LeadMagnet/leadchat
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

feat(linear): Support refresh tokens and migrate legacy OAuth tokens (#13721)

Browse Source 
Linear is deprecating long-lived OAuth2 access tokens (valid for 10
years) in favor of short-lived access tokens with refresh tokens.
Starting October 1, 2025, all new OAuth2 apps will default to refresh
tokens. Linear will no longer issue long-lived access tokens. Please
read more details
[here](https://linear.app/developers/oauth-2-0-authentication#migrate-to-using-refresh-tokens)
We currently use long-lived tokens in our Linear integration (valid for
up to 10 years). To remain compatible, this PR ensures compatibility by
supporting refresh-token-based auth and migrating existing legacy
tokens.

Fixes
https://linear.app/chatwoot/issue/CW-5541/migrate-linear-oauth2-integration-to-support-refresh-tokens
This commit is contained in:
Muhsin Keloth
2026-03-17 13:09:03 +04:00
committed by GitHub
parent 2a90652f05
commit a8d53a6df4
8 changed files with 487 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

178
spec/lib/integrations/linear/access_token_service_spec.rb Normal file
View File

@@ -0,0 +1,178 @@
require 'rails_helper'
describe Integrations::Linear::AccessTokenService do
let(:account) { create(:account) }
let(:client_id) { 'linear_client_id' }
let(:client_secret) { 'linear_client_secret' }
before do
allow(GlobalConfigService).to receive(:load).and_call_original
allow(GlobalConfigService).to receive(:load).with('LINEAR_CLIENT_ID', nil).and_return(client_id)
allow(GlobalConfigService).to receive(:load).with('LINEAR_CLIENT_SECRET', nil).and_return(client_secret)
end
describe '#access_token' do
context 'when access token is still valid' do
let(:hook) do
create(
:integrations_hook,
:linear,
account: account,
access_token: 'valid_access_token',
settings: {
refresh_token: 'refresh_token',
token_type: 'Bearer',
scope: 'read,write',
expires_on: 30.minutes.from_now.utc.to_s
}
)
end
it 'returns the current access token' do
stub_request(:post, 'https://api.linear.app/oauth/token')
.to_return(status: 200, body: {}.to_json, headers: { 'Content-Type' => 'application/json' })
stub_request(:post, 'https://api.linear.app/oauth/migrate_old_token')
.to_return(status: 200, body: {}.to_json, headers: { 'Content-Type' => 'application/json' })
service = described_class.new(hook: hook)
expect(service.access_token).to eq('valid_access_token')
expect(WebMock).not_to have_requested(:post, 'https://api.linear.app/oauth/token')
expect(WebMock).not_to have_requested(:post, 'https://api.linear.app/oauth/migrate_old_token')
end
end
context 'when access token is expired and refresh token is present' do
let(:hook) do
create(
:integrations_hook,
:linear,
account: account,
access_token: 'expired_access_token',
settings: {
refresh_token: 'old_refresh_token',
token_type: 'Bearer',
scope: 'read,write',
expires_on: 1.hour.ago.utc.to_s
}
)
end
it 'refreshes the token and persists new values' do
stub_request(:post, 'https://api.linear.app/oauth/token')
.to_return(
status: 200,
body: {
access_token: 'new_access_token',
refresh_token: 'new_refresh_token',
token_type: 'Bearer',
expires_in: 7200,
scope: 'read,write'
}.to_json,
headers: { 'Content-Type' => 'application/json' }
)
service = described_class.new(hook: hook)
expect(service.access_token).to eq('new_access_token')
hook.reload
expect(hook.access_token).to eq('new_access_token')
expect(hook.settings['refresh_token']).to eq('new_refresh_token')
expect(hook.settings['expires_in']).to eq(7200)
expect(hook.settings['expires_on']).to be_present
end
it 'falls back to latest persisted token on refresh failure' do
stub_request(:post, 'https://api.linear.app/oauth/token')
.to_return(status: 401, body: { error: 'invalid_grant' }.to_json, headers: { 'Content-Type' => 'application/json' })
Integrations::Hook.find(hook.id).update!(access_token: 'rotated_access_token')
service = described_class.new(hook: hook)
expect(service.access_token).to eq('rotated_access_token')
end
it 'does not overwrite the existing token on malformed success response' do
stub_request(:post, 'https://api.linear.app/oauth/token')
.to_return(
status: 200,
body: {
refresh_token: 'new_refresh_token',
token_type: 'Bearer',
expires_in: 7200,
scope: 'read,write'
}.to_json,
headers: { 'Content-Type' => 'application/json' }
)
service = described_class.new(hook: hook)
expect(service.access_token).to eq('expired_access_token')
hook.reload
expect(hook.access_token).to eq('expired_access_token')
expect(hook.settings['refresh_token']).to eq('old_refresh_token')
end
end
context 'when refresh token is missing and legacy migration is applicable' do
let(:hook) do
create(
:integrations_hook,
:linear,
account: account,
access_token: 'legacy_access_token',
settings: {
token_type: 'Bearer',
scope: 'read,write'
}
)
end
it 'migrates the legacy token and persists refresh token data' do
stub_request(:post, 'https://api.linear.app/oauth/migrate_old_token')
.to_return(
status: 200,
body: {
access_token: 'migrated_access_token',
refresh_token: 'migrated_refresh_token',
token_type: 'Bearer',
expires_in: 7200,
scope: 'read,write'
}.to_json,
headers: { 'Content-Type' => 'application/json' }
)
service = described_class.new(hook: hook)
expect(service.access_token).to eq('migrated_access_token')
hook.reload
expect(hook.access_token).to eq('migrated_access_token')
expect(hook.settings['refresh_token']).to eq('migrated_refresh_token')
expect(hook.settings['expires_in']).to eq(7200)
expect(hook.settings['expires_on']).to be_present
end
it 'does not overwrite the existing token on malformed migration success response' do
stub_request(:post, 'https://api.linear.app/oauth/migrate_old_token')
.to_return(
status: 200,
body: {
refresh_token: 'migrated_refresh_token',
token_type: 'Bearer',
expires_in: 7200,
scope: 'read,write'
}.to_json,
headers: { 'Content-Type' => 'application/json' }
)
service = described_class.new(hook: hook)
expect(service.access_token).to eq('legacy_access_token')
hook.reload
expect(hook.access_token).to eq('legacy_access_token')
expect(hook.settings['token_type']).to eq('Bearer')
end
end
end
end

28
spec/lib/linear_spec.rb
View File

@@ -2,7 +2,9 @@ require 'rails_helper'
describe Linear do
let(:access_token) { 'valid_access_token' }
let(:refresh_token) { 'valid_refresh_token' }
let(:url) { 'https://api.linear.app/graphql' }
let(:revoke_url) { 'https://api.linear.app/oauth/revoke' }
let(:linear_client) { described_class.new(access_token) }
let(:headers) { { 'Content-Type' => 'application/json', 'Authorization' => "Bearer #{access_token}" } }
@@ -433,4 +435,30 @@ describe Linear do
end
end
end
context 'when revoking a token' do
it 'uses the refresh token when present' do
client = described_class.new(access_token, refresh_token: refresh_token)
stub_request(:post, revoke_url)
.with(
headers: { 'Content-Type' => 'application/x-www-form-urlencoded' },
body: { token: refresh_token, token_type_hint: 'refresh_token' }
)
.to_return(status: 200, body: '', headers: {})
expect(client.revoke_token).to be(true)
end
it 'falls back to the access token when refresh token is absent' do
stub_request(:post, revoke_url)
.with(
headers: { 'Content-Type' => 'application/x-www-form-urlencoded' },
body: { token: access_token, token_type_hint: 'access_token' }
)
.to_return(status: 200, body: '', headers: {})
expect(linear_client.revoke_token).to be(true)
end
end
end