Conversation
Contributor
|
Important Review skippedDraft detected. Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the ✨ Finishing touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
keithwillcode
added
core
Member
Author
This stack of pull requests is managed by Graphite. Learn more about stacking. |
7 tasks
hariombalhara
commented
Sep 30, 2025
| await attendeeRepository.deleteAllByBookingId(bookingToDelete.id); | ||
| } | ||
|
|
||
| const where: Prisma.BookingWhereUniqueInput = uid ? { uid } : { id }; |
Member
Author
There was a problem hiding this comment.
uid is always available for a booking. We can reliably get uid from bookingToDelete instead of using the uid and id passed in the request
hariombalhara
commented
Sep 30, 2025
hariombalhara
force-pushed
the
ariom/pri-305-bookingCancelService-skeleton
branch
from
32675a3 to
e9e4963
Compare
hariombalhara
force-pushed
the
09-30-chore_inject_repositories_instead_of_prisma_in_canellation_flow
branch
from
0575e13 to
9a5bf38
Compare
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
hariombalhara
changed the base branch from
ariom/pri-305-bookingCancelService-skeleton
to
graphite-base/24159
hariombalhara
changed the title
hariombalhara
changed the title
hariombalhara
force-pushed
the
graphite-base/24159
branch
from
e9e4963 to
da0a1e8
Compare
hariombalhara
force-pushed
the
09-30-chore_inject_repositories_instead_of_prisma_in_canellation_flow
branch
from
9a5bf38 to
711fdf0
Compare
hariombalhara
changed the base branch from
graphite-base/24159
to
ariom/pri-305-bookingCancelService-skeleton
hariombalhara
force-pushed
the
09-30-chore_inject_repositories_instead_of_prisma_in_canellation_flow
branch
from
711fdf0 to
809fc1d
Compare
hariombalhara
force-pushed
the
ariom/pri-305-bookingCancelService-skeleton
branch
2 times, most recently
from
58eb2d0 to
06460ee
Compare
hariombalhara
force-pushed
the
09-30-chore_inject_repositories_instead_of_prisma_in_canellation_flow
branch
from
809fc1d to
aa770b4
Compare
hariombalhara
changed the base branch from
ariom/pri-305-bookingCancelService-skeleton
to
graphite-base/24159
hariombalhara
force-pushed
the
graphite-base/24159
branch
from
06460ee to
870ad57
Compare
hariombalhara
force-pushed
the
09-30-chore_inject_repositories_instead_of_prisma_in_canellation_flow
branch
from
aa770b4 to
25ea87c
Compare
hariombalhara
changed the title
…risma_in_canellation_flow Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>
Member
Author
|
@Udit-takkar done |
Contributor
Devin AI is resolving merge conflictsThis PR has merge conflicts with the Devin will:
If you prefer to resolve conflicts manually, you can close the Devin session and handle it yourself. |
6 tasks
* matched colour of icons across website (#26394)
* fix(auth): resolve session user by token subject ID (#26399)
* fix(auth): align session user resolution with token subject
* test(auth): add unit tests for getServerSession user resolution
* chore: release v6.0.7
* fix: Custom time input for availability (#26373)
* add custom time input
* add unit test
* add validation logic
* feat(companion): Add DropdownMenu and Alert Dialog for Android (#26385)
* feat(companion): add DropdownMenu for Android event types list
Replace Alert.alert with react-native-reusables DropdownMenu component
for Android event type list items, providing a native-feeling menu
experience that matches iOS functionality.
Changes:
- Install react-native-reusables dropdown-menu component and dependencies
(lucide-react-native, tailwindcss-animate, class-variance-authority,
clsx, tailwind-merge)
- Create EventTypeListItem.android.tsx with DropdownMenu implementation
- Single ellipsis button triggers dropdown menu
- Menu includes: Preview, Copy link, Edit, Duplicate, Delete
- Delete action marked as destructive variant
- Proper safe area insets handling
- Add PortalHost to app/_layout.tsx for portal rendering support
- Create lib/utils.ts with cn() helper for className merging
- Update global.css with theme CSS variables (popover, border, accent,
destructive, etc.) for dropdown menu styling
- Update tailwind.config.js with theme colors and tailwindcss-animate plugin
- Update metro.config.js with inlineRem: 16 for proper rem unit handling
- Remove Android Alert.alert fallback from event types index.tsx
- Fix lint issues in generated dropdown-menu.tsx (remove unnecessary fragments)
The Android experience now matches iOS with a single menu button that
opens a dropdown containing all event type actions, replacing the
previous Alert.alert dialog and separate action buttons.
Refs: https://reactnativereusables.com/docs/components/dropdown-menu
* adjust with of menu
* feat(companion): add DropdownMenu for Android booking and availability list items
- Add BookingListItem.android.tsx with DropdownMenu for booking actions
- Add BookingDetailScreen.android.tsx with DropdownMenu in header
- Add AvailabilityListItem.android.tsx with DropdownMenu for schedule actions
Actions include: Reschedule, Edit Location, Add Guests, View Recordings,
Meeting Session Details, Mark as No-Show, Report Booking, Cancel Event
for bookings; Set as Default, Duplicate, Delete for availability schedules.
* fix lint issues
* feat(android): replace native alerts with AlertDialog and Toast in event types
- Install AlertDialog and Alert components from react-native-reusables
- Create Android-specific event types screen (index.android.tsx)
- Replace native Alert.alert() with AlertDialog for delete confirmation
- Add inline validation errors (red border + error text) in create modal
- Implement Toast snackbar for success/error notifications (no layout shift)
- Auto-dismiss toast after 2.5 seconds
- Fix React Compiler compatibility by removing animated refs
This provides a more consistent and polished UI experience on Android,
matching the design system used in other parts of the app.
* feat(android): add AlertDialog for availability delete and booking cancel
- Add index.android.tsx for availability with AlertDialog for delete confirmation
- Add index.android.tsx for bookings with AlertDialog for cancel (with reason input)
- Both screens include Toast snackbar for success/error notifications
- Follows the same pattern as event types Android implementation
* feat(companion): add DropdownMenu and AlertDialog for Android
- Replace native Alert.alert context menus with DropdownMenu component
for event types, bookings, and availability lists
- Replace FullScreenModal with AlertDialog for create/delete/cancel flows
- Add toast notifications for success/error feedback on Android
- Set consistent 380px max-width for all AlertDialogs
- Fix layout headers showing "index" text on event-types and availability
- Create Android-specific More screen with AlertDialog logout confirmation
Uses react-native-reusables components for polished Android UI
* better code
* fix cubics comments
* refactor(android): revert delete confirmations to native Alert.alert()
- Logout: reverted to native Alert.alert() (simple yes/no)
- Event Types Delete: reverted to native Alert.alert() (simple yes/no)
- Availability Delete: reverted to native Alert.alert() (simple yes/no)
Keep AlertDialog only where user input is needed:
- Event Types Create (has TextInput for title)
- Availability Create (has TextInput for name)
- Bookings Cancel (has TextInput for cancellation reason)
* refactor(android): remove redundant index.android.tsx files
The main index.tsx files already handle Android via Platform.OS checks.
Android-specific behavior for actions is in the list item components:
- EventTypeListItem.android.tsx
- BookingListItem.android.tsx
- AvailabilityListItem.android.tsx
This consolidates the code and reduces duplication.
* corrected the implementation both native and alert dialog
* address cubics comments
* fix lint issue and address cubic comments
* chore: add logging in next-auth (#26404)
* Add logging in next-auth
* Add logging at other return
* fix: Make incomplete booking form mobile-responsive (#26413)
* fix: update bundle identifier (#26402)
* fix: patch React 19 vulnerabilities by upgrading to 19.2.3 (#26411)
* security: patch React 19 vulnerabilities by upgrading to 19.2.3
* chore: revert lingo.dev upgrade
* refactor(companion): event type details screen improvements (#26415)
* refactor(companion): move EventTypeDetail component to a new file and update routing
* refactor(companion): format code for better readability in TabLayout and EventTypeDetail components
* refactor(companion): improve code formatting and readability in EventTypeDetail component
* refactor(companion): enhance code readability and formatting in EventTypeDetail component
* refactor(companion): improve code formatting and readability in EventTypeDetail component
* refactor(companion): enhance code formatting and readability in EventTypeDetail component
* refactor(companion): improve code formatting and readability in TabLayout component
* fix: add vertical spacing when hovered (#26419)
* fix(seed): add missing Host entries for seeded round‑robin team events (#26426)
* feat(companion): new availability detail and actions pages for ios (#26424)
* version 1
* version 1.1
* better code
* covered all edge cases
* address cubics comments
* address cubics comments
* fix(auth): enhance SAML login handling by introducing userId field and updating JWT token structure (#26428)
* fix(ci): delete old prod build caches on cache miss (#26437)
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
* fix(ci): add yarn prisma generate before cache key generation (#26439)
This ensures consistent cache keys between the Build Web App job and E2E
shards by running yarn prisma generate before generating the cache key.
The issue was that packages/prisma/enums/index.ts is:
1. Generated by yarn prisma generate
2. In .gitignore (not committed to git)
3. Included in the SOURCE_HASH (matches packages/**/**.[jt]s)
4. NOT excluded from the hash
E2E jobs already run yarn prisma generate before cache-build, but the
Build Web App job did not, causing different cache keys in the same
workflow run.
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
* fix: show empty screen from event type availability tab (#26396)
* fix
* update
* fix
* Remove copying of App Store static files step
Removed step to copy App Store static files from the workflow.
* feat: queue or cancel payment reminder flow (#24889)
Co-authored-by: Pallav <90088723+Pallava-Joshi@users.noreply.github.com>
Co-authored-by: Ryukemeister <sahalrajiv6900@gmail.com>
Co-authored-by: Rajiv Sahal <sahalrajiv-extc@atharvacoe.ac.in>
Co-authored-by: Peer Richelsen <peeroke@gmail.com>
* feat: integrate BookingHistory with Bookings V3 design (#26301)
* Integrate BookingHistory with Bookings V3 design
* Enhance booking features by integrating booking audit functionality
- Updated the booking page to retrieve user feature statuses for "bookings-v3" and "booking-audit".
- Modified BookingDetailsSheet and BookingListContainer components to accept and utilize the new bookingAuditEnabled prop.
- Adjusted the BookingHistory display logic to conditionally render based on the bookingAuditEnabled state.
- Refactored SegmentedControl to support generic types for better type safety.
This change improves the user experience by allowing conditional access to booking audit features based on user permissions.
* Refactor BookingDetailsSheet to manage active segment state with Zustand store
- Removed local state management for active segment in BookingDetailsSheet and integrated Zustand store for better state synchronization.
- Introduced useActiveSegmentFromUrl hook to sync active segment with URL query parameters.
- Updated BookingDetailsSheet to handle derived active segment logic based on bookingAuditEnabled state.
- Adjusted SegmentedControl to ensure it defaults to "info" when activeSegment is null.
This refactor enhances the maintainability and responsiveness of the booking details component.
* refactor: rename useBiDirectionalSyncBetweenZustandAndNuqs to useBiDirectionalSyncBetweenStoreAndUrl
Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>
---------
Co-authored-by: Udit Takkar <53316345+Udit-takkar@users.noreply.github.com>
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
* feat: create BookingHistoryViewerService to combine audit logs with routing form submissions (#26045)
* feat: create BookingHistoryViewerService to combine audit logs with routing form submissions
Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>
* refactor(booking): rename audit log query and enhance type safety
- Updated the booking logs view to use the new getBookingHistory query instead of getAuditLogs.
- Introduced DisplayBookingAuditLog type for improved clarity in BookingAuditViewerService.
- Refactored BookingHistoryViewerService to utilize the new DisplayBookingAuditLog type and added sorting functionality for history logs.
- Adjusted related types and methods to ensure consistency across services.
* refactor(routing-forms): streamline imports and enhance type definitions
- Consolidated type exports and imports from the features library for better organization.
- Removed redundant type definitions and functions in zod.ts, findFieldValueByIdentifier.ts, getFieldIdentifier.ts, and parseRoutingFormResponse.ts.
- Introduced new utility functions for handling field responses and parsing routing form responses.
- Improved type safety and clarity across routing form response handling.
* fix: remove double prefix from uniqueId in form submission entry
Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>
* 1c97f9cc5d50416788c01876fe539bcc9750e9b2 (#26453)
---------
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
* chore: Ensure that uuid is available in server session[Booking Audit Prerequisite] (#25963)
## What does this PR do?
Similar to #25721, adds uuid in session so that BookingAudit has it readily available
Adds the user's UUID to the booking metadata by:
1. Extending the NextAuth `User` interface to include an optional `uuid` property from PrismaUser
2. Making `uuid` required on `Session.user` via intersection type (`User & { uuid: PrismaUser["uuid"] }`)
3. Adding `uuid` to the session user object in `getServerSession.ts`
4. Adding `uuid` to the `AdapterUser` transformation in `next-auth-custom-adapter.ts`
5. Passing `userUuid` from the session to the booking creation flow
6. Updating the API key verification flow to include `uuid` in the user data (repository, service, and type definitions)
7. Adding `req.userUuid` as a required field on the request object (like `req.userId`)
8. Adding `uuid` to mock session objects in web app routes and test context
9. Adding `uuid` to the `findByEmailAndIncludeProfilesAndPassword` query in UserRepository
Also removes commented-out code that was placeholder for future work and fixes lint warnings for unused variables.
## Mandatory Tasks (DO NOT REMOVE)
- [x] I have self-reviewed the code (A decent size PR without self-review might be rejected).
- [x] I have updated the developer docs in /docs if this PR makes changes that would require a [documentation change](https://cal.com/docs). N/A - no documentation changes needed.
- [x] I confirm automated tests are in place that prove my fix is effective or that my feature works.
## How should this be tested?
1. Verify that the NextAuth session callback is already populating the `uuid` field on the user object
2. Create a booking and confirm `userUuid` is included in the booking metadata
3. Test API v1 endpoints (`/api/invites` POST and `/api/teams/[teamId]/publish`) to verify they receive the uuid from the authenticated user
4. Check that the booking flow works correctly with the new parameter
5. Test SAML login flow to verify session still works correctly (uuid is resolved from database after authentication)
## Human Review Checklist
- [ ] Verify the NextAuth session callback populates `uuid` - if not, this change will pass `undefined` at runtime
- [ ] Confirm `userUuid` is consumed downstream in the booking service
- [ ] Verify that `PrismaApiKeyRepository.findByHashedKey()` correctly fetches the user's uuid from the database
- [ ] Verify the discriminated union type in `ApiKeyService.ts` ensures `result.user` is always defined when `result.valid` is true
- [ ] Confirm all API v1 endpoints using `req.userUuid` go through the `verifyApiKey` middleware
- [ ] Verify `UserRepository.findByEmailAndIncludeProfilesAndPassword()` includes `uuid` in the select clause
- [ ] Verify SAML login still works correctly - uuid is now optional on User interface so SAML providers don't need to supply it at profile stage
## Updates since last revision
- **Made uuid optional on User, required on Session**: Changed the type strategy so `uuid` is optional on the NextAuth `User` interface but required on `Session.user` via intersection type. This allows SAML providers to not supply uuid at the profile stage while ensuring uuid is always present on the session after the user is resolved from the database.
- **Removed uuid from SAML functions**: Since uuid is now optional on User, the SAML profile and authorize functions no longer need to include it.
---
Link to Devin run: https://app.devin.ai/sessions/97e5603b719a420b9b35041252c9db26
Requested by: hariom@cal.com (@hariombalhara)
* fix: add @calcom/trpc#build dependency to @calcom/web#dev task (#26460)
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
* fix(auth): make identityProviderId lookup case-insensitive (#26405)
SAML IdPs may send NameIDs with different casing than stored, causing login failures.
Aligns with the existing case-insensitive email lookup pattern
* fix: cancel running CI workflow before re-triggering and allow trusted GitHub Apps (#26461)
* fix: cancel running CI workflow before re-triggering and allow trusted bots
Co-Authored-By: keith@cal.com <keithwillcode@gmail.com>
* fix: remove hardcoded bot allowlist, keep only cancel-and-rerun improvement
Co-Authored-By: keith@cal.com <keithwillcode@gmail.com>
* fix: add app_id verification for trusted GitHub Apps (Graphite)
Co-Authored-By: keith@cal.com <keithwillcode@gmail.com>
* fix: simplify trusted bot check to use sender type, login, and installation context
Co-Authored-By: keith@cal.com <keithwillcode@gmail.com>
* chore: remove unnecessary comments
Co-Authored-By: keith@cal.com <keithwillcode@gmail.com>
---------
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
* feat: update translations via @LingoDotDev (#26445)
Co-authored-by: Lingo.dev <support@lingo.dev>
Co-authored-by: Keith Williams <keithwillcode@gmail.com>
* fix: remove installation requirement from trusted bot check (#26466)
* fix: remove installation requirement from trusted bot check
The installation object is not present in the webhook payload when
GitHub Apps add labels via pull_request_target events. This caused
graphite-app[bot] to fail the authorization check and fall through
to the human permission check, which doesn't work for bots.
The fix removes the installation requirement and relies on:
- sender.type === 'Bot'
- sender.login matching the trusted bot list
This is secure because the sender fields come from GitHub's webhook
payload and cannot be forged by contributors.
Co-Authored-By: keith@cal.com <keithwillcode@gmail.com>
* chore: add extra logging about sender type
Co-Authored-By: keith@cal.com <keithwillcode@gmail.com>
* chore: remove senderId from logging
Co-Authored-By: keith@cal.com <keithwillcode@gmail.com>
* Update run-ci.yml
---------
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
* refactor: Move trpc-dependent components from features to web [2] (#26420)
* fix
* move event types components to web
* update import paths
* mv apps components
* migrate form builder
* fix
* mv sso
* fix
* mv
* update import paths
* update import paths
* mv
* mv
* mv
* fix
* update Booker
* fix
* fix
* fix
* fix
* mv video
* mv embed components to web
* update import paths
* mv calendar weekly view components
* update import paths
* fix
* fixp
* fix
* fix
* fix
* fix: update FormBuilder imports to use @calcom/features/form-builder
Co-Authored-By: benny@cal.com <sldisek783@gmail.com>
* fix: update broken import paths after file migrations
Co-Authored-By: benny@cal.com <sldisek783@gmail.com>
* fix: correct import paths for platform atoms and moved components
Co-Authored-By: benny@cal.com <sldisek783@gmail.com>
* fix: apply CSS type fixes and add missing atoms exports
Co-Authored-By: benny@cal.com <sldisek783@gmail.com>
* fix: resolve type errors in test files after component migrations
Co-Authored-By: benny@cal.com <sldisek783@gmail.com>
* fix: resolve remaining type errors in test files
Co-Authored-By: benny@cal.com <sldisek783@gmail.com>
* fix
* migrate
* fix: resolve type errors in test and mock files
- Add missing bookingForm, bookerFormErrorRef, instantConnectCooldownMs to Booker.test.tsx bookings prop
- Add all required BookerEvent properties to event.mock.ts
- Add vi import from vitest to all mock files
- Fix date parameter types in packages/dayjs/__mocks__/index.ts
- Add verificationCode and setVerificationCode to test-utils.tsx mock store
- Remove children.type access in Section.tsx mock to fix type error
- Fix lint issues: remove unused React imports, use import type where needed, add return types
- Add biome-ignore comments for pre-existing lint warnings in test files
Co-Authored-By: benny@cal.com <sldisek783@gmail.com>
* migrate
* migrate
* migrate
* update import paths
* update import paths
* update import paths
* fix
* migrate data table
* migrate data table
* fix
* fix
* fix
* migrate insights components
* migrate insights components
* fix
* mv
* update import paths
* fix
* fix
* fix
* fix
* fix
* fix: resolve type errors in test mocks
- Booker.test.tsx: Add all required UseFormReturn methods to bookingForm mock
- event.mock.ts: Fix entity, subsetOfHosts, instantMeetingParameters, fieldTranslations, image types
- dayjs/__mocks__/index.ts: Use Object.assign for proper typing of mock properties
- Section.tsx: Change 'class' to 'className' in JSX with biome-ignore comment
Co-Authored-By: benny@cal.com <sldisek783@gmail.com>
* fix: add missing hasDataErrors and dataErrors to bookings.errors mock
Co-Authored-By: benny@cal.com <sldisek783@gmail.com>
* fix: add missing loadingStates properties to bookings mock
Co-Authored-By: benny@cal.com <sldisek783@gmail.com>
* fix: add missing slots properties (setTentativeSelectedTimeslots, tentativeSelectedTimeslots, slotReservationId)
Co-Authored-By: benny@cal.com <sldisek783@gmail.com>
* fix: update quickAvailabilityChecks to include utcEndIso and use valid status type
Co-Authored-By: benny@cal.com <sldisek783@gmail.com>
* fix: add missing bookerForm properties (formName, beforeVerifyEmail, formErrors)
Co-Authored-By: benny@cal.com <sldisek783@gmail.com>
* fix: add missing UseFormReturn properties to bookerForm.bookingForm mock
Co-Authored-By: benny@cal.com <sldisek783@gmail.com>
* fix: add hasFormErrors and formErrors to bookerForm.formErrors mock
Co-Authored-By: benny@cal.com <sldisek783@gmail.com>
* fix: add hasFormErrors and formErrors to bookerForm.errors mock
Co-Authored-By: benny@cal.com <sldisek783@gmail.com>
* fix: add missing isError property to mockEvent
Co-Authored-By: benny@cal.com <sldisek783@gmail.com>
* fix: use complete BookerEvent mock in Booker.test.tsx
Co-Authored-By: benny@cal.com <sldisek783@gmail.com>
* fix: use branded bookingFields type in event mock
Co-Authored-By: benny@cal.com <sldisek783@gmail.com>
* fix: add missing schedule mock properties (isError, isSuccess, isLoading, dataUpdatedAt)
Co-Authored-By: benny@cal.com <sldisek783@gmail.com>
* revert
* fix
* fix
* fix
* fix build
* fix
* fix
* fix
* fix: correct AddMembersWithSwitch test wrapper to use initial assignAllTeamMembers value
- Fixed test wrapper to initialize useState with componentProps.assignAllTeamMembers
instead of hardcoded false, allowing tests to properly test different states
- Updated test expectations for ALL_TEAM_MEMBERS_ENABLED_AND_SEGMENT_NOT_APPLICABLE
state to match actual component behavior (toggle should be present and checked)
- Fixed 'should show Segment when toggled on' test to start with assignAllTeamMembers: false
to properly test the flow of enabling it
- Added explicit types to satisfy biome lint requirements
Co-Authored-By: benny@cal.com <sldisek783@gmail.com>
* fix: use JSX.Element instead of React.JSX.Element for type compatibility
Co-Authored-By: benny@cal.com <sldisek783@gmail.com>
---------
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
* chore(deps): update dependencies and add version constraints (#26390)
- Update sanitize-html to 2.17.0
- Remove unused Storybook dependencies from @calcom/ui
- Add resolutions for consistent dependency versions
- Clean up packageExtensions
* feat: add lightweight E2E session warmup page (#26451)
* feat: add lightweight E2E session warmup endpoint
- Add /api/__e2e__/session-warmup endpoint that triggers NextAuth session loading
- Update apiLogin fixture to use the new endpoint instead of navigating to /settings/my-account/profile
- The endpoint is gated by NEXT_PUBLIC_IS_E2E=1 (already set in playwright.config.ts)
- This reduces overhead in E2E tests by avoiding loading a full UI page just to warm up the session
Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>
* refactor: move session warmup endpoint to App Router
- Move /api/__e2e__/session-warmup from pages/api to app/api
- Use App Router patterns (NextResponse, buildLegacyRequest)
- Maintains same functionality for E2E session warming
Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>
* rename path
* refactor: switch from API route to minimal SSR page (Option 2)
- Replace /api/e2e/session-warmup API route with /e2e/session-warmup page
- Use App Router page pattern with getServerSession for session warmup
- Update apiLogin fixture to navigate to the page instead of API request
Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>
* revert users fixture but with a new url
* render nothing on success
* clean up
* trying something
* Revert "trying something"
This reverts commit 2ae2f7dcb42612e54eb072a9f09857272020889a.
---------
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: Keith Williams <keithwillcode@gmail.com>
* Disable noReactSpecificProps as we use react (#26479)
* fix(auth): fix SAML tenant extraction and validation (#26482)
- Extract tenant from userInfo in saml-idp (IdP-initiated)
- Add profile.requested?.tenant fallback for OAuth (SP-initiated)
- Block invalid tenant format in hosted (security)
* fix: atoms build by updating import paths (#26489)
* fix build
* fix build
* fix: "New" button sizing inconsistent between Workflows and Event Types pages (#26066)
* fix: consistent button sizing between fab and button variants on desktop
* fix: consistent button sizing between fab and button variants on desktop
* fix(ui): align New button sizing across pages
* fix: New button sizing inconsistent between Workflows and Event Types pages
* Update Button.tsx
* test: fix unit test flake (#25557)
* fix: revalidate teams cache after accepting invite via token
When a user accepts a team invite via token on the /teams page, the
teams cache was not being invalidated. This caused the page to show
stale data (empty list) while the sidebar correctly showed the teams.
This fix adds a call to revalidateTeamsList() after processing an
invite token, ensuring the cache is invalidated and fresh data is
fetched immediately.
Co-Authored-By: anik@cal.com <adhabal2002@gmail.com>
* fix: revalidate teams cache after creating team in onboarding flow
Co-Authored-By: anik@cal.com <adhabal2002@gmail.com>
* Remove comments on teams cache revalidation
Removed comments about revalidating teams cache after invite processing.
* fix unit test flake
* Remove unused import in useCreateTeam hook
Removed unused import for revalidateTeamsList.
* Remove unused import for revalidateTeamsList
---------
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
* chore: Add impersonation context support to booking audit (#26014)
## What does this PR do?
Adds infrastructure to track impersonation context in booking audit records and displays it in the UI. When an admin impersonates another user and performs booking actions, the audit system now:
- Records the **admin** as the actor (who actually performed the action)
- Stores the **impersonated user's UUID** in a separate `context` field
- Displays **"Impersonated By"** in the booking logs UI when viewing audit details
This separation ensures audit trail integrity (the admin is accountable) while preserving full context about whose account was being used.
### Changes
- Added `uuid` to `impersonatedBy` session object for actor identification
- Added `uuid` to top-level `User` type in next-auth types for session enrichment
- Added `context Json?` field to `BookingAudit` Prisma model
- Added `BookingAuditContextSchema` for type-safe context handling with `actingAsUserUuid` field
- Updated producer service interface and implementation to pass context through all queue methods
- Updated consumer service to persist context to database
- Updated repository to store and fetch context in BookingAudit records
- Added `impersonatedBy` field to `EnrichedAuditLog` type in `BookingAuditViewerService`
- Added `enrichImpersonationContext` method to resolve impersonated user details
- Updated booking logs UI to display "Impersonated By" in expanded details
- Added `impersonated_by` translation key
Link to Devin run: https://app.devin.ai/sessions/3f1252527aef4ead9401bdf055c0817b
Requested by: hariom@cal.com (@hariombalhara)
## Mandatory Tasks (DO NOT REMOVE)
- [x] I have self-reviewed the code (A decent size PR without self-review might be rejected).
- [x] I have updated the developer docs in /docs if this PR makes changes that would require a [documentation change](https://cal.com/docs). N/A - internal infrastructure change
- [ ] I confirm automated tests are in place that prove my fix is effective or that my feature works.
## How should this be tested?
1. Verify type checks pass: `yarn type-check:ci --force`
2. Verify existing audit tests still pass: `TZ=UTC yarn test`
3. To fully test impersonation context display:
- Have an admin impersonate a user
- Perform a booking action (create, cancel, reschedule)
- Navigate to the booking's audit logs
- Expand the details for the action
- Verify "Impersonated By" row appears showing the impersonated user's name
- Verify the BookingAudit record has:
- `actorId` pointing to the admin's AuditActor
- `context` containing `{ actingAsUserUuid: "<impersonated-user-uuid>" }`
## Human Review Checklist
- [ ] Verify the `context` field schema design is appropriate for future extensibility
- [ ] Confirm the `uuid` addition to User type in next-auth doesn't break existing auth flows
- [ ] Check that the optional `context` parameter doesn't break existing queue method callers
- [ ] Verify no migration file is needed (or if squashing is handled separately)
- [ ] Verify the UI displays "Impersonated By" correctly when impersonation context is present
- [ ] Confirm `enrichImpersonationContext` handles edge cases (null context, invalid context, deleted user)
## Checklist
- [x] My code follows the style guidelines of this project
- [x] I have commented my code, particularly in hard-to-understand areas
- [x] I have checked if my changes generate no new warnings
* perf: improve cal video webhook (#26495)
* perf: improve cal video webhook
* save format
* refactor: use errorMs
* chore: change API codeowner to Foundation (#26504)
* chore(auth): add error logging for saml-idp silent failures (#26484)
* chore(auth): add error logging for saml-idp silent failures
* chore(auth): add warn-level logging for saml-idp silent failures
* chore(auth): change 'No user found' log to warn level
* chore(auth): add warn-level logging for silent auth failures
- saml-idp authorize: credentials, code, token, userInfo, user lookup
- callbacks:signIn: account type, email, name, catch-all
- callbacks:jwt: unknown account type (info → warn)
- saml:profile: missing email from IdP
- getServerSession: user not found for valid token
* feat(api): add team event-types webhooks controller (#26449)
* feat(api): add team event-types webhooks controller
- Add TeamsEventTypesWebhooksController for managing webhooks on team event types
- Add IsTeamEventTypeWebhookGuard for authorization
- Add TeamEventTypeWebhooksService for business logic
- Register new controller in TeamsEventTypesModule
- Enable unsafeParameterDecoratorsEnabled in biome.json for NestJS support
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* test(api): add e2e tests for team event-types webhooks controller
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* fix(api): restrict team event-type webhooks to admins/owners only
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* fix(api): use regular imports instead of type imports for DI and DTOs
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* fix(api): use regular imports for DI in guard file
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* fix: circular depndency in modules
* delete teams in test
* fix roles guard
* fix biome
* fix guard
* resolve type import
* resolve review feedback
---------
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
* chore: remove Mintlify AI chat from CMD+K widget (#26485)
* chore: remove Mintlify AI chat from CMD+K widget
- Remove MintlifyChat component and related state from Kbar.tsx
- Delete packages/features/mintlify-chat directory (MintlifyChat.tsx, util.ts)
- Delete apps/web/app/api/mintlify-chat API routes and tests
- Delete packages/lib/server/mintlifyChatValidation.ts
- Remove Mintlify-related env vars from .env.example and turbo.json
- Refactor Kbar.tsx to fix lint issues (explicit types, exports at end)
Co-Authored-By: peer@cal.com <peer@cal.com>
* fix: use ReactNode import instead of JSX from react
The JSX type is not exported from 'react' module. Use the global
JSX.Element type (available in React projects) and import ReactNode
for the children prop type.
Co-Authored-By: peer@cal.com <peer@cal.com>
* feat: add all event-types and upcoming bookings to KBar
- Increase event types limit from 10 to 100 to show more event types
- Add useUpcomingBookingsAction hook to fetch and display upcoming bookings
- Bookings show title, date, and time in KBar search results
- Navigate to booking details page when selecting a booking
Co-Authored-By: peer@cal.com <peer@cal.com>
* Revert "feat: add all event-types and upcoming bookings to KBar"
This reverts commit 69d03397e3820e45e7207eb55b38117d269eae5e.
---------
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
* feat: update translations via @LingoDotDev (#26497)
Co-authored-by: Lingo.dev <support@lingo.dev>
* feat: implement FeatureOptInService (#25805)
* feat: implement FeatureOptInService WIP
* clean up
* feat: consolidate feature repositories and add updateFeatureForUser
- Implement updateFeatureForUser in FeaturesRepository (similar to updateFeatureForTeam)
- Move getUserFeatureState and getTeamFeatureState from PrismaFeatureOptInRepository to FeaturesRepository
- Update FeatureOptInService to use only FeaturesRepository
- Add setUserFeatureState and setTeamFeatureState methods to FeatureOptInService
- Update _router.ts to remove PrismaFeatureOptInRepository usage
- Remove PrismaFeatureOptInRepository.ts and FeatureOptInRepositoryInterface.ts
- Update features.repository.interface.ts and features.repository.mock.ts
- Add integration tests for updateFeatureForUser, getUserFeatureState, getTeamFeatureState
- Update service.integration-test.ts to use FeaturesRepository
Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>
* refactor: rename updateFeatureForUser to setUserFeatureState
Rename to match the convention used for setTeamFeatureState
Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>
* refactor: return FeatureState type from getUserFeatureState and getTeamFeatureState
* fix integration tests
* clean up logics
* update services and router
* refactor: change getUserFeatureState and getTeamFeatureState to accept featureIds array
- Renamed getUserFeatureState to getUserFeatureStates
- Renamed getTeamFeatureState to getTeamFeatureStates
- Changed parameter from featureId: string to featureIds: string[]
- Changed return type from FeatureState to Record<string, FeatureState>
- Updated FeatureOptInService to use the new batch methods
- Added tests for querying multiple features in a single call
- Optimized listFeaturesForTeam to fetch all feature states in one query
Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>
* feat: add getFeatureStateForTeams for batch querying multiple teams
- Added getFeatureStateForTeams method to query a single feature across multiple teams in one call
- Updated FeatureOptInService.resolveFeatureStateAcrossTeams to use the new batch method
- Replaces N+1 queries with a single database query for team states
- Added comprehensive integration tests for the new method
Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>
* refactor: combine org and team state queries into single call
- Include orgId in the teamIds array passed to getFeatureStateForTeams
- Extract org state and team states from the combined result
- Reduces database queries from 3 to 2 in resolveFeatureStateAcrossTeams
Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>
* refactor: use team.isOrganization and clarify computeEffectiveState comment
Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>
* refactor: use MembershipRepository.findAllByUserId with isOrganization
Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>
* feat: add featureId validation using isOptInFeature type guard
Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>
* less queries
* add fallback value
* fix type error
* move files
* add autoOptInFeatures column
* use autoOptInFeatures flag within FeatureOptInService
* add setUserAutoOptIn and setTeamAutoOptIn
* fix computeEffectiveState logic
* rewrite computeEffectiveState
* clean up integration tests
* clean up in afterEach
* fix type error
* refactor: use FeaturesRepository methods instead of direct Prisma calls
Replace all manual userFeatures and teamFeatures Prisma operations with
the new setUserFeatureState and setTeamFeatureState repository methods.
Changes include:
- Admin handlers (assignFeatureToTeam, unassignFeatureFromTeam)
- Test fixtures and integration tests
- Playwright fixtures
- Development scripts
This ensures consistent feature flag management through the repository
pattern and supports the new tri-state semantics (enabled/disabled/inherit).
Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>
* clean up
* fix the logic
* extract some logic into applyAutoOptIn()
* remove wrong code
* refactor: convert setUserFeatureState and setTeamFeatureState to object params with discriminated union
- Convert multiple positional parameters to single object parameter
- Use discriminated union types: assignedBy required for enabled/disabled, omitted for inherit
- Update all callers across repository, service, handlers, fixtures, and tests
* fix type error
* use Promise.all
* fix
---------
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
* feat: add organization banner to user profile page (#26514)
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
* feat: Hubspot write to meeting object (#26039)
* feat: Hubspot write to meeting object
* fix: translate hardcoded strings and remove debug console.log
Co-Authored-By: amit@cal.com <samit91848@gmail.com>
* refactor
* fix: improve static value detection for placeholder replacement
- Changed condition from startsWith/endsWith to includes('{') to properly detect embedded placeholders
- Strings like 'Hello {name}!' are now correctly processed for placeholder replacement
- Pure placeholder tokens that can't be resolved return null
- Partially resolved values are returned as-is
Co-Authored-By: amit@cal.com <samit91848@gmail.com>
* refactor: split WriteToObjectSettings into types and utils files
- Extract interfaces, enums, and type definitions to WriteToObjectSettings.types.ts
- Extract constants and utility functions to WriteToObjectSettings.utils.ts
- Update main component to use the new utility functions
- Improves code organization and maintainability
Co-Authored-By: amit@cal.com <samit91848@gmail.com>
* revert: restore original static value detection logic
Per user request - the startsWith/endsWith check was intentional
Co-Authored-By: amit@cal.com <samit91848@gmail.com>
* test: add unit tests for HubSpot CRM service
Tests cover:
- ensureFieldsExistOnMeeting: field validation against HubSpot properties
- getTextValueFromBookingTracking: UTM parameter extraction
- getTextValueFromBookingResponse: placeholder replacement
- getDateFieldValue: date field resolution for different date types
- getFieldValue: main field value resolution for all field types
- generateWriteToMeetingBody: write-to-meeting body generation
- getContacts: contact search functionality
Co-Authored-By: amit@cal.com <samit91848@gmail.com>
* fix: correct type errors in HubSpot CRM service tests
- Import WhenToWrite enum from crm-enums
- Replace string literals with WhenToWrite.EVERY_BOOKING enum values
- Add missing whenToWrite property to field config objects
Co-Authored-By: amit@cal.com <samit91848@gmail.com>
* fix: use type casting for intentional type errors in tests
- Cast numeric fieldValue to string for testing non-string handling
- Cast invalid field type string to CrmFieldType for testing unsupported types
Co-Authored-By: amit@cal.com <samit91848@gmail.com>
* fix: prevent unhandled promise rejections in HubSpot CRM tests
- Re-apply mockGetAppKeysFromSlug implementation in beforeEach to ensure
mock is always set correctly after clearAllMocks
- Change vi.resetAllMocks() to vi.clearAllMocks() to preserve mock
implementations between tests
- Add explicit types to satisfy biome lint rules
- This fixes the 'Cannot read properties of undefined (reading client_id)'
errors that were causing CI to fail with exit code 1
Co-Authored-By: amit@cal.com <samit91848@gmail.com>
* refactor: convert HubSpot tests to black-box testing through public methods
Co-Authored-By: amit@cal.com <samit91848@gmail.com>
* fix: properly type mock CalendarEvent in HubSpot tests
Co-Authored-By: amit@cal.com <samit91848@gmail.com>
* fix: properly type TFunction in mock CalendarEvent
Co-Authored-By: amit@cal.com <samit91848@gmail.com>
* chore: graceful owner fail test
* refactor
* fix: type check
* fix: remove null fields
* Update packages/app-store/hubspot/lib/CrmService.ts
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
---------
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
* docs: add DTO location and naming conventions to knowledge base (#26478)
* docs: add DTO location and naming conventions to knowledge base
Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>
* docs: clarify DTO location rules for new features vs refactored code
Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>
* docs: simplify DTO location - all DTOs go in packages/lib/dto/
Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>
---------
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
* refactor: convert PrismaAttributeToUserRepository to accept Prisma as dependency (#26515)
* refactor: convert PrismaAttributeToUserRepository to accept Prisma as dependency
Co-Authored-By: joe@cal.com <j.auyeung419@gmail.com>
* fix: use Prisma types from generated client instead of custom types
Co-Authored-By: joe@cal.com <j.auyeung419@gmail.com>
---------
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
* fix: handle existing users on invite token flow (#26217)
* fix(auth): validate user before signup with invite token
Validate if user already exists before creating account when
signing up with team or organization invite tokens. Existing users
are redirected to login to accept the invitation.
- Add user existence check in signup handlers
- Return 409 for existing users with redirect to login
- Extract signup fetch logic to dedicated module
- Add e2e test coverage
* fix(auth): address code review feedback
- Fix fetchSignup tests to use vi.spyOn for proper mock restoration
- Add content-type validation before parsing JSON response
- Guard against undefined error in Stripe callback
- Use t() for localized error message
- Fix race condition in handlers by catching P2002 on create
* fix(auth): address additional code review feedback
- Add INVALID_SERVER_RESPONSE constant to follow established pattern
- Check error.meta.target includes email before returning USER_ALREADY_EXISTS
to avoid false positives from other unique constraint violations
- Add select: { id: true } to user.create calls since downstream functions only
need the user id
* test: add unit tests for P2002 handling in signup handlers
- Add shared test suite covering all P2002 edge cases
- Ensure 409 only for email constraint violations
- Fix non-token paths to use atomic create + catch pattern
* fix: update error message copy per review feedback
* fix(auth): address code review feedback and prevent orphan Stripe customers
- Add user existence check before Stripe customer creation (token flow)
- Add select clause to user.create for consistency
- Fix showToast argument order (pre-existing bug)
- Use toHaveURL instead of waitForURL in E2E tests
* fix(auth): resolve 500 errors by fixing Prisma error detection across module boundaries
The instanceof check for PrismaClientKnownRequestError fails when different
Prisma client instances are loaded. Added fallback check by constructor name
* fix(auth): validate invitedTo before upsert on team invite signup
* test(auth): update P2002 tests for new invite flow
P2002 tests now use non-token flow since token flow uses upsert
Added tests for invitedTo validation on invite signup
* fix(auth): add guards and P2002 handling per review feedback
- Guard existingUser check with if (foundToken?.teamId)
- Guard username check with if (username) for premium flow
- Add `select` clause to findFirst/findUnique queries
- Add try-catch on upsert for race condition P2002 errors
* fix(auth): narrow P2002 handling to email/username targets
* chore: release v6.0.8
* fix: Support 10-digit phone numbers for Ivory Coast (+225) (#26465)
* fix: update ivory coast mask to 10 digits
* update formating for Benin numbers
---------
Co-authored-by: Dhairyashil Shinde <93669429+dhairyashiil@users.noreply.github.com>
Co-authored-by: Dhairyashil <dhairyashil10101010@gmail.com>
* fix(ci): use env vars for input interpolation in workflow run steps (#26520)
Co-authored-by: Alex van Andel <me@alexvanandel.com>
* refactor: use structured logger in video adapters (#26285)
- Remove debug console.log/console.error statements
- Add logger.debug for observability (meeting lifecycle events)
- Add logger.error with safe error pattern (message + name only)
- Fix error messages to avoid exposing response details
- Remove redundant try/catch blocks (errors propagate naturally)
* fix: validate owner email on platform org creation (#26286)
Remove isPlatform bypass from owner verification to ensure users can only create organizations where they are the designated owner. Add test coverage for create and intentToCreateOrg handlers:
- Regression tests for isPlatform bypass fix
- Happy path for admin creating org for another user
* perf: batch booking queries in output service (#25900)
Replace N sequential queries with single batch queries in:
- getOutputRecurringBookings
- getOutputRecurringSeatedBookings
Uses existing batch repository methods. Reduces database roundtrips
from O(n) to O(1) for recurring booking lookups
Co-authored-by: Morgan <33722304+ThyMinimalDev@users.noreply.github.com>
* Make booking-audit integration test utils reusable (#26526)
* fix: generate compliant passwords using meeting_password_requirement (#26148)
* fix(zoomvideo): generate compliant passwords using meeting_password_requirement
- Add meetingPasswordRequirementSchema to parse Zoom's password policy settings
- Implement validatePasswordAgainstRequirements() to check if a password meets the policy
- Implement generateCompliantPassword() to create passwords that comply with the policy
- Update translateEvent() to use getCompliantPassword() which validates the default password
or generates a new compliant one based on meeting_password_requirement
- Add meeting_password_requirement to the settings API filter
- Improve error handling for non-JSON responses in OAuthManager (XML validation errors)
This fixes the frequent 'Error in JSON parsing Zoom API response' errors caused by
Zoom returning XML validation errors when the password doesn't comply with the
account's password policy (e.g., numeric-only requirement).
Co-Authored-By: anik@cal.com <adhabal2002@gmail.com>
* refactor: use cleaner single-pass consecutive character check
- Replace nested-loop O(n*k) implementation with single-pass O(n) helper
- Add proper guard for consecutiveLength < 4 (Zoom allows 0, 4-8)
- Move consecutive check before only_allow_numeric to apply it for all cases
- Fix edge-case bug where consecutiveLength 1-3 could incorrectly reject passwords
Co-Authored-By: anik@cal.com <adhabal2002@gmail.com>
* Optimize OAuth response handling
Refactor OAuth response validation to read body only once.
* Improve error handling in Zoom API response parsing
Refactor error handling for Zoom API response parsing to improve logging and clarity.
* Improve compliant password generation logic
Enhance password generation to avoid consecutive characters when numeric only is required.
* Remove password requirement handling from VideoApiAdapter
Removed meeting password requirement schema and related functions for password validation and generation.
---------
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
* refactor: Clean up the /tests in the root (#26525)
* refactor: Delete mockTRPCContext and mockData, and relocate mockStripeSubscription to stripe mock.
* chore: Delete unused Stripe, video client, and reminder scheduler mock files.
* feat(companion): UI Enhancements for Android and Extension (#26434)
* feat: companion-android-ui-upgrade version 1
* recurrings and unconfirmed booking filter and page implementation
* add badge and links to event type list page
* address cubics comments
* feat(companion): unify dropdown menu for Android and extension (#26486)
* feat(companion): unify dropdown menu for Android and extension
- Merge Android-specific dropdown implementations into base component files
- EventTypeListItem: Add DropdownMenu with Preview, Copy link, Edit, Duplicate, Delete actions
- BookingListItem: Add DropdownMenu with booking actions (reschedule, edit location, add guests, etc.)
- RecurringBookingListItem: Add DropdownMenu with recurring booking actions
- AvailabilityListItem: Add DropdownMenu with Set as Default, Duplicate, Delete actions
- BookingDetailScreen: Add DropdownMenu in header for Android with AlertDialog for cancel confirmation
- Delete all .android.tsx files as implementations are now unified
* fix(companion): fix typecheck errors after dropdown unification
- Remove unused props from EventTypeListItem.ios.tsx (copiedEventTypeId, handleEventTypeLongPress)
- Remove unused onActionsPress prop from BookingListItem.ios.tsx
- Remove copiedEventTypeId and handleEventTypeLongPress props from index.ios.tsx and index.tsx
- Remove onLongPress and onActionsPress props from BookingListScreen.tsx
- Remove handleScheduleLongPress, setSelectedSchedule, setShowActionsModal props from AvailabilityListScreen.tsx
- Fix BookingDetailScreen.tsx to use correct action property names (reschedule.visible instead of canReschedule, etc.)
* fix(companion): remove unused code after dropdown unification
- Remove unused handleEventTypeLongPress function and ActionSheetIOS import from index.ios.tsx
- Remove unused copiedEventTypeId state, handleEventTypeLongPress function, and ActionSheetIOS import from index.tsx
- Prefix unused setSelectedBooking with underscore in BookingListScreen.tsx
- Remove unused handleScheduleLongPress function and ActionSheetIOS import from AvailabilityListScreen.tsx
* feat(companion): unify booking filter UI for Android and extension
- Remove SegmentedControl from web/extension booking list page
- Use Header dropdown for booking status filter on both Android and web
- Use unified event type filter dropdown for both platforms
- Remove unused showFilterModal state and related code
- Pass filterOptions, activeFilter, and onFilterChange to Header for all platforms
* fix(companion): add header padding for web/extension to prevent button clipping
- Add headerLeftContainerStyle and headerRightContainerStyle with 12px padding for web platform
- Applied to root Stack and all nested tab Stack layouts
- Fixes issue where header buttons were touching edges and getting chopped off on extension/web
- Android remains unaffected as the fix is web-only
* fix(companion): add HeaderButtonWrapper for web-only header padding
- Create HeaderButtonWrapper component that adds 12px margin on web only
- Wrap all header buttons with HeaderButtonWrapper to prevent clipping
- Revert invalid screenOptions changes that caused typecheck errors
- Apply fix to all screens with native header buttons:
- reschedule.tsx, edit-location.tsx, add-guests.tsx
- mark-no-show.tsx, view-recordings.tsx, meeting-session-details.tsx
- event-type-detail.tsx, BookingDetailScreen.tsx, profile-sheet.tsx
- edit-availability-day.tsx, edit-availability-name.tsx, edit-availability-override.tsx
* update more ui-ux
* address cubics comments
* address cubics comments & open event type list page first for inttial render of app
* chore: Integrate booking cancellation audit (#26458)
## What does this PR do?
> **⚠️ Note: This PR does not enable booking audit in production.** The `BookingAuditTaskerProducerService` has an [`IS_PRODUCTION` guard](https://github.com/calcom/cal.com/blob/integrate-booking-creation-reschedule-audit/packages/features/booking-audit/lib/service/BookingAuditTaskerProducerService.ts#L106-L108) that skips audit task queueing in production environments. This allows the integration to be tested in development before enabling it in production.
Integrates audit logging for booking cancellations, following the pattern established in PR #26046 for booking creation/rescheduling audit.
- Related to #25125 (Booking Audit Infrastructure)
### Changes:
- Add audit logging for single booking cancellation via `onBookingCancelled`
- Add audit logging for bulk recurring booking cancellation via `onBulkBookingsCancelled`
- Pass `userUuid` and `actionSource` from webapp cancel route (WEBAPP)
- Pass `userUuid` and `actionSource` from API-v2 bookings service (API_V2)
- Create `getAuditActor` helper to derive actor from userUuid or create synthetic guest actor
- Add `getUniqueIdentifier` helper for generating unique actor identifiers
- Add warning log when `actionSource` is "UNKNOWN" for observability
- Add integration tests for booking cancellation audit
### Audit Data Captured:
- `cancellationReason` (simple string value)
- `cancelledBy` (simple string value)
- `status` (old → new, e.g., "ACCEPTED" → "CANCELLED")
### Updates since last revision:
- Simplified `CancelledAuditActionService` schema: `cancellationReason` and `cancelledBy` are now stored as simple nullable strings instead of change objects (old/new), since cancellation is a one-time event where tracking previous values doesn't apply
- Added integration tests for cancelled booking audit in `booking-audit-cancelled.integration-test.ts`
- Added `getUniqueIdentifier` helper function in actor.ts for generating unique identifiers with prefixes
## Mandatory Tasks (DO NOT REMOVE)
- [x] I have self-reviewed the code (A decent size PR without self-review might be rejected).
- [x] I have updated the developer docs in /docs if this PR makes changes that would require a [documentation change](https://cal.com/docs). N/A - no documentation changes needed.
- [ ] I confirm automated tests are in place that prove my fix is effective or that my feature works.
## How should this be tested?
1. Cancel a single booking via the webapp - verify audit record is created with actor and actionSource="WEBAPP"
2. Cancel a single booking via API v2 - verify audit record is created with actionSource="API_V2"
3. Cancel all remaining bookings in a recurring series - verify bulk audit records are created with shared operationId
4. Cancel via unauthenticated cancel link - verify guest actor is created with synthetic email (prefixed with "param-" or "fallback-")
5. Run integration tests: `yarn test packages/features/booking-audit/lib/service/__tests__/booking-audit-cancelled.integration-test.ts`
## Human Review Checklist
- [ ] Verify `onBookingCancelled` and `onBulkBookingsCancelled` methods exist in `BookingEventHandlerService`
- [ ] Review the `getAuditActor` fallback logic - creates synthetic email with "fallback-" or "param-" prefix when no userUuid available
- [ ] Confirm the simplified schema for `cancellationReason`/`cancelledBy` (no longer tracking old→new) is intentional
- [ ] Note: Audit logging calls are awaited directly - if audit service fails, the cancellation will fail. Confirm this is the desired behavior.
- [ ] Verify `CancelledAuditDisplayData` type no longer includes `previousReason` and `previousCancelledBy` fields
---
Link to Devin run: https://app.devin.ai/sessions/42404e76a66946fe9e46fa07fb12e779
Requested by: @hariombalhara (hariom@cal.com)
* feat: OAuth2 controller api v2 + refactor oAuth Trpc handlers (#25989)
* feat(api-v2): add OAuth2 controller skeleton for auth module
- Add new OAuth2 module under /auth with controller, service, repository, and DTOs
- Implement skeleton endpoints:
- GET /v2/auth/oauth2/clients/:clientId - Get OAuth client info
- POST /v2/auth/oauth2/clients/:clientId/authorize - Generate authorization code
- POST /v2/auth/oauth2/clients/:clientId/exchange - Exchange code for tokens
- POST /v2/auth/oauth2/clients/:clientId/refresh - Refresh access token
- Create input DTOs for authorize, exchange, and refresh operations
- Create output DTOs for client info, authorization code, and tokens
- Register OAuth2Module in endpoints.module.ts
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* chore: add missing functions to platform libraries
* feat(api-v2): integrate OAuthService from platform-libraries into OAuth2 controller
- Add OAuthService export to platform-libraries
- Refactor OAuth2Service to use OAuthService.validateClient() and OAuthService.verifyPKCE()
- Remove duplicate local implementations of validateClient and verifyPKCE methods
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* feat(api-v2): use local validateClient and verifyPKCE implementations
- Remove OAuthService export from platform-libraries (will be deprecated)
- Reimplement validateClient and verifyPKCE methods locally in OAuth2Service
- Use verifyCodeChallenge and generateSecret from platform-libraries directly
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* refactor(api-v2): separate repositories for OAuth2, access codes, and teams
- Create AccessCodeRepository for access code Prisma operations
- Add findTeamBySlugWithAdminRole method to TeamsRepository
- Move generateAuthorizationCode, createTokens, verifyRefreshToken to OAuth2Service
- Update OAuth2Repository to only contain OAuth client operations
- Update OAuth2Module to import TeamsModule and provide AccessCodeRepository
Addresses PR review comments to properly separate concerns
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* feat(api-v2): implement JWT token creation and verification for OAuth2
- Implement createTokens method using jsonwebtoken to sign access and refresh tokens
- Implement verifyRefreshToken method to verify JWT refresh tokens
- Add ConfigService injection for CALENDSO_ENCRYPTION_KEY access
- Import ConfigModule in OAuth2Module for dependency injection
Based on logic from apps/web/app/api/auth/oauth/token/route.ts and
apps/web/app/api/auth/oauth/refreshToken/route.ts
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* fix: refactor and dayjs import fix
* feat(api-v2): add ApiAuthGuard to getClient endpoint and e2e tests for OAuth2
- Add @UseGuards(ApiAuthGuard) to getClient endpoint for authentication
- Add comprehensive e2e tests for all OAuth2 endpoints:
- GET /v2/auth/oauth2/clients/:clientId
- POST /v2/auth/oauth2/clients/:clientId/authorize
- POST /v2/auth/oauth2/clients/:clientId/exchange
- POST /v2/auth/oauth2/clients/:clientId/refresh
- Tests cover happy paths and error cases (invalid client, invalid code, etc.)
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* chore(api-v2): hide OAuth2 endpoints from Swagger documentation
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* hide endpoints from doc
* fix(api-v2): address PR feedback for OAuth2 controller
- Fix P0 critical bug: token_type field name mismatch in DecodedRefreshToken interface
- Add @Equals('authorization_code') validation to exchange.input.ts grantType
- Add @Equals('refresh_token') validation to refresh.input.ts grantType
- Add @IsNotEmpty() validation to get-client.input.ts clientId
- Add @Expose() decorators to all output DTOs for proper serialization
- Add security test assertion to verify clientSecret is not returned in response
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* feat(api-v2): implement redirect behavior for OAuth2 authorize endpoint
- Update authorize endpoint to return HTTP 303 redirect with authorization code
- Add exact match validation for redirect URI (security requirement)
- Implement error handling with redirect to redirect URI and error query params
- Add state parameter support for CSRF protection
- Update e2e tests to verify redirect behavior (303 status, Location header, error redirects)
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* refactor(api-v2): address PR feedback for OAuth2 authorize endpoint
- Make redirectUri a required input parameter (remove optional fallback)
- Move buildRedirectUrl and mapErrorToOAuthError to oauth2Service
- Add return statements to res.redirect() calls
- Simplify controller by delegating redirect URL building to service
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* wip move code outside of api v2
* feat(oauth): wire up dependency injection for OAuthService and repositories
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* refactor: oAuthService used in routes
* fix imports
* fix(api-v2): return 404 for invalid client ID instead of redirect in authorize endpoint
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* fix(api-v2): fix E2E test URL paths and remove bootstrap() in authenticated section
- Remove bootstrap() call in authenticated section to match working test pattern
- Change URL paths from /api/v2/... to /v2/... in authenticated section
- Keep bootstrap() and /api/v2/... paths in unauthenticated section
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* fix(api-v2): mock getToken from next-auth/jwt for E2E tests
- Add jest.mock for next-auth/jwt getToken function
- Mock returns null for unauthenticated tests
- Mock returns { email: userEmail } for authenticated tests
- Remove withNextAuth helper since ApiAuthGuard uses ApiAuthStrategy
which calls getToken directly, not NextAuthStrategy
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* fix tests and code review
* cleanup generate secrets
* cleanup controller
* chore: remove console.log from OAuthService.validateClient
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* Update apps/web/app/api/auth/oauth/refreshToken/route.ts
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
* fix(api-v2): add bootstrap() to authenticated E2E tests and update URL paths to /api/v2/
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* Merge remote-tracking branch 'origin/devin/oauth2-controller-skeleton-1765988792' and remove console.log from token route
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* chore: remove dead code
* refactor
* refactor: generateAuthCode trpc handler and getClient trpc handler
* remove pkce check for refreshToken endpoint
* Update packages/trpc/server/routers/viewer/oAuth/getClient.handler.ts
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
* refactor: error handling
* refactor: error handling
* refactor: error handling
* remove console log
* provide redirectUri in generateAuthCodeHandler
* provide redirectUri in authorize view
* refactor: replace HttpError with ErrorWithCode in OAuth files
- Update OAuthService to use ErrorWithCode instead of HttpError
- Update mapErrorToOAuthError to check ErrorCode instead of status codes
- Update token/route.ts and refreshToken/route.ts to use ErrorWithCode
- Add ErrorWithCode export to platform-libraries
- Use getHttpStatusCode to map ErrorCode to HTTP status codes
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* fix: update generateAuthCode handler to use ErrorWithCode instead of HttpError
The handler was still checking for HttpError in its catch block, but OAuthService
now throws ErrorWithCode. This caused the error messages to be lost and replaced
with 'server_error' instead of the specific error messages.
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* fix: update OAuth2 controller to use ErrorWithCode instead of HttpError
The controller was still checking for HttpError in its catch blocks, but OAuthService
now throws ErrorWithCode. This caused all errors to return 500 Internal Server Error
instead of the correct HTTP status codes (400, 401, 404).
Also added getHttpStatusCode export to platform-libraries.
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* fix: add explicit unknown type annotation to catch blocks in OAuth2 controller
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* fix: change NotFoundException to HttpException in authorize endpoint
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* fix: handle err with ErrorWithCode in authorize endpoint catch block
Co-Authored-By: morgan@cal.com <morgan@cal.com>
* fix: move errorWithCode
* fix: error code rfc
* fix: no need to handle errors there is a middleware
* refactor errors
* refactor errors
* refactor redirecturi and state from api
* refactor: address PR comments for OAuth2 controller
- Remove unused GetOAuth2ClientInput class
- Change API tag from 'Auth / OAuth2' to 'OAuth2'
- Move OAuthClientFixture to separate fixture file (oauth2-client.repository.fixture.ts)
- Add 'type' property to OAuth2ClientDto for confidential/public client type
- Rename 'clientId' to 'id' in OAuth2ClientDto (using @Expose mapping)
- Clean up duplicate provider declaratio…
Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>
Udit-takkar
previously approved these changes
Jan 14, 2026
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>
Udit-takkar
approved these changes
Jan 14, 2026
volnei
approved these changes
Jan 14, 2026
volnei
deleted the
09-30-chore_inject_repositories_instead_of_prisma_in_canellation_flow
branch
This was referenced Jan 21, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do?
This PR refactors the booking cancellation flow (
handleCancelBooking.ts) to use the repository pattern with dependency injection instead of direct Prisma client usage. This is part of a broader architectural improvement to make the codebase more modular and testable.Key Changes:
Repositories Added/Modified:
PrismaBookingAttendeeRepository- handles attendee deletion operationsBookingReferenceRepository- handles booking reference cleanupProfileRepository- handles profile lookupsBookingRepository- extended with cancellation-specific methodsUpdates since last revision
onBookingCancelledcall - Removed an accidental duplicate call tobookingEventHandlerService.onBookingCancelled()that was introduced during merge conflict resolution. The audit event is now correctly triggered only once per booking cancellation.How should this be tested?
Environment Setup:
Test Scenarios:
Expected Behavior:
Critical Review Areas
Repository method implementations - Verify that each new repository method exactly replicates the original Prisma behavior, including:
Transaction behavior - Ensure the repository abstraction doesn't break any implicit transaction boundaries from the original code
Conditional logic simplification - The PR changes from
uid ? { uid } : { id }to always usingbookingToDelete.uid- verify this is safe for all booking typesDependency injection setup - Review the module bindings and ensure all dependencies are correctly wired
Fallback path consistency - The code maintains dual paths (repository vs direct Prisma) - ensure they remain in sync
Mandatory Tasks (DO NOT REMOVE)
Link to Devin run: https://app.devin.ai/sessions/469183c6bfa54d5d8f4b69873c2e8b6a
Requested by: @hariombalhara