fix: prevent calendar credentials from leaking into video adapter calls (calcom#25200)

* fix: prevent calendar credentials from leaking into video adapter calls

Split getCredentialAndWarnIfNotFound into two category-specific functions:
- getVideoCredentialAndWarnIfNotFound: only searches video credentials
- getCalendarCredentialAndWarnIfNotFound: only searches calendar credentials

This prevents the bug where calendar credentials (like google_calendar) were
being passed to getVideoAdapters() during booking deletion, causing
'Couldn't get adapter for googlecalendar' errors.

The root cause was the fallback logic that searched both videoCredentials
and calendarCredentials when a credential wasn't found by ID. Now each
function only searches within its own credential category and validates
the returned credential has the expected type suffix (_video/_conferencing
or _calendar).

Also fixed pre-existing ESLint warnings in EventManager.ts:
- Prefixed unused delegatedCredentialLast with underscore
- Replaced 'any' types with 'unknown' for better type safety
- Fixed unused variable warning in updateAllCalendarEvents error handler

Fixes the issue where deleteVideoEventForBookingReference could receive
a calendar credential when the video credential was missing, leading to
errors in getVideoAdapters.

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* refactor: remove shared helper and implement logic directly in each function

- Removed getCredentialInternal shared helper
- Implemented logic directly in getVideoCredentialAndWarnIfNotFound
- Implemented logic directly in getCalendarCredentialAndWarnIfNotFound
- Changed fallback to explicitly use this.videoCredentials and this.calendarCredentials

Co-Authored-By: benny@cal.com <sldisek783@gmail.com>

* remove duplicate

* revert

* revert

* revert

* refactor

* add tests

* address

* clean up

* simplify

* simplify

* rename

* rename

* rename

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: Anik Dhabal Babu <81948346+anikdhabal@users.noreply.github.com>

Author: 3 people

packages/features/bookings/lib/EventManager.test.ts

@@ -2,6 +2,7 @@ import { prisma } from "@calcom/prisma/__mocks__/prisma";
 
 import { describe, expect, it, vi, beforeEach } from "vitest";
 
+import { CredentialRepository } from "@calcom/features/credentials/repositories/CredentialRepository";
 import { symmetricDecrypt } from "@calcom/lib/crypto";
 import type { DestinationCalendar } from "@calcom/prisma/client";
 import type { CredentialForCalendarService } from "@calcom/types/Credential";
@@ -16,7 +17,14 @@ vi.mock("@calcom/lib/crypto", () => ({
   symmetricDecrypt: vi.fn(),
 }));
 
+vi.mock("@calcom/features/credentials/repositories/CredentialRepository", () => ({
+  CredentialRepository: {
+    findCredentialForCalendarServiceById: vi.fn(),
+  },
+}));
+
 const mockedSymmetricDecrypt = vi.mocked(symmetricDecrypt);
+const mockedCredentialRepository = vi.mocked(CredentialRepository);
 
 function buildCalDAVCredential(data: {
   id: number;
@@ -57,6 +65,46 @@ function buildDestinationCalendar(data: {
   };
 }
 
+function buildCalendarCredential(data: {
+  id: number;
+  type?: string;
+  userId?: number;
+  delegatedToId?: string | null;
+}): CredentialForCalendarService {
+  return {
+    id: data.id,
+    type: data.type || "google_calendar",
+    key: {},
+    userId: data.userId || 1,
+    user: { email: "test@example.com" },
+    teamId: null,
+    appId: "google-calendar",
+    invalid: false,
+    delegatedTo: null,
+    delegationCredentialId: null,
+    delegatedToId: data.delegatedToId || null,
+  };
+}
+
+function buildVideoCredential(data: {
+  id: number;
+  type?: string;
+  userId?: number;
+}): CredentialForCalendarService {
+  return {
+    id: data.id,
+    type: data.type || "zoom_video",
+    key: {},
+    userId: data.userId || 1,
+    user: { email: "test@example.com" },
+    teamId: null,
+    appId: "zoom",
+    invalid: false,
+    delegatedTo: null,
+    delegationCredentialId: null,
+  };
+}
+
 describe("EventManager CalDAV credential validation", () => {
   let eventManager: EventManager;
 
@@ -456,3 +504,102 @@ describe("EventManager CalDAV credential validation", () => {
     });
   });
 });
+
+describe("EventManager credential lookup methods", () => {
+  let eventManager: EventManager;
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  describe("getVideoCredential", () => {
+    it("returns a cached credential when credentialId matches", async () => {
+      const videoCredential = buildVideoCredential({ id: 42, type: "zoom_video" });
+      eventManager = new EventManager({
+        credentials: [videoCredential],
+        destinationCalendar: null,
+      });
+
+      const result = await (eventManager as any).getVideoCredential(42, "zoom_video");
+
+      expect(result).toMatchObject({ id: 42, type: "zoom_video" });
+      expect(mockedCredentialRepository.findCredentialForCalendarServiceById).not.toHaveBeenCalled();
+    });
+
+    it("fetches credential from repository when not cached locally", async () => {
+      const dbCredential = buildVideoCredential({ id: 7, type: "zoom_video" });
+      eventManager = new EventManager({
+        credentials: [],
+        destinationCalendar: null,
+      });
+      mockedCredentialRepository.findCredentialForCalendarServiceById.mockResolvedValue(dbCredential as any);
+
+      const result = await (eventManager as any).getVideoCredential(7, "zoom_video");
+
+      expect(result).toEqual(dbCredential);
+      expect(mockedCredentialRepository.findCredentialForCalendarServiceById).toHaveBeenCalledWith({ id: 7 });
+    });
+
+    it("falls back to credential type when credentialId is missing", async () => {
+      const zoomCredential = buildVideoCredential({ id: 1, type: "zoom_video" });
+      eventManager = new EventManager({
+        credentials: [zoomCredential],
+        destinationCalendar: null,
+      });
+
+      const result = await (eventManager as any).getVideoCredential(null, "zoom_video");
+
+      expect(result).toMatchObject({ type: "zoom_video" });
+      expect(mockedCredentialRepository.findCredentialForCalendarServiceById).not.toHaveBeenCalled();
+    });
+  });
+
+  describe("getCalendarCredential", () => {
+    it("prefers delegation credentials when delegationCredentialId is provided", async () => {
+      const delegatedCredential = buildCalendarCredential({
+        id: 10,
+        delegatedToId: "delegation-123",
+      });
+      eventManager = new EventManager({
+        credentials: [delegatedCredential],
+        destinationCalendar: null,
+      });
+
+      const result = await (eventManager as any).getCalendarCredential(
+        99,
+        "google_calendar",
+        "delegation-123"
+      );
+
+      expect(result).toMatchObject({ id: 10, delegatedToId: "delegation-123" });
+      expect(mockedCredentialRepository.findCredentialForCalendarServiceById).not.toHaveBeenCalled();
+    });
+
+    it("fetches credential from repository when local cache misses", async () => {
+      const dbCredential = buildCalendarCredential({ id: 5, type: "google_calendar" });
+      eventManager = new EventManager({
+        credentials: [],
+        destinationCalendar: null,
+      });
+      mockedCredentialRepository.findCredentialForCalendarServiceById.mockResolvedValue(dbCredential as any);
+
+      const result = await (eventManager as any).getCalendarCredential(5, "google_calendar");
+
+      expect(result).toEqual(dbCredential);
+      expect(mockedCredentialRepository.findCredentialForCalendarServiceById).toHaveBeenCalledWith({ id: 5 });
+    });
+
+    it("falls back to matching credential type when credentialId is absent", async () => {
+      const calendarCredential = buildCalendarCredential({ id: 22, type: "google_calendar" });
+      eventManager = new EventManager({
+        credentials: [calendarCredential],
+        destinationCalendar: null,
+      });
+
+      const result = await (eventManager as any).getCalendarCredential(null, "google_calendar");
+
+      expect(result).toMatchObject({ id: 22, type: "google_calendar" });
+      expect(mockedCredentialRepository.findCredentialForCalendarServiceById).not.toHaveBeenCalled();
+    });
+  });
+});

packages/features/bookings/lib/EventManager.ts

@@ -509,9 +509,8 @@ export default class EventManager {
         ? reference.thirdPartyRecurringEventId
         : reference.uid;
 
-    const calendarCredential = await this.getCredentialAndWarnIfNotFound(
+    const calendarCredential = await this.getCalendarCredential(
       credentialId,
-      this.calendarCredentials,
       credentialType,
       reference.delegationCredentialId
     );
@@ -530,51 +529,72 @@ export default class EventManager {
     log.debug("deleteVideoEventForBookingReference", safeStringify({ bookingVideoReference: reference }));
     const { uid: bookingRefUid, credentialId } = reference;
 
-    const videoCredential = await this.getCredentialAndWarnIfNotFound(
-      credentialId,
-      this.videoCredentials,
-      reference.type
-    );
+    const videoCredential = await this.getVideoCredential(credentialId, reference.type);
 
     if (videoCredential) {
       await deleteMeeting(videoCredential, bookingRefUid);
     }
   }
 
-  private async getCredentialAndWarnIfNotFound(
+  private async getVideoCredential(
+    credentialId: number | null | undefined,
+    type: string
+  ): Promise<CredentialForCalendarService | null | undefined> {
+    const credential = this.videoCredentials.find((cred) => cred.id === credentialId);
+    if (credential) {
+      return credential;
+    }
+
+    const foundCredential =
+      typeof credentialId === "number" && credentialId > 0
+        ? await CredentialRepository.findCredentialForCalendarServiceById({ id: credentialId })
+        : // Fallback for zero or nullish credentialId which could be the case of Global App e.g. dailyVideo
+          this.videoCredentials.find((cred) => cred.type === type) || null;
+
+    if (!foundCredential) {
+      log.error(
+        "getVideoCredential: Could not find video credential",
+        safeStringify({
+          credentialId,
+          type,
+          videoCredentialIds: this.videoCredentials.map((cred) => cred.id),
+        })
+      );
+    }
+
+    return foundCredential;
+  }
+
+  private async getCalendarCredential(
     credentialId: number | null | undefined,
-    credentials: CredentialForCalendarService[],
     type: string,
     delegationCredentialId?: string | null
-  ) {
+  ): Promise<CredentialForCalendarService | null | undefined> {
     if (delegationCredentialId) {
       return this.calendarCredentials.find((cred) => cred.delegatedToId === delegationCredentialId);
     }
-    const credential = credentials.find((cred) => cred.id === credentialId);
+    const credential = this.calendarCredentials.find((cred) => cred.id === credentialId);
     if (credential) {
       return credential;
-    } else {
-      const credential =
-        typeof credentialId === "number" && credentialId > 0
-          ? await CredentialRepository.findCredentialForCalendarServiceById({ id: credentialId })
-          : // Fallback for zero or nullish credentialId which could be the case of Global App e.g. dailyVideo
-            this.videoCredentials.find((cred) => cred.type === type) ||
-            this.calendarCredentials.find((cred) => cred.type === type) ||
-            null;
-
-      if (!credential) {
-        log.error(
-          "getCredentialAndWarnIfNotFound: Could not find credential",
-          safeStringify({
-            credentialId,
-            type,
-            videoCredentials: this.videoCredentials,
-          })
-        );
-      }
+    }
 
-      return credential;
+    const foundCredential =
+      typeof credentialId === "number" && credentialId > 0
+        ? await CredentialRepository.findCredentialForCalendarServiceById({ id: credentialId })
+        : this.calendarCredentials.find((cred) => cred.type === type) || null;
+
+    if (!foundCredential) {
+      log.error(
+        "getCalendarCredential: Could not find calendar credential",
+        safeStringify({
+          credentialId,
+          type,
+          calendarCredentialIds: this.calendarCredentials.map((cred) => cred.id),
+        })
+      );
     }
+
+    return foundCredential;
   }
 
   /**
@@ -994,7 +1014,7 @@ export default class EventManager {
    * @private
    */
 
-  private getVideoCredential(event: CalendarEvent): CredentialForCalendarService | undefined {
+  private getVideoCredentialByCalendarEvent(event: CalendarEvent): CredentialForCalendarService | undefined {
     if (!event.location) {
       return undefined;
     }
@@ -1038,7 +1058,7 @@ export default class EventManager {
    * @private
    */
   private async createVideoEvent(event: CalendarEvent) {
-    const credential = this.getVideoCredential(event);
+    const credential = this.getVideoCredentialByCalendarEvent(event);
     if (credential) {
       return createMeeting(credential, event);
     } else {
@@ -1198,7 +1218,7 @@ export default class EventManager {
    * @private
    */
   private async updateVideoEvent(event: CalendarEvent, booking: PartialBooking) {
-    const credential = this.getVideoCredential(event);
+    const credential = this.getVideoCredentialByCalendarEvent(event);
 
     if (credential) {
       const bookingRef = booking ? booking.references.filter((ref) => ref.type === credential.type)[0] : null;