435,30 @@ describe Linear do
end
end
end
context 'when revoking a token' do
it 'uses the refresh token when present' do
client = described_class.new(access_token, refresh_token: refresh_token)
stub_request(:post, revoke_url)
.with(
headers: { 'Content-Type' => 'application/x-www-form-urlencoded' },
body: { token: refresh_token, token_type_hint: 'refresh_token' }
)
.to_return(status: 200, body: '', headers: {})
expect(client.revoke_token).to be(true)
end
it 'falls back to the access token when refresh token is absent' do
stub_request(:post, revoke_url)
.with(
headers: { 'Content-Type' => 'application/x-www-form-urlencoded' },
body: { token: access_token, token_type_hint: 'access_token' }
)
.to_return(status: 200, body: '', headers: {})
expect(linear_client.revoke_token).to be(true)
end
end
end