fix: allow whitelisted paths like onboarding as team/user slugs on org domains (calcom#24984)

* fix: allow whitelisted paths like onboarding as team/user slugs on org domains

- Add whitelistedPaths array to pagesAndRewritePaths.js with 'onboarding'
- Update getRegExpMatchingAllReservedRoutes to accept exclusions parameter
- Modify org route patterns to exclude whitelisted paths from reserved routes
- Add tests to verify onboarding can be used as a slug on org domains
- Fixes issue where acme.cal.com/onboarding would 404

This allows teams/users on org domains to use 'onboarding' as their slug
while still preserving the /onboarding app route on non-org domains.

Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>

* Remove accidental change by AI

* Add special character handling test

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

Author: hariombalhara

apps/web/pagesAndRewritePaths.js

@@ -1,8 +1,26 @@
+/* eslint-env node */
+/* eslint-disable @typescript-eslint/no-require-imports, no-undef */
 const glob = require("glob");
 const { nextJsOrgRewriteConfig } = require("./getNextjsOrgRewriteConfig");
-/** Needed to rewrite public booking page, gets all static pages but [user] */
-// Pages found here are excluded from redirects in beforeFiles in next.config.js
-let pages = (exports.pages = glob
+
+// Top-level route names that are explicitly allowed for org rewrite (whitelist)
+
+const topLevelRouteNamesWhitelistedForRewrite = exports.topLevelRouteNamesWhitelistedForRewrite = [
+  // We don't allow all dashboard route names to be used as slug because people are probably accustomed to access links like acme.cal.com/workflows, acme.cal.com/event-types etc.
+  // So, we carefully allow, what is absolutely needed.
+  // Allowed to be a team/user slug in organization because onboarding is a common team name
+  'onboarding',
+]
+
+/**
+ * Extracts top-level route names from all pages/app files and excludes them from org rewrite.
+ * For example: /abc/def/ghi -> 'abc'
+ * 
+ * These top-level route names are excluded from rewrites in beforeFiles in next.config.js
+ * to prevent conflicts with organization slug rewrites.
+ */
+/* eslint-disable no-undef */
+let topLevelRoutesExcludedFromOrgRewrite = exports.topLevelRoutesExcludedFromOrgRewrite = glob
   .sync(
     "{pages,app,app/(booking-page-wrapper),app/(use-page-wrapper),app/(use-page-wrapper)/(main-nav)}/**/[^_]*.{tsx,js,ts}",
     {
@@ -11,11 +29,14 @@ let pages = (exports.pages = glob
   )
   .map((filename) =>
     filename
+      // Remove the directory prefix (pages/, app/ and route group folders.)
       .replace(
         /^(app\/\(use-page-wrapper\)\/\(main-nav\)|app\/\(use-page-wrapper\)|app\/\(booking-page-wrapper\)|pages|app)\//,
         ""
       )
+      // Remove file extensions
       .replace(/(\.tsx|\.js|\.ts)/, "")
+      // Extract only the top-level route name (e.g., /abc/def -> abc)
       .replace(/\/.*/, "")
   )
   .filter(
@@ -34,40 +55,47 @@ let pages = (exports.pages = glob
         "ShellMainAppDir",
         "ShellMainAppDirBackButton",
       ].some((prefix) => v.startsWith(prefix))
-  ));
+  )
+  .filter((page) => {
+    return !topLevelRouteNamesWhitelistedForRewrite.includes(page);
+  });
 
 // .* matches / as well(Note: *(i.e wildcard) doesn't match / but .*(i.e. RegExp) does)
 // It would match /free/30min but not /bookings/upcoming because 'bookings' is an item in pages
 // It would also not match /free/30min/embed because we are ensuring just two slashes
 // ?!book ensures it doesn't match /free/book page which doesn't have a corresponding new-booker page.
 // [^/]+ makes the RegExp match the full path, it seems like a partial match doesn't work.
 // book$ ensures that only /book is excluded from rewrite(which is at the end always) and not /booked
-
+/* eslint-disable no-undef */
 exports.nextJsOrgRewriteConfig = nextJsOrgRewriteConfig;
 
 /**
  * Returns a regex that matches all existing routes, virtual routes (like /forms, /router, /success etc) and nextjs special paths (_next, public)
+ * @param {string} suffix - The suffix to append to each route in the regex
  */
 function getRegExpMatchingAllReservedRoutes(suffix) {
   // Following routes don't exist but they work by doing rewrite. Thus they need to be excluded from matching the orgRewrite patterns
   // Make sure to keep it upto date as more nonExistingRouteRewrites are added.
   const otherNonExistingRoutePrefixes = ["forms", "router", "success", "cancel"];
+
   // Most files/dirs in public dir must not be rewritten to org pages. Ideally it should be all the content of public dir, but that can be done later
   // It is important to exclude the embed pages separately here because with SINGLE_ORG_SLUG enabled, the entire domain is eligible for rewrite vs just the org subdomain otherwise
   const staticAssets = ["embed"];
+
   // FIXME: I am not sure why public is needed here, an asset 'test' in public isn't accessible through "/public/test" but only through "/test"
   // We should infact scan through all files in public and exclude them instead.
   const nextJsSpecialPaths = ["_next", "public"];
 
-  let beforeRewriteExcludePages = pages
+  let allTopLevelRoutesExcludedFromOrgRewrite = topLevelRoutesExcludedFromOrgRewrite
     .concat(otherNonExistingRoutePrefixes)
     .concat(nextJsSpecialPaths)
     .concat(staticAssets);
-  return beforeRewriteExcludePages.join(`${suffix}|`) + suffix;
+  return allTopLevelRoutesExcludedFromOrgRewrite.join(`${suffix}|`) + suffix;
 }
 
 // To handle /something
 exports.orgUserRoutePath = `/:user((?!${getRegExpMatchingAllReservedRoutes("/?$")})[a-zA-Z0-9\-_]+)`;
+
 // To handle /something/somethingelse
 exports.orgUserTypeRoutePath = `/:user((?!${getRegExpMatchingAllReservedRoutes(
   "/"

apps/web/test/lib/next-config.test.ts

@@ -2,7 +2,7 @@ import { it, expect, describe, beforeAll } from "vitest";
 
 import { getRegExpThatMatchesAllOrgDomains } from "../../getNextjsOrgRewriteConfig";
 
-// eslint-disable-next-line @typescript-eslint/no-var-requires
+/* eslint-disable @typescript-eslint/no-require-imports */
 const { match, pathToRegexp } = require("next/dist/compiled/path-to-regexp");
 type MatcherRes = (path: string) => { params: Record<string, string> };
 let orgUserTypeRouteMatch: MatcherRes;
@@ -15,7 +15,6 @@ beforeAll(async () => {
   const {
     orgUserRoutePath,
     orgUserTypeRoutePath,
-    // eslint-disable-next-line @typescript-eslint/no-var-requires
   } = require("../../pagesAndRewritePaths");
 
   orgUserTypeRouteMatch = match(orgUserTypeRoutePath);
@@ -162,5 +161,80 @@ describe("next.config.js - Org Rewrite", () => {
       expect(orgUserRouteMatch("/forms/xdsdf-sd")).toEqual(false);
       expect(orgUserRouteMatch("/router?form=")).toEqual(false);
     });
+
+    it("Whitelisted routes should match on org domains", () => {
+      expect(orgUserRouteMatch("/onboarding")?.params).toEqual({
+        user: "onboarding",
+      });
+      expect(orgUserTypeRouteMatch("/onboarding/30min")?.params).toEqual({
+        user: "onboarding",
+        type: "30min",
+      });
+    });
+
+    describe("Character validation in org slugs", () => {
+      it("should allow valid characters: alphanumeric, hyphens, and underscores", () => {
+        // Valid usernames with allowed characters
+        expect(orgUserRouteMatch("/john-doe")?.params).toEqual({
+          user: "john-doe",
+        });
+        expect(orgUserRouteMatch("/john_doe")?.params).toEqual({
+          user: "john_doe",
+        });
+        expect(orgUserRouteMatch("/user123")?.params).toEqual({
+          user: "user123",
+        });
+        expect(orgUserRouteMatch("/ABC-123_xyz")?.params).toEqual({
+          user: "ABC-123_xyz",
+        });
+      });
+
+      it("should reject invalid punctuation characters in org slugs", () => {
+        // These should NOT match because they contain invalid characters
+        // The character class [a-zA-Z0-9-_] when hyphen is unescaped between 9 and _
+        // creates a range from - (ASCII 45) to _ (ASCII 95), which includes : ; < = > ? @ [ \ ] ^
+
+        // Colon (:) - ASCII 58
+        expect(orgUserRouteMatch("/user:name")).toEqual(false);
+
+        // Semicolon (;) - ASCII 59
+        expect(orgUserRouteMatch("/user;name")).toEqual(false);
+
+        // Less than (<) - ASCII 60
+        expect(orgUserRouteMatch("/user<name")).toEqual(false);
+
+        // Equals (=) - ASCII 61
+        expect(orgUserRouteMatch("/user=name")).toEqual(false);
+
+        // Greater than (>) - ASCII 62
+        expect(orgUserRouteMatch("/user>name")).toEqual(false);
+
+        // Question mark (?) - ASCII 63
+        expect(orgUserRouteMatch("/user?name")).toEqual(false);
+
+        // At symbol (@) - ASCII 64
+        expect(orgUserRouteMatch("/user@name")).toEqual(false);
+
+        // Square brackets ([, ]) - ASCII 91, 93
+        expect(orgUserRouteMatch("/user[name")).toEqual(false);
+        expect(orgUserRouteMatch("/user]name")).toEqual(false);
+
+        // Backslash (\) - ASCII 92
+        expect(orgUserRouteMatch("/user\\name")).toEqual(false);
+
+        // Caret (^) - ASCII 94
+        expect(orgUserRouteMatch("/user^name")).toEqual(false);
+
+        // Other common punctuation that should also be rejected
+        expect(orgUserRouteMatch("/user.name")).toEqual(false);
+        expect(orgUserRouteMatch("/user!name")).toEqual(false);
+        expect(orgUserRouteMatch("/user#name")).toEqual(false);
+        expect(orgUserRouteMatch("/user$name")).toEqual(false);
+        expect(orgUserRouteMatch("/user%name")).toEqual(false);
+        expect(orgUserRouteMatch("/user&name")).toEqual(false);
+        expect(orgUserRouteMatch("/user*name")).toEqual(false);
+        expect(orgUserRouteMatch("/user+name")).toEqual(false);
+      });
+    });
   });
 });

apps/web/test/lib/pagesAndRewritePaths.test.ts

@@ -1,10 +1,10 @@
 import { it, expect, describe } from "vitest";
 
-import { pages } from "../../pagesAndRewritePaths.js";
+import { topLevelRoutesExcludedFromOrgRewrite, topLevelRouteNamesWhitelistedForRewrite } from "../../pagesAndRewritePaths.js";
 
 describe("pagesAndRewritePaths", () => {
-  describe("beforeFiles must exclude routes in pages/app router", () => {
-    const BEFORE_REWRITE_EXCLUDE_PAGES = [
+  describe("beforeFiles must exclude top-level routes in pages/app router", () => {
+    const ROUTES_EXCLUDED_FROM_ORG_REWRITE = [
       "apps",
       "availability",
       "booking",
@@ -30,12 +30,18 @@ describe("pagesAndRewritePaths", () => {
       "routing-forms",
       "signup",
       "team",
-      "d",
+      "d"
     ];
 
-    it("should include all required routes", () => {
-      BEFORE_REWRITE_EXCLUDE_PAGES.forEach((route) => {
-        expect(pages).toContain(route);
+    it("should include all required top-level route names", () => {
+      ROUTES_EXCLUDED_FROM_ORG_REWRITE.forEach((route) => {
+        expect(topLevelRoutesExcludedFromOrgRewrite).toContain(route);
+      });
+    });
+
+    it("should NOT include whitelisted routes", () => {
+      topLevelRouteNamesWhitelistedForRewrite.forEach((route) => {
+        expect(topLevelRoutesExcludedFromOrgRewrite).not.toContain(route);
       });
     });
   });

packages/prisma/schema.prisma

@@ -1,4 +1,4 @@
-// This is your Prisma Schema file
+// This is your Prisma Schema file 
 // learn more about it in the docs: https://pris.ly/d/prisma-schema
 
 datasource db {