feat: add user-specific email verification setting (calcom#24298)

* feat: add user-specific email verification setting

Add requiresBookerEmailVerification boolean field to User model that allows
users to protect their email from impersonation during bookings.

When enabled, anyone attempting to book using the protected user's email
address (as booker or guest) must complete email verification and be logged
in as that email owner.

Key changes:
- Add requiresBookerEmailVerification field to User schema
- Create settings toggle in /settings/my-account/general
- Update checkIfBookerEmailIsBlocked to check booker's account setting
- Update guest filtering in handleNewBooking and addGuests handlers
- Add i18n translations for new setting
- Check both primary and verified secondary emails

Additional fixes:
- Replace 'any' types with proper Prisma and zod types in user.ts
- Fix member role type in sessionMiddleware.ts
- Fix avatar URL generation bug in sessionMiddleware.ts

These type fixes were necessary to resolve pre-commit lint warnings that
were blocking the commit.

Co-Authored-By: keith@cal.com <keithwillcode@gmail.com>

* fix: address PR review comments

- Remove unrelated Watchlist index drops from migration
- Add missing Watchlist indexes to schema.prisma to fix drift
- Refactor checkIfBookerEmailIsBlocked to throw ErrorWithCode
- Move HttpError handling to handleNewBooking caller layer

Addresses review comments on PR calcom#24298

Co-Authored-By: keith@cal.com <keithwillcode@gmail.com>

* refactor: move Prisma queries to UserRepository and remove unrelated Watchlist changes

- Add findByEmailWithEmailVerificationSetting method to UserRepository
- Add findManyByEmailsWithEmailVerificationSettings method to UserRepository
- Refactor checkIfUserEmailVerificationRequired handler to use UserRepository
- Refactor addGuests handler to use UserRepository
- Remove unrelated Watchlist schema indices (organizationId/isGlobal, source)
- Remove unrelated WatchlistAudit unique constraint on id

Addresses review comments on PR calcom#24298

Co-Authored-By: keith@cal.com <keithwillcode@gmail.com>

* fix: better error codes + use repo

* Updated db query with manully written one using UNION (calcom#24430)

* fix: resolve usage of deprecated secondary email in return value

* fix: type errors from refactors

* fix: address CodeRabbit PR review comments

- Add NOT NULL constraint to requiresBookerEmailVerification migration
- Dedupe guest input by base email to handle plus-addressing correctly
- Compare attendees by base email instead of raw strings
- Send emails only to filtered uniqueGuests (not all guests)
- Improve error logging with actual error details

Co-Authored-By: keith@cal.com <keithwillcode@gmail.com>

* fix: indices added by mistake

Co-authored-by: Carina Wollendorfer <30310907+CarinaWolli@users.noreply.github.com>

* chore: update label of setting

* fix: return matched email for guests

* chore: remove whitespace

* test: add comprehensive email verification tests

- Add 9 test scenarios covering user email verification setting
- Test main booker verification (logged in/out, with/without code)
- Test secondary email verification as main booker and guest
- Test guest filtering when verification is required
- Test plus-addressed email handling
- Test multiple guests with mixed verification requirements
- Test invalid verification code error handling
- Update bookingScenario helper to support requiresBookerEmailVerification and secondaryEmails

Co-Authored-By: keith@cal.com <keithwillcode@gmail.com>

* fix: correct guest placement in test mock data

Move guests array from top-level booking data into responses object
to match expected structure in getBookingData.ts which looks for
responses.guests (line 74).

Fixes three failing tests:
- should filter out guest that requires verification
- should filter out secondary email with verification when added as guest
- should filter only guests requiring verification from multiple guests

Co-Authored-By: keith@cal.com <keithwillcode@gmail.com>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: Rodrigo Ehlers <rodrigoehlers@outlook.com>
Co-authored-by: Dhairyashil Shinde <93669429+dhairyashiil@users.noreply.github.com>
Co-authored-by: Rodrigo Ehlers <rodrigo@chatbyte.ai>
Co-authored-by: Carina Wollendorfer <30310907+CarinaWolli@users.noreply.github.com>

Author: 5 people

apps/web/modules/settings/my-account/general-view.tsx

@@ -147,6 +147,9 @@ const GeneralView = ({ user, travelSchedules }: GeneralViewProps) => {
   const [isReceiveMonthlyDigestEmailChecked, setIsReceiveMonthlyDigestEmailChecked] = useState(
     !!user.receiveMonthlyDigestEmail
   );
+  const [isRequireBookerEmailVerificationChecked, setIsRequireBookerEmailVerificationChecked] = useState(
+    !!user.requiresBookerEmailVerification
+  );
 
   const watchedTzSchedules = formMethods.watch("travelSchedules");
 
@@ -353,6 +356,19 @@ const GeneralView = ({ user, travelSchedules }: GeneralViewProps) => {
           }}
           switchContainerClassName="mt-6"
         />
+
+        <SettingsToggle
+          toggleSwitchAtTheEnd={true}
+          title={t("require_booker_email_verification")}
+          description={t("require_booker_email_verification_description")}
+          disabled={mutation.isPending}
+          checked={isRequireBookerEmailVerificationChecked}
+          onCheckedChange={(checked) => {
+            setIsRequireBookerEmailVerificationChecked(checked);
+            mutation.mutate({ requiresBookerEmailVerification: checked });
+          }}
+          switchContainerClassName="mt-6"
+        />
         <TravelScheduleModal
           open={isTZScheduleOpen}
           onOpenChange={() => setIsTZScheduleOpen(false)}

apps/web/public/static/locales/en/common.json

@@ -3626,6 +3626,8 @@
   "no_members_affected_by_disabling_delegation_credential": "No members affected by disabling delegation credential",
   "download_expense_log": "Download Expense Log",
   "error_downloading_expense_log": "Error downloading expense log",
+  "require_booker_email_verification": "Prevent Impersonation on Bookings",
+  "require_booker_email_verification_description": "When enabled, anyone trying to book events using your email address must verify they own it via a one time code or be logged in to prevent impersonation",
   "offer_to_reschedule_last_booking": "Offer to reschedule last active booking to chosen time slot",
   "booker_limit_exceeded_error": "Booker maximum active booking limit exceeded",
   "booker_limit_exceeded_error_reschedule": "You already have a booking for this event on {{date}}. Would you like to reschedule to the new selected time?",

apps/web/test/utils/bookingScenario/bookingScenario.ts

@@ -9,12 +9,12 @@ import type { z } from "zod";
 
 import { appStoreMetadata } from "@calcom/app-store/appStoreMetaData";
 import { handleStripePaymentSuccess } from "@calcom/features/ee/payments/api/webhook";
+import { ProfileRepository } from "@calcom/features/profile/repositories/ProfileRepository";
 import { weekdayToWeekIndex, type WeekDays } from "@calcom/lib/dayjs";
 import type { HttpError } from "@calcom/lib/http-error";
 import type { IntervalLimit } from "@calcom/lib/intervalLimits/intervalLimitSchema";
 import logger from "@calcom/lib/logger";
 import { safeStringify } from "@calcom/lib/safeStringify";
-import { ProfileRepository } from "@calcom/features/profile/repositories/ProfileRepository";
 import type { BookingReference, Attendee, Booking, Membership } from "@calcom/prisma/client";
 import type { Prisma } from "@calcom/prisma/client";
 import type { WebhookTriggerEvents } from "@calcom/prisma/client";
@@ -240,6 +240,8 @@ type InputUser = Omit<typeof TestData.users.example, "defaultScheduleId"> & {
       end: string;
     }[];
   };
+  requiresBookerEmailVerification?: boolean;
+  secondaryEmails?: { email: string; emailVerified: Date | null }[];
 };
 
 export type InputEventType = {
@@ -834,6 +836,21 @@ export async function addUsersToDb(users: InputUser[]) {
     }
   }
 
+  for (const user of users) {
+    if (user.secondaryEmails) {
+      log.debug("Creating SecondaryEmail entries for user", user.id);
+      for (const secondaryEmail of user.secondaryEmails) {
+        await prismock.secondaryEmail.create({
+          data: {
+            email: secondaryEmail.email,
+            emailVerified: secondaryEmail.emailVerified,
+            userId: user.id,
+          },
+        });
+      }
+    }
+  }
+
   const allUsers = await prismock.user.findMany({
     include: {
       credentials: true,
@@ -845,6 +862,7 @@ export async function addUsersToDb(users: InputUser[]) {
         },
       },
       destinationCalendar: true,
+      secondaryEmails: true,
     },
   });
 
@@ -1554,6 +1572,8 @@ export function getOrganizer({
   username,
   locked,
   emailVerified,
+  requiresBookerEmailVerification,
+  secondaryEmails,
 }: {
   name: string;
   email: string;
@@ -1572,6 +1592,8 @@ export function getOrganizer({
   username?: string;
   locked?: boolean;
   emailVerified?: Date | null;
+  requiresBookerEmailVerification?: boolean;
+  secondaryEmails?: { email: string; emailVerified: Date | null }[];
 }) {
   username = username ?? TestData.users.example.username;
   return {
@@ -1594,6 +1616,8 @@ export function getOrganizer({
     completedOnboarding,
     locked,
     emailVerified,
+    requiresBookerEmailVerification,
+    secondaryEmails,
   };
 }
 

apps/web/test/utils/bookingScenario/getMockRequestDataForBooking.ts

@@ -27,6 +27,7 @@ type CommonPropsMockRequestData = {
   rescheduledBy?: string;
   cancelledBy?: string;
   schedulingType?: SchedulingType;
+  guests?: string[];
   responses: {
     email: string;
     name: string;

packages/features/bookings/lib/handleNewBooking.ts

@@ -58,7 +58,7 @@ import { groupHostsByGroupId } from "@calcom/lib/bookings/hostGroupUtils";
 import { shouldIgnoreContactOwner } from "@calcom/lib/bookings/routing/utils";
 import { DEFAULT_GROUP_ID } from "@calcom/lib/constants";
 import { ErrorCode } from "@calcom/lib/errorCodes";
-import { getErrorFromUnknown } from "@calcom/lib/errors";
+import { getErrorFromUnknown, ErrorWithCode } from "@calcom/lib/errors";
 import { extractBaseEmail } from "@calcom/lib/extract-base-email";
 import getOrgIdFromMemberOrTeamId from "@calcom/lib/getOrgIdFromMemberOrTeamId";
 import { getTeamIdFromEventType } from "@calcom/lib/getTeamIdFromEventType";
@@ -490,6 +490,7 @@ async function handler(
   const {
     prismaClient: prisma,
     bookingRepository,
+    userRepository,
     cacheService,
     checkBookingAndDurationLimitsService,
     luckyUserService,
@@ -545,7 +546,18 @@ async function handler(
   const loggerWithEventDetails = createLoggerWithEventDetails(eventTypeId, reqBody.user, eventTypeSlug);
   const emailsAndSmsHandler = new BookingEmailSmsHandler({ logger: loggerWithEventDetails });
 
-  await checkIfBookerEmailIsBlocked({ loggedInUserId: userId, bookerEmail });
+  try {
+    await checkIfBookerEmailIsBlocked({
+      loggedInUserId: userId,
+      bookerEmail,
+      verificationCode: reqBody.verificationCode,
+    });
+  } catch (error) {
+    if (error instanceof ErrorWithCode) {
+      throw new HttpError({ statusCode: 403, message: error.message });
+    }
+    throw error;
+  }
 
   const spamCheckService = getSpamCheckService();
   const eventOrganizationId = await getEventOrganizationId({
@@ -1196,13 +1208,31 @@ async function handler(
     ? process.env.BLACKLISTED_GUEST_EMAILS.split(",")
     : [];
 
+  const guestEmails = (reqGuests || []).map((email) => extractBaseEmail(email).toLowerCase());
+  const guestUsers = await userRepository.findManyByEmailsWithEmailVerificationSettings({
+    emails: guestEmails,
+  });
+
+  const emailToRequiresVerification = new Map<string, boolean>();
+  for (const user of guestUsers) {
+    const matchedBase = extractBaseEmail(user.matchedEmail ?? user.email).toLowerCase();
+    emailToRequiresVerification.set(matchedBase, user.requiresBookerEmailVerification === true);
+  }
+
   const guestsRemoved: string[] = [];
   const guests = (reqGuests || []).reduce((guestArray, guest) => {
     const baseGuestEmail = extractBaseEmail(guest).toLowerCase();
+
     if (blacklistedGuestEmails.some((e) => e.toLowerCase() === baseGuestEmail)) {
       guestsRemoved.push(guest);
       return guestArray;
     }
+
+    if (emailToRequiresVerification.get(baseGuestEmail)) {
+      guestsRemoved.push(guest);
+      return guestArray;
+    }
+
     // If it's a team event, remove the team member from guests
     if (isTeamEventType && users.some((user) => user.email === guest)) {
       return guestArray;

packages/features/bookings/lib/handleNewBooking/checkIfBookerEmailIsBlocked.ts

@@ -1,27 +1,28 @@
+import { ErrorCode } from "@calcom/lib/errorCodes";
+import { ErrorWithCode } from "@calcom/lib/errors";
 import { extractBaseEmail } from "@calcom/lib/extract-base-email";
-import { HttpError } from "@calcom/lib/http-error";
 import prisma from "@calcom/prisma";
+import { verifyCodeUnAuthenticated } from "@calcom/trpc/server/routers/viewer/auth/util";
 
 export const checkIfBookerEmailIsBlocked = async ({
   bookerEmail,
   loggedInUserId,
+  verificationCode,
 }: {
   bookerEmail: string;
   loggedInUserId?: number;
+  verificationCode?: string;
 }) => {
   const baseEmail = extractBaseEmail(bookerEmail);
+
   const blacklistedGuestEmails = process.env.BLACKLISTED_GUEST_EMAILS
     ? process.env.BLACKLISTED_GUEST_EMAILS.split(",")
     : [];
 
-  const blacklistedEmail = blacklistedGuestEmails.find(
+  const blacklistedByEnv = blacklistedGuestEmails.find(
     (guestEmail: string) => guestEmail.toLowerCase() === baseEmail.toLowerCase()
   );
 
-  if (!blacklistedEmail) {
-    return false;
-  }
-
   const user = await prisma.user.findFirst({
     where: {
       OR: [
@@ -46,17 +47,46 @@ export const checkIfBookerEmailIsBlocked = async ({
     select: {
       id: true,
       email: true,
+      requiresBookerEmailVerification: true,
     },
   });
 
+  const blockedByUserSetting = user?.requiresBookerEmailVerification ?? false;
+  const shouldBlock = !!blacklistedByEnv || blockedByUserSetting;
+
+  if (!shouldBlock) {
+    return false;
+  }
+
   if (!user) {
-    throw new HttpError({ statusCode: 403, message: "Cannot use this email to create the booking." });
+    throw new ErrorWithCode(ErrorCode.BookerEmailBlocked, "Cannot use this email to create the booking.");
   }
 
   if (user.id !== loggedInUserId) {
-    throw new HttpError({
-      statusCode: 403,
-      message: `Attendee email has been blocked. Make sure to login as ${bookerEmail} to use this email for creating a booking.`,
-    });
+    // If a verification code is provided, validate it
+    if (verificationCode) {
+      let isValid = false;
+
+      try {
+        isValid = await verifyCodeUnAuthenticated(baseEmail, verificationCode);
+      } catch {
+        throw new ErrorWithCode(
+          ErrorCode.UnableToValidateVerificationCode,
+          "There was an error validating the verification code"
+        );
+      }
+
+      if (!isValid) {
+        throw new ErrorWithCode(ErrorCode.InvalidVerificationCode, "Invalid verification code");
+      }
+
+      return false;
+    }
+
+    throw new ErrorWithCode(
+      ErrorCode.BookerEmailRequiresLogin,
+      `Attendee email has been blocked. Make sure to login as ${bookerEmail} to use this email for creating a booking.`,
+      { email: bookerEmail }
+    );
   }
 };