345 Commits

Author SHA1 Message Date
Zachariah K. Sharma 8a941061a4 docs: plan vynte scheduler replacement 2026-06-14 11:05:33 -06:00
Zachariah K. Sharma 4982d80306 docs: design vynte scheduler replacement 2026-06-14 10:57:31 -06:00
Zachariah K. Sharma f9ef20ce74 Plan self-hosted team scheduling implementation 2026-06-07 01:38:28 -06:00
Zachariah K. Sharma 084c0d6ee0 Document self-hosted team scheduling design 2026-06-07 01:33:21 -06:00
Benny Joo ab21c7f805 refactor: Cal.diy (#28903)
* feat: Cal.diy — community-driven MIT-licensed fork of Cal.com

This squashed commit contains all Cal.diy changes applied on top of calcom/cal.com main:

- Rebrand Cal.com to Cal.diy across the entire codebase
- Remove Enterprise Edition (EE) features, license checks, and AGPL restrictions
- Switch license from AGPL-3.0 to MIT
- Remove docs/ directory (migrated to Nextra at cal.diy)
- Remove dead code: org tests, EE tips, platform nav, premium username, SAML/SSO, etc.
- Clean up .env.example for self-hosted Cal.diy
- Update Docker image references to calcom/cal.diy
- Update README, CONTRIBUTING.md, and issue templates for Cal.diy community fork
- Add PR welcome bot for Cal.diy contributors
- Fix API v2 breaking changes oasdiff ignore entries
- Replace Blacksmith CI runners with default GitHub Actions

3893 files changed, 20789 insertions(+), 411020 deletions(-)

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* refactor: remove org-specific /organizations/:orgId endpoints from API v2 atoms controllers (#1701)

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

* fix: revert Cal.diy Inc to Cal.com, Inc. in license files, copyright notices, and package metadata (#1702)

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

* rip out org related comments in api v2

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2026-04-15 09:52:36 -03:00
Akash Santra d08f4a0215 docs: fix grammar, formatting and clarity issues in docs (#28832) 2026-04-11 05:38:16 +00:00
Romit facc0745d3 fix(docs): correct self-hosting troubleshooting guide based on codebase verification (#28756)
* docs: add self-hosting troubleshooting guide

Add a dedicated troubleshooting page (docs/self-hosting/troubleshooting.mdx)
covering the most common self-hosting issues:

- 500 error during onboarding caused by missing STRIPE_PRIVATE_KEY (#25993)
- Redirect to localhost after deployment (NEXTAUTH_URL / NEXT_PUBLIC_WEBAPP_URL) (#21921)
- API v2 service not starting in Docker (missing REDIS_URL, JWT_SECRET, WEB_APP_URL)
- CLIENT_FETCH_ERROR in Docker logs
- SSL issues behind a reverse proxy
- Prisma user creation failure on first setup

Also adds the new page to the "Getting Started" navigation group in docs/docs.json.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* fix(docs): provide safer SSL troubleshooting alternatives

Replace the blanket NODE_TLS_REJECT_UNAUTHORIZED=0 recommendation
with three options in order of preference:
1. Use HTTP internally with proper header forwarding
2. Add internal CA to NODE_EXTRA_CA_CERTS
3. Disable TLS verification (last resort with security warning)

The previous guidance could expose users to MITM attacks on all
external API calls (Stripe, Google, etc.).

* fix(docs): correct NEXTAUTH_URL guidance to prevent OAuth breakage

The previous guidance recommended setting NEXTAUTH_URL to localhost
for SSL/DNS issues, which breaks OAuth callbacks since external
providers would redirect to localhost instead of the public domain.

- Replace localhost workaround with extra_hosts in docker-compose
- Add nginx proxy header configuration example
- Add warnings explaining why localhost breaks OAuth

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(docs): correct troubleshooting guide based on codebase verification

- Stripe section: Rewrite to accurately reflect current behavior (app
  gracefully handles missing keys by marking Stripe as 'not installed'
  rather than crashing). Clarify that NEXT_PUBLIC_STRIPE_PUBLIC_KEY
  belongs in .env.appStore.
- API v2 section: Add missing required vars (STRIPE_API_KEY,
  STRIPE_WEBHOOK_SECRET, NEXTAUTH_SECRET) that crash the service if
  absent. Move WEB_APP_URL to optional (it has a fallback default).
- CLIENT_FETCH_ERROR section: Add caveat about HTTPS URLs failing
  with the extra_hosts approach when app listens on port 3000.
- Vercel note: Clarify that NEXTAUTH_URL is auto-inferred via
  VERCEL_URL, not just 'left empty'.
- Database section: Replace unverifiable metadata/id advice with
  actionable migration and setup guidance matching actual code in
  apps/web/app/api/auth/setup/route.ts.

Co-Authored-By: romitgabani1 <romitgabani1.work@gmail.com>

* docs: fix inaccuracies in self-hosting troubleshooting guide

- Add missing CALENDSO_ENCRYPTION_KEY to API v2 required variables
- Fix setup endpoint path from /api/auth/setup to /auth/setup
- Add note about NEXTAUTH_URL auto-derivation from NEXT_PUBLIC_WEBAPP_URL

* fix(docs): correct NEXTAUTH_URL derivation mechanism description

NextAuth infers the base URL from the request's Host header when
NEXTAUTH_URL is not set, not from NEXT_PUBLIC_WEBAPP_URL directly.

Co-Authored-By: romitgabani1 <romitgabani1.work@gmail.com>

---------

Co-authored-by: shockzM1 <shockz@dsn.so>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2026-04-06 18:08:46 +05:30
Sahitya Chandra 72acf09ff2 feat(unified-cal): connection-based unified calendar API with CRUD, freebusy, and list connections (#28387)
* feat(unified-cal): connection-based unified calendar API with CRUD, freebusy, and list connections

- New GET /v2/calendars/connections endpoint returning all calendar connections with connectionId
- Connection-scoped CRUD: GET/POST/PATCH/DELETE /v2/calendars/connections/{connectionId}/events/*
- Connection-scoped free/busy: GET /v2/calendars/connections/{connectionId}/freebusy
- Legacy calendar-type endpoints: GET/POST/DELETE /v2/calendars/{calendar}/events, GET /{calendar}/freebusy
- Backward compat: dual @Patch decorators for singular /event/ (deprecated) and plural /events/
- ConnectedCalendarEntry interface to eliminate inline type annotations
- DRY service layer with shared private helpers (listEventsWithClient, createEventWithClient, etc.)
- Input validation: @IsDefined() on start/end, @IsTimeZone() on timezone fields, cross-field to >= from validation
- All-day event support: Google Calendar date-only events converted to midnight UTC
- New findCredentialByIdAndUserId method in CredentialsRepository for connection-scoped lookups

* style: apply biome formatting to unified calendar API files

* fix: use @IsTimeZone() validator for timeZone field in CreateEventDateTimeWithZone

* fix: add delegation auth support, extract freebusy service layer

- Comment 3: getCalendarClientForUser and getCalendarClientByCredentialId now
  use getAuthorizedCalendarInstance with delegated-auth fallback instead of
  requiring credential.key directly. Added findCredentialWithDelegationByTypeAndUserId
  and expanded findCredentialByIdAndUserId to include delegationCredentialId.

- Comment 5: Extracted freebusy and connections logic from controller into
  UnifiedCalendarsFreebusyService, keeping the controller thin (HTTP-only).
  Moved ConnectedCalendarEntry type and INTEGRATION_TYPE_TO_API mapping into
  the service layer.

- Biome auto-formatting applied to touched files.

* test: add unit and integration tests for unified calendar API

- GoogleCalendarService: 30 tests covering delegation auth, client creation, CRUD
- UnifiedCalendarsFreebusyService: 21 tests covering connections, busy times, filtering
- CalUnifiedCalendarsController: 31 tests covering all endpoints (connection-scoped + legacy)
- Pipe specs: 37 existing tests continue to pass

Total: 98 tests across 5 suites

* fix: address Devin Review feedback - fix JSDoc and validator pattern

- Fix incorrect JSDoc on listEventsForUser (all-day events ARE included, not skipped)
- Fix IsAfterFrom validator to return false instead of throwing BadRequestException
  (preserves standard ValidationPipe error format)

* fix: revert IsAfterFrom to throw BadRequestException per team convention

Cubic AI (confidence 9/10, team feedback): validators should throw
BadRequestException to preserve the API's standard bad-request response
structure, per team convention.

* fix: add calendarId query param to createConnectionEvent for API consistency

All other connection-scoped endpoints accept calendarId; this was the
only one hardcoding 'primary'. Added @ApiQuery decorator and @Query
parameter with ?? 'primary' fallback, plus a test for custom calendarId.

* Update apps/api/v2/src/modules/cal-unified-calendars/controllers/cal-unified-calendars.controller.ts

Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>

* Revert "Update apps/api/v2/src/modules/cal-unified-calendars/controllers/cal-unified-calendars.controller.ts"

This reverts commit e18e4621eff46d8ec49e4d03230783ce50b0c0e4.

* feat: enhance calendar service with connection-specific methods and improve API documentation

* test: complete delegation auth tests, document virtual mocks, fix key leak tests

- Item 3: Add 7 comprehensive delegation auth integration tests covering
  JWT creation params, email cleaning, fallback scenarios, and error handling
- Item 7: Document why virtual mocks are necessary in all test files
  (workspace packages with DB dependencies cannot resolve in Jest)
- Cubic #1: Document getCalendarsForConnection caching and upstream limitation
- Cubic #2+#3: Make credential key leak tests non-vacuous by including
  actual key fields in mocks and verifying they don't leak
- Remove unused BadRequestException import from freebusy service

* fix: add defense-in-depth key stripping in listConnections controller

Controller now destructures only { connectionId, type, email } from each
connection before returning, so credential.key can never leak even if the
service layer has a future regression. Test updated to verify stripping.

* feat: add unified calendar API endpoints for connections and events management

* fix: add try/catch error handling to CRUD helper methods

Wrap Google Calendar API calls in listEventsWithClient, createEventWithClient,
getEventWithClient, updateEventWithClient, and deleteEventWithClient with
try/catch blocks matching the legacy getEventDetails/updateEventDetails pattern.
This ensures proper NestJS exceptions (NotFoundException, BadRequestException)
are returned instead of raw 500 errors when the Google API throws.

* fix: map Google API errors to correct HTTP status codes

Replace blanket NotFoundException/BadRequestException in CRUD catch blocks
with mapGoogleApiError() that inspects the GaxiosError status code and
returns the appropriate NestJS exception (404→NotFoundException,
401/403→UnauthorizedException, 400→BadRequestException, else→500).

* fix: preserve upstream Google API status codes in error mapping

Separate 403 (ForbiddenException) from 401 (UnauthorizedException) and
add 429 rate-limit handling. This ensures permission-denied and throttling
errors are not misreported to API clients.

* fix: distinguish Google quota/rate-limit 403 from permission 403

Check GaxiosError reason field for rateLimitExceeded, userRateLimitExceeded,
and dailyLimitExceeded before mapping 403 to ForbiddenException. Quota
errors are now correctly mapped to 429 (retriable) instead.

* fix: keep dailyLimitExceeded as 403 (non-retriable quota exhaustion)

dailyLimitExceeded is a daily quota cap, not transient throttling.
Only rateLimitExceeded and userRateLimitExceeded are remapped to 429.

* fix: add missing @ApiQuery decorators for calendarId on get/update/delete endpoints

getConnectionEvent, updateConnectionEvent, and deleteConnectionEvent were
missing @ApiQuery({ name: 'calendarId', required: false }) which caused
OpenAPI spec to incorrectly mark calendarId as required.

* ci: retry flaky vitest worker test

* fix: update calendarId query parameter to be optional in OpenAPI specification

* fix: swap dual decorator order so plural /events/ path appears in OpenAPI spec

NestJS Swagger only picks up the first HTTP method decorator. Swapping
the order ensures the preferred plural path (/events/:eventUid) is
generated in the OpenAPI spec, while the deprecated singular path
(/event/:eventUid) still works at runtime.

* fix: split dual decorators into separate methods so both paths appear in OpenAPI spec

NestJS Swagger only picks up the first HTTP method decorator per handler.
Split getCalendarEventDetails and updateCalendarEvent into separate
methods for the singular /event/ (deprecated) and plural /events/ paths,
each delegating to a shared private helper. Both routes now appear in
the generated OpenAPI spec.

* fix: update openapi.json with split dual-decorator paths for GET/PATCH event endpoints

* fix: mapGoogleApiError - coerce string code to number and read errors from response.data

* fix: mapGoogleApiError - guard against NaN from non-numeric error codes

* fix: use read replica for findCredentialWithDelegationByTypeAndUserId query

* refactor: address review comments - UnifiedCalendarService, ParseConnectionIdPipe, thin controller

- Comment 70 (Ryukemeister): Remove 'what' JSDoc from calendars.service.ts
- Comment 71 (Ryukemeister): Use array syntax for dual paths instead of separate methods
- Comments 73-78 (ThyMinimalDev): Create ParseConnectionIdPipe for connectionId validation
- Comments 79-84 (ThyMinimalDev): Create UnifiedCalendarService with strategy pattern
- Comment 85 (ThyMinimalDev): Move getConnections from freebusy to UnifiedCalendarService
- Controller now only handles HTTP concerns, delegates all logic to UnifiedCalendarService
- Updated all test specs to match refactored architecture

* chore: regenerate openapi.json after controller refactor to array syntax paths

---------

Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
2026-03-18 15:15:53 +05:30
Rajiv Sahal 089a39f59f feat: add integration options for API v2 update booking location endpoint (#26363)
* init: improvements for update location endpoint

* chore: init function to update calendar event

* fix: bad imports

* chore: update calendar event when updating location

* chore: update platform libraries

* fix: update calendar event

* chore: update platform libraries

* chore: cleanup

* feat: add logic for video conferencing integrations

* chore: update platform libraries

* feat: add sms and email notifications

* chore: update e2e tests

* chore: update openapi spec

* chore: implement cubic feedback

* chore: update openapi spec

* fix: add Jest mock for Daily.co video adapter in e2e test

Co-Authored-By: rajiv@cal.com <sahalrajiv6900@gmail.com>

* fix: mock createMeeting directly to bypass database check in e2e test

Co-Authored-By: rajiv@cal.com <sahalrajiv6900@gmail.com>

* chore: implement PR feedback

* chore: implement feedback

* fix: mock throttler guard to prevent rate limiting in e2e tests

Co-Authored-By: rajiv@cal.com <sahalrajiv6900@gmail.com>

* fix: merge conflicts

* chore: update platform libraries

* chore: implement feedback part 1

* chore: implement feedback part 2

* chore: remove unnecessary type casting

* chore: implement cubic feedback

* chore: implement devin feedback

* chore: implement PR feedback

* fix: type error

* chore: update openapi spec

* test: add mocks and tests for Google Meet and Microsoft Teams integration location updates

Co-Authored-By: rajiv@cal.com <sahalrajiv6900@gmail.com>

* refactor: simplify service code - extract shared helpers, remove duplication

Co-Authored-By: rajiv@cal.com <sahalrajiv6900@gmail.com>

* feat: implement fixtures for bookings references

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2026-03-17 15:15:17 +05:30
swalihkolakkadan c8f9085988 fix(docs): correct ListSchedules prop name from getRedirectUrl to getScheduleUrl (#28419)
The documentation referenced `getRedirectUrl` but the actual component
prop is `getScheduleUrl`, causing the callback to silently not fire.
2026-03-14 08:31:59 +00:00
Romit f3f5523f31 fix: add missing OpenAPI ApiParam decorators to API v2 controllers (#28305)
* fix: add missing apiparam decorators

* chore: move api param to class level

* revert oasdiff

* chore

* fix: update oasdiff-err-ignore.txt

* chore
2026-03-10 14:34:21 +05:30
Romit e75614164b fix: corrects routing form response type (#28336)
* fix(docs): corrects routing form response type

* fix: update oasdiff-err-ignore
2026-03-10 14:26:17 +05:30
Romit c8e1b4e66d fix: correct @ApiProperty types in verified resources outputs (#28340)
* fix(docs): corrects output response type for verified resources endpoints

* fix: update oasdiff-err-ignore.txt
2026-03-09 22:09:09 -03:00
Romit d6741a1e2b fix: rename OOO controller file to match NestJS Swagger plugin convention (#28342)
* fix: rename OOO controller file to match NestJS Swagger plugin convention for type generation

* fix: update organization module import

* feat: generate openapi docs
2026-03-09 22:07:58 -03:00
Rajiv Sahal 5a7e783a0a feat: api v2 GET booking attendees endpoint (#27664)
* feat: add booking attendees endpoint to API v2

Co-Authored-By: rajiv@cal.com <sahalrajiv6900@gmail.com>

* feat: add rate limiting to booking attendees endpoint

Co-Authored-By: rajiv@cal.com <sahalrajiv6900@gmail.com>

* refactor: simplify attendees output to id, bookingId, name, email, timeZone

Co-Authored-By: rajiv@cal.com <sahalrajiv6900@gmail.com>

* test: add E2E tests for booking attendees endpoint

Co-Authored-By: rajiv@cal.com <sahalrajiv6900@gmail.com>

* chore: update bookings repository

* fixup: add pbac guards and update service logic

* chore: update openapi spec

* test: add rate limiting E2E test for booking attendees endpoint

Co-Authored-By: rajiv@cal.com <sahalrajiv6900@gmail.com>

* fix: tests

* fix: return 404 instead of 403 for non-existent booking in BookingPbacGuard

The BookingPbacGuard was returning 403 (Forbidden) for non-existent bookings
because doesUserIdHaveAccessToBooking returns false when a booking doesn't
exist, which the guard treated as an access denial.

Added an explicit booking existence check in the guard before the access
check, so non-existent bookings now correctly return 404 (Not Found) as
documented in the PR description.

Updated the E2E test to expect 404 for non-existent booking UIDs.

Issue identified by cubic.

Co-Authored-By: unknown <>

* fixup

* fix: return 404 instead of 403 for non-existent booking in attendees endpoint

BookingPbacGuard now checks booking existence before the access check,
returning 404 (Not Found) instead of 403 (Forbidden) for non-existent
booking UIDs. Updated the E2E test assertion and description to match.

Issue identified by cubic (confidence 9/10).

Co-Authored-By: unknown <>

* chore: implement PR feedback

* chore: update tests

* fixup

* chore: update endpoint description

* feat: endpoint to retrieve specific attendee

* chore: update e2e tests

* chore: implement cubic feedback

* fix: update test to expect 403 for non-existent booking UID (BookingPbacGuard behavior)

Co-Authored-By: rajiv@cal.com <sahalrajiv6900@gmail.com>

* fix: merge conflicts

* feat: endpoint to get attendees

* chore: update findByUidIncludeEventTypeAttendeesAndUser method

* chore: implement PR feedback

* fix: e2e tests

* chore: update e2e tests

* fixup fixup

* fix: remove phoneNumber assertion since it's optional and not provided in test

* chore: implement PR feedback

* fix: keep the same output shape for get attendees and get attendee endpoint

* chore: update openapi spec

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: bot_apk <apk@cognition.ai>
2026-03-06 09:50:29 +02:00
Romit 658e65be4d fix: correct webhook triggers OpenAPI type from string to array (#28288)
* fix(api): correct webhook triggers OpenAPI type from string to array

* chore: update .github/oasdiff-err-ignore.txt to allow schema change
2026-03-05 19:34:03 +05:30
Rajiv Sahal db76980644 fix: API v2 @GetWebhook() decorator doesn't generate OpenAPI path (#27612)
* fix: openapi spec for GetWebhook decorator

* fix: openapi spec
2026-02-10 11:56:55 -03:00
Rajiv Sahal 321b07ab8b chore: troubleshooter atom docs (#27717) 2026-02-06 19:39:28 +00:00
Lauris Skraucis bd25cba89c refactor: OAuth 2.0 endpoints (#27442)
* refactor: combine exchange and refresh into token endpoint

* refactor: controller error handling

* refactor: use snake_case

* refactor: use snake_case

* refactor: use snake case

* refactor: token endpoint accepts application/x-www-form-urlencoded

* refactor: token endpoint accepts application/x-www-form-urlencoded

* refactor: flat token response data

* refactor: error structure

* refactor: client_id in the body

* fix: address Cubic AI review feedback on OAuth2 endpoints

- Fix getClient endpoint to use proper REST API error format instead of OAuth token error format (confidence 9/10)
- Add missing space after comma in error format string in token.input.pipe.ts (confidence 9/10)
- Support both camelCase and snake_case inputs in authorize endpoint for backward compatibility (confidence 10/10)
- Restore legacy /exchange and /refresh endpoints alongside new /token endpoint for backward compatibility (confidence 10/10)
- Add OAuth2TokensResponseDto for legacy endpoint wrapped responses
- Add OAuth2LegacyExchangeInput and OAuth2LegacyRefreshInput for legacy endpoints

Co-Authored-By: unknown <>

* fix: address additional Cubic AI feedback on OAuth2 endpoints

- Log errors when status code >= 500 in handleClientError (confidence 9/10)
- Add Cache-Control: no-store and Pragma: no-cache headers to legacy /exchange and /refresh endpoints (confidence 9/10)

Co-Authored-By: unknown <>

* docs

* Revert "fix: address additional Cubic AI feedback on OAuth2 endpoints"

This reverts commit 39cc4aa3ebb9e59a171541d7010398425995ed89.

* Revert "fix: address Cubic AI review feedback on OAuth2 endpoints"

This reverts commit 97bf593186db04c0859f9ca30950c9e3e524019d.

* docs

* fix: address Cubic AI review feedback on OAuth2 endpoints

- Fix getClient to use handleClientError instead of handleTokenError (confidence 10)
- Restore legacy /exchange and /refresh endpoints for backward compatibility (confidence 9)
- Fix RFC 6749 error format: use human-readable messages in error_description (confidence 9)
- Fix errorDescription in OAuthService to use OAUTH_ERROR_REASONS mapping (confidence 9)

Co-Authored-By: unknown <>

* fix: address additional Cubic AI feedback on OAuth2 endpoints

- Fix security issue: Replace 'CALENDSO_ENCRYPTION_KEY is not set' with generic 'Internal server configuration error' message (confidence 10/10)
- Fix backward compatibility: Create OAuth2LegacyTokensDto with camelCase properties for legacy /exchange and /refresh endpoints (confidence 9/10)
- Skipped: RFC 6749 error field issue (confidence 8/10, below threshold)

Co-Authored-By: unknown <>

* e2e

* Revert "fix: address additional Cubic AI feedback on OAuth2 endpoints"

This reverts commit a080e93f07aaf5a7dcf81fe605012cb7ebcdc192.

* Revert "fix: address Cubic AI review feedback on OAuth2 endpoints"

This reverts commit 04986a16c981521ca97069152457bf521a9ee45f.

* fix: re-apply Cubic AI review feedback on OAuth2 endpoints

- Restore OAuth2LegacyExchangeInput and OAuth2LegacyRefreshInput classes
- Restore legacy /exchange and /refresh endpoints in OAuth2Controller
- Restore OAuth2LegacyTokensDto and OAuth2TokensResponseDto classes
- Restore OAUTH_ERROR_DESCRIPTIONS mapping in oauth2-error.service.ts
- Restore OAUTH_ERROR_REASONS lookup in OAuthService.ts mapErrorToOAuthError
- Fix encryption_key_missing error to not expose internal env var name

Addresses Cubic AI feedback with confidence >= 9/10:
- Comment 32 (9/10): Legacy endpoints and input classes
- Comment 34 (9/10): Error description mapping in OAuthService
- Comment 35 (10/10): OAUTH_ERROR_DESCRIPTIONS in error service

Skipped (confidence < 9/10):
- Comment 33 (8/10): getClient handleTokenError vs handleClientError

Co-Authored-By: unknown <>

* Revert "fix: re-apply Cubic AI review feedback on OAuth2 endpoints"

This reverts commit 416bef9c931d9a7ed78c65a70a3425550d61b151.

* delete unused file

* fix: e2e tests

* address cubic review

* fix: address Cubic AI review feedback on OAuth2 exception filter

- Fix header case sensitivity: use lowercase 'x-request-id' instead of 'X-Request-Id' since Express lowercases all request headers
- Redact request body in error logs to prevent exposing sensitive OAuth2 credentials like client_secret, password, and refresh_token

Co-Authored-By: unknown <>

* docs: api v2 oauth controller docs

* chore: remove authorize endpoint

* refactor: remove scope from docs

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2026-02-05 10:16:15 +02:00
Lauris Skraucis fc602d3b03 feat: OAuth 2.0 support for atoms (#27158)
* fix: useOAuthClient support OAuth 2.0

* fix: cannot read properties of undefined (reading NEXT_PUBLIC_IS_E2E)

* fix: allow OAuth 2.0 token to connect gcal or ms calendar

* fix: allow OAuth 2.0 token to save gcal or ms calendar credentials

* refactor: don't set oauth id header for OAuth 2.0

* fix: calendar events not showing and emails not sent

* feat: CalOAuth2Provider

* chore: make OAuth 2.0 work in examples app

* chore: refresh OAuth 2.0 tokens

* docs: running examples app with oauth 2.0

* fix: remove sensitive console.log statements that leak secrets

Remove logging of:
- OAuth authorization codes (oauth2-user.ts)
- Token-bearing exchange responses (oauth2-user.ts)
- /me response data containing PII (oauth2-user.ts)
- OAuth2 refresh response with tokens (refresh.ts)
- Response payload with access tokens (_app.tsx)

Addresses Cubic AI review feedback for issues with confidence >= 9/10

Co-Authored-By: unknown <>

* docs: update readme

* fix: implement cubic feedback

* fix: seed script import

* fix: seed script pkce

* fix: correct typos and SQLite capitalization in OAuth2 README (#27176)

Co-authored-by: cubic-dev-ai[bot] <1082092+cubic-dev-ai[bot]@users.noreply.github.com>

* refactor: don't return name in public oauth endpoint

* docs: CalOAuthProvider

* chore: add NEXT_PUBLIC_IS_E2E constant to test

* docs: fix duplicated 'or' in Cal OAuth Provider documentation (#27177)

Co-authored-by: cubic-dev-ai[bot] <1082092+cubic-dev-ai[bot]@users.noreply.github.com>

* revert: is e2e constant

* fix: typecheck

* refactor: example app users select

* update readme

* chore: update oauth atoms readme

* refactor: enable booking managed event types with user.username instead of profile.username

* fix: EventTypeSettings when viewing round robin

* test: add e2e tests for atoms-oauth2 controller

Co-Authored-By: lauris@cal.com <lauris.skraucis@gmail.com>

* fix: correct error message path in atoms-oauth2 e2e test

Co-Authored-By: lauris@cal.com <lauris.skraucis@gmail.com>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
Co-authored-by: cubic-dev-ai[bot] <1082092+cubic-dev-ai[bot]@users.noreply.github.com>
Co-authored-by: Rajiv Sahal <sahalrajiv-extc@atharvacoe.ac.in>
2026-02-04 12:54:15 +01:00
Morgan af230f919b fix: ensure default calendars api v2 (#27603)
* fix: ensure default calendars

* test: add E2E tests for delegation credential controller and update tasker config

- Add E2E tests to verify ensureDefaultCalendars is called when enabling delegation credentials
- Update calendars tasker config to use medium-1x machine for retry on OOM
- Set minimum retry backoff to 60 seconds (1 minute between retries)

Co-Authored-By: morgan@cal.com <morgan@cal.com>

* fix: update tasker config to use small-2x machine with outOfMemory retry on medium-1x

Co-Authored-By: morgan@cal.com <morgan@cal.com>

* fix: update E2E tests to properly spy on service instance and use valid workspace platform slug

Co-Authored-By: morgan@cal.com <morgan@cal.com>

* ci: add CALCOM_SERVICE_ACCOUNT_ENCRYPTION_KEY to E2E API v2 workflow

Co-Authored-By: morgan@cal.com <morgan@cal.com>

* fix: add encryption key to E2E test file for delegation credentials

Co-Authored-By: morgan@cal.com <morgan@cal.com>

* revert: remove CALCOM_SERVICE_ACCOUNT_ENCRYPTION_KEY from workflow (moved to test file)

Co-Authored-By: morgan@cal.com <morgan@cal.com>

* fix: move encryption key to setEnvVars.ts for E2E tests

Co-Authored-By: morgan@cal.com <morgan@cal.com>

* fix: use valid format for service account encryption key

Co-Authored-By: morgan@cal.com <morgan@cal.com>

* fix: encrypt service account key in E2E test for delegation credentials

Co-Authored-By: morgan@cal.com <morgan@cal.com>

* fix: mock updateDelegationCredentialEnabled to bypass Google API call in E2E tests

Co-Authored-By: morgan@cal.com <morgan@cal.com>

* fix: get service from app.get() after initialization for proper spy setup in E2E tests

Co-Authored-By: morgan@cal.com <morgan@cal.com>

* fix: use jest.mock() to mock toggleDelegationCredentialEnabled and bypass Google API calls in E2E tests

Co-Authored-By: morgan@cal.com <morgan@cal.com>

* fix: use Service.prototype pattern for spying on ensureDefaultCalendars in E2E tests

Co-Authored-By: morgan@cal.com <morgan@cal.com>

* fix: move spy setup to beforeAll before app.init() for proper NestJS interception

Co-Authored-By: morgan@cal.com <morgan@cal.com>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2026-02-04 13:08:28 +02:00
Shivangi Sharma 2ccff0aead fix(docs): correct env copy command in local-development.mdx (#27274) 2026-02-03 21:49:33 +05:30
mintlify[bot] 7062887632 chore: Remove developing/introduction page and make Local Development the landing page (#27492)
* Update docs/mint.json

Co-Authored-By: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>

* Delete docs/developing/introduction.mdx

Co-Authored-By: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>

* Add redirects for developing introduction

Added redirects for the developing introduction page.

* Delete docs/mint.json

* Add redirects for developing introduction page

* Remove introduction page from Getting Started group

---------

Co-authored-by: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>
Co-authored-by: Syed Ali Shahbaz <52925846+alishaz-polymath@users.noreply.github.com>
2026-02-02 18:11:15 +00:00
Syed Ali Shahbaz 1a0f70ea65 chore: Update Mintlify to V2 (#27523)
* update mintlify

* remove mint.json
2026-02-02 14:13:42 -03:00
Morgan d29c8a4fa2 fix: add guest limits and rate limiting to booking-guests endpoint (#27494)
* fix: add guest limits and rate limiting to booking-guests endpoint

- Add ArrayMaxSize(10) validation to limit guests per request to 10
- Add aggressive rate limiting (5 requests/minute) via @Throttle decorator
- Add total guest limit check (max 30 guests per booking) to prevent abuse
- Update API documentation to reflect new limits

This prevents scammers from using the endpoint to send spam emails
to hundreds of guests through our system.

Co-Authored-By: morgan@cal.com <morgan@cal.com>

* docs: update openapi.json with guest limits and rate limiting info

Co-Authored-By: morgan@cal.com <morgan@cal.com>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2026-02-02 11:49:25 +02:00
Morgan 6216b58460 fix: add type property to @ApiQuery decorators in slots controller (#27175)
* fix: add type property to @ApiQuery decorators in slots controller

Co-Authored-By: morgan@cal.com <morgan@cal.com>

* chore: update openapi.json

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2026-01-23 11:28:09 +02:00
Peer Richelsen 6f7c8bdd73 feat: add wrong assignment report dialog and webhook for routing form bookings (#25839)
Co-authored-by: peer@cal.com <peer@cal.com>
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2026-01-22 16:44:29 +00:00
Morgan 51976b1eab feat: add rrHostSubsetIds to reschedule booking endpoint (#27135)
* feat: add rrHostSubsetIds to reschedule booking endpoint

Co-Authored-By: morgan@cal.com <morgan@cal.com>

* test: add e2e test for reschedule with rrHostSubsetIds

Co-Authored-By: morgan@cal.com <morgan@cal.com>

* chore: update openapi.json

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2026-01-22 17:44:26 +02:00
Lauris Skraucis 3b8b2299af docs: OAuth self serve (#27090) 2026-01-22 12:36:57 +04:00
Morgan f00f80ed26 chore: ensure default calendars with trigger.dev apiv2 (#27058)
* chore: ensure default calendars with trigger.dev apiv2

* test: add unit and e2e tests for CalendarsTasker integration

- Add unit tests for CalendarsTasker.dispatch when enableAsyncTasker is true
- Add e2e test to verify ensureDefaultCalendarsForUser is called when creating membership
- Mock CalendarsTasker and ConfigService in unit tests
- Test both async (Trigger.dev) and sync (Bull queue) paths
- Fix missing return types on helper functions in e2e tests
- Add *.spec.ts to biome test file exceptions for noExcessiveLinesPerFunction rule

Co-Authored-By: morgan@cal.com <morgan@cal.com>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2026-01-21 16:03:30 +02:00
Hemanth Rachapalli d137787330 feat: API endpoint to fetch bookings for standalone teams (#26818)
* inputs valid

* modules

* similar route to get bookings

* removed plan

* test case spec

* fix: e2e tests for teams booking controller

* chore: update openapi spec

* added filter

Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>

* filter cases

* test(teams-bookings): fix eventTypeIds filter test to use correct query parameter

* fix: e2e tests

* fix: e2e tests

* fixup

---------

Co-authored-by: Rajiv Sahal <sahalrajiv-extc@atharvacoe.ac.in>
Co-authored-by: Ryukemeister <sahalrajiv6900@gmail.com>
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
2026-01-19 09:32:27 +00:00
Rajiv Sahal adc4272545 fix: atoms issues (#26983)
* fix: missing imports

* chore: add popover components for atoms

* chore: keep openapi spec up to date
2026-01-19 08:09:57 +00:00
Rajiv Sahal 1f28504db1 fix(api): add @ApiExtraModels for location types in OpenAPI spec (#26951)
The UpdateInputAddressLocation_2024_08_13 and related location types were
referenced via getSchemaPath() but not registered with @ApiExtraModels,
causing them to be missing from the generated OpenAPI spec.

This fix adds @ApiExtraModels decorator to the BookingLocationController
to register all location types used in the UpdateBookingLocationInput.

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2026-01-17 00:22:19 +02:00
Morgan f5085af396 docs: improve beforeEventBuffer and afterEventBuffer descriptions in API v2 (#26899)
* docs: improve beforeEventBuffer and afterEventBuffer descriptions in API v2

Co-Authored-By: morgan@cal.com <morgan@cal.com>

* fixup! docs: improve beforeEventBuffer and afterEventBuffer descriptions in API v2

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2026-01-15 15:27:13 -03:00
mintlify[bot] 0578c89766 docs: Minor clean up (#26892)
* Documentation edits made through Mintlify web editor

* Documentation edits made through Mintlify web editor

---------

Co-authored-by: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>
2026-01-15 16:28:10 +00:00
Keith Williams a2c769251a docs: Fix Cal.com brand casing inconsistencies (#26887)
* Update docs/api-reference/v2/oauth.mdx

Co-Authored-By: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>

* Update docs/self-hosting/deployments/gcp.mdx

Co-Authored-By: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>

* Update docs/self-hosting/deployments/gcp.mdx

Co-Authored-By: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>

* Update docs/self-hosting/deployments/gcp.mdx

Co-Authored-By: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>

* Update docs/self-hosting/deployments/gcp.mdx

Co-Authored-By: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>

* Update docs/self-hosting/deployments/gcp.mdx

Co-Authored-By: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>

* Update docs/api-reference/v2/oauth.mdx

Co-Authored-By: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>

* Update docs/self-hosting/deployments/gcp.mdx

Co-Authored-By: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>

* Update docs/self-hosting/deployments/gcp.mdx

Co-Authored-By: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>

* Update docs/api-reference/v2/oauth.mdx

Co-Authored-By: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>

* Update docs/self-hosting/deployments/gcp.mdx

Co-Authored-By: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>

---------

Co-authored-by: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>
2026-01-15 15:27:20 +00:00
mintlify[bot] c5213be60d docs: Clean up (#26879)
* clean-up nav

* Documentation edits made through Mintlify web editor

* Documentation edits made through Mintlify web editor

* further clean up

* add oauth in sidebar

* --

* land in v2

* land in v2

* Documentation edits made through Mintlify web editor

* Documentation edits made through Mintlify web editor

* cleanup

* Documentation edits made through Mintlify web editor

* deprecated v1

---------

Co-authored-by: Syed Ali Shahbaz <alishahbaz7@gmail.com>
Co-authored-by: mintlify[bot] <109931778+mintlify[bot]@users.noreply.github.com>
2026-01-15 15:18:23 +00:00
Morgan eee31d6e9e chore: tag deprecated platform oauth endpoints in api v2 (#26873)
* chore: tag deprecated platform oauth endpoints in api v2

* fixup! chore: tag deprecated platform oauth endpoints in api v2

* fixup! fixup! chore: tag deprecated platform oauth endpoints in api v2

* chore: fix docs.json mintlify

* chore: fix docs.json mintlify
2026-01-15 12:39:55 +00:00
Peer Richelsen 42531db484 Documentation edits made through Mintlify web editor 2026-01-15 13:05:11 +01:00
Peer Richelsen 9a449608b5 Documentation edits made through Mintlify web editor 2026-01-15 13:01:23 +01:00
Peer Richelsen 58a947b32e Documentation edits made through Mintlify web editor 2026-01-15 12:59:06 +01:00
Peer Richelsen c9502b5518 Documentation edits made through Mintlify web editor 2026-01-15 12:57:51 +01:00
Peer Richelsen 40c9d629f1 Documentation edits made through Mintlify web editor 2026-01-15 12:57:30 +01:00
Peer Richelsen 52784482d3 Documentation edits made through Mintlify web editor 2026-01-15 12:56:46 +01:00
Peer Richelsen 0ff8b02247 Documentation edits made through Mintlify web editor 2026-01-15 12:56:24 +01:00
Peer Richelsen 52f79fedb7 Documentation edits made through Mintlify web editor 2026-01-15 12:54:33 +01:00
Peer Richelsen 89ef150c1a Documentation edits made through Mintlify web editor 2026-01-15 12:53:23 +01:00
Peer Richelsen 6ea1b8964d Documentation edits made through Mintlify web editor 2026-01-15 12:52:15 +01:00
Peer Richelsen db76f7c4d1 Documentation edits made through Mintlify web editor 2026-01-15 12:49:05 +01:00
Dhairyashil Shinde 821dce6a04 fix(api): skip platform org subdomain in bookingUrl for API v2 (#26812)
Platform organizations don't have public-facing subdomains, so non-managed
users in platform orgs should get cal.com URLs instead of the platform
org subdomain.

- Updated EventTypeUser type to include isPlatform field
- Modified buildBookingUrl to check isPlatform before using org slug
- Added unit test for platform org users

Co-authored-by: Morgan <33722304+ThyMinimalDev@users.noreply.github.com>
2026-01-14 09:04:45 +00:00