From 71e9771f7ca697d1e4f7fff80fe570cfc01d10d0 Mon Sep 17 00:00:00 2001
From: Pierre Lehnen <55164754+pierre-lehnen-rc@users.noreply.github.com>
Date: Thu, 24 Apr 2025 17:53:22 -0300
Subject: [PATCH] fix: OAuth errors are not handled properly due to an internal
 exception on the error handling code (#35852)

---
 .changeset/three-parrots-lie.md                    | 5 +++++
 apps/meteor/app/2fa/server/loginHandler.ts         | 2 +-
 apps/meteor/definition/externals/meteor/oauth.d.ts | 9 ++++++++-
 3 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 .changeset/three-parrots-lie.md

diff --git a/.changeset/three-parrots-lie.md b/.changeset/three-parrots-lie.md
new file mode 100644
index 00000000000..609fa5183e7
--- /dev/null
+++ b/.changeset/three-parrots-lie.md
@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Fixes an issue where rocket.chat would not properly log OAuth errors nor remove the credential with the error from the internal list
diff --git a/apps/meteor/app/2fa/server/loginHandler.ts b/apps/meteor/app/2fa/server/loginHandler.ts
index b554330e140..1d039c7a89e 100644
--- a/apps/meteor/app/2fa/server/loginHandler.ts
+++ b/apps/meteor/app/2fa/server/loginHandler.ts
@@ -85,7 +85,7 @@ OAuth._retrievePendingCredential = async function (key, ...args): Promise<string
 	}
 
 	if (isCredentialWithError(pendingCredential.credential)) {
-		OAuth._pendingCredentials.remove({
+		await OAuth._pendingCredentials.removeAsync({
 			_id: pendingCredential._id,
 		});
 		return recreateError(pendingCredential.credential.error);
diff --git a/apps/meteor/definition/externals/meteor/oauth.d.ts b/apps/meteor/definition/externals/meteor/oauth.d.ts
index ff14ee1b854..6592418b946 100644
--- a/apps/meteor/definition/externals/meteor/oauth.d.ts
+++ b/apps/meteor/definition/externals/meteor/oauth.d.ts
@@ -2,6 +2,12 @@ declare module 'meteor/oauth' {
 	import type { IRocketChatRecord } from '@rocket.chat/core-typings';
 	import type { Mongo } from 'meteor/mongo';
 
+	// These functions may only be used on the client's Mongo.Collection
+	type MeteorServerMongoCollection<T extends MongoNpmModule.Document, U = T> = Omit<
+		Mongo.Collection<T, U>,
+		'remove' | 'findOne' | 'insert' | 'update' | 'upsert'
+	>;
+
 	interface IOauthCredentials extends IRocketChatRecord {
 		key: string;
 		credentialSecret: string;
@@ -17,7 +23,8 @@ declare module 'meteor/oauth' {
 		function openSecret(secret: string): string;
 		function retrieveCredential(credentialToken: string, credentialSecret: string);
 		function _retrieveCredentialSecret(credentialToken: string): string | null;
-		const _pendingCredentials: Mongo.Collection<IOauthCredentials>;
+		// luckily we don't have any reference to this collection on the client code, so let's type it according to what can be used on the server
+		const _pendingCredentials: MeteorServerMongoCollection<IOauthCredentials>;
 		const _storageTokenPrefix: string;
 
 		function launchLogin(options: {