calcom · supalarry · Jan 30, 2026 · Jan 30, 2026 · Jan 30, 2026 · Jan 30, 2026
@@ -1,13 +1,20 @@
 import { PrismaAccessCodeRepository } from "@/lib/repositories/prisma-access-code.repository";
 import { PrismaOAuthClientRepository } from "@/lib/repositories/prisma-oauth-client.repository";
+import { PrismaOAuthRefreshTokenRepository } from "@/lib/repositories/prisma-oauth-refresh-token.repository";
 import { PrismaTeamRepository } from "@/lib/repositories/prisma-team.repository";
 import { OAuthService } from "@/lib/services/oauth.service";
 import { PrismaModule } from "@/modules/prisma/prisma.module";
 import { Module } from "@nestjs/common";
 
 @Module({
   imports: [PrismaModule],
-  providers: [PrismaAccessCodeRepository, PrismaOAuthClientRepository, PrismaTeamRepository, OAuthService],
+  providers: [
+    PrismaAccessCodeRepository,
+    PrismaOAuthClientRepository,
+    PrismaOAuthRefreshTokenRepository,
+    PrismaTeamRepository,
+    OAuthService,
+  ],
   exports: [OAuthService],
 })
 export class oAuthServiceModule {}
@@ -0,0 +1,12 @@
+import { PrismaWriteService } from "@/modules/prisma/prisma-write.service";
+import { Injectable } from "@nestjs/common";
+
+import { PrismaOAuthRefreshTokenRepository as PrismaOAuthRefreshTokenRepositoryLib } from "@calcom/platform-libraries/repositories";
+import type { PrismaClient } from "@calcom/prisma";
+
+@Injectable()
+export class PrismaOAuthRefreshTokenRepository extends PrismaOAuthRefreshTokenRepositoryLib {
+  constructor(private readonly dbWrite: PrismaWriteService) {
+    super(dbWrite.prisma as unknown as PrismaClient);
+  }
+}
@@ -3,6 +3,7 @@ import { OAuthService as BaseOAuthService } from "@calcom/platform-libraries";
 import { Injectable } from "@nestjs/common";
 import { PrismaAccessCodeRepository } from "@/lib/repositories/prisma-access-code.repository";
 import { PrismaOAuthClientRepository } from "@/lib/repositories/prisma-oauth-client.repository";
+import { PrismaOAuthRefreshTokenRepository } from "@/lib/repositories/prisma-oauth-refresh-token.repository";
 import { PrismaTeamRepository } from "@/lib/repositories/prisma-team.repository";
 import type { OAuth2ExchangeInput } from "@/modules/auth/oauth2/inputs/exchange.input";
 import { OAuth2ExchangeConfidentialInput } from "@/modules/auth/oauth2/inputs/exchange.input";
@@ -15,11 +16,13 @@ export class OAuthService extends BaseOAuthService {
   constructor(
     accessCodeRepository: PrismaAccessCodeRepository,
     oAuthClientRepository: PrismaOAuthClientRepository,
+    oAuthRefreshTokenRepository: PrismaOAuthRefreshTokenRepository,
     teamsRepository: PrismaTeamRepository
   ) {
     super({
       accessCodeRepository: accessCodeRepository,
       oAuthClientRepository: oAuthClientRepository,
+      oAuthRefreshTokenRepository: oAuthRefreshTokenRepository,
       teamsRepository: teamsRepository,
     });
   }

diff --git a/apps/api/v2/src/modules/auth/oauth2/controllers/oauth2.controller.e2e-spec.ts b/apps/api/v2/src/modules/auth/oauth2/controllers/oauth2.controller.e2e-spec.ts
@@ -5,6 +5,7 @@ import type { INestApplication } from "@nestjs/common";
 import type { NestExpressApplication } from "@nestjs/platform-express";
 import type { TestingModule } from "@nestjs/testing";
 import { Test } from "@nestjs/testing";
+import jwt from "jsonwebtoken";
 import request from "supertest";
 import { ApiKeysRepositoryFixture } from "test/fixtures/repository/api-keys.repository.fixture";
 import { MembershipRepositoryFixture } from "test/fixtures/repository/membership.repository.fixture";
@@ -91,16 +92,15 @@ describe("OAuth2 Controller Endpoints", () => {
 
     /** Generate an authorization code directly via the service (bypasses HTTP layer). */
     async function generateAuthCode(
-      scopes: AccessScope[] = [AccessScope.READ_BOOKING],
-      teamSlug?: string
+      scopes: AccessScope[] = [AccessScope.READ_BOOKING]
     ): Promise<string> {
       const result = await oAuthService.generateAuthorizationCode(
         testClientId,
         authenticatedUser.id,
         testRedirectUri,
         scopes,
         undefined,
-        teamSlug ?? team.slug
+        team.slug ?? undefined
       );
       const redirectUrl = new URL(result.redirectUrl);
       return redirectUrl.searchParams.get("code") as string;
@@ -381,6 +381,113 @@ describe("OAuth2 Controller Endpoints", () => {
           expect(response.body.refresh_token).toBeDefined();
           expect(response.body.token_type).toBe("bearer");
           expect(response.body.expires_in).toBe(1800);
+
+          refreshToken = response.body.refresh_token;
+        });
+
+        it("should reject reuse of old refresh token after rotation", async () => {
+          // Get a fresh token pair
+          const code = await generateAuthCode();
+          const tokenResponse = await request(app.getHttpServer())
+            .post("/api/v2/auth/oauth2/token")
+            .type("form")
+            .send({
+              client_id: testClientId,
+              grant_type: "authorization_code",
+              code,
+              client_secret: testClientSecret,
+              redirect_uri: testRedirectUri,
+            })
+            .expect(200);
+
+          const oldRefreshToken = tokenResponse.body.refresh_token;
+
+          // Use the refresh token once (rotates it)
+          await request(app.getHttpServer())
+            .post("/api/v2/auth/oauth2/token")
+            .type("form")
+            .send({
+              client_id: testClientId,
+              grant_type: "refresh_token",
+              refresh_token: oldRefreshToken,
+              client_secret: testClientSecret,
+            })
+            .expect(200);
+
+          // Try to reuse the old refresh token — should be rejected
+          const response = await request(app.getHttpServer())
+            .post("/api/v2/auth/oauth2/token")
+            .type("form")
+            .send({
+              client_id: testClientId,
+              grant_type: "refresh_token",
+              refresh_token: oldRefreshToken,
+              client_secret: testClientSecret,
+            })
+            .expect(400);
+
+          expect(response.body.error).toBe("invalid_grant");
+          expect(response.body.error_description).toBe("refresh_token_revoked");
+        });
+
+        it("should accept legacy refresh token without secret and reject it after rotation", async () => {
+          const secretKey = process.env.CALENDSO_ENCRYPTION_KEY;
+          // Sign a legacy refresh token (no secret field)
+          const legacyRefreshToken = jwt.sign(
+            {
+              userId: authenticatedUser.id,
+              teamId: team.id,
+              scope: [AccessScope.READ_BOOKING],
+              token_type: "Refresh Token",
+              clientId: testClientId,
+            },
+            secretKey!,
+            { expiresIn: 30 * 24 * 60 * 60 }
+          );
+
+          // Legacy token should be accepted (one-time pass)
+          const firstResponse = await request(app.getHttpServer())
+            .post("/api/v2/auth/oauth2/token")
+            .type("form")
+            .send({
+              client_id: testClientId,
+              grant_type: "refresh_token",
+              refresh_token: legacyRefreshToken,
+              client_secret: testClientSecret,
+            })
+            .expect(200);
+
+          expect(firstResponse.body.access_token).toBeDefined();
+          expect(firstResponse.body.refresh_token).toBeDefined();
+
+          const newRefreshToken = firstResponse.body.refresh_token;
+
+          // Use the new token (has secret, triggers rotation)
+          await request(app.getHttpServer())
+            .post("/api/v2/auth/oauth2/token")
+            .type("form")
+            .send({
+              client_id: testClientId,
+              grant_type: "refresh_token",
+              refresh_token: newRefreshToken,
+              client_secret: testClientSecret,
+            })
+            .expect(200);
+
+          // Reuse the new token — should be rejected
+          const reuseResponse = await request(app.getHttpServer())
+            .post("/api/v2/auth/oauth2/token")
+            .type("form")
+            .send({
+              client_id: testClientId,
+              grant_type: "refresh_token",
+              refresh_token: newRefreshToken,
+              client_secret: testClientSecret,
+            })
+            .expect(400);
+
+          expect(reuseResponse.body.error).toBe("invalid_grant");
+          expect(reuseResponse.body.error_description).toBe("refresh_token_revoked");
         });
       });
 

diff --git a/apps/web/app/api/auth/oauth/refreshToken/route.ts b/apps/web/app/api/auth/oauth/refreshToken/route.ts
@@ -45,7 +45,13 @@ async function handler(req: NextRequest) {
     );
   } catch (err) {
     if (err instanceof ErrorWithCode) {
-      return NextResponse.json({ error: err.message }, { status: getHttpStatusCode(err) });
+      return NextResponse.json(
+        {
+          error: err.message,
+          error_description: (err.data?.reason as string | undefined) ?? err.message,
+        },
+        { status: getHttpStatusCode(err) }
+      );
     }
     return NextResponse.json({ error: "server_error" }, { status: 500 });
   }

diff --git a/apps/web/playwright/oauth/oauth-refresh-tokens.e2e.ts b/apps/web/playwright/oauth/oauth-refresh-tokens.e2e.ts
@@ -1,9 +1,10 @@
 import { expect } from "@playwright/test";
 import { randomBytes } from "node:crypto";
-import jwt from "jsonwebtoken";
+import process from "node:process";
 
 import { test } from "../lib/fixtures";
 import type { PrismaClient } from "@calcom/prisma";
+import jwt from "jsonwebtoken";
 
 test.describe("OAuth - refresh tokens", () => {
   test.afterEach(async ({ prisma, users }, testInfo) => {
@@ -66,6 +67,84 @@ test.describe("OAuth - refresh tokens", () => {
     );
   }
 
+  test("legacy refresh token without secret is accepted", async ({ page, users, prisma }, testInfo) => {
+    const user = await users.create({ username: "oauth-refresh-legacy" });
+    await user.apiLogin();
+
+    const testPrefix = `e2e-oauth-refresh-status-${testInfo.testId}-`;
+    const client = await createOAuthClient({
+      prisma,
+      name: `${testPrefix}approved-${Date.now()}`,
+      status: "APPROVED",
+      clientType: "PUBLIC",
+    });
+
+    // Legacy token has no secret field — should be accepted once
+    const legacyToken = signRefreshToken(client.clientId, user.id);
+
+    const response = await page.request.post("/api/auth/oauth/refreshToken", {
+      form: {
+        grant_type: "refresh_token",
+        client_id: client.clientId,
+        refresh_token: legacyToken,
+      },
+    });
+    expect(response.status()).toBe(200);
+
+    const json = await response.json();
+    expect(json.access_token).toBeDefined();
+    expect(json.refresh_token).toBeDefined();
+  });
+
+  test("reusing a rotated refresh token is rejected", async ({ page, users, prisma }, testInfo) => {
+    const user = await users.create({ username: "oauth-refresh-rotation" });
+    await user.apiLogin();
+
+    const testPrefix = `e2e-oauth-refresh-status-${testInfo.testId}-`;
+    const client = await createOAuthClient({
+      prisma,
+      name: `${testPrefix}approved-${Date.now()}`,
+      status: "APPROVED",
+      clientType: "PUBLIC",
+    });
+
+    // Use a legacy token to get a new-format token with a secret
+    const legacyToken = signRefreshToken(client.clientId, user.id);
+    const firstResponse = await page.request.post("/api/auth/oauth/refreshToken", {
+      form: {
+        grant_type: "refresh_token",
+        client_id: client.clientId,
+        refresh_token: legacyToken,
+      },
+    });
+    expect(firstResponse.status()).toBe(200);
+    const newRefreshToken = (await firstResponse.json()).refresh_token;
+
+    // Use the new token once (rotates it)
+    const secondResponse = await page.request.post("/api/auth/oauth/refreshToken", {
+      form: {
+        grant_type: "refresh_token",
+        client_id: client.clientId,
+        refresh_token: newRefreshToken,
+      },
+    });
+    expect(secondResponse.status()).toBe(200);
+
+    // Reuse the same token — should be rejected
+    const reuseResponse = await page.request.post("/api/auth/oauth/refreshToken", {
+      form: {
+        grant_type: "refresh_token",
+        client_id: client.clientId,
+        refresh_token: newRefreshToken,
+      },
+    });
+    expect(reuseResponse.status()).toBe(400);
+
+    const reuseJson = await reuseResponse.json();
+    expect(reuseJson.error).toBe("invalid_grant");
+    expect(reuseJson.error_description).toBe("refresh_token_revoked");
+  });
+
   test("token refresh fails if client is not approved", async ({ page, users, prisma }, testInfo) => {
     const user = await users.create({ username: "oauth-refresh-status-check" });
     await user.apiLogin();

diff --git a/packages/features/oauth/di/OAuthRefreshTokenRepository.module.ts b/packages/features/oauth/di/OAuthRefreshTokenRepository.module.ts
@@ -0,0 +1,23 @@
+import { bindModuleToClassOnToken, createModule, type ModuleLoader } from "@calcom/features/di/di";
+import { moduleLoader as prismaModuleLoader } from "@calcom/features/di/modules/Prisma";
+import { OAuthRefreshTokenRepository } from "@calcom/features/oauth/repositories/OAuthRefreshTokenRepository";
+import { OAUTH_DI_TOKENS } from "./tokens";
+
+const thisModule = createModule();
+const token = OAUTH_DI_TOKENS.OAUTH_REFRESH_TOKEN_REPOSITORY;
+const moduleToken = OAUTH_DI_TOKENS.OAUTH_REFRESH_TOKEN_REPOSITORY_MODULE;
+
+const loadModule = bindModuleToClassOnToken({
+  module: thisModule,
+  moduleToken,
+  token,
+  classs: OAuthRefreshTokenRepository,
+  dep: prismaModuleLoader,
+});
+
+export const moduleLoader: ModuleLoader = {
+  token,
+  loadModule,
+};
+
+export type { OAuthRefreshTokenRepository };
diff --git a/packages/features/oauth/di/OAuthService.module.ts b/packages/features/oauth/di/OAuthService.module.ts
@@ -1,8 +1,8 @@
 import { bindModuleToClassOnToken, createModule, type ModuleLoader } from "@calcom/features/di/di";
 import { OAuthService } from "@calcom/features/oauth/services/OAuthService";
-
 import { moduleLoader as accessCodeRepositoryModuleLoader } from "./AccessCodeRepository.module";
 import { moduleLoader as oAuthClientRepositoryModuleLoader } from "./OAuthClientRepository.module";
+import { moduleLoader as oAuthRefreshTokenRepositoryModuleLoader } from "./OAuthRefreshTokenRepository.module";
 import { moduleLoader as teamRepositoryModuleLoader } from "./TeamRepository.module";
 import { OAUTH_DI_TOKENS } from "./tokens";
 
@@ -18,6 +18,7 @@ const loadModule = bindModuleToClassOnToken({
   depsMap: {
     oAuthClientRepository: oAuthClientRepositoryModuleLoader,
     accessCodeRepository: accessCodeRepositoryModuleLoader,
+    oAuthRefreshTokenRepository: oAuthRefreshTokenRepositoryModuleLoader,
     teamsRepository: teamRepositoryModuleLoader,
   },
 });

diff --git a/packages/features/oauth/di/tokens.ts b/packages/features/oauth/di/tokens.ts
@@ -3,6 +3,8 @@ export const OAUTH_DI_TOKENS = {
   OAUTH_CLIENT_REPOSITORY_MODULE: Symbol("OAuthClientRepositoryModule"),
   ACCESS_CODE_REPOSITORY: Symbol("AccessCodeRepository"),
   ACCESS_CODE_REPOSITORY_MODULE: Symbol("AccessCodeRepositoryModule"),
+  OAUTH_REFRESH_TOKEN_REPOSITORY: Symbol("OAuthRefreshTokenRepository"),
+  OAUTH_REFRESH_TOKEN_REPOSITORY_MODULE: Symbol("OAuthRefreshTokenRepositoryModule"),
   OAUTH_SERVICE: Symbol("OAuthService"),
   OAUTH_SERVICE_MODULE: Symbol("OAuthServiceModule"),
 };