LeadMagnet/leadchat
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

feat(linear): Support refresh tokens and migrate legacy OAuth tokens (#13721)

Browse Source 
Linear is deprecating long-lived OAuth2 access tokens (valid for 10
years) in favor of short-lived access tokens with refresh tokens.
Starting October 1, 2025, all new OAuth2 apps will default to refresh
tokens. Linear will no longer issue long-lived access tokens. Please
read more details
[here](https://linear.app/developers/oauth-2-0-authentication#migrate-to-using-refresh-tokens)
We currently use long-lived tokens in our Linear integration (valid for
up to 10 years). To remain compatible, this PR ensures compatibility by
supporting refresh-token-based auth and migrating existing legacy
tokens.

Fixes
https://linear.app/chatwoot/issue/CW-5541/migrate-linear-oauth2-integration-to-support-refresh-tokens
This commit is contained in:
Muhsin Keloth
2026-03-17 13:09:03 +04:00
committed by GitHub
parent 2a90652f05
commit a8d53a6df4
8 changed files with 487 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
spec/lib/linear_spec.rb
View File

@@ -2,7 +2,9 @@ require 'rails_helper'
describe Linear do
let(:access_token) { 'valid_access_token' }
let(:refresh_token) { 'valid_refresh_token' }
let(:url) { 'https://api.linear.app/graphql' }
let(:revoke_url) { 'https://api.linear.app/oauth/revoke' }
let(:linear_client) { described_class.new(access_token) }
let(:headers) { { 'Content-Type' => 'application/json', 'Authorization' => "Bearer #{access_token}" } }
@@ -433,4 +435,30 @@ describe Linear do
end
end
end
context 'when revoking a token' do
it 'uses the refresh token when present' do
client = described_class.new(access_token, refresh_token: refresh_token)
stub_request(:post, revoke_url)
.with(
headers: { 'Content-Type' => 'application/x-www-form-urlencoded' },
body: { token: refresh_token, token_type_hint: 'refresh_token' }
)
.to_return(status: 200, body: '', headers: {})
expect(client.revoke_token).to be(true)
end
it 'falls back to the access token when refresh token is absent' do
stub_request(:post, revoke_url)
.with(
headers: { 'Content-Type' => 'application/x-www-form-urlencoded' },
body: { token: access_token, token_type_hint: 'access_token' }
)
.to_return(status: 200, body: '', headers: {})
expect(linear_client.revoke_token).to be(true)
end
end
end