fix(ui): Make incomplete booking form mobile-responsive #26413
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@eeshm is attempting to deploy a commit to the cal Team on Vercel. A member of the Team first needs to authorize it. |
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
dhairyashiil
approved these changes
Jan 3, 2026
Member
dhairyashiil
left a comment
dhairyashiil
left a comment
There was a problem hiding this comment.
LGTM. Thank you for the contribution
Contributor
Author
|
thank you! |
Anshumancanrock
pushed a commit
to Anshumancanrock/cal.com
that referenced
this pull request
Jan 12, 2026
hariombalhara
added a commit
that referenced
this pull request
Jan 14, 2026
* matched colour of icons across website (#26394) * fix(auth): resolve session user by token subject ID (#26399) * fix(auth): align session user resolution with token subject * test(auth): add unit tests for getServerSession user resolution * chore: release v6.0.7 * fix: Custom time input for availability (#26373) * add custom time input * add unit test * add validation logic * feat(companion): Add DropdownMenu and Alert Dialog for Android (#26385) * feat(companion): add DropdownMenu for Android event types list Replace Alert.alert with react-native-reusables DropdownMenu component for Android event type list items, providing a native-feeling menu experience that matches iOS functionality. Changes: - Install react-native-reusables dropdown-menu component and dependencies (lucide-react-native, tailwindcss-animate, class-variance-authority, clsx, tailwind-merge) - Create EventTypeListItem.android.tsx with DropdownMenu implementation - Single ellipsis button triggers dropdown menu - Menu includes: Preview, Copy link, Edit, Duplicate, Delete - Delete action marked as destructive variant - Proper safe area insets handling - Add PortalHost to app/_layout.tsx for portal rendering support - Create lib/utils.ts with cn() helper for className merging - Update global.css with theme CSS variables (popover, border, accent, destructive, etc.) for dropdown menu styling - Update tailwind.config.js with theme colors and tailwindcss-animate plugin - Update metro.config.js with inlineRem: 16 for proper rem unit handling - Remove Android Alert.alert fallback from event types index.tsx - Fix lint issues in generated dropdown-menu.tsx (remove unnecessary fragments) The Android experience now matches iOS with a single menu button that opens a dropdown containing all event type actions, replacing the previous Alert.alert dialog and separate action buttons. Refs: https://reactnativereusables.com/docs/components/dropdown-menu * adjust with of menu * feat(companion): add DropdownMenu for Android booking and availability list items - Add BookingListItem.android.tsx with DropdownMenu for booking actions - Add BookingDetailScreen.android.tsx with DropdownMenu in header - Add AvailabilityListItem.android.tsx with DropdownMenu for schedule actions Actions include: Reschedule, Edit Location, Add Guests, View Recordings, Meeting Session Details, Mark as No-Show, Report Booking, Cancel Event for bookings; Set as Default, Duplicate, Delete for availability schedules. * fix lint issues * feat(android): replace native alerts with AlertDialog and Toast in event types - Install AlertDialog and Alert components from react-native-reusables - Create Android-specific event types screen (index.android.tsx) - Replace native Alert.alert() with AlertDialog for delete confirmation - Add inline validation errors (red border + error text) in create modal - Implement Toast snackbar for success/error notifications (no layout shift) - Auto-dismiss toast after 2.5 seconds - Fix React Compiler compatibility by removing animated refs This provides a more consistent and polished UI experience on Android, matching the design system used in other parts of the app. * feat(android): add AlertDialog for availability delete and booking cancel - Add index.android.tsx for availability with AlertDialog for delete confirmation - Add index.android.tsx for bookings with AlertDialog for cancel (with reason input) - Both screens include Toast snackbar for success/error notifications - Follows the same pattern as event types Android implementation * feat(companion): add DropdownMenu and AlertDialog for Android - Replace native Alert.alert context menus with DropdownMenu component for event types, bookings, and availability lists - Replace FullScreenModal with AlertDialog for create/delete/cancel flows - Add toast notifications for success/error feedback on Android - Set consistent 380px max-width for all AlertDialogs - Fix layout headers showing "index" text on event-types and availability - Create Android-specific More screen with AlertDialog logout confirmation Uses react-native-reusables components for polished Android UI * better code * fix cubics comments * refactor(android): revert delete confirmations to native Alert.alert() - Logout: reverted to native Alert.alert() (simple yes/no) - Event Types Delete: reverted to native Alert.alert() (simple yes/no) - Availability Delete: reverted to native Alert.alert() (simple yes/no) Keep AlertDialog only where user input is needed: - Event Types Create (has TextInput for title) - Availability Create (has TextInput for name) - Bookings Cancel (has TextInput for cancellation reason) * refactor(android): remove redundant index.android.tsx files The main index.tsx files already handle Android via Platform.OS checks. Android-specific behavior for actions is in the list item components: - EventTypeListItem.android.tsx - BookingListItem.android.tsx - AvailabilityListItem.android.tsx This consolidates the code and reduces duplication. * corrected the implementation both native and alert dialog * address cubics comments * fix lint issue and address cubic comments * chore: add logging in next-auth (#26404) * Add logging in next-auth * Add logging at other return * fix: Make incomplete booking form mobile-responsive (#26413) * fix: update bundle identifier (#26402) * fix: patch React 19 vulnerabilities by upgrading to 19.2.3 (#26411) * security: patch React 19 vulnerabilities by upgrading to 19.2.3 * chore: revert lingo.dev upgrade * refactor(companion): event type details screen improvements (#26415) * refactor(companion): move EventTypeDetail component to a new file and update routing * refactor(companion): format code for better readability in TabLayout and EventTypeDetail components * refactor(companion): improve code formatting and readability in EventTypeDetail component * refactor(companion): enhance code readability and formatting in EventTypeDetail component * refactor(companion): improve code formatting and readability in EventTypeDetail component * refactor(companion): enhance code formatting and readability in EventTypeDetail component * refactor(companion): improve code formatting and readability in TabLayout component * fix: add vertical spacing when hovered (#26419) * fix(seed): add missing Host entries for seeded round‑robin team events (#26426) * feat(companion): new availability detail and actions pages for ios (#26424) * version 1 * version 1.1 * better code * covered all edge cases * address cubics comments * address cubics comments * fix(auth): enhance SAML login handling by introducing userId field and updating JWT token structure (#26428) * fix(ci): delete old prod build caches on cache miss (#26437) Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * fix(ci): add yarn prisma generate before cache key generation (#26439) This ensures consistent cache keys between the Build Web App job and E2E shards by running yarn prisma generate before generating the cache key. The issue was that packages/prisma/enums/index.ts is: 1. Generated by yarn prisma generate 2. In .gitignore (not committed to git) 3. Included in the SOURCE_HASH (matches packages/**/**.[jt]s) 4. NOT excluded from the hash E2E jobs already run yarn prisma generate before cache-build, but the Build Web App job did not, causing different cache keys in the same workflow run. Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * fix: show empty screen from event type availability tab (#26396) * fix * update * fix * Remove copying of App Store static files step Removed step to copy App Store static files from the workflow. * feat: queue or cancel payment reminder flow (#24889) Co-authored-by: Pallav <[email protected]> Co-authored-by: Ryukemeister <[email protected]> Co-authored-by: Rajiv Sahal <[email protected]> Co-authored-by: Peer Richelsen <[email protected]> * feat: integrate BookingHistory with Bookings V3 design (#26301) * Integrate BookingHistory with Bookings V3 design * Enhance booking features by integrating booking audit functionality - Updated the booking page to retrieve user feature statuses for "bookings-v3" and "booking-audit". - Modified BookingDetailsSheet and BookingListContainer components to accept and utilize the new bookingAuditEnabled prop. - Adjusted the BookingHistory display logic to conditionally render based on the bookingAuditEnabled state. - Refactored SegmentedControl to support generic types for better type safety. This change improves the user experience by allowing conditional access to booking audit features based on user permissions. * Refactor BookingDetailsSheet to manage active segment state with Zustand store - Removed local state management for active segment in BookingDetailsSheet and integrated Zustand store for better state synchronization. - Introduced useActiveSegmentFromUrl hook to sync active segment with URL query parameters. - Updated BookingDetailsSheet to handle derived active segment logic based on bookingAuditEnabled state. - Adjusted SegmentedControl to ensure it defaults to "info" when activeSegment is null. This refactor enhances the maintainability and responsiveness of the booking details component. * refactor: rename useBiDirectionalSyncBetweenZustandAndNuqs to useBiDirectionalSyncBetweenStoreAndUrl Co-Authored-By: [email protected] <[email protected]> --------- Co-authored-by: Udit Takkar <[email protected]> Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * feat: create BookingHistoryViewerService to combine audit logs with routing form submissions (#26045) * feat: create BookingHistoryViewerService to combine audit logs with routing form submissions Co-Authored-By: [email protected] <[email protected]> * refactor(booking): rename audit log query and enhance type safety - Updated the booking logs view to use the new getBookingHistory query instead of getAuditLogs. - Introduced DisplayBookingAuditLog type for improved clarity in BookingAuditViewerService. - Refactored BookingHistoryViewerService to utilize the new DisplayBookingAuditLog type and added sorting functionality for history logs. - Adjusted related types and methods to ensure consistency across services. * refactor(routing-forms): streamline imports and enhance type definitions - Consolidated type exports and imports from the features library for better organization. - Removed redundant type definitions and functions in zod.ts, findFieldValueByIdentifier.ts, getFieldIdentifier.ts, and parseRoutingFormResponse.ts. - Introduced new utility functions for handling field responses and parsing routing form responses. - Improved type safety and clarity across routing form response handling. * fix: remove double prefix from uniqueId in form submission entry Co-Authored-By: [email protected] <[email protected]> * 1c97f9cc5d50416788c01876fe539bcc9750e9b2 (#26453) --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * chore: Ensure that uuid is available in server session[Booking Audit Prerequisite] (#25963) ## What does this PR do? Similar to #25721, adds uuid in session so that BookingAudit has it readily available Adds the user's UUID to the booking metadata by: 1. Extending the NextAuth `User` interface to include an optional `uuid` property from PrismaUser 2. Making `uuid` required on `Session.user` via intersection type (`User & { uuid: PrismaUser["uuid"] }`) 3. Adding `uuid` to the session user object in `getServerSession.ts` 4. Adding `uuid` to the `AdapterUser` transformation in `next-auth-custom-adapter.ts` 5. Passing `userUuid` from the session to the booking creation flow 6. Updating the API key verification flow to include `uuid` in the user data (repository, service, and type definitions) 7. Adding `req.userUuid` as a required field on the request object (like `req.userId`) 8. Adding `uuid` to mock session objects in web app routes and test context 9. Adding `uuid` to the `findByEmailAndIncludeProfilesAndPassword` query in UserRepository Also removes commented-out code that was placeholder for future work and fixes lint warnings for unused variables. ## Mandatory Tasks (DO NOT REMOVE) - [x] I have self-reviewed the code (A decent size PR without self-review might be rejected). - [x] I have updated the developer docs in /docs if this PR makes changes that would require a [documentation change](https://cal.com/docs). N/A - no documentation changes needed. - [x] I confirm automated tests are in place that prove my fix is effective or that my feature works. ## How should this be tested? 1. Verify that the NextAuth session callback is already populating the `uuid` field on the user object 2. Create a booking and confirm `userUuid` is included in the booking metadata 3. Test API v1 endpoints (`/api/invites` POST and `/api/teams/[teamId]/publish`) to verify they receive the uuid from the authenticated user 4. Check that the booking flow works correctly with the new parameter 5. Test SAML login flow to verify session still works correctly (uuid is resolved from database after authentication) ## Human Review Checklist - [ ] Verify the NextAuth session callback populates `uuid` - if not, this change will pass `undefined` at runtime - [ ] Confirm `userUuid` is consumed downstream in the booking service - [ ] Verify that `PrismaApiKeyRepository.findByHashedKey()` correctly fetches the user's uuid from the database - [ ] Verify the discriminated union type in `ApiKeyService.ts` ensures `result.user` is always defined when `result.valid` is true - [ ] Confirm all API v1 endpoints using `req.userUuid` go through the `verifyApiKey` middleware - [ ] Verify `UserRepository.findByEmailAndIncludeProfilesAndPassword()` includes `uuid` in the select clause - [ ] Verify SAML login still works correctly - uuid is now optional on User interface so SAML providers don't need to supply it at profile stage ## Updates since last revision - **Made uuid optional on User, required on Session**: Changed the type strategy so `uuid` is optional on the NextAuth `User` interface but required on `Session.user` via intersection type. This allows SAML providers to not supply uuid at the profile stage while ensuring uuid is always present on the session after the user is resolved from the database. - **Removed uuid from SAML functions**: Since uuid is now optional on User, the SAML profile and authorize functions no longer need to include it. --- Link to Devin run: https://app.devin.ai/sessions/97e5603b719a420b9b35041252c9db26 Requested by: [email protected] (@hariombalhara) * fix: add @calcom/trpc#build dependency to @calcom/web#dev task (#26460) Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * fix(auth): make identityProviderId lookup case-insensitive (#26405) SAML IdPs may send NameIDs with different casing than stored, causing login failures. Aligns with the existing case-insensitive email lookup pattern * fix: cancel running CI workflow before re-triggering and allow trusted GitHub Apps (#26461) * fix: cancel running CI workflow before re-triggering and allow trusted bots Co-Authored-By: [email protected] <[email protected]> * fix: remove hardcoded bot allowlist, keep only cancel-and-rerun improvement Co-Authored-By: [email protected] <[email protected]> * fix: add app_id verification for trusted GitHub Apps (Graphite) Co-Authored-By: [email protected] <[email protected]> * fix: simplify trusted bot check to use sender type, login, and installation context Co-Authored-By: [email protected] <[email protected]> * chore: remove unnecessary comments Co-Authored-By: [email protected] <[email protected]> --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * feat: update translations via @LingoDotDev (#26445) Co-authored-by: Lingo.dev <[email protected]> Co-authored-by: Keith Williams <[email protected]> * fix: remove installation requirement from trusted bot check (#26466) * fix: remove installation requirement from trusted bot check The installation object is not present in the webhook payload when GitHub Apps add labels via pull_request_target events. This caused graphite-app[bot] to fail the authorization check and fall through to the human permission check, which doesn't work for bots. The fix removes the installation requirement and relies on: - sender.type === 'Bot' - sender.login matching the trusted bot list This is secure because the sender fields come from GitHub's webhook payload and cannot be forged by contributors. Co-Authored-By: [email protected] <[email protected]> * chore: add extra logging about sender type Co-Authored-By: [email protected] <[email protected]> * chore: remove senderId from logging Co-Authored-By: [email protected] <[email protected]> * Update run-ci.yml --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * refactor: Move trpc-dependent components from features to web [2] (#26420) * fix * move event types components to web * update import paths * mv apps components * migrate form builder * fix * mv sso * fix * mv * update import paths * update import paths * mv * mv * mv * fix * update Booker * fix * fix * fix * fix * mv video * mv embed components to web * update import paths * mv calendar weekly view components * update import paths * fix * fixp * fix * fix * fix * fix: update FormBuilder imports to use @calcom/features/form-builder Co-Authored-By: [email protected] <[email protected]> * fix: update broken import paths after file migrations Co-Authored-By: [email protected] <[email protected]> * fix: correct import paths for platform atoms and moved components Co-Authored-By: [email protected] <[email protected]> * fix: apply CSS type fixes and add missing atoms exports Co-Authored-By: [email protected] <[email protected]> * fix: resolve type errors in test files after component migrations Co-Authored-By: [email protected] <[email protected]> * fix: resolve remaining type errors in test files Co-Authored-By: [email protected] <[email protected]> * fix * migrate * fix: resolve type errors in test and mock files - Add missing bookingForm, bookerFormErrorRef, instantConnectCooldownMs to Booker.test.tsx bookings prop - Add all required BookerEvent properties to event.mock.ts - Add vi import from vitest to all mock files - Fix date parameter types in packages/dayjs/__mocks__/index.ts - Add verificationCode and setVerificationCode to test-utils.tsx mock store - Remove children.type access in Section.tsx mock to fix type error - Fix lint issues: remove unused React imports, use import type where needed, add return types - Add biome-ignore comments for pre-existing lint warnings in test files Co-Authored-By: [email protected] <[email protected]> * migrate * migrate * migrate * update import paths * update import paths * update import paths * fix * migrate data table * migrate data table * fix * fix * fix * migrate insights components * migrate insights components * fix * mv * update import paths * fix * fix * fix * fix * fix * fix: resolve type errors in test mocks - Booker.test.tsx: Add all required UseFormReturn methods to bookingForm mock - event.mock.ts: Fix entity, subsetOfHosts, instantMeetingParameters, fieldTranslations, image types - dayjs/__mocks__/index.ts: Use Object.assign for proper typing of mock properties - Section.tsx: Change 'class' to 'className' in JSX with biome-ignore comment Co-Authored-By: [email protected] <[email protected]> * fix: add missing hasDataErrors and dataErrors to bookings.errors mock Co-Authored-By: [email protected] <[email protected]> * fix: add missing loadingStates properties to bookings mock Co-Authored-By: [email protected] <[email protected]> * fix: add missing slots properties (setTentativeSelectedTimeslots, tentativeSelectedTimeslots, slotReservationId) Co-Authored-By: [email protected] <[email protected]> * fix: update quickAvailabilityChecks to include utcEndIso and use valid status type Co-Authored-By: [email protected] <[email protected]> * fix: add missing bookerForm properties (formName, beforeVerifyEmail, formErrors) Co-Authored-By: [email protected] <[email protected]> * fix: add missing UseFormReturn properties to bookerForm.bookingForm mock Co-Authored-By: [email protected] <[email protected]> * fix: add hasFormErrors and formErrors to bookerForm.formErrors mock Co-Authored-By: [email protected] <[email protected]> * fix: add hasFormErrors and formErrors to bookerForm.errors mock Co-Authored-By: [email protected] <[email protected]> * fix: add missing isError property to mockEvent Co-Authored-By: [email protected] <[email protected]> * fix: use complete BookerEvent mock in Booker.test.tsx Co-Authored-By: [email protected] <[email protected]> * fix: use branded bookingFields type in event mock Co-Authored-By: [email protected] <[email protected]> * fix: add missing schedule mock properties (isError, isSuccess, isLoading, dataUpdatedAt) Co-Authored-By: [email protected] <[email protected]> * revert * fix * fix * fix * fix build * fix * fix * fix * fix: correct AddMembersWithSwitch test wrapper to use initial assignAllTeamMembers value - Fixed test wrapper to initialize useState with componentProps.assignAllTeamMembers instead of hardcoded false, allowing tests to properly test different states - Updated test expectations for ALL_TEAM_MEMBERS_ENABLED_AND_SEGMENT_NOT_APPLICABLE state to match actual component behavior (toggle should be present and checked) - Fixed 'should show Segment when toggled on' test to start with assignAllTeamMembers: false to properly test the flow of enabling it - Added explicit types to satisfy biome lint requirements Co-Authored-By: [email protected] <[email protected]> * fix: use JSX.Element instead of React.JSX.Element for type compatibility Co-Authored-By: [email protected] <[email protected]> --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * chore(deps): update dependencies and add version constraints (#26390) - Update sanitize-html to 2.17.0 - Remove unused Storybook dependencies from @calcom/ui - Add resolutions for consistent dependency versions - Clean up packageExtensions * feat: add lightweight E2E session warmup page (#26451) * feat: add lightweight E2E session warmup endpoint - Add /api/__e2e__/session-warmup endpoint that triggers NextAuth session loading - Update apiLogin fixture to use the new endpoint instead of navigating to /settings/my-account/profile - The endpoint is gated by NEXT_PUBLIC_IS_E2E=1 (already set in playwright.config.ts) - This reduces overhead in E2E tests by avoiding loading a full UI page just to warm up the session Co-Authored-By: [email protected] <[email protected]> * refactor: move session warmup endpoint to App Router - Move /api/__e2e__/session-warmup from pages/api to app/api - Use App Router patterns (NextResponse, buildLegacyRequest) - Maintains same functionality for E2E session warming Co-Authored-By: [email protected] <[email protected]> * rename path * refactor: switch from API route to minimal SSR page (Option 2) - Replace /api/e2e/session-warmup API route with /e2e/session-warmup page - Use App Router page pattern with getServerSession for session warmup - Update apiLogin fixture to navigate to the page instead of API request Co-Authored-By: [email protected] <[email protected]> * revert users fixture but with a new url * render nothing on success * clean up * trying something * Revert "trying something" This reverts commit 2ae2f7dcb42612e54eb072a9f09857272020889a. --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Co-authored-by: Keith Williams <[email protected]> * Disable noReactSpecificProps as we use react (#26479) * fix(auth): fix SAML tenant extraction and validation (#26482) - Extract tenant from userInfo in saml-idp (IdP-initiated) - Add profile.requested?.tenant fallback for OAuth (SP-initiated) - Block invalid tenant format in hosted (security) * fix: atoms build by updating import paths (#26489) * fix build * fix build * fix: "New" button sizing inconsistent between Workflows and Event Types pages (#26066) * fix: consistent button sizing between fab and button variants on desktop * fix: consistent button sizing between fab and button variants on desktop * fix(ui): align New button sizing across pages * fix: New button sizing inconsistent between Workflows and Event Types pages * Update Button.tsx * test: fix unit test flake (#25557) * fix: revalidate teams cache after accepting invite via token When a user accepts a team invite via token on the /teams page, the teams cache was not being invalidated. This caused the page to show stale data (empty list) while the sidebar correctly showed the teams. This fix adds a call to revalidateTeamsList() after processing an invite token, ensuring the cache is invalidated and fresh data is fetched immediately. Co-Authored-By: [email protected] <[email protected]> * fix: revalidate teams cache after creating team in onboarding flow Co-Authored-By: [email protected] <[email protected]> * Remove comments on teams cache revalidation Removed comments about revalidating teams cache after invite processing. * fix unit test flake * Remove unused import in useCreateTeam hook Removed unused import for revalidateTeamsList. * Remove unused import for revalidateTeamsList --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * chore: Add impersonation context support to booking audit (#26014) ## What does this PR do? Adds infrastructure to track impersonation context in booking audit records and displays it in the UI. When an admin impersonates another user and performs booking actions, the audit system now: - Records the **admin** as the actor (who actually performed the action) - Stores the **impersonated user's UUID** in a separate `context` field - Displays **"Impersonated By"** in the booking logs UI when viewing audit details This separation ensures audit trail integrity (the admin is accountable) while preserving full context about whose account was being used. ### Changes - Added `uuid` to `impersonatedBy` session object for actor identification - Added `uuid` to top-level `User` type in next-auth types for session enrichment - Added `context Json?` field to `BookingAudit` Prisma model - Added `BookingAuditContextSchema` for type-safe context handling with `actingAsUserUuid` field - Updated producer service interface and implementation to pass context through all queue methods - Updated consumer service to persist context to database - Updated repository to store and fetch context in BookingAudit records - Added `impersonatedBy` field to `EnrichedAuditLog` type in `BookingAuditViewerService` - Added `enrichImpersonationContext` method to resolve impersonated user details - Updated booking logs UI to display "Impersonated By" in expanded details - Added `impersonated_by` translation key Link to Devin run: https://app.devin.ai/sessions/3f1252527aef4ead9401bdf055c0817b Requested by: [email protected] (@hariombalhara) ## Mandatory Tasks (DO NOT REMOVE) - [x] I have self-reviewed the code (A decent size PR without self-review might be rejected). - [x] I have updated the developer docs in /docs if this PR makes changes that would require a [documentation change](https://cal.com/docs). N/A - internal infrastructure change - [ ] I confirm automated tests are in place that prove my fix is effective or that my feature works. ## How should this be tested? 1. Verify type checks pass: `yarn type-check:ci --force` 2. Verify existing audit tests still pass: `TZ=UTC yarn test` 3. To fully test impersonation context display: - Have an admin impersonate a user - Perform a booking action (create, cancel, reschedule) - Navigate to the booking's audit logs - Expand the details for the action - Verify "Impersonated By" row appears showing the impersonated user's name - Verify the BookingAudit record has: - `actorId` pointing to the admin's AuditActor - `context` containing `{ actingAsUserUuid: "<impersonated-user-uuid>" }` ## Human Review Checklist - [ ] Verify the `context` field schema design is appropriate for future extensibility - [ ] Confirm the `uuid` addition to User type in next-auth doesn't break existing auth flows - [ ] Check that the optional `context` parameter doesn't break existing queue method callers - [ ] Verify no migration file is needed (or if squashing is handled separately) - [ ] Verify the UI displays "Impersonated By" correctly when impersonation context is present - [ ] Confirm `enrichImpersonationContext` handles edge cases (null context, invalid context, deleted user) ## Checklist - [x] My code follows the style guidelines of this project - [x] I have commented my code, particularly in hard-to-understand areas - [x] I have checked if my changes generate no new warnings * perf: improve cal video webhook (#26495) * perf: improve cal video webhook * save format * refactor: use errorMs * chore: change API codeowner to Foundation (#26504) * chore(auth): add error logging for saml-idp silent failures (#26484) * chore(auth): add error logging for saml-idp silent failures * chore(auth): add warn-level logging for saml-idp silent failures * chore(auth): change 'No user found' log to warn level * chore(auth): add warn-level logging for silent auth failures - saml-idp authorize: credentials, code, token, userInfo, user lookup - callbacks:signIn: account type, email, name, catch-all - callbacks:jwt: unknown account type (info → warn) - saml:profile: missing email from IdP - getServerSession: user not found for valid token * feat(api): add team event-types webhooks controller (#26449) * feat(api): add team event-types webhooks controller - Add TeamsEventTypesWebhooksController for managing webhooks on team event types - Add IsTeamEventTypeWebhookGuard for authorization - Add TeamEventTypeWebhooksService for business logic - Register new controller in TeamsEventTypesModule - Enable unsafeParameterDecoratorsEnabled in biome.json for NestJS support Co-Authored-By: [email protected] <[email protected]> * test(api): add e2e tests for team event-types webhooks controller Co-Authored-By: [email protected] <[email protected]> * fix(api): restrict team event-type webhooks to admins/owners only Co-Authored-By: [email protected] <[email protected]> * fix(api): use regular imports instead of type imports for DI and DTOs Co-Authored-By: [email protected] <[email protected]> * fix(api): use regular imports for DI in guard file Co-Authored-By: [email protected] <[email protected]> * fix: circular depndency in modules * delete teams in test * fix roles guard * fix biome * fix guard * resolve type import * resolve review feedback --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * chore: remove Mintlify AI chat from CMD+K widget (#26485) * chore: remove Mintlify AI chat from CMD+K widget - Remove MintlifyChat component and related state from Kbar.tsx - Delete packages/features/mintlify-chat directory (MintlifyChat.tsx, util.ts) - Delete apps/web/app/api/mintlify-chat API routes and tests - Delete packages/lib/server/mintlifyChatValidation.ts - Remove Mintlify-related env vars from .env.example and turbo.json - Refactor Kbar.tsx to fix lint issues (explicit types, exports at end) Co-Authored-By: [email protected] <[email protected]> * fix: use ReactNode import instead of JSX from react The JSX type is not exported from 'react' module. Use the global JSX.Element type (available in React projects) and import ReactNode for the children prop type. Co-Authored-By: [email protected] <[email protected]> * feat: add all event-types and upcoming bookings to KBar - Increase event types limit from 10 to 100 to show more event types - Add useUpcomingBookingsAction hook to fetch and display upcoming bookings - Bookings show title, date, and time in KBar search results - Navigate to booking details page when selecting a booking Co-Authored-By: [email protected] <[email protected]> * Revert "feat: add all event-types and upcoming bookings to KBar" This reverts commit 69d03397e3820e45e7207eb55b38117d269eae5e. --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * feat: update translations via @LingoDotDev (#26497) Co-authored-by: Lingo.dev <[email protected]> * feat: implement FeatureOptInService (#25805) * feat: implement FeatureOptInService WIP * clean up * feat: consolidate feature repositories and add updateFeatureForUser - Implement updateFeatureForUser in FeaturesRepository (similar to updateFeatureForTeam) - Move getUserFeatureState and getTeamFeatureState from PrismaFeatureOptInRepository to FeaturesRepository - Update FeatureOptInService to use only FeaturesRepository - Add setUserFeatureState and setTeamFeatureState methods to FeatureOptInService - Update _router.ts to remove PrismaFeatureOptInRepository usage - Remove PrismaFeatureOptInRepository.ts and FeatureOptInRepositoryInterface.ts - Update features.repository.interface.ts and features.repository.mock.ts - Add integration tests for updateFeatureForUser, getUserFeatureState, getTeamFeatureState - Update service.integration-test.ts to use FeaturesRepository Co-Authored-By: [email protected] <[email protected]> * refactor: rename updateFeatureForUser to setUserFeatureState Rename to match the convention used for setTeamFeatureState Co-Authored-By: [email protected] <[email protected]> * refactor: return FeatureState type from getUserFeatureState and getTeamFeatureState * fix integration tests * clean up logics * update services and router * refactor: change getUserFeatureState and getTeamFeatureState to accept featureIds array - Renamed getUserFeatureState to getUserFeatureStates - Renamed getTeamFeatureState to getTeamFeatureStates - Changed parameter from featureId: string to featureIds: string[] - Changed return type from FeatureState to Record<string, FeatureState> - Updated FeatureOptInService to use the new batch methods - Added tests for querying multiple features in a single call - Optimized listFeaturesForTeam to fetch all feature states in one query Co-Authored-By: [email protected] <[email protected]> * feat: add getFeatureStateForTeams for batch querying multiple teams - Added getFeatureStateForTeams method to query a single feature across multiple teams in one call - Updated FeatureOptInService.resolveFeatureStateAcrossTeams to use the new batch method - Replaces N+1 queries with a single database query for team states - Added comprehensive integration tests for the new method Co-Authored-By: [email protected] <[email protected]> * refactor: combine org and team state queries into single call - Include orgId in the teamIds array passed to getFeatureStateForTeams - Extract org state and team states from the combined result - Reduces database queries from 3 to 2 in resolveFeatureStateAcrossTeams Co-Authored-By: [email protected] <[email protected]> * refactor: use team.isOrganization and clarify computeEffectiveState comment Co-Authored-By: [email protected] <[email protected]> * refactor: use MembershipRepository.findAllByUserId with isOrganization Co-Authored-By: [email protected] <[email protected]> * feat: add featureId validation using isOptInFeature type guard Co-Authored-By: [email protected] <[email protected]> * less queries * add fallback value * fix type error * move files * add autoOptInFeatures column * use autoOptInFeatures flag within FeatureOptInService * add setUserAutoOptIn and setTeamAutoOptIn * fix computeEffectiveState logic * rewrite computeEffectiveState * clean up integration tests * clean up in afterEach * fix type error * refactor: use FeaturesRepository methods instead of direct Prisma calls Replace all manual userFeatures and teamFeatures Prisma operations with the new setUserFeatureState and setTeamFeatureState repository methods. Changes include: - Admin handlers (assignFeatureToTeam, unassignFeatureFromTeam) - Test fixtures and integration tests - Playwright fixtures - Development scripts This ensures consistent feature flag management through the repository pattern and supports the new tri-state semantics (enabled/disabled/inherit). Co-Authored-By: [email protected] <[email protected]> * clean up * fix the logic * extract some logic into applyAutoOptIn() * remove wrong code * refactor: convert setUserFeatureState and setTeamFeatureState to object params with discriminated union - Convert multiple positional parameters to single object parameter - Use discriminated union types: assignedBy required for enabled/disabled, omitted for inherit - Update all callers across repository, service, handlers, fixtures, and tests * fix type error * use Promise.all * fix --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * feat: add organization banner to user profile page (#26514) Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * feat: Hubspot write to meeting object (#26039) * feat: Hubspot write to meeting object * fix: translate hardcoded strings and remove debug console.log Co-Authored-By: [email protected] <[email protected]> * refactor * fix: improve static value detection for placeholder replacement - Changed condition from startsWith/endsWith to includes('{') to properly detect embedded placeholders - Strings like 'Hello {name}!' are now correctly processed for placeholder replacement - Pure placeholder tokens that can't be resolved return null - Partially resolved values are returned as-is Co-Authored-By: [email protected] <[email protected]> * refactor: split WriteToObjectSettings into types and utils files - Extract interfaces, enums, and type definitions to WriteToObjectSettings.types.ts - Extract constants and utility functions to WriteToObjectSettings.utils.ts - Update main component to use the new utility functions - Improves code organization and maintainability Co-Authored-By: [email protected] <[email protected]> * revert: restore original static value detection logic Per user request - the startsWith/endsWith check was intentional Co-Authored-By: [email protected] <[email protected]> * test: add unit tests for HubSpot CRM service Tests cover: - ensureFieldsExistOnMeeting: field validation against HubSpot properties - getTextValueFromBookingTracking: UTM parameter extraction - getTextValueFromBookingResponse: placeholder replacement - getDateFieldValue: date field resolution for different date types - getFieldValue: main field value resolution for all field types - generateWriteToMeetingBody: write-to-meeting body generation - getContacts: contact search functionality Co-Authored-By: [email protected] <[email protected]> * fix: correct type errors in HubSpot CRM service tests - Import WhenToWrite enum from crm-enums - Replace string literals with WhenToWrite.EVERY_BOOKING enum values - Add missing whenToWrite property to field config objects Co-Authored-By: [email protected] <[email protected]> * fix: use type casting for intentional type errors in tests - Cast numeric fieldValue to string for testing non-string handling - Cast invalid field type string to CrmFieldType for testing unsupported types Co-Authored-By: [email protected] <[email protected]> * fix: prevent unhandled promise rejections in HubSpot CRM tests - Re-apply mockGetAppKeysFromSlug implementation in beforeEach to ensure mock is always set correctly after clearAllMocks - Change vi.resetAllMocks() to vi.clearAllMocks() to preserve mock implementations between tests - Add explicit types to satisfy biome lint rules - This fixes the 'Cannot read properties of undefined (reading client_id)' errors that were causing CI to fail with exit code 1 Co-Authored-By: [email protected] <[email protected]> * refactor: convert HubSpot tests to black-box testing through public methods Co-Authored-By: [email protected] <[email protected]> * fix: properly type mock CalendarEvent in HubSpot tests Co-Authored-By: [email protected] <[email protected]> * fix: properly type TFunction in mock CalendarEvent Co-Authored-By: [email protected] <[email protected]> * chore: graceful owner fail test * refactor * fix: type check * fix: remove null fields * Update packages/app-store/hubspot/lib/CrmService.ts Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com> --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com> * docs: add DTO location and naming conventions to knowledge base (#26478) * docs: add DTO location and naming conventions to knowledge base Co-Authored-By: [email protected] <[email protected]> * docs: clarify DTO location rules for new features vs refactored code Co-Authored-By: [email protected] <[email protected]> * docs: simplify DTO location - all DTOs go in packages/lib/dto/ Co-Authored-By: [email protected] <[email protected]> --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * refactor: convert PrismaAttributeToUserRepository to accept Prisma as dependency (#26515) * refactor: convert PrismaAttributeToUserRepository to accept Prisma as dependency Co-Authored-By: [email protected] <[email protected]> * fix: use Prisma types from generated client instead of custom types Co-Authored-By: [email protected] <[email protected]> --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * fix: handle existing users on invite token flow (#26217) * fix(auth): validate user before signup with invite token Validate if user already exists before creating account when signing up with team or organization invite tokens. Existing users are redirected to login to accept the invitation. - Add user existence check in signup handlers - Return 409 for existing users with redirect to login - Extract signup fetch logic to dedicated module - Add e2e test coverage * fix(auth): address code review feedback - Fix fetchSignup tests to use vi.spyOn for proper mock restoration - Add content-type validation before parsing JSON response - Guard against undefined error in Stripe callback - Use t() for localized error message - Fix race condition in handlers by catching P2002 on create * fix(auth): address additional code review feedback - Add INVALID_SERVER_RESPONSE constant to follow established pattern - Check error.meta.target includes email before returning USER_ALREADY_EXISTS to avoid false positives from other unique constraint violations - Add select: { id: true } to user.create calls since downstream functions only need the user id * test: add unit tests for P2002 handling in signup handlers - Add shared test suite covering all P2002 edge cases - Ensure 409 only for email constraint violations - Fix non-token paths to use atomic create + catch pattern * fix: update error message copy per review feedback * fix(auth): address code review feedback and prevent orphan Stripe customers - Add user existence check before Stripe customer creation (token flow) - Add select clause to user.create for consistency - Fix showToast argument order (pre-existing bug) - Use toHaveURL instead of waitForURL in E2E tests * fix(auth): resolve 500 errors by fixing Prisma error detection across module boundaries The instanceof check for PrismaClientKnownRequestError fails when different Prisma client instances are loaded. Added fallback check by constructor name * fix(auth): validate invitedTo before upsert on team invite signup * test(auth): update P2002 tests for new invite flow P2002 tests now use non-token flow since token flow uses upsert Added tests for invitedTo validation on invite signup * fix(auth): add guards and P2002 handling per review feedback - Guard existingUser check with if (foundToken?.teamId) - Guard username check with if (username) for premium flow - Add `select` clause to findFirst/findUnique queries - Add try-catch on upsert for race condition P2002 errors * fix(auth): narrow P2002 handling to email/username targets * chore: release v6.0.8 * fix: Support 10-digit phone numbers for Ivory Coast (+225) (#26465) * fix: update ivory coast mask to 10 digits * update formating for Benin numbers --------- Co-authored-by: Dhairyashil Shinde <[email protected]> Co-authored-by: Dhairyashil <[email protected]> * fix(ci): use env vars for input interpolation in workflow run steps (#26520) Co-authored-by: Alex van Andel <[email protected]> * refactor: use structured logger in video adapters (#26285) - Remove debug console.log/console.error statements - Add logger.debug for observability (meeting lifecycle events) - Add logger.error with safe error pattern (message + name only) - Fix error messages to avoid exposing response details - Remove redundant try/catch blocks (errors propagate naturally) * fix: validate owner email on platform org creation (#26286) Remove isPlatform bypass from owner verification to ensure users can only create organizations where they are the designated owner. Add test coverage for create and intentToCreateOrg handlers: - Regression tests for isPlatform bypass fix - Happy path for admin creating org for another user * perf: batch booking queries in output service (#25900) Replace N sequential queries with single batch queries in: - getOutputRecurringBookings - getOutputRecurringSeatedBookings Uses existing batch repository methods. Reduces database roundtrips from O(n) to O(1) for recurring booking lookups Co-authored-by: Morgan <[email protected]> * Make booking-audit integration test utils reusable (#26526) * fix: generate compliant passwords using meeting_password_requirement (#26148) * fix(zoomvideo): generate compliant passwords using meeting_password_requirement - Add meetingPasswordRequirementSchema to parse Zoom's password policy settings - Implement validatePasswordAgainstRequirements() to check if a password meets the policy - Implement generateCompliantPassword() to create passwords that comply with the policy - Update translateEvent() to use getCompliantPassword() which validates the default password or generates a new compliant one based on meeting_password_requirement - Add meeting_password_requirement to the settings API filter - Improve error handling for non-JSON responses in OAuthManager (XML validation errors) This fixes the frequent 'Error in JSON parsing Zoom API response' errors caused by Zoom returning XML validation errors when the password doesn't comply with the account's password policy (e.g., numeric-only requirement). Co-Authored-By: [email protected] <[email protected]> * refactor: use cleaner single-pass consecutive character check - Replace nested-loop O(n*k) implementation with single-pass O(n) helper - Add proper guard for consecutiveLength < 4 (Zoom allows 0, 4-8) - Move consecutive check before only_allow_numeric to apply it for all cases - Fix edge-case bug where consecutiveLength 1-3 could incorrectly reject passwords Co-Authored-By: [email protected] <[email protected]> * Optimize OAuth response handling Refactor OAuth response validation to read body only once. * Improve error handling in Zoom API response parsing Refactor error handling for Zoom API response parsing to improve logging and clarity. * Improve compliant password generation logic Enhance password generation to avoid consecutive characters when numeric only is required. * Remove password requirement handling from VideoApiAdapter Removed meeting password requirement schema and related functions for password validation and generation. --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * refactor: Clean up the /tests in the root (#26525) * refactor: Delete mockTRPCContext and mockData, and relocate mockStripeSubscription to stripe mock. * chore: Delete unused Stripe, video client, and reminder scheduler mock files. * feat(companion): UI Enhancements for Android and Extension (#26434) * feat: companion-android-ui-upgrade version 1 * recurrings and unconfirmed booking filter and page implementation * add badge and links to event type list page * address cubics comments * feat(companion): unify dropdown menu for Android and extension (#26486) * feat(companion): unify dropdown menu for Android and extension - Merge Android-specific dropdown implementations into base component files - EventTypeListItem: Add DropdownMenu with Preview, Copy link, Edit, Duplicate, Delete actions - BookingListItem: Add DropdownMenu with booking actions (reschedule, edit location, add guests, etc.) - RecurringBookingListItem: Add DropdownMenu with recurring booking actions - AvailabilityListItem: Add DropdownMenu with Set as Default, Duplicate, Delete actions - BookingDetailScreen: Add DropdownMenu in header for Android with AlertDialog for cancel confirmation - Delete all .android.tsx files as implementations are now unified * fix(companion): fix typecheck errors after dropdown unification - Remove unused props from EventTypeListItem.ios.tsx (copiedEventTypeId, handleEventTypeLongPress) - Remove unused onActionsPress prop from BookingListItem.ios.tsx - Remove copiedEventTypeId and handleEventTypeLongPress props from index.ios.tsx and index.tsx - Remove onLongPress and onActionsPress props from BookingListScreen.tsx - Remove handleScheduleLongPress, setSelectedSchedule, setShowActionsModal props from AvailabilityListScreen.tsx - Fix BookingDetailScreen.tsx to use correct action property names (reschedule.visible instead of canReschedule, etc.) * fix(companion): remove unused code after dropdown unification - Remove unused handleEventTypeLongPress function and ActionSheetIOS import from index.ios.tsx - Remove unused copiedEventTypeId state, handleEventTypeLongPress function, and ActionSheetIOS import from index.tsx - Prefix unused setSelectedBooking with underscore in BookingListScreen.tsx - Remove unused handleScheduleLongPress function and ActionSheetIOS import from AvailabilityListScreen.tsx * feat(companion): unify booking filter UI for Android and extension - Remove SegmentedControl from web/extension booking list page - Use Header dropdown for booking status filter on both Android and web - Use unified event type filter dropdown for both platforms - Remove unused showFilterModal state and related code - Pass filterOptions, activeFilter, and onFilterChange to Header for all platforms * fix(companion): add header padding for web/extension to prevent button clipping - Add headerLeftContainerStyle and headerRightContainerStyle with 12px padding for web platform - Applied to root Stack and all nested tab Stack layouts - Fixes issue where header buttons were touching edges and getting chopped off on extension/web - Android remains unaffected as the fix is web-only * fix(companion): add HeaderButtonWrapper for web-only header padding - Create HeaderButtonWrapper component that adds 12px margin on web only - Wrap all header buttons with HeaderButtonWrapper to prevent clipping - Revert invalid screenOptions changes that caused typecheck errors - Apply fix to all screens with native header buttons: - reschedule.tsx, edit-location.tsx, add-guests.tsx - mark-no-show.tsx, view-recordings.tsx, meeting-session-details.tsx - event-type-detail.tsx, BookingDetailScreen.tsx, profile-sheet.tsx - edit-availability-day.tsx, edit-availability-name.tsx, edit-availability-override.tsx * update more ui-ux * address cubics comments * address cubics comments & open event type list page first for inttial render of app * chore: Integrate booking cancellation audit (#26458) ## What does this PR do? > **⚠️ Note: This PR does not enable booking audit in production.** The `BookingAuditTaskerProducerService` has an [`IS_PRODUCTION` guard](https://github.com/calcom/cal.com/blob/integrate-booking-creation-reschedule-audit/packages/features/booking-audit/lib/service/BookingAuditTaskerProducerService.ts#L106-L108) that skips audit task queueing in production environments. This allows the integration to be tested in development before enabling it in production. Integrates audit logging for booking cancellations, following the pattern established in PR #26046 for booking creation/rescheduling audit. - Related to #25125 (Booking Audit Infrastructure) ### Changes: - Add audit logging for single booking cancellation via `onBookingCancelled` - Add audit logging for bulk recurring booking cancellation via `onBulkBookingsCancelled` - Pass `userUuid` and `actionSource` from webapp cancel route (WEBAPP) - Pass `userUuid` and `actionSource` from API-v2 bookings service (API_V2) - Create `getAuditActor` helper to derive actor from userUuid or create synthetic guest actor - Add `getUniqueIdentifier` helper for generating unique actor identifiers - Add warning log when `actionSource` is "UNKNOWN" for observability - Add integration tests for booking cancellation audit ### Audit Data Captured: - `cancellationReason` (simple string value) - `cancelledBy` (simple string value) - `status` (old → new, e.g., "ACCEPTED" → "CANCELLED") ### Updates since last revision: - Simplified `CancelledAuditActionService` schema: `cancellationReason` and `cancelledBy` are now stored as simple nullable strings instead of change objects (old/new), since cancellation is a one-time event where tracking previous values doesn't apply - Added integration tests for cancelled booking audit in `booking-audit-cancelled.integration-test.ts` - Added `getUniqueIdentifier` helper function in actor.ts for generating unique identifiers with prefixes ## Mandatory Tasks (DO NOT REMOVE) - [x] I have self-reviewed the code (A decent size PR without self-review might be rejected). - [x] I have updated the developer docs in /docs if this PR makes changes that would require a [documentation change](https://cal.com/docs). N/A - no documentation changes needed. - [ ] I confirm automated tests are in place that prove my fix is effective or that my feature works. ## How should this be tested? 1. Cancel a single booking via the webapp - verify audit record is created with actor and actionSource="WEBAPP" 2. Cancel a single booking via API v2 - verify audit record is created with actionSource="API_V2" 3. Cancel all remaining bookings in a recurring series - verify bulk audit records are created with shared operationId 4. Cancel via unauthenticated cancel link - verify guest actor is created with synthetic email (prefixed with "param-" or "fallback-") 5. Run integration tests: `yarn test packages/features/booking-audit/lib/service/__tests__/booking-audit-cancelled.integration-test.ts` ## Human Review Checklist - [ ] Verify `onBookingCancelled` and `onBulkBookingsCancelled` methods exist in `BookingEventHandlerService` - [ ] Review the `getAuditActor` fallback logic - creates synthetic email with "fallback-" or "param-" prefix when no userUuid available - [ ] Confirm the simplified schema for `cancellationReason`/`cancelledBy` (no longer tracking old→new) is intentional - [ ] Note: Audit logging calls are awaited directly - if audit service fails, the cancellation will fail. Confirm this is the desired behavior. - [ ] Verify `CancelledAuditDisplayData` type no longer includes `previousReason` and `previousCancelledBy` fields --- Link to Devin run: https://app.devin.ai/sessions/42404e76a66946fe9e46fa07fb12e779 Requested by: @hariombalhara ([email protected]) * feat: OAuth2 controller api v2 + refactor oAuth Trpc handlers (#25989) * feat(api-v2): add OAuth2 controller skeleton for auth module - Add new OAuth2 module under /auth with controller, service, repository, and DTOs - Implement skeleton endpoints: - GET /v2/auth/oauth2/clients/:clientId - Get OAuth client info - POST /v2/auth/oauth2/clients/:clientId/authorize - Generate authorization code - POST /v2/auth/oauth2/clients/:clientId/exchange - Exchange code for tokens - POST /v2/auth/oauth2/clients/:clientId/refresh - Refresh access token - Create input DTOs for authorize, exchange, and refresh operations - Create output DTOs for client info, authorization code, and tokens - Register OAuth2Module in endpoints.module.ts Co-Authored-By: [email protected] <[email protected]> * chore: add missing functions to platform libraries * feat(api-v2): integrate OAuthService from platform-libraries into OAuth2 controller - Add OAuthService export to platform-libraries - Refactor OAuth2Service to use OAuthService.validateClient() and OAuthService.verifyPKCE() - Remove duplicate local implementations of validateClient and verifyPKCE methods Co-Authored-By: [email protected] <[email protected]> * feat(api-v2): use local validateClient and verifyPKCE implementations - Remove OAuthService export from platform-libraries (will be deprecated) - Reimplement validateClient and verifyPKCE methods locally in OAuth2Service - Use verifyCodeChallenge and generateSecret from platform-libraries directly Co-Authored-By: [email protected] <[email protected]> * refactor(api-v2): separate repositories for OAuth2, access codes, and teams - Create AccessCodeRepository for access code Prisma operations - Add findTeamBySlugWithAdminRole method to TeamsRepository - Move generateAuthorizationCode, createTokens, verifyRefreshToken to OAuth2Service - Update OAuth2Repository to only contain OAuth client operations - Update OAuth2Module to import TeamsModule and provide AccessCodeRepository Addresses PR review comments to properly separate concerns Co-Authored-By: [email protected] <[email protected]> * feat(api-v2): implement JWT token creation and verification for OAuth2 - Implement createTokens method using jsonwebtoken to sign access and refresh tokens - Implement verifyRefreshToken method to verify JWT refresh tokens - Add ConfigService injection for CALENDSO_ENCRYPTION_KEY access - Import ConfigModule in OAuth2Module for dependency injection Based on logic from apps/web/app/api/auth/oauth/token/route.ts and apps/web/app/api/auth/oauth/refreshToken/route.ts Co-Authored-By: [email protected] <[email protected]> * fix: refactor and dayjs import fix * feat(api-v2): add ApiAuthGuard to getClient endpoint and e2e tests for OAuth2 - Add @UseGuards(ApiAuthGuard) to getClient endpoint for authentication - Add comprehensive e2e tests for all OAuth2 endpoints: - GET /v2/auth/oauth2/clients/:clientId - POST /v2/auth/oauth2/clients/:clientId/authorize - POST /v2/auth/oauth2/clients/:clientId/exchange - POST /v2/auth/oauth2/clients/:clientId/refresh - Tests cover happy paths and error cases (invalid client, invalid code, etc.) Co-Authored-By: [email protected] <[email protected]> * chore(api-v2): hide OAuth2 endpoints from Swagger documentation Co-Authored-By: [email protected] <[email protected]> * hide endpoints from doc * fix(api-v2): address PR feedback for OAuth2 controller - Fix P0 critical bug: token_type field name mismatch in DecodedRefreshToken interface - Add @Equals('authorization_code') validation to exchange.input.ts grantType - Add @Equals('refresh_token') validation to refresh.input.ts grantType - Add @IsNotEmpty() validation to get-client.input.ts clientId - Add @Expose() decorators to all output DTOs for proper serialization - Add security test assertion to verify clientSecret is not returned in response Co-Authored-By: [email protected] <[email protected]> * feat(api-v2): implement redirect behavior for OAuth2 authorize endpoint - Update authorize endpoint to return HTTP 303 redirect with authorization code - Add exact match validation for redirect URI (security requirement) - Implement error handling with redirect to redirect URI and error query params - Add state parameter support for CSRF protection - Update e2e tests to verify redirect behavior (303 status, Location header, error redirects) Co-Authored-By: [email protected] <[email protected]> * refactor(api-v2): address PR feedback for OAuth2 authorize endpoint - Make redirectUri a required input parameter (remove optional fallback) - Move buildRedirectUrl and mapErrorToOAuthError to oauth2Service - Add return statements to res.redirect() calls - Simplify controller by delegating redirect URL building to service Co-Authored-By: [email protected] <[email protected]> * wip move code outside of api v2 * feat(oauth): wire up dependency injection for OAuthService and repositories Co-Authored-By: [email protected] <[email protected]> * refactor: oAuthService used in routes * fix imports * fix(api-v2): return 404 for invalid client ID instead of redirect in authorize endpoint Co-Authored-By: [email protected] <[email protected]> * fix(api-v2): fix E2E test URL paths and remove bootstrap() in authenticated section - Remove bootstrap() call in authenticated section to match working test pattern - Change URL paths from /api/v2/... to /v2/... in authenticated section - Keep bootstrap() and /api/v2/... paths in unauthenticated section Co-Authored-By: [email protected] <[email protected]> * fix(api-v2): mock getToken from next-auth/jwt for E2E tests - Add jest.mock for next-auth/jwt getToken function - Mock returns null for unauthenticated tests - Mock returns { email: userEmail } for authenticated tests - Remove withNextAuth helper since ApiAuthGuard uses ApiAuthStrategy which calls getToken directly, not NextAuthStrategy Co-Authored-By: [email protected] <[email protected]> * fix tests and code review * cleanup generate secrets * cleanup controller * chore: remove console.log from OAuthService.validateClient Co-Authored-By: [email protected] <[email protected]> * Update apps/web/app/api/auth/oauth/refreshToken/route.ts Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com> * fix(api-v2): add bootstrap() to authenticated E2E tests and update URL paths to /api/v2/ Co-Authored-By: [email protected] <[email protected]> * Merge remote-tracking branch 'origin/devin/oauth2-controller-skeleton-1765988792' and remove console.log from token route Co-Authored-By: [email protected] <[email protected]> * chore: remove dead code * refactor * refactor: generateAuthCode trpc handler and getClient trpc handler * remove pkce check for refreshToken endpoint * Update packages/trpc/server/routers/viewer/oAuth/getClient.handler.ts Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com> * refactor: error handling * refactor: error handling * refactor: error handling * remove console log * provide redirectUri in generateAuthCodeHandler * provide redirectUri in authorize view * refactor: replace HttpError with ErrorWithCode in OAuth files - Update OAuthService to use ErrorWithCode instead of HttpError - Update mapErrorToOAuthError to check ErrorCode instead of status codes - Update token/route.ts and refreshToken/route.ts to use ErrorWithCode - Add ErrorWithCode export to platform-libraries - Use getHttpStatusCode to map ErrorCode to HTTP status codes Co-Authored-By: [email protected] <[email protected]> * fix: update generateAuthCode handler to use ErrorWithCode instead of HttpError The handler was still checking for HttpError in its catch block, but OAuthService now throws ErrorWithCode. This caused the error messages to be lost and replaced with 'server_error' instead of the specific error messages. Co-Authored-By: [email protected] <[email protected]> * fix: update OAuth2 controller to use ErrorWithCode instead of HttpError The controller was still checking for HttpError in its catch blocks, but OAuthService now throws ErrorWithCode. This caused all errors to return 500 Internal Server Error instead of the correct HTTP status codes (400, 401, 404). Also added getHttpStatusCode export to platform-libraries. Co-Authored-By: [email protected] <[email protected]> * fix: add explicit unknown type annotation to catch blocks in OAuth2 controller Co-Authored-By: [email protected] <[email protected]> * fix: change NotFoundException to HttpException in authorize endpoint Co-Authored-By: [email protected] <[email protected]> * fix: handle err with ErrorWithCode in authorize endpoint catch block Co-Authored-By: [email protected] <[email protected]> * fix: move errorWithCode * fix: error code rfc * fix: no need to handle errors there is a middleware * refactor errors * refactor errors * refactor redirecturi and state from api * refactor: address PR comments for OAuth2 controller - Remove unused GetOAuth2ClientInput class - Change API tag from 'Auth / OAuth2' to 'OAuth2' - Move OAuthClientFixture to separate fixture file (oauth2-client.repository.fixture.ts) - Add 'type' property to OAuth2ClientDto for confidential/public client type - Rename 'clientId' to 'id' in OAuth2ClientDto (using @Expose mapping) - Clean up duplicate provider declaratio…
volnei
added a commit
that referenced
this pull request
Jan 14, 2026
…e them instead of Prisma in cancellation flow (#24159) * chore: Inject repositories instead of Prisma in canellation flow * simplify * simplify * fix formatting issue * chore: resolve merge conflicts for PR #24159 (#26820) * matched colour of icons across website (#26394) * fix(auth): resolve session user by token subject ID (#26399) * fix(auth): align session user resolution with token subject * test(auth): add unit tests for getServerSession user resolution * chore: release v6.0.7 * fix: Custom time input for availability (#26373) * add custom time input * add unit test * add validation logic * feat(companion): Add DropdownMenu and Alert Dialog for Android (#26385) * feat(companion): add DropdownMenu for Android event types list Replace Alert.alert with react-native-reusables DropdownMenu component for Android event type list items, providing a native-feeling menu experience that matches iOS functionality. Changes: - Install react-native-reusables dropdown-menu component and dependencies (lucide-react-native, tailwindcss-animate, class-variance-authority, clsx, tailwind-merge) - Create EventTypeListItem.android.tsx with DropdownMenu implementation - Single ellipsis button triggers dropdown menu - Menu includes: Preview, Copy link, Edit, Duplicate, Delete - Delete action marked as destructive variant - Proper safe area insets handling - Add PortalHost to app/_layout.tsx for portal rendering support - Create lib/utils.ts with cn() helper for className merging - Update global.css with theme CSS variables (popover, border, accent, destructive, etc.) for dropdown menu styling - Update tailwind.config.js with theme colors and tailwindcss-animate plugin - Update metro.config.js with inlineRem: 16 for proper rem unit handling - Remove Android Alert.alert fallback from event types index.tsx - Fix lint issues in generated dropdown-menu.tsx (remove unnecessary fragments) The Android experience now matches iOS with a single menu button that opens a dropdown containing all event type actions, replacing the previous Alert.alert dialog and separate action buttons. Refs: https://reactnativereusables.com/docs/components/dropdown-menu * adjust with of menu * feat(companion): add DropdownMenu for Android booking and availability list items - Add BookingListItem.android.tsx with DropdownMenu for booking actions - Add BookingDetailScreen.android.tsx with DropdownMenu in header - Add AvailabilityListItem.android.tsx with DropdownMenu for schedule actions Actions include: Reschedule, Edit Location, Add Guests, View Recordings, Meeting Session Details, Mark as No-Show, Report Booking, Cancel Event for bookings; Set as Default, Duplicate, Delete for availability schedules. * fix lint issues * feat(android): replace native alerts with AlertDialog and Toast in event types - Install AlertDialog and Alert components from react-native-reusables - Create Android-specific event types screen (index.android.tsx) - Replace native Alert.alert() with AlertDialog for delete confirmation - Add inline validation errors (red border + error text) in create modal - Implement Toast snackbar for success/error notifications (no layout shift) - Auto-dismiss toast after 2.5 seconds - Fix React Compiler compatibility by removing animated refs This provides a more consistent and polished UI experience on Android, matching the design system used in other parts of the app. * feat(android): add AlertDialog for availability delete and booking cancel - Add index.android.tsx for availability with AlertDialog for delete confirmation - Add index.android.tsx for bookings with AlertDialog for cancel (with reason input) - Both screens include Toast snackbar for success/error notifications - Follows the same pattern as event types Android implementation * feat(companion): add DropdownMenu and AlertDialog for Android - Replace native Alert.alert context menus with DropdownMenu component for event types, bookings, and availability lists - Replace FullScreenModal with AlertDialog for create/delete/cancel flows - Add toast notifications for success/error feedback on Android - Set consistent 380px max-width for all AlertDialogs - Fix layout headers showing "index" text on event-types and availability - Create Android-specific More screen with AlertDialog logout confirmation Uses react-native-reusables components for polished Android UI * better code * fix cubics comments * refactor(android): revert delete confirmations to native Alert.alert() - Logout: reverted to native Alert.alert() (simple yes/no) - Event Types Delete: reverted to native Alert.alert() (simple yes/no) - Availability Delete: reverted to native Alert.alert() (simple yes/no) Keep AlertDialog only where user input is needed: - Event Types Create (has TextInput for title) - Availability Create (has TextInput for name) - Bookings Cancel (has TextInput for cancellation reason) * refactor(android): remove redundant index.android.tsx files The main index.tsx files already handle Android via Platform.OS checks. Android-specific behavior for actions is in the list item components: - EventTypeListItem.android.tsx - BookingListItem.android.tsx - AvailabilityListItem.android.tsx This consolidates the code and reduces duplication. * corrected the implementation both native and alert dialog * address cubics comments * fix lint issue and address cubic comments * chore: add logging in next-auth (#26404) * Add logging in next-auth * Add logging at other return * fix: Make incomplete booking form mobile-responsive (#26413) * fix: update bundle identifier (#26402) * fix: patch React 19 vulnerabilities by upgrading to 19.2.3 (#26411) * security: patch React 19 vulnerabilities by upgrading to 19.2.3 * chore: revert lingo.dev upgrade * refactor(companion): event type details screen improvements (#26415) * refactor(companion): move EventTypeDetail component to a new file and update routing * refactor(companion): format code for better readability in TabLayout and EventTypeDetail components * refactor(companion): improve code formatting and readability in EventTypeDetail component * refactor(companion): enhance code readability and formatting in EventTypeDetail component * refactor(companion): improve code formatting and readability in EventTypeDetail component * refactor(companion): enhance code formatting and readability in EventTypeDetail component * refactor(companion): improve code formatting and readability in TabLayout component * fix: add vertical spacing when hovered (#26419) * fix(seed): add missing Host entries for seeded round‑robin team events (#26426) * feat(companion): new availability detail and actions pages for ios (#26424) * version 1 * version 1.1 * better code * covered all edge cases * address cubics comments * address cubics comments * fix(auth): enhance SAML login handling by introducing userId field and updating JWT token structure (#26428) * fix(ci): delete old prod build caches on cache miss (#26437) Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * fix(ci): add yarn prisma generate before cache key generation (#26439) This ensures consistent cache keys between the Build Web App job and E2E shards by running yarn prisma generate before generating the cache key. The issue was that packages/prisma/enums/index.ts is: 1. Generated by yarn prisma generate 2. In .gitignore (not committed to git) 3. Included in the SOURCE_HASH (matches packages/**/**.[jt]s) 4. NOT excluded from the hash E2E jobs already run yarn prisma generate before cache-build, but the Build Web App job did not, causing different cache keys in the same workflow run. Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * fix: show empty screen from event type availability tab (#26396) * fix * update * fix * Remove copying of App Store static files step Removed step to copy App Store static files from the workflow. * feat: queue or cancel payment reminder flow (#24889) Co-authored-by: Pallav <[email protected]> Co-authored-by: Ryukemeister <[email protected]> Co-authored-by: Rajiv Sahal <[email protected]> Co-authored-by: Peer Richelsen <[email protected]> * feat: integrate BookingHistory with Bookings V3 design (#26301) * Integrate BookingHistory with Bookings V3 design * Enhance booking features by integrating booking audit functionality - Updated the booking page to retrieve user feature statuses for "bookings-v3" and "booking-audit". - Modified BookingDetailsSheet and BookingListContainer components to accept and utilize the new bookingAuditEnabled prop. - Adjusted the BookingHistory display logic to conditionally render based on the bookingAuditEnabled state. - Refactored SegmentedControl to support generic types for better type safety. This change improves the user experience by allowing conditional access to booking audit features based on user permissions. * Refactor BookingDetailsSheet to manage active segment state with Zustand store - Removed local state management for active segment in BookingDetailsSheet and integrated Zustand store for better state synchronization. - Introduced useActiveSegmentFromUrl hook to sync active segment with URL query parameters. - Updated BookingDetailsSheet to handle derived active segment logic based on bookingAuditEnabled state. - Adjusted SegmentedControl to ensure it defaults to "info" when activeSegment is null. This refactor enhances the maintainability and responsiveness of the booking details component. * refactor: rename useBiDirectionalSyncBetweenZustandAndNuqs to useBiDirectionalSyncBetweenStoreAndUrl Co-Authored-By: [email protected] <[email protected]> --------- Co-authored-by: Udit Takkar <[email protected]> Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * feat: create BookingHistoryViewerService to combine audit logs with routing form submissions (#26045) * feat: create BookingHistoryViewerService to combine audit logs with routing form submissions Co-Authored-By: [email protected] <[email protected]> * refactor(booking): rename audit log query and enhance type safety - Updated the booking logs view to use the new getBookingHistory query instead of getAuditLogs. - Introduced DisplayBookingAuditLog type for improved clarity in BookingAuditViewerService. - Refactored BookingHistoryViewerService to utilize the new DisplayBookingAuditLog type and added sorting functionality for history logs. - Adjusted related types and methods to ensure consistency across services. * refactor(routing-forms): streamline imports and enhance type definitions - Consolidated type exports and imports from the features library for better organization. - Removed redundant type definitions and functions in zod.ts, findFieldValueByIdentifier.ts, getFieldIdentifier.ts, and parseRoutingFormResponse.ts. - Introduced new utility functions for handling field responses and parsing routing form responses. - Improved type safety and clarity across routing form response handling. * fix: remove double prefix from uniqueId in form submission entry Co-Authored-By: [email protected] <[email protected]> * 1c97f9cc5d50416788c01876fe539bcc9750e9b2 (#26453) --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * chore: Ensure that uuid is available in server session[Booking Audit Prerequisite] (#25963) ## What does this PR do? Similar to #25721, adds uuid in session so that BookingAudit has it readily available Adds the user's UUID to the booking metadata by: 1. Extending the NextAuth `User` interface to include an optional `uuid` property from PrismaUser 2. Making `uuid` required on `Session.user` via intersection type (`User & { uuid: PrismaUser["uuid"] }`) 3. Adding `uuid` to the session user object in `getServerSession.ts` 4. Adding `uuid` to the `AdapterUser` transformation in `next-auth-custom-adapter.ts` 5. Passing `userUuid` from the session to the booking creation flow 6. Updating the API key verification flow to include `uuid` in the user data (repository, service, and type definitions) 7. Adding `req.userUuid` as a required field on the request object (like `req.userId`) 8. Adding `uuid` to mock session objects in web app routes and test context 9. Adding `uuid` to the `findByEmailAndIncludeProfilesAndPassword` query in UserRepository Also removes commented-out code that was placeholder for future work and fixes lint warnings for unused variables. ## Mandatory Tasks (DO NOT REMOVE) - [x] I have self-reviewed the code (A decent size PR without self-review might be rejected). - [x] I have updated the developer docs in /docs if this PR makes changes that would require a [documentation change](https://cal.com/docs). N/A - no documentation changes needed. - [x] I confirm automated tests are in place that prove my fix is effective or that my feature works. ## How should this be tested? 1. Verify that the NextAuth session callback is already populating the `uuid` field on the user object 2. Create a booking and confirm `userUuid` is included in the booking metadata 3. Test API v1 endpoints (`/api/invites` POST and `/api/teams/[teamId]/publish`) to verify they receive the uuid from the authenticated user 4. Check that the booking flow works correctly with the new parameter 5. Test SAML login flow to verify session still works correctly (uuid is resolved from database after authentication) ## Human Review Checklist - [ ] Verify the NextAuth session callback populates `uuid` - if not, this change will pass `undefined` at runtime - [ ] Confirm `userUuid` is consumed downstream in the booking service - [ ] Verify that `PrismaApiKeyRepository.findByHashedKey()` correctly fetches the user's uuid from the database - [ ] Verify the discriminated union type in `ApiKeyService.ts` ensures `result.user` is always defined when `result.valid` is true - [ ] Confirm all API v1 endpoints using `req.userUuid` go through the `verifyApiKey` middleware - [ ] Verify `UserRepository.findByEmailAndIncludeProfilesAndPassword()` includes `uuid` in the select clause - [ ] Verify SAML login still works correctly - uuid is now optional on User interface so SAML providers don't need to supply it at profile stage ## Updates since last revision - **Made uuid optional on User, required on Session**: Changed the type strategy so `uuid` is optional on the NextAuth `User` interface but required on `Session.user` via intersection type. This allows SAML providers to not supply uuid at the profile stage while ensuring uuid is always present on the session after the user is resolved from the database. - **Removed uuid from SAML functions**: Since uuid is now optional on User, the SAML profile and authorize functions no longer need to include it. --- Link to Devin run: https://app.devin.ai/sessions/97e5603b719a420b9b35041252c9db26 Requested by: [email protected] (@hariombalhara) * fix: add @calcom/trpc#build dependency to @calcom/web#dev task (#26460) Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * fix(auth): make identityProviderId lookup case-insensitive (#26405) SAML IdPs may send NameIDs with different casing than stored, causing login failures. Aligns with the existing case-insensitive email lookup pattern * fix: cancel running CI workflow before re-triggering and allow trusted GitHub Apps (#26461) * fix: cancel running CI workflow before re-triggering and allow trusted bots Co-Authored-By: [email protected] <[email protected]> * fix: remove hardcoded bot allowlist, keep only cancel-and-rerun improvement Co-Authored-By: [email protected] <[email protected]> * fix: add app_id verification for trusted GitHub Apps (Graphite) Co-Authored-By: [email protected] <[email protected]> * fix: simplify trusted bot check to use sender type, login, and installation context Co-Authored-By: [email protected] <[email protected]> * chore: remove unnecessary comments Co-Authored-By: [email protected] <[email protected]> --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * feat: update translations via @LingoDotDev (#26445) Co-authored-by: Lingo.dev <[email protected]> Co-authored-by: Keith Williams <[email protected]> * fix: remove installation requirement from trusted bot check (#26466) * fix: remove installation requirement from trusted bot check The installation object is not present in the webhook payload when GitHub Apps add labels via pull_request_target events. This caused graphite-app[bot] to fail the authorization check and fall through to the human permission check, which doesn't work for bots. The fix removes the installation requirement and relies on: - sender.type === 'Bot' - sender.login matching the trusted bot list This is secure because the sender fields come from GitHub's webhook payload and cannot be forged by contributors. Co-Authored-By: [email protected] <[email protected]> * chore: add extra logging about sender type Co-Authored-By: [email protected] <[email protected]> * chore: remove senderId from logging Co-Authored-By: [email protected] <[email protected]> * Update run-ci.yml --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * refactor: Move trpc-dependent components from features to web [2] (#26420) * fix * move event types components to web * update import paths * mv apps components * migrate form builder * fix * mv sso * fix * mv * update import paths * update import paths * mv * mv * mv * fix * update Booker * fix * fix * fix * fix * mv video * mv embed components to web * update import paths * mv calendar weekly view components * update import paths * fix * fixp * fix * fix * fix * fix: update FormBuilder imports to use @calcom/features/form-builder Co-Authored-By: [email protected] <[email protected]> * fix: update broken import paths after file migrations Co-Authored-By: [email protected] <[email protected]> * fix: correct import paths for platform atoms and moved components Co-Authored-By: [email protected] <[email protected]> * fix: apply CSS type fixes and add missing atoms exports Co-Authored-By: [email protected] <[email protected]> * fix: resolve type errors in test files after component migrations Co-Authored-By: [email protected] <[email protected]> * fix: resolve remaining type errors in test files Co-Authored-By: [email protected] <[email protected]> * fix * migrate * fix: resolve type errors in test and mock files - Add missing bookingForm, bookerFormErrorRef, instantConnectCooldownMs to Booker.test.tsx bookings prop - Add all required BookerEvent properties to event.mock.ts - Add vi import from vitest to all mock files - Fix date parameter types in packages/dayjs/__mocks__/index.ts - Add verificationCode and setVerificationCode to test-utils.tsx mock store - Remove children.type access in Section.tsx mock to fix type error - Fix lint issues: remove unused React imports, use import type where needed, add return types - Add biome-ignore comments for pre-existing lint warnings in test files Co-Authored-By: [email protected] <[email protected]> * migrate * migrate * migrate * update import paths * update import paths * update import paths * fix * migrate data table * migrate data table * fix * fix * fix * migrate insights components * migrate insights components * fix * mv * update import paths * fix * fix * fix * fix * fix * fix: resolve type errors in test mocks - Booker.test.tsx: Add all required UseFormReturn methods to bookingForm mock - event.mock.ts: Fix entity, subsetOfHosts, instantMeetingParameters, fieldTranslations, image types - dayjs/__mocks__/index.ts: Use Object.assign for proper typing of mock properties - Section.tsx: Change 'class' to 'className' in JSX with biome-ignore comment Co-Authored-By: [email protected] <[email protected]> * fix: add missing hasDataErrors and dataErrors to bookings.errors mock Co-Authored-By: [email protected] <[email protected]> * fix: add missing loadingStates properties to bookings mock Co-Authored-By: [email protected] <[email protected]> * fix: add missing slots properties (setTentativeSelectedTimeslots, tentativeSelectedTimeslots, slotReservationId) Co-Authored-By: [email protected] <[email protected]> * fix: update quickAvailabilityChecks to include utcEndIso and use valid status type Co-Authored-By: [email protected] <[email protected]> * fix: add missing bookerForm properties (formName, beforeVerifyEmail, formErrors) Co-Authored-By: [email protected] <[email protected]> * fix: add missing UseFormReturn properties to bookerForm.bookingForm mock Co-Authored-By: [email protected] <[email protected]> * fix: add hasFormErrors and formErrors to bookerForm.formErrors mock Co-Authored-By: [email protected] <[email protected]> * fix: add hasFormErrors and formErrors to bookerForm.errors mock Co-Authored-By: [email protected] <[email protected]> * fix: add missing isError property to mockEvent Co-Authored-By: [email protected] <[email protected]> * fix: use complete BookerEvent mock in Booker.test.tsx Co-Authored-By: [email protected] <[email protected]> * fix: use branded bookingFields type in event mock Co-Authored-By: [email protected] <[email protected]> * fix: add missing schedule mock properties (isError, isSuccess, isLoading, dataUpdatedAt) Co-Authored-By: [email protected] <[email protected]> * revert * fix * fix * fix * fix build * fix * fix * fix * fix: correct AddMembersWithSwitch test wrapper to use initial assignAllTeamMembers value - Fixed test wrapper to initialize useState with componentProps.assignAllTeamMembers instead of hardcoded false, allowing tests to properly test different states - Updated test expectations for ALL_TEAM_MEMBERS_ENABLED_AND_SEGMENT_NOT_APPLICABLE state to match actual component behavior (toggle should be present and checked) - Fixed 'should show Segment when toggled on' test to start with assignAllTeamMembers: false to properly test the flow of enabling it - Added explicit types to satisfy biome lint requirements Co-Authored-By: [email protected] <[email protected]> * fix: use JSX.Element instead of React.JSX.Element for type compatibility Co-Authored-By: [email protected] <[email protected]> --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * chore(deps): update dependencies and add version constraints (#26390) - Update sanitize-html to 2.17.0 - Remove unused Storybook dependencies from @calcom/ui - Add resolutions for consistent dependency versions - Clean up packageExtensions * feat: add lightweight E2E session warmup page (#26451) * feat: add lightweight E2E session warmup endpoint - Add /api/__e2e__/session-warmup endpoint that triggers NextAuth session loading - Update apiLogin fixture to use the new endpoint instead of navigating to /settings/my-account/profile - The endpoint is gated by NEXT_PUBLIC_IS_E2E=1 (already set in playwright.config.ts) - This reduces overhead in E2E tests by avoiding loading a full UI page just to warm up the session Co-Authored-By: [email protected] <[email protected]> * refactor: move session warmup endpoint to App Router - Move /api/__e2e__/session-warmup from pages/api to app/api - Use App Router patterns (NextResponse, buildLegacyRequest) - Maintains same functionality for E2E session warming Co-Authored-By: [email protected] <[email protected]> * rename path * refactor: switch from API route to minimal SSR page (Option 2) - Replace /api/e2e/session-warmup API route with /e2e/session-warmup page - Use App Router page pattern with getServerSession for session warmup - Update apiLogin fixture to navigate to the page instead of API request Co-Authored-By: [email protected] <[email protected]> * revert users fixture but with a new url * render nothing on success * clean up * trying something * Revert "trying something" This reverts commit 2ae2f7dcb42612e54eb072a9f09857272020889a. --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Co-authored-by: Keith Williams <[email protected]> * Disable noReactSpecificProps as we use react (#26479) * fix(auth): fix SAML tenant extraction and validation (#26482) - Extract tenant from userInfo in saml-idp (IdP-initiated) - Add profile.requested?.tenant fallback for OAuth (SP-initiated) - Block invalid tenant format in hosted (security) * fix: atoms build by updating import paths (#26489) * fix build * fix build * fix: "New" button sizing inconsistent between Workflows and Event Types pages (#26066) * fix: consistent button sizing between fab and button variants on desktop * fix: consistent button sizing between fab and button variants on desktop * fix(ui): align New button sizing across pages * fix: New button sizing inconsistent between Workflows and Event Types pages * Update Button.tsx * test: fix unit test flake (#25557) * fix: revalidate teams cache after accepting invite via token When a user accepts a team invite via token on the /teams page, the teams cache was not being invalidated. This caused the page to show stale data (empty list) while the sidebar correctly showed the teams. This fix adds a call to revalidateTeamsList() after processing an invite token, ensuring the cache is invalidated and fresh data is fetched immediately. Co-Authored-By: [email protected] <[email protected]> * fix: revalidate teams cache after creating team in onboarding flow Co-Authored-By: [email protected] <[email protected]> * Remove comments on teams cache revalidation Removed comments about revalidating teams cache after invite processing. * fix unit test flake * Remove unused import in useCreateTeam hook Removed unused import for revalidateTeamsList. * Remove unused import for revalidateTeamsList --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * chore: Add impersonation context support to booking audit (#26014) ## What does this PR do? Adds infrastructure to track impersonation context in booking audit records and displays it in the UI. When an admin impersonates another user and performs booking actions, the audit system now: - Records the **admin** as the actor (who actually performed the action) - Stores the **impersonated user's UUID** in a separate `context` field - Displays **"Impersonated By"** in the booking logs UI when viewing audit details This separation ensures audit trail integrity (the admin is accountable) while preserving full context about whose account was being used. ### Changes - Added `uuid` to `impersonatedBy` session object for actor identification - Added `uuid` to top-level `User` type in next-auth types for session enrichment - Added `context Json?` field to `BookingAudit` Prisma model - Added `BookingAuditContextSchema` for type-safe context handling with `actingAsUserUuid` field - Updated producer service interface and implementation to pass context through all queue methods - Updated consumer service to persist context to database - Updated repository to store and fetch context in BookingAudit records - Added `impersonatedBy` field to `EnrichedAuditLog` type in `BookingAuditViewerService` - Added `enrichImpersonationContext` method to resolve impersonated user details - Updated booking logs UI to display "Impersonated By" in expanded details - Added `impersonated_by` translation key Link to Devin run: https://app.devin.ai/sessions/3f1252527aef4ead9401bdf055c0817b Requested by: [email protected] (@hariombalhara) ## Mandatory Tasks (DO NOT REMOVE) - [x] I have self-reviewed the code (A decent size PR without self-review might be rejected). - [x] I have updated the developer docs in /docs if this PR makes changes that would require a [documentation change](https://cal.com/docs). N/A - internal infrastructure change - [ ] I confirm automated tests are in place that prove my fix is effective or that my feature works. ## How should this be tested? 1. Verify type checks pass: `yarn type-check:ci --force` 2. Verify existing audit tests still pass: `TZ=UTC yarn test` 3. To fully test impersonation context display: - Have an admin impersonate a user - Perform a booking action (create, cancel, reschedule) - Navigate to the booking's audit logs - Expand the details for the action - Verify "Impersonated By" row appears showing the impersonated user's name - Verify the BookingAudit record has: - `actorId` pointing to the admin's AuditActor - `context` containing `{ actingAsUserUuid: "<impersonated-user-uuid>" }` ## Human Review Checklist - [ ] Verify the `context` field schema design is appropriate for future extensibility - [ ] Confirm the `uuid` addition to User type in next-auth doesn't break existing auth flows - [ ] Check that the optional `context` parameter doesn't break existing queue method callers - [ ] Verify no migration file is needed (or if squashing is handled separately) - [ ] Verify the UI displays "Impersonated By" correctly when impersonation context is present - [ ] Confirm `enrichImpersonationContext` handles edge cases (null context, invalid context, deleted user) ## Checklist - [x] My code follows the style guidelines of this project - [x] I have commented my code, particularly in hard-to-understand areas - [x] I have checked if my changes generate no new warnings * perf: improve cal video webhook (#26495) * perf: improve cal video webhook * save format * refactor: use errorMs * chore: change API codeowner to Foundation (#26504) * chore(auth): add error logging for saml-idp silent failures (#26484) * chore(auth): add error logging for saml-idp silent failures * chore(auth): add warn-level logging for saml-idp silent failures * chore(auth): change 'No user found' log to warn level * chore(auth): add warn-level logging for silent auth failures - saml-idp authorize: credentials, code, token, userInfo, user lookup - callbacks:signIn: account type, email, name, catch-all - callbacks:jwt: unknown account type (info → warn) - saml:profile: missing email from IdP - getServerSession: user not found for valid token * feat(api): add team event-types webhooks controller (#26449) * feat(api): add team event-types webhooks controller - Add TeamsEventTypesWebhooksController for managing webhooks on team event types - Add IsTeamEventTypeWebhookGuard for authorization - Add TeamEventTypeWebhooksService for business logic - Register new controller in TeamsEventTypesModule - Enable unsafeParameterDecoratorsEnabled in biome.json for NestJS support Co-Authored-By: [email protected] <[email protected]> * test(api): add e2e tests for team event-types webhooks controller Co-Authored-By: [email protected] <[email protected]> * fix(api): restrict team event-type webhooks to admins/owners only Co-Authored-By: [email protected] <[email protected]> * fix(api): use regular imports instead of type imports for DI and DTOs Co-Authored-By: [email protected] <[email protected]> * fix(api): use regular imports for DI in guard file Co-Authored-By: [email protected] <[email protected]> * fix: circular depndency in modules * delete teams in test * fix roles guard * fix biome * fix guard * resolve type import * resolve review feedback --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * chore: remove Mintlify AI chat from CMD+K widget (#26485) * chore: remove Mintlify AI chat from CMD+K widget - Remove MintlifyChat component and related state from Kbar.tsx - Delete packages/features/mintlify-chat directory (MintlifyChat.tsx, util.ts) - Delete apps/web/app/api/mintlify-chat API routes and tests - Delete packages/lib/server/mintlifyChatValidation.ts - Remove Mintlify-related env vars from .env.example and turbo.json - Refactor Kbar.tsx to fix lint issues (explicit types, exports at end) Co-Authored-By: [email protected] <[email protected]> * fix: use ReactNode import instead of JSX from react The JSX type is not exported from 'react' module. Use the global JSX.Element type (available in React projects) and import ReactNode for the children prop type. Co-Authored-By: [email protected] <[email protected]> * feat: add all event-types and upcoming bookings to KBar - Increase event types limit from 10 to 100 to show more event types - Add useUpcomingBookingsAction hook to fetch and display upcoming bookings - Bookings show title, date, and time in KBar search results - Navigate to booking details page when selecting a booking Co-Authored-By: [email protected] <[email protected]> * Revert "feat: add all event-types and upcoming bookings to KBar" This reverts commit 69d03397e3820e45e7207eb55b38117d269eae5e. --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * feat: update translations via @LingoDotDev (#26497) Co-authored-by: Lingo.dev <[email protected]> * feat: implement FeatureOptInService (#25805) * feat: implement FeatureOptInService WIP * clean up * feat: consolidate feature repositories and add updateFeatureForUser - Implement updateFeatureForUser in FeaturesRepository (similar to updateFeatureForTeam) - Move getUserFeatureState and getTeamFeatureState from PrismaFeatureOptInRepository to FeaturesRepository - Update FeatureOptInService to use only FeaturesRepository - Add setUserFeatureState and setTeamFeatureState methods to FeatureOptInService - Update _router.ts to remove PrismaFeatureOptInRepository usage - Remove PrismaFeatureOptInRepository.ts and FeatureOptInRepositoryInterface.ts - Update features.repository.interface.ts and features.repository.mock.ts - Add integration tests for updateFeatureForUser, getUserFeatureState, getTeamFeatureState - Update service.integration-test.ts to use FeaturesRepository Co-Authored-By: [email protected] <[email protected]> * refactor: rename updateFeatureForUser to setUserFeatureState Rename to match the convention used for setTeamFeatureState Co-Authored-By: [email protected] <[email protected]> * refactor: return FeatureState type from getUserFeatureState and getTeamFeatureState * fix integration tests * clean up logics * update services and router * refactor: change getUserFeatureState and getTeamFeatureState to accept featureIds array - Renamed getUserFeatureState to getUserFeatureStates - Renamed getTeamFeatureState to getTeamFeatureStates - Changed parameter from featureId: string to featureIds: string[] - Changed return type from FeatureState to Record<string, FeatureState> - Updated FeatureOptInService to use the new batch methods - Added tests for querying multiple features in a single call - Optimized listFeaturesForTeam to fetch all feature states in one query Co-Authored-By: [email protected] <[email protected]> * feat: add getFeatureStateForTeams for batch querying multiple teams - Added getFeatureStateForTeams method to query a single feature across multiple teams in one call - Updated FeatureOptInService.resolveFeatureStateAcrossTeams to use the new batch method - Replaces N+1 queries with a single database query for team states - Added comprehensive integration tests for the new method Co-Authored-By: [email protected] <[email protected]> * refactor: combine org and team state queries into single call - Include orgId in the teamIds array passed to getFeatureStateForTeams - Extract org state and team states from the combined result - Reduces database queries from 3 to 2 in resolveFeatureStateAcrossTeams Co-Authored-By: [email protected] <[email protected]> * refactor: use team.isOrganization and clarify computeEffectiveState comment Co-Authored-By: [email protected] <[email protected]> * refactor: use MembershipRepository.findAllByUserId with isOrganization Co-Authored-By: [email protected] <[email protected]> * feat: add featureId validation using isOptInFeature type guard Co-Authored-By: [email protected] <[email protected]> * less queries * add fallback value * fix type error * move files * add autoOptInFeatures column * use autoOptInFeatures flag within FeatureOptInService * add setUserAutoOptIn and setTeamAutoOptIn * fix computeEffectiveState logic * rewrite computeEffectiveState * clean up integration tests * clean up in afterEach * fix type error * refactor: use FeaturesRepository methods instead of direct Prisma calls Replace all manual userFeatures and teamFeatures Prisma operations with the new setUserFeatureState and setTeamFeatureState repository methods. Changes include: - Admin handlers (assignFeatureToTeam, unassignFeatureFromTeam) - Test fixtures and integration tests - Playwright fixtures - Development scripts This ensures consistent feature flag management through the repository pattern and supports the new tri-state semantics (enabled/disabled/inherit). Co-Authored-By: [email protected] <[email protected]> * clean up * fix the logic * extract some logic into applyAutoOptIn() * remove wrong code * refactor: convert setUserFeatureState and setTeamFeatureState to object params with discriminated union - Convert multiple positional parameters to single object parameter - Use discriminated union types: assignedBy required for enabled/disabled, omitted for inherit - Update all callers across repository, service, handlers, fixtures, and tests * fix type error * use Promise.all * fix --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * feat: add organization banner to user profile page (#26514) Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * feat: Hubspot write to meeting object (#26039) * feat: Hubspot write to meeting object * fix: translate hardcoded strings and remove debug console.log Co-Authored-By: [email protected] <[email protected]> * refactor * fix: improve static value detection for placeholder replacement - Changed condition from startsWith/endsWith to includes('{') to properly detect embedded placeholders - Strings like 'Hello {name}!' are now correctly processed for placeholder replacement - Pure placeholder tokens that can't be resolved return null - Partially resolved values are returned as-is Co-Authored-By: [email protected] <[email protected]> * refactor: split WriteToObjectSettings into types and utils files - Extract interfaces, enums, and type definitions to WriteToObjectSettings.types.ts - Extract constants and utility functions to WriteToObjectSettings.utils.ts - Update main component to use the new utility functions - Improves code organization and maintainability Co-Authored-By: [email protected] <[email protected]> * revert: restore original static value detection logic Per user request - the startsWith/endsWith check was intentional Co-Authored-By: [email protected] <[email protected]> * test: add unit tests for HubSpot CRM service Tests cover: - ensureFieldsExistOnMeeting: field validation against HubSpot properties - getTextValueFromBookingTracking: UTM parameter extraction - getTextValueFromBookingResponse: placeholder replacement - getDateFieldValue: date field resolution for different date types - getFieldValue: main field value resolution for all field types - generateWriteToMeetingBody: write-to-meeting body generation - getContacts: contact search functionality Co-Authored-By: [email protected] <[email protected]> * fix: correct type errors in HubSpot CRM service tests - Import WhenToWrite enum from crm-enums - Replace string literals with WhenToWrite.EVERY_BOOKING enum values - Add missing whenToWrite property to field config objects Co-Authored-By: [email protected] <[email protected]> * fix: use type casting for intentional type errors in tests - Cast numeric fieldValue to string for testing non-string handling - Cast invalid field type string to CrmFieldType for testing unsupported types Co-Authored-By: [email protected] <[email protected]> * fix: prevent unhandled promise rejections in HubSpot CRM tests - Re-apply mockGetAppKeysFromSlug implementation in beforeEach to ensure mock is always set correctly after clearAllMocks - Change vi.resetAllMocks() to vi.clearAllMocks() to preserve mock implementations between tests - Add explicit types to satisfy biome lint rules - This fixes the 'Cannot read properties of undefined (reading client_id)' errors that were causing CI to fail with exit code 1 Co-Authored-By: [email protected] <[email protected]> * refactor: convert HubSpot tests to black-box testing through public methods Co-Authored-By: [email protected] <[email protected]> * fix: properly type mock CalendarEvent in HubSpot tests Co-Authored-By: [email protected] <[email protected]> * fix: properly type TFunction in mock CalendarEvent Co-Authored-By: [email protected] <[email protected]> * chore: graceful owner fail test * refactor * fix: type check * fix: remove null fields * Update packages/app-store/hubspot/lib/CrmService.ts Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com> --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com> * docs: add DTO location and naming conventions to knowledge base (#26478) * docs: add DTO location and naming conventions to knowledge base Co-Authored-By: [email protected] <[email protected]> * docs: clarify DTO location rules for new features vs refactored code Co-Authored-By: [email protected] <[email protected]> * docs: simplify DTO location - all DTOs go in packages/lib/dto/ Co-Authored-By: [email protected] <[email protected]> --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * refactor: convert PrismaAttributeToUserRepository to accept Prisma as dependency (#26515) * refactor: convert PrismaAttributeToUserRepository to accept Prisma as dependency Co-Authored-By: [email protected] <[email protected]> * fix: use Prisma types from generated client instead of custom types Co-Authored-By: [email protected] <[email protected]> --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * fix: handle existing users on invite token flow (#26217) * fix(auth): validate user before signup with invite token Validate if user already exists before creating account when signing up with team or organization invite tokens. Existing users are redirected to login to accept the invitation. - Add user existence check in signup handlers - Return 409 for existing users with redirect to login - Extract signup fetch logic to dedicated module - Add e2e test coverage * fix(auth): address code review feedback - Fix fetchSignup tests to use vi.spyOn for proper mock restoration - Add content-type validation before parsing JSON response - Guard against undefined error in Stripe callback - Use t() for localized error message - Fix race condition in handlers by catching P2002 on create * fix(auth): address additional code review feedback - Add INVALID_SERVER_RESPONSE constant to follow established pattern - Check error.meta.target includes email before returning USER_ALREADY_EXISTS to avoid false positives from other unique constraint violations - Add select: { id: true } to user.create calls since downstream functions only need the user id * test: add unit tests for P2002 handling in signup handlers - Add shared test suite covering all P2002 edge cases - Ensure 409 only for email constraint violations - Fix non-token paths to use atomic create + catch pattern * fix: update error message copy per review feedback * fix(auth): address code review feedback and prevent orphan Stripe customers - Add user existence check before Stripe customer creation (token flow) - Add select clause to user.create for consistency - Fix showToast argument order (pre-existing bug) - Use toHaveURL instead of waitForURL in E2E tests * fix(auth): resolve 500 errors by fixing Prisma error detection across module boundaries The instanceof check for PrismaClientKnownRequestError fails when different Prisma client instances are loaded. Added fallback check by constructor name * fix(auth): validate invitedTo before upsert on team invite signup * test(auth): update P2002 tests for new invite flow P2002 tests now use non-token flow since token flow uses upsert Added tests for invitedTo validation on invite signup * fix(auth): add guards and P2002 handling per review feedback - Guard existingUser check with if (foundToken?.teamId) - Guard username check with if (username) for premium flow - Add `select` clause to findFirst/findUnique queries - Add try-catch on upsert for race condition P2002 errors * fix(auth): narrow P2002 handling to email/username targets * chore: release v6.0.8 * fix: Support 10-digit phone numbers for Ivory Coast (+225) (#26465) * fix: update ivory coast mask to 10 digits * update formating for Benin numbers --------- Co-authored-by: Dhairyashil Shinde <[email protected]> Co-authored-by: Dhairyashil <[email protected]> * fix(ci): use env vars for input interpolation in workflow run steps (#26520) Co-authored-by: Alex van Andel <[email protected]> * refactor: use structured logger in video adapters (#26285) - Remove debug console.log/console.error statements - Add logger.debug for observability (meeting lifecycle events) - Add logger.error with safe error pattern (message + name only) - Fix error messages to avoid exposing response details - Remove redundant try/catch blocks (errors propagate naturally) * fix: validate owner email on platform org creation (#26286) Remove isPlatform bypass from owner verification to ensure users can only create organizations where they are the designated owner. Add test coverage for create and intentToCreateOrg handlers: - Regression tests for isPlatform bypass fix - Happy path for admin creating org for another user * perf: batch booking queries in output service (#25900) Replace N sequential queries with single batch queries in: - getOutputRecurringBookings - getOutputRecurringSeatedBookings Uses existing batch repository methods. Reduces database roundtrips from O(n) to O(1) for recurring booking lookups Co-authored-by: Morgan <[email protected]> * Make booking-audit integration test utils reusable (#26526) * fix: generate compliant passwords using meeting_password_requirement (#26148) * fix(zoomvideo): generate compliant passwords using meeting_password_requirement - Add meetingPasswordRequirementSchema to parse Zoom's password policy settings - Implement validatePasswordAgainstRequirements() to check if a password meets the policy - Implement generateCompliantPassword() to create passwords that comply with the policy - Update translateEvent() to use getCompliantPassword() which validates the default password or generates a new compliant one based on meeting_password_requirement - Add meeting_password_requirement to the settings API filter - Improve error handling for non-JSON responses in OAuthManager (XML validation errors) This fixes the frequent 'Error in JSON parsing Zoom API response' errors caused by Zoom returning XML validation errors when the password doesn't comply with the account's password policy (e.g., numeric-only requirement). Co-Authored-By: [email protected] <[email protected]> * refactor: use cleaner single-pass consecutive character check - Replace nested-loop O(n*k) implementation with single-pass O(n) helper - Add proper guard for consecutiveLength < 4 (Zoom allows 0, 4-8) - Move consecutive check before only_allow_numeric to apply it for all cases - Fix edge-case bug where consecutiveLength 1-3 could incorrectly reject passwords Co-Authored-By: [email protected] <[email protected]> * Optimize OAuth response handling Refactor OAuth response validation to read body only once. * Improve error handling in Zoom API response parsing Refactor error handling for Zoom API response parsing to improve logging and clarity. * Improve compliant password generation logic Enhance password generation to avoid consecutive characters when numeric only is required. * Remove password requirement handling from VideoApiAdapter Removed meeting password requirement schema and related functions for password validation and generation. --------- Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> * refactor: Clean up the /tests in the root (#26525) * refactor: Delete mockTRPCContext and mockData, and relocate mockStripeSubscription to stripe mock. * chore: Delete unused Stripe, video client, and reminder scheduler mock files. * feat(companion): UI Enhancements for Android and Extension (#26434) * feat: companion-android-ui-upgrade version 1 * recurrings and unconfirmed booking filter and page implementation * add badge and links to event type list page * address cubics comments * feat(companion): unify dropdown menu for Android and extension (#26486) * feat(companion): unify dropdown menu for Android and extension - Merge Android-specific dropdown implementations into base component files - EventTypeListItem: Add DropdownMenu with Preview, Copy link, Edit, Duplicate, Delete actions - BookingListItem: Add DropdownMenu with booking actions (reschedule, edit location, add guests, etc.) - RecurringBookingListItem: Add DropdownMenu with recurring booking actions - AvailabilityListItem: Add DropdownMenu with Set as Default, Duplicate, Delete actions - BookingDetailScreen: Add DropdownMenu in header for Android with AlertDialog for cancel confirmation - Delete all .android.tsx files as implementations are now unified * fix(companion): fix typecheck errors after dropdown unification - Remove unused props from EventTypeListItem.ios.tsx (copiedEventTypeId, handleEventTypeLongPress) - Remove unused onActionsPress prop from BookingListItem.ios.tsx - Remove copiedEventTypeId and handleEventTypeLongPress props from index.ios.tsx and index.tsx - Remove onLongPress and onActionsPress props from BookingListScreen.tsx - Remove handleScheduleLongPress, setSelectedSchedule, setShowActionsModal props from AvailabilityListScreen.tsx - Fix BookingDetailScreen.tsx to use correct action property names (reschedule.visible instead of canReschedule, etc.) * fix(companion): remove unused code after dropdown unification - Remove unused handleEventTypeLongPress function and ActionSheetIOS import from index.ios.tsx - Remove unused copiedEventTypeId state, handleEventTypeLongPress function, and ActionSheetIOS import from index.tsx - Prefix unused setSelectedBooking with underscore in BookingListScreen.tsx - Remove unused handleScheduleLongPress function and ActionSheetIOS import from AvailabilityListScreen.tsx * feat(companion): unify booking filter UI for Android and extension - Remove SegmentedControl from web/extension booking list page - Use Header dropdown for booking status filter on both Android and web - Use unified event type filter dropdown for both platforms - Remove unused showFilterModal state and related code - Pass filterOptions, activeFilter, and onFilterChange to Header for all platforms * fix(companion): add header padding for web/extension to prevent button clipping - Add headerLeftContainerStyle and headerRightContainerStyle with 12px padding for web platform - Applied to root Stack and all nested tab Stack layouts - Fixes issue where header buttons were touching edges and getting chopped off on extension/web - Android remains unaffected as the fix is web-only * fix(companion): add HeaderButtonWrapper for web-only header padding - Create HeaderButtonWrapper component that adds 12px margin on web only - Wrap all header buttons with HeaderButtonWrapper to prevent clipping - Revert invalid screenOptions changes that caused typecheck errors - Apply fix to all screens with native header buttons: - reschedule.tsx, edit-location.tsx, add-guests.tsx - mark-no-show.tsx, view-recordings.tsx, meeting-session-details.tsx - event-type-detail.tsx, BookingDetailScreen.tsx, profile-sheet.tsx - edit-availability-day.tsx, edit-availability-name.tsx, edit-availability-override.tsx * update more ui-ux * address cubics comments * address cubics comments & open event type list page first for inttial render of app * chore: Integrate booking cancellation audit (#26458) ## What does this PR do? > **⚠️ Note: This PR does not enable booking audit in production.** The `BookingAuditTaskerProducerService` has an [`IS_PRODUCTION` guard](https://github.com/calcom/cal.com/blob/integrate-booking-creation-reschedule-audit/packages/features/booking-audit/lib/service/BookingAuditTaskerProducerService.ts#L106-L108) that skips audit task queueing in production environments. This allows the integration to be tested in development before enabling it in production. Integrates audit logging for booking cancellations, following the pattern established in PR #26046 for booking creation/rescheduling audit. - Related to #25125 (Booking Audit Infrastructure) ### Changes: - Add audit logging for single booking cancellation via `onBookingCancelled` - Add audit logging for bulk recurring booking cancellation via `onBulkBookingsCancelled` - Pass `userUuid` and `actionSource` from webapp cancel route (WEBAPP) - Pass `userUuid` and `actionSource` from API-v2 bookings service (API_V2) - Create `getAuditActor` helper to derive actor from userUuid or create synthetic guest actor - Add `getUniqueIdentifier` helper for generating unique actor identifiers - Add warning log when `actionSource` is "UNKNOWN" for observability - Add integration tests for booking cancellation audit ### Audit Data Captured: - `cancellationReason` (simple string value) - `cancelledBy` (simple string value) - `status` (old → new, e.g., "ACCEPTED" → "CANCELLED") ### Updates since last revision: - Simplified `CancelledAuditActionService` schema: `cancellationReason` and `cancelledBy` are now stored as simple nullable strings instead of change objects (old/new), since cancellation is a one-time event where tracking previous values doesn't apply - Added integration tests for cancelled booking audit in `booking-audit-cancelled.integration-test.ts` - Added `getUniqueIdentifier` helper function in actor.ts for generating unique identifiers with prefixes ## Mandatory Tasks (DO NOT REMOVE) - [x] I have self-reviewed the code (A decent size PR without self-review might be rejected). - [x] I have updated the developer docs in /docs if this PR makes changes that would require a [documentation change](https://cal.com/docs). N/A - no documentation changes needed. - [ ] I confirm automated tests are in place that prove my fix is effective or that my feature works. ## How should this be tested? 1. Cancel a single booking via the webapp - verify audit record is created with actor and actionSource="WEBAPP" 2. Cancel a single booking via API v2 - verify audit record is created with actionSource="API_V2" 3. Cancel all remaining bookings in a recurring series - verify bulk audit records are created with shared operationId 4. Cancel via unauthenticated cancel link - verify guest actor is created with synthetic email (prefixed with "param-" or "fallback-") 5. Run integration tests: `yarn test packages/features/booking-audit/lib/service/__tests__/booking-audit-cancelled.integration-test.ts` ## Human Review Checklist - [ ] Verify `onBookingCancelled` and `onBulkBookingsCancelled` methods exist in `BookingEventHandlerService` - [ ] Review the `getAuditActor` fallback logic - creates synthetic email with "fallback-" or "param-" prefix when no userUuid available - [ ] Confirm the simplified schema for `cancellationReason`/`cancelledBy` (no longer tracking old→new) is intentional - [ ] Note: Audit logging calls are awaited directly - if audit service fails, the cancellation will fail. Confirm this is the desired behavior. - [ ] Verify `CancelledAuditDisplayData` type no longer includes `previousReason` and `previousCancelledBy` fields --- Link to Devin run: https://app.devin.ai/sessions/42404e76a66946fe9e46fa07fb12e779 Requested by: @hariombalhara ([email protected]) * feat: OAuth2 controller api v2 + refactor oAuth Trpc handlers (#25989) * feat(api-v2): add OAuth2 controller skeleton for auth module - Add new OAuth2 module under /auth with controller, service, repository, and DTOs - Implement skeleton endpoints: - GET /v2/auth/oauth2/clients/:clientId - Get OAuth client info - POST /v2/auth/oauth2/clients/:clientId/authorize - Generate authorization code - POST /v2/auth/oauth2/clients/:clientId/exchange - Exchange code for tokens - POST /v2/auth/oauth2/clients/:clientId/refresh - Refresh access token - Create input DTOs for authorize, exchange, and refresh operations - Create output DTOs for client info, authorization code, and tokens - Register OAuth2Module in endpoints.module.ts Co-Authored-By: [email protected] <[email protected]> * chore: add missing functions to platform libraries * feat(api-v2): integrate OAuthService from platform-libraries into OAuth2 controller - Add OAuthService export to platform-libraries - Refactor OAuth2Service to use OAuthService.validateClient() and OAuthService.verifyPKCE() - Remove duplicate local implementations of validateClient and verifyPKCE methods Co-Authored-By: [email protected] <[email protected]> * feat(api-v2): use local validateClient and verifyPKCE implementations - Remove OAuthService export from platform-libraries (will be deprecated) - Reimplement validateClient and verifyPKCE methods locally in OAuth2Service - Use verifyCodeChallenge and generateSecret from platform-libraries directly Co-Authored-By: [email protected] <[email protected]> * refactor(api-v2): separate repositories for OAuth2, access codes, and teams - Create AccessCodeRepository for access code Prisma operations - Add findTeamBySlugWithAdminRole method to TeamsRepository - Move generateAuthorizationCode, createTokens, verifyRefreshToken to OAuth2Service - Update OAuth2Repository to only contain OAuth client operations - Update OAuth2Module to import TeamsModule and provide AccessCodeRepository Addresses PR review comments to properly separate concerns Co-Authored-By: [email protected] <[email protected]> * feat(api-v2): implement JWT token creation and verification for OAuth2 - Implement createTokens method using jsonwebtoken to sign access and refresh tokens - Implement verifyRefreshToken method to verify JWT refresh tokens - Add ConfigService injection for CALENDSO_ENCRYPTION_KEY access - Import ConfigModule in OAuth2Module for dependency injection Based on logic from apps/web/app/api/auth/oauth/token/route.ts and apps/web/app/api/auth/oauth/refreshToken/route.ts Co-Authored-By: [email protected] <[email protected]> * fix: refactor and dayjs import fix * feat(api-v2): add ApiAuthGuard to getClient endpoint and e2e tests for OAuth2 - Add @UseGuards(ApiAuthGuard) to getClient endpoint for authentication - Add comprehensive e2e tests for all OAuth2 endpoints: - GET /v2/auth/oauth2/clients/:clientId - POST /v2/auth/oauth2/clients/:clientId/authorize - POST /v2/auth/oauth2/clients/:clientId/exchange - POST /v2/auth/oauth2/clients/:clientId/refresh - Tests cover happy paths and error cases (invalid client, invalid code, etc.) Co-Authored-By: [email protected] <[email protected]> * chore(api-v2): hide OAuth2 endpoints from Swagger documentation Co-Authored-By: [email protected] <[email protected]> * hide endpoints from doc * fix(api-v2): address PR feedback for OAuth2 controller - Fix P0 critical bug: token_type field name mismatch in DecodedRefreshToken interface - Add @Equals('authorization_code') validation to exchange.input.ts grantType - Add @Equals('refresh_token') validation to refresh.input.ts grantType - Add @IsNotEmpty() validation to get-client.input.ts clientId - Add @Expose() decorators to all output DTOs for proper serialization - Add security test assertion to verify clientSecret is not returned in response Co-Authored-By: [email protected] <[email protected]> * feat(api-v2): implement redirect behavior for OAuth2 authorize endpoint - Update authorize endpoint to return HTTP 303 redirect with authorization code - Add exact match validation for redirect URI (security requirement) - Implement error handling with redirect to redirect URI and error query params - Add state parameter support for CSRF protection - Update e2e tests to verify redirect behavior (303 status, Location header, error redirects) Co-Authored-By: [email protected] <[email protected]> * refactor(api-v2): address PR feedback for OAuth2 authorize endpoint - Make redirectUri a required input parameter (remove optional fallback) - Move buildRedirectUrl and mapErrorToOAuthError to oauth2Service - Add return statements to res.redirect() calls - Simplify controller by delegating redirect URL building to service Co-Authored-By: [email protected] <[email protected]> * wip move code outside of api v2 * feat(oauth): wire up dependency injection for OAuthService and repositories Co-Authored-By: [email protected] <[email protected]> * refactor: oAuthService used in routes * fix imports * fix(api-v2): return 404 for invalid client ID instead of redirect in authorize endpoint Co-Authored-By: [email protected] <[email protected]> * fix(api-v2): fix E2E test URL paths and remove bootstrap() in authenticated section - Remove bootstrap() call in authenticated section to match working test pattern - Change URL paths from /api/v2/... to /v2/... in authenticated section - Keep bootstrap() and /api/v2/... paths in unauthenticated section Co-Authored-By: [email protected] <[email protected]> * fix(api-v2): mock getToken from next-auth/jwt for E2E tests - Add jest.mock for next-auth/jwt getToken function - Mock returns null for unauthenticated tests - Mock returns { email: userEmail } for authenticated tests - Remove withNextAuth helper since ApiAuthGuard uses ApiAuthStrategy which calls getToken directly, not NextAuthStrategy Co-Authored-By: [email protected] <[email protected]> * fix tests and code review * cleanup generate secrets * cleanup controller * chore: remove console.log from OAuthService.validateClient Co-Authored-By: [email protected] <[email protected]> * Update apps/web/app/api/auth/oauth/refreshToken/route.ts Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com> * fix(api-v2): add bootstrap() to authenticated E2E tests and update URL paths to /api/v2/ Co-Authored-By: [email protected] <[email protected]> * Merge remote-tracking branch 'origin/devin/oauth2-controller-skeleton-1765988792' and remove console.log from token route Co-Authored-By: [email protected] <[email protected]> * chore: remove dead code * refactor * refactor: generateAuthCode trpc handler and getClient trpc handler * remove pkce check for refreshToken endpoint * Update packages/trpc/server/routers/viewer/oAuth/getClient.handler.ts Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com> * refactor: error handling * refactor: error handling * refactor: error handling * remove console log * provide redirectUri in generateAuthCodeHandler * provide redirectUri in authorize view * refactor: replace HttpError with ErrorWithCode in OAuth files - Update OAuthService to use ErrorWithCode instead of HttpError - Update mapErrorToOAuthError to check ErrorCode instead of status codes - Update token/route.ts and refreshToken/route.ts to use ErrorWithCode - Add ErrorWithCode export to platform-libraries - Use getHttpStatusCode to map ErrorCode to HTTP status codes Co-Authored-By: [email protected] <[email protected]> * fix: update generateAuthCode handler to use ErrorWithCode instead of HttpError The handler was still checking for HttpError in its catch block, but OAuthService now throws ErrorWithCode. This caused the error messages to be lost and replaced with 'server_error' instead of the specific error messages. Co-Authored-By: [email protected] <[email protected]> * fix: update OAuth2 controller to use ErrorWithCode instead of HttpError The controller was still checking for HttpError in its catch blocks, but OAuthService now throws ErrorWithCode. This caused all errors to return 500 Internal Server Error instead of the correct HTTP status codes (400, 401, 404). Also added getHttpStatusCode export to platform-libraries. Co-Authored-By: [email protected] <[email protected]> * fix: add explicit unknown type annotation to catch blocks in OAuth2 controller Co-Authored-By: [email protected] <[email protected]> * fix: change NotFoundException to HttpException in authorize endpoint Co-Authored-By: [email protected] <[email protected]> * fix: handle err with ErrorWithCode in authorize endpoint catch block Co-Authored-By: [email protected] <[email protected]> * fix: move errorWithCode * fix: error code rfc * fix: no need to handle errors there is a middleware * refactor errors * refactor errors * refactor redirecturi and state from api * refactor: address PR comments for OAuth2 controller - Remove unused GetOAuth2ClientInput class - Change API tag from 'Auth / OAuth2' to 'OAuth2' - Move OAuthClientFixture to separ…
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Optimized the Incomplete Booking Salesforce integration form for mobile devices.
Changes
Visual Demo
Image Demo (if applicable):
Mandatory Tasks (DO NOT REMOVE)
How should this be tested?