
fix: correct API key prefix config key inconsistency#24336

Closed
ascender1729 wants to merge 1 commit into calcom:main from ascender1729:fix/api-key-prefix-config-23683

Conversation

@ascender1729

Summary

Fixes #23683 - Resolves 401 Unauthorized errors when using API keys with the /v2/bookings endpoint.

This PR fixes a critical configuration key inconsistency that was causing API key authentication failures, particularly affecting the Elevenlabs integration and all other API users.

Root Cause

The configuration file (apps/api/v2/src/config/app.ts) defines the API key prefix as api.keyPrefix, but multiple authentication files were incorrectly referencing api.apiKeyPrefix (a non-existent config key).

When config.get("api.apiKeyPrefix") was called, it returned undefined, causing the code to fall back to the hardcoded default "cal_". While this works for the default case, it creates a critical inconsistency:

  1. API key detection uses config.get("api.apiKeyPrefix") → returns undefined → falls back to "cal_"
  2. API key stripping uses config.get("api.keyPrefix") → returns the actual configured value (e.g., custom prefix from API_KEY_PREFIX env var)
  3. This mismatch causes incorrect hash computation
  4. Database lookup fails
  5. Authentication returns 401 Unauthorized

Changes

Updated all occurrences from api.apiKeyPrefix to api.keyPrefix in:

  • apps/api/v2/src/modules/auth/strategies/api-auth/api-auth.strategy.ts (2 occurrences)
  • apps/api/v2/src/ee/bookings/2024-04-15/controllers/bookings.controller.ts (1 occurrence)
  • apps/api/v2/src/ee/bookings/2024-08-13/services/input.service.ts (1 occurrence)
  • apps/api/v2/src/modules/auth/guards/permissions/permissions.guard.ts (1 occurrence)
  • apps/api/v2/src/modules/auth/guards/permissions/permissions.guard.spec.ts (1 test occurrence)

Total: 5 files changed, 6 insertions(+), 6 deletions(-)

Test Plan

  • Verified all instances of api.apiKeyPrefix have been replaced with api.keyPrefix
  • Confirmed the correct config key matches apps/api/v2/src/config/app.ts line 18
  • Ran yarn install to resolve workspace dependencies
  • All authentication code paths now use consistent config key

Impact

  • Severity: High (critical authentication failure)
  • Affected Users: All API users using API keys, especially Elevenlabs integration
  • Category: Bug fix - Authentication
  • API Version: v2

Evidence

From issue #23683:

  • User confirmed /v2/slots endpoint worked with their API key
  • Same API key failed on /v2/bookings with 401 error
  • This PR fixes the root cause by ensuring config key consistency

Related: #23683

…eyPrefix

Fixes calcom#23683

This fixes a critical authentication bug where API key validation was failing with 401 Unauthorized errors.

Root Cause:
The configuration file (apps/api/v2/src/config/app.ts) defines the API key prefix as api.keyPrefix, but multiple authentication files were incorrectly referencing api.apiKeyPrefix.

When config.get("api.apiKeyPrefix") was called, it returned undefined, causing the code to fall back to the default "cal_" prefix. However, if a custom API_KEY_PREFIX environment variable was configured, this inconsistency between the check and strip operations would cause:
1. API key detection to use default "cal_" prefix
2. API key stripping to use the actual configured prefix
3. Mismatched hash computation
4. Database lookup failure
5. 401 Unauthorized error

Changes:
- Updated api-auth.strategy.ts (2 occurrences)
- Updated bookings.controller.ts for 2024-04-15 API
- Updated input.service.ts for 2024-08-13 API
- Updated permissions.guard.ts
- Updated permissions.guard.spec.ts test file

All now correctly use api.keyPrefix to match the configuration schema.

Impact:
Resolves 401 errors for Elevenlabs integration and all other API users attempting to use the /v2/bookings endpoint with API keys.
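The five-step failure chain in the description and the commit message above, reproduced as an added, self-contained model (not cal.com's code): a dotted-path config lookup that silently returns undefined for the non-existent `api.apiKeyPrefix` key, an `isApiKey`/`stripApiKey` pair reading their prefix from two different keys, and a SHA-256 hash checked against a constructed in-memory stand-in for the api_key table. `loadConfig`, `getConfig`, `authenticate`, the `acme_` prefix, the key body and the user ids are all assumptions made for the example; the real project's helpers and storage are not reproduced here. The model returns 401 at whichever step the mismatch first breaks.

```typescript
// Added example: models the config-key mismatch from PR #24336. None of this is cal.com's own code;
// loadConfig, getConfig, authenticate and the sample values are hypothetical stand-ins.
import { createHash } from "crypto";

type AppConfig = { api: { keyPrefix: string } };

// Shape only: the prefix is taken from API_KEY_PREFIX and defaults to "cal_", as the PR description states.
function loadConfig(env: Record<string, string | undefined>): AppConfig {
  return { api: { keyPrefix: env.API_KEY_PREFIX ?? "cal_" } };
}

// Dotted-path lookup; a key that does not exist yields undefined rather than an error,
// which is why the wrong key went unnoticed on deployments using the default prefix.
function getConfig(config: AppConfig, path: string): string | undefined {
  let node: unknown = config;
  for (const part of path.split(".")) {
    if (typeof node !== "object" || node === null || !(part in node)) return undefined;
    node = (node as Record<string, unknown>)[part];
  }
  return typeof node === "string" ? node : undefined;
}

function isApiKey(token: string, prefix: string): boolean {
  return token.startsWith(prefix);
}

function stripApiKey(token: string, prefix: string): string {
  return token.startsWith(prefix) ? token.slice(prefix.length) : token;
}

// Assumption for the model: the stored value is a hash of the key body with the prefix removed.
function hashApiKey(keyBody: string): string {
  return createHash("sha256").update(keyBody).digest("hex");
}

type AuthResult = { status: 200; userId: number } | { status: 401; reason: string };

// One authentication pass, parameterised by the config key each call site reads.
function authenticate(
  token: string,
  config: AppConfig,
  store: Map<string, number>, // constructed stand-in for the api_key table: hashedKey -> userId
  detectKey: string,
  stripKey: string
): AuthResult {
  const detectPrefix = getConfig(config, detectKey) ?? "cal_"; // the hardcoded fallback from the description
  const stripPrefix = getConfig(config, stripKey) ?? "cal_";
  if (!isApiKey(token, detectPrefix)) {
    return { status: 401, reason: "token not recognised as an API key; would take the access-token path" };
  }
  const hashed = hashApiKey(stripApiKey(token, stripPrefix));
  const userId = store.get(hashed);
  return userId === undefined
    ? { status: 401, reason: "no api_key row matches the computed hash" }
    : { status: 200, userId };
}

// Constructed scenario: a deployment with a custom prefix and one key issued under it.
const customConfig = loadConfig({ API_KEY_PREFIX: "acme_" });
const issuedKeyBody = "k7Yt3example";
const issuedToken = `acme_${issuedKeyBody}`;
const keyStore = new Map<string, number>([[hashApiKey(issuedKeyBody), 42]]);

// Detection reads the non-existent key (falls back to "cal_"), stripping reads the real one: 401.
function beforeFix(): AuthResult {
  return authenticate(issuedToken, customConfig, keyStore, "api.apiKeyPrefix", "api.keyPrefix");
}

// Both call sites read api.keyPrefix: the key authenticates.
function afterFix(): AuthResult {
  return authenticate(issuedToken, customConfig, keyStore, "api.keyPrefix", "api.keyPrefix");
}

// With the default prefix the wrong key and the right key agree, so the bug stays hidden there.
function defaultPrefixBeforeFix(): AuthResult {
  const body = "abc";
  const defaultStore = new Map<string, number>([[hashApiKey(body), 7]]);
  return authenticate(`cal_${body}`, loadConfig({}), defaultStore, "api.apiKeyPrefix", "api.keyPrefix");
}

console.log("custom prefix, before fix:", beforeFix());
console.log("custom prefix, after fix: ", afterFix());
console.log("default prefix, before fix:", defaultPrefixBeforeFix());
```

The third function is the reason a regression test for this class of bug should run with a non-default API_KEY_PREFIX: under the default prefix every call site agrees and the spec file would pass whichever key it mocked.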
@ascender1729 ascender1729 requested a review from a team as a code owner October 7, 2025 18:57
@vercel

vercel bot commented Oct 7, 2025

@ascender1729 is attempting to deploy a commit to the cal Team on Vercel.

A member of the Team first needs to authorize it.

@CLAassistant

CLAassistant commented Oct 7, 2025

CLA assistant check
All committers have signed the CLA.

@github-actions github-actions bot added api area: API, enterprise API, access token, OAuth Low priority Created by Linear-GitHub Sync 🐛 bug Something isn't working labels Oct 7, 2025
@graphite-app graphite-app bot added the community Created by Linear-GitHub Sync label Oct 7, 2025
@graphite-app graphite-app bot requested a review from a team October 7, 2025 18:57
@coderabbitai
Contributor

coderabbitai bot commented Oct 7, 2025

Walkthrough

This change replaces the configuration key used to read the API key prefix from api.apiKeyPrefix to api.keyPrefix across API-key authentication paths. Updates occur in bookings.controller.ts (owner ID resolution), input.service.ts (API key stripping/hashing and OAuth fallback), permissions.guard.ts and its spec (config lookup), and api-auth.strategy.ts (bearer token classification). The logic for detecting API keys via isApiKey, stripping the prefix, and proceeding with existing control flow remains unchanged. In permissions.guard.ts, the prefix defaults to "cal_".


Pre-merge checks and finishing touches

✅ Passed checks (5 passed)
Check name Status Explanation
Title Check ✅ Passed The title succinctly describes the main change, namely correcting the API key prefix config key inconsistency, and directly relates to the code modifications without extraneous information.
Linked Issues Check ✅ Passed The pull request replaces all incorrect references to api.apiKeyPrefix with the correct api.keyPrefix in the authentication and bookings code, directly addressing the root cause and restoring API key authentication for booking endpoints as described in issue #23683.
Out of Scope Changes Check ✅ Passed All changes exclusively update config key references in authentication and booking code paths consistent with the linked issue objectives, and no unrelated or extraneous code modifications are present.
Description Check ✅ Passed The description thoroughly explains the root cause, the specific configuration mismatch, the files and occurrences updated, and provides a clear test plan with evidence, demonstrating it directly relates to the changeset.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between c702da0 and 5477483.

📒 Files selected for processing (5)
  • apps/api/v2/src/ee/bookings/2024-04-15/controllers/bookings.controller.ts (1 hunks)
  • apps/api/v2/src/ee/bookings/2024-08-13/services/input.service.ts (1 hunks)
  • apps/api/v2/src/modules/auth/guards/permissions/permissions.guard.spec.ts (1 hunks)
  • apps/api/v2/src/modules/auth/guards/permissions/permissions.guard.ts (1 hunks)
  • apps/api/v2/src/modules/auth/strategies/api-auth/api-auth.strategy.ts (2 hunks)
🧰 Additional context used
📓 Path-based instructions (4)
**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/review.mdc)

**/*.ts: For Prisma queries, only select data you need; never use include, always use select
Ensure the credential.key field is never returned from tRPC endpoints or APIs

Files:

  • apps/api/v2/src/modules/auth/guards/permissions/permissions.guard.spec.ts
  • apps/api/v2/src/ee/bookings/2024-08-13/services/input.service.ts
  • apps/api/v2/src/ee/bookings/2024-04-15/controllers/bookings.controller.ts
  • apps/api/v2/src/modules/auth/guards/permissions/permissions.guard.ts
  • apps/api/v2/src/modules/auth/strategies/api-auth/api-auth.strategy.ts
**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/review.mdc)

Flag excessive Day.js use in performance-critical code; prefer native Date or Day.js .utc() in hot paths like loops

Files:

  • apps/api/v2/src/modules/auth/guards/permissions/permissions.guard.spec.ts
  • apps/api/v2/src/ee/bookings/2024-08-13/services/input.service.ts
  • apps/api/v2/src/ee/bookings/2024-04-15/controllers/bookings.controller.ts
  • apps/api/v2/src/modules/auth/guards/permissions/permissions.guard.ts
  • apps/api/v2/src/modules/auth/strategies/api-auth/api-auth.strategy.ts
**/*.{ts,tsx,js,jsx}

⚙️ CodeRabbit configuration file

Flag default exports and encourage named exports. Named exports provide better tree-shaking, easier refactoring, and clearer imports. Exempt main components like pages, layouts, and components that serve as the primary export of a module.

Files:

  • apps/api/v2/src/modules/auth/guards/permissions/permissions.guard.spec.ts
  • apps/api/v2/src/ee/bookings/2024-08-13/services/input.service.ts
  • apps/api/v2/src/ee/bookings/2024-04-15/controllers/bookings.controller.ts
  • apps/api/v2/src/modules/auth/guards/permissions/permissions.guard.ts
  • apps/api/v2/src/modules/auth/strategies/api-auth/api-auth.strategy.ts
**/*.{service,repository}.ts

📄 CodeRabbit inference engine (.cursor/rules/review.mdc)

Avoid dot-suffixes like .service.ts or .repository.ts for new files; reserve .test.ts, .spec.ts, .types.ts for their specific purposes

Files:

  • apps/api/v2/src/ee/bookings/2024-08-13/services/input.service.ts
🧬 Code graph analysis (4)
apps/api/v2/src/ee/bookings/2024-08-13/services/input.service.ts (1)
apps/api/v2/src/lib/api-key/index.ts (1)
  • isApiKey (5-6)
apps/api/v2/src/ee/bookings/2024-04-15/controllers/bookings.controller.ts (1)
apps/api/v2/src/lib/api-key/index.ts (1)
  • isApiKey (5-6)
apps/api/v2/src/modules/auth/guards/permissions/permissions.guard.ts (1)
apps/api/v2/src/lib/api-key/index.ts (1)
  • isApiKey (5-6)
apps/api/v2/src/modules/auth/strategies/api-auth/api-auth.strategy.ts (1)
apps/api/v2/src/lib/api-key/index.ts (1)
  • isApiKey (5-6)
⏰ Context from checks skipped due to timeout of 180000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Tests / Unit
  • GitHub Check: Type check / check-types
  • GitHub Check: Linters / lint
🔇 Additional comments (6)
apps/api/v2/src/modules/auth/strategies/api-auth/api-auth.strategy.ts (1)

91-91: LGTM! Config key corrected for API key detection.

The changes correctly replace api.apiKeyPrefix with api.keyPrefix, fixing the authentication failure. Both isApiKey invocations now use the correct config key that matches the actual configuration definition.

Also applies to: 219-219

apps/api/v2/src/modules/auth/guards/permissions/permissions.guard.spec.ts (1)

27-27: LGTM! Test mock updated to match production code.

The mock configuration was correctly updated to use api.keyPrefix, ensuring test alignment with the actual implementation in permissions.guard.ts.

apps/api/v2/src/ee/bookings/2024-04-15/controllers/bookings.controller.ts (1)

387-391: LGTM! Critical fix for API key authentication.

This change corrects the config key mismatch that was causing the 401 errors. Previously, isApiKey on line 387 used the wrong key (fell back to "cal_"), while stripApiKey on line 388 used the correct key. This mismatch caused incorrect hash computation and DB lookup failures.

apps/api/v2/src/modules/auth/guards/permissions/permissions.guard.ts (1)

39-39: LGTM! Config key corrected in permissions guard.

The change ensures consistent API key detection with the correct config key, aligning with the authentication strategy and other components.

apps/api/v2/src/ee/bookings/2024-08-13/services/input.service.ts (2)

683-687: LGTM! Critical fix for API key authentication.

This resolves the same config key mismatch that was causing 401 errors. The isApiKey check now uses the correct config key, ensuring consistency with the stripApiKey operation on line 684.


683-687: No remaining references to the old config key. All instances of api.apiKeyPrefix have been replaced with api.keyPrefix.



@anikdhabal
Contributor

@ascender1729 add a before and after result

@dhairyashiil
Member

@ascender1729 add a before and after result

Until then marking it as draft

@dhairyashiil dhairyashiil marked this pull request as draft October 9, 2025 21:24
@github-actions
Contributor

This PR is being marked as stale due to inactivity.

@github-actions github-actions bot added the Stale label Oct 24, 2025
@github-actions
Contributor

This PR has been closed due to inactivity. Please feel free to reopen it if you'd like to continue the work.

@github-actions github-actions bot closed this Nov 17, 2025
Development

Successfully merging this pull request may close these issues.

[BUG] 401 Error on Elevenlabs Cal.com Book_Meeting API call