chore: hash rate limit trackers api v2

[ThyMinimalDev]

What does this PR do?

• Fixes #XXXX (GitHub issue number)
• Fixes CAL-XXXX (Linear issue number - should be visible at the bottom of the GitHub issue description)

Visual Demo (For contributors especially)

A visual demonstration is strongly recommended, for both the original and new change (video / image - any one).

Video Demo (if applicable):

• Show screen recordings of the issue or feature.
• Demonstrate how to reproduce the issue, the behavior before and after the change.

Image Demo (if applicable):

• Add side-by-side screenshots of the original and updated change.
• Highlight any significant change(s).

Mandatory Tasks (DO NOT REMOVE)

• I have self-reviewed the code (A decent size PR without self-review might be rejected).
• I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. If N/A, write N/A here and check the checkbox.
• I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

• Are there environment variables that should be set?
• What are the minimal test data to have?
• What is expected (happy path) to have (input and output)?
• Any other important info that could help to test that PR

Checklist

• I haven't read the contributing guide
• My code doesn't follow the style guidelines of this project
• I haven't commented my code, particularly in hard-to-understand areas
• I haven't checked if my changes generate no new warnings

[coderabbitai]

Walkthrough

The changes across the codebase involve renaming the hashing function used for API key and token handling from hashAPIKey to sha256Hash. All imports and invocations of the function in controllers, services, authentication strategies, guards, and test files have been updated accordingly. In addition, the function's parameter name was changed from apiKey to token. In the throttler guard, the update also ensures that all identifiers (API key, access token, OAuth client ID, and IP address) used for rate limiting are now consistently hashed using SHA-256. No changes were made to the logic, control flow, or public API signatures, except for the function renaming.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

• Complexity: Simple
• Rationale: The changes are systematic and repetitive, focusing on renaming a function and updating its usage across several files, with a minor increase in hashing coverage in one guard. No significant logic or architectural changes are present.

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ee073cd and 0fdad42.

📒 Files selected for processing (7)

• apps/api/v2/src/ee/bookings/2024-04-15/controllers/bookings.controller.ts (2 hunks)
• apps/api/v2/src/ee/bookings/2024-08-13/services/input.service.ts (2 hunks)
• apps/api/v2/src/lib/api-key/index.ts (1 hunks)
• apps/api/v2/src/lib/throttler-guard.ts (2 hunks)
• apps/api/v2/src/modules/api-keys/services/api-keys.service.ts (2 hunks)
• apps/api/v2/src/modules/auth/strategies/api-auth/api-auth.strategy.ts (2 hunks)
• apps/api/v2/src/modules/organizations/organizations/organizations-organizations.controller.e2e-spec.ts (3 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**/*.{js,jsx,ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/review.mdc)

Flag excessive Day.js use in performance-critical code. Functions like .add, .diff, .isBefore, and .isAfter are slow, especially in timezone mode. Prefer .utc() for better performance. Where possible, replace with native Date and direct .valueOf() comparisons for faster execution. Recommend using native methods or Day.js .utc() consistently in hot paths like loops.

Files:

• apps/api/v2/src/modules/auth/strategies/api-auth/api-auth.strategy.ts
• apps/api/v2/src/modules/api-keys/services/api-keys.service.ts
• apps/api/v2/src/ee/bookings/2024-04-15/controllers/bookings.controller.ts
• apps/api/v2/src/lib/api-key/index.ts
• apps/api/v2/src/modules/organizations/organizations/organizations-organizations.controller.e2e-spec.ts
• apps/api/v2/src/lib/throttler-guard.ts
• apps/api/v2/src/ee/bookings/2024-08-13/services/input.service.ts

🧠 Learnings (5)

📓 Common learnings

Learnt from: alishaz-polymath
PR: calcom/cal.com#22304
File: packages/prisma/schema.prisma:1068-1071
Timestamp: 2025-07-16T05:10:22.891Z
Learning: In PR #22304 for Cal.com private link expiration features, the `maxUsageCount` field was intentionally set to default to 1 (non-nullable) as a breaking change, making all existing private links single-use after migration. This was a deliberate design decision by alishaz-polymath.

apps/api/v2/src/modules/auth/strategies/api-auth/api-auth.strategy.ts (1)

Learnt from: CR
PR: calcom/cal.com#0
File: .cursor/rules/review.mdc:0-0
Timestamp: 2025-07-21T13:54:11.770Z
Learning: Applies to backend/**/*.{ts,tsx} : Make sure the credential.key field is never returned back from tRPC endpoints or APIs.

apps/api/v2/src/ee/bookings/2024-04-15/controllers/bookings.controller.ts (2)

Learnt from: eunjae-lee
PR: #22702
File: packages/lib/server/service/insightsBooking.ts:120-124
Timestamp: 2025-07-24T08:39:06.185Z
Learning: In the InsightsBookingService (packages/lib/server/service/insightsBooking.ts), the constructor stores null for invalid options or filters but this is handled safely through null checks in buildFilterConditions() and buildAuthorizationConditions() methods. The service uses defensive programming to return safe fallback conditions (null or NOTHING_CONDITION) rather than throwing errors on invalid inputs.

Learnt from: eunjae-lee
PR: #22106
File: packages/features/insights/components/FailedBookingsByField.tsx:65-71
Timestamp: 2025-07-15T12:59:34.389Z
Learning: In the FailedBookingsByField component (packages/features/insights/components/FailedBookingsByField.tsx), although routingFormId is typed as optional in useInsightsParameters, the system automatically enforces a routing form filter, so routingFormId is always present in practice. This means the data always contains only one entry, making the single-entry destructuring approach safe.

apps/api/v2/src/lib/throttler-guard.ts (1)

Learnt from: CR
PR: calcom/cal.com#0
File: .cursor/rules/review.mdc:0-0
Timestamp: 2025-07-21T13:54:11.770Z
Learning: Applies to backend/**/*.{ts,tsx} : Make sure the credential.key field is never returned back from tRPC endpoints or APIs.

apps/api/v2/src/ee/bookings/2024-08-13/services/input.service.ts (1)

Learnt from: eunjae-lee
PR: #22702
File: packages/lib/server/service/insightsBooking.ts:120-124
Timestamp: 2025-07-24T08:39:06.185Z
Learning: In the InsightsBookingService (packages/lib/server/service/insightsBooking.ts), the constructor stores null for invalid options or filters but this is handled safely through null checks in buildFilterConditions() and buildAuthorizationConditions() methods. The service uses defensive programming to return safe fallback conditions (null or NOTHING_CONDITION) rather than throwing errors on invalid inputs.

🧬 Code Graph Analysis (6)

apps/api/v2/src/modules/auth/strategies/api-auth/api-auth.strategy.ts (1)

apps/api/v2/src/lib/api-key/index.ts (1)

• sha256Hash (3-3)

apps/api/v2/src/modules/api-keys/services/api-keys.service.ts (1)

apps/api/v2/src/lib/api-key/index.ts (1)

• sha256Hash (3-3)

apps/api/v2/src/ee/bookings/2024-04-15/controllers/bookings.controller.ts (1)

apps/api/v2/src/lib/api-key/index.ts (1)

• sha256Hash (3-3)

apps/api/v2/src/modules/organizations/organizations/organizations-organizations.controller.e2e-spec.ts (1)

apps/api/v2/src/lib/api-key/index.ts (2)

• sha256Hash (3-3)
• stripApiKey (8-8)

apps/api/v2/src/lib/throttler-guard.ts (2)

apps/api/v2/src/lib/api-key/index.ts (2)

• sha256Hash (3-3)
• stripApiKey (8-8)

packages/platform/constants/api.ts (1)

• X_CAL_CLIENT_ID (50-50)

apps/api/v2/src/ee/bookings/2024-08-13/services/input.service.ts (1)

apps/api/v2/src/lib/api-key/index.ts (1)

• sha256Hash (3-3)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Detect changes
• GitHub Check: Codacy Static Code Analysis

🔇 Additional comments (14)

apps/api/v2/src/lib/api-key/index.ts (1)

3-3: LGTM! Clean function rename improves genericity.

The rename from hashAPIKey to sha256Hash with parameter change from apiKey to token makes the function more generic and reusable for hashing various types of tokens, not just API keys. The implementation remains correct.

apps/api/v2/src/modules/auth/strategies/api-auth/api-auth.strategy.ts (2)

1-1: LGTM! Import correctly updated.

The import statement has been properly updated to use the renamed sha256Hash function.

---

229-229: LGTM! Function call correctly updated.

The function call has been properly updated to use sha256Hash instead of hashAPIKey. The context and usage remain the same.

apps/api/v2/src/ee/bookings/2024-04-15/controllers/bookings.controller.ts (2)

8-8: LGTM! Import correctly updated.

The import statement has been properly updated to use the renamed sha256Hash function.

---

389-389: LGTM! Function call correctly updated.

The function call in the getOwnerId method has been properly updated to use sha256Hash. The usage context remains the same - hashing the stripped API key for database lookup.

apps/api/v2/src/modules/api-keys/services/api-keys.service.ts (2)

1-1: LGTM! Import correctly updated.

The import statement has been properly updated to use the renamed sha256Hash function.

---

64-64: LGTM! Function call correctly updated.

The function call in the refreshApiKey method has been properly updated to use sha256Hash. The usage remains consistent - hashing the stripped API key for database lookup.

apps/api/v2/src/ee/bookings/2024-08-13/services/input.service.ts (2)

14-14: LGTM! Import correctly updated.

The import statement has been properly updated to use the renamed sha256Hash function.

---

678-678: LGTM! Function call correctly updated.

The function call in the createBookingRequestOwnerId method has been properly updated to use sha256Hash. The usage context remains the same - hashing the stripped API key for database operations.

apps/api/v2/src/modules/organizations/organizations/organizations-organizations.controller.e2e-spec.ts (3)

4-4: LGTM - Import updated to reflect function rename.

The import correctly reflects the renaming of hashAPIKey to sha256Hash. The function behavior remains identical.

---

286-286: LGTM - Test assertion correctly uses renamed hashing function.

The test correctly uses sha256Hash to verify the stored hashed API key matches the expected hash. The logic and behavior remain unchanged.

---

487-487: LGTM - API key refresh test correctly uses renamed hashing function.

The test correctly uses sha256Hash to verify the refreshed API key is properly hashed and stored. The logic remains consistent with the previous implementation.

apps/api/v2/src/lib/throttler-guard.ts (2)

2-2: LGTM - Import updated to reflect function rename.

The import correctly reflects the renaming of hashAPIKey to sha256Hash. The function behavior remains identical.

---

220-231: Excellent security improvement - All identifiers now consistently hashed.

This change significantly improves security by ensuring all rate limiting identifiers (API keys, access tokens, OAuth client IDs, and IP addresses) are consistently hashed using SHA-256. This prevents sensitive information from being stored in plain text in the rate limiting system, logs, or cache.

The implementation correctly:

• Strips API key prefix before hashing (line 220)
• Hashes access tokens directly (line 221)
• Hashes OAuth client IDs (line 227)
• Hashes IP addresses after converting to string (line 231)

This maintains the same rate limiting functionality while significantly improving the security posture.

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch hash-rate-limit-tracker-v2

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

2 Skipped Deployments

Name	Status	Preview	Comments	Updated (UTC)
cal	⬜️ Ignored (Inspect)			Jul 30, 2025 8:06am
cal-eu	⬜️ Ignored (Inspect)			Jul 30, 2025 8:06am

[github-actions]

E2E results are ready!

• Workflow #69895.2 latest results