feat: api v2 GET booking attendees endpoint (calcom#27664)

* feat: add booking attendees endpoint to API v2

Co-Authored-By: rajiv@cal.com <sahalrajiv6900@gmail.com>

* feat: add rate limiting to booking attendees endpoint

Co-Authored-By: rajiv@cal.com <sahalrajiv6900@gmail.com>

* refactor: simplify attendees output to id, bookingId, name, email, timeZone

Co-Authored-By: rajiv@cal.com <sahalrajiv6900@gmail.com>

* test: add E2E tests for booking attendees endpoint

Co-Authored-By: rajiv@cal.com <sahalrajiv6900@gmail.com>

* chore: update bookings repository

* fixup: add pbac guards and update service logic

* chore: update openapi spec

* test: add rate limiting E2E test for booking attendees endpoint

Co-Authored-By: rajiv@cal.com <sahalrajiv6900@gmail.com>

* fix: tests

* fix: return 404 instead of 403 for non-existent booking in BookingPbacGuard

The BookingPbacGuard was returning 403 (Forbidden) for non-existent bookings
because doesUserIdHaveAccessToBooking returns false when a booking doesn't
exist, which the guard treated as an access denial.

Added an explicit booking existence check in the guard before the access
check, so non-existent bookings now correctly return 404 (Not Found) as
documented in the PR description.

Updated the E2E test to expect 404 for non-existent booking UIDs.

Issue identified by cubic.

Co-Authored-By: unknown <>

* fixup

* fix: return 404 instead of 403 for non-existent booking in attendees endpoint

BookingPbacGuard now checks booking existence before the access check,
returning 404 (Not Found) instead of 403 (Forbidden) for non-existent
booking UIDs. Updated the E2E test assertion and description to match.

Issue identified by cubic (confidence 9/10).

Co-Authored-By: unknown <>

* chore: implement PR feedback

* chore: update tests

* fixup

* chore: update endpoint decsription

* feat: endpoint to retrieve specific attendee

* chore: update e2e tests

* chore: implement cubic feedback

* fix: update test to expect 403 for non-existent booking UID (BookingPbacGuard behavior)

Co-Authored-By: rajiv@cal.com <sahalrajiv6900@gmail.com>

* fix: merge conflicts

* feat: endpoint to get attendees

* chore: update findByUidIncludeEventTypeAttendeesAndUser method

* chore: implement PR feedback

* fix: e2e tests

* chore: update e2e tests

* fixup fixup

* fix: remove phoneNumber assertion since it's optional and not provided in test

* chore: implement PR feedback

* fix: keep the same output shape for get attendees and get attendee endpoint

* chore: update openapi spec

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: bot_apk <apk@cognition.ai>

Author: 3 people

apps/api/v2/src/ee/bookings/2024-08-13/controllers/booking-attendees.controller.ts

@@ -1,12 +1,33 @@
-import { BOOKING_WRITE, SUCCESS_STATUS } from "@calcom/platform-constants";
+import {
+  BOOKING_WRITE,
+  BOOKING_READ,
+  SUCCESS_STATUS,
+} from "@calcom/platform-constants";
 import { AddAttendeeInput_2024_08_13 } from "@calcom/platform-types";
-import { Body, Controller, HttpCode, HttpStatus, Param, Post, UseGuards } from "@nestjs/common";
+import {
+  Body,
+  Controller,
+  HttpCode,
+  HttpStatus,
+  Param,
+  Post,
+  UseGuards,
+  Get,
+  ParseIntPipe,
+} from "@nestjs/common";
 import { ApiHeader, ApiOperation, ApiTags as DocsTags } from "@nestjs/swagger";
 import { BookingPbacGuard } from "@/ee/bookings/2024-08-13/guards/booking-pbac.guard";
 import { BookingUidGuard } from "@/ee/bookings/2024-08-13/guards/booking-uid.guard";
 import { AddAttendeeOutput_2024_08_13 } from "@/ee/bookings/2024-08-13/outputs/add-attendee.output";
+import {
+  GetBookingAttendeesOutput_2024_08_13,
+  GetBookingAttendeeOutput_2024_08_13,
+} from "@/ee/bookings/2024-08-13/outputs/get-booking-attendees.output";
 import { BookingAttendeesService_2024_08_13 } from "@/ee/bookings/2024-08-13/services/booking-attendees.service";
-import { VERSION_2024_08_13, VERSION_2024_08_13_VALUE } from "@/lib/api-versions";
+import {
+  VERSION_2024_08_13,
+  VERSION_2024_08_13_VALUE,
+} from "@/lib/api-versions";
 import { API_KEY_OR_ACCESS_TOKEN_HEADER } from "@/lib/docs/headers";
 import { Throttle } from "@/lib/endpoint-throttler-decorator";
 import { GetUser } from "@/modules/auth/decorators/get-user/get-user.decorator";
@@ -28,7 +49,60 @@ import { ApiAuthGuardUser } from "@/modules/auth/strategies/api-auth/api-auth.st
   required: true,
 })
 export class BookingAttendeesController_2024_08_13 {
-  constructor(private readonly bookingAttendeesService: BookingAttendeesService_2024_08_13) {}
+  constructor(
+    private readonly bookingAttendeesService: BookingAttendeesService_2024_08_13
+  ) {}
+
+  @Get("/")
+  @Permissions([BOOKING_READ])
+  @UseGuards(ApiAuthGuard, BookingUidGuard, BookingPbacGuard)
+  @ApiHeader(API_KEY_OR_ACCESS_TOKEN_HEADER)
+  @ApiOperation({
+    summary: "Get all attendees for a booking",
+    description: `Retrieve all attendees for a specific booking by its UID.
+    
+    <Note>The cal-api-version header is required for this endpoint. Without it, the request will fail with a 404 error.</Note>
+    `,
+  })
+  async getBookingAttendees(
+    @Param("bookingUid") bookingUid: string,
+    @GetUser() user: ApiAuthGuardUser
+  ): Promise<GetBookingAttendeesOutput_2024_08_13> {
+    const attendees = await this.bookingAttendeesService.getBookingAttendees(
+      bookingUid
+    );
+
+    return {
+      status: SUCCESS_STATUS,
+      data: attendees,
+    };
+  }
+
+  @Get("/:attendeeId")
+  @Permissions([BOOKING_READ])
+  @UseGuards(ApiAuthGuard, BookingUidGuard, BookingPbacGuard)
+  @ApiHeader(API_KEY_OR_ACCESS_TOKEN_HEADER)
+  @ApiOperation({
+    summary: "Get a specific attendee for a booking",
+    description: `Retrieve a specific attendee by their ID for a booking identified by its UID.
+        
+      <Note>The cal-api-version header is required for this endpoint. Without it, the request will fail with a 404 error.</Note>
+      `,
+  })
+  async getBookingAttendee(
+    @Param("bookingUid") bookingUid: string,
+    @Param("attendeeId", ParseIntPipe) attendeeId: number
+  ): Promise<GetBookingAttendeeOutput_2024_08_13> {
+    const attendee = await this.bookingAttendeesService.getBookingAttendee(
+      bookingUid,
+      attendeeId
+    );
+
+    return {
+      status: SUCCESS_STATUS,
+      data: attendee,
+    };
+  }
 
   @Post("/")
   @HttpCode(HttpStatus.CREATED)
@@ -61,7 +135,11 @@ export class BookingAttendeesController_2024_08_13 {
     @Body() body: AddAttendeeInput_2024_08_13,
     @GetUser() user: ApiAuthGuardUser
   ): Promise<AddAttendeeOutput_2024_08_13> {
-    const attendee = await this.bookingAttendeesService.addAttendee(bookingUid, body, user);
+    const attendee = await this.bookingAttendeesService.addAttendee(
+      bookingUid,
+      body,
+      user
+    );
 
     return {
       status: SUCCESS_STATUS,