fix: OptionalApiAuthGuard when only client id is provided (calcom#23783)

Author: ThyMinimalDev

apps/api/v2/src/modules/auth/guards/optional-api-auth/optional-api-auth.guard.ts

@@ -1,10 +1,19 @@
 import { ApiAuthGuard } from "@/modules/auth/guards/api-auth/api-auth.guard";
-import { NO_AUTH_PROVIDED_MESSAGE } from "@/modules/auth/strategies/api-auth/api-auth.strategy";
+import {
+  NO_AUTH_PROVIDED_MESSAGE,
+  ONLY_CLIENT_ID_PROVIDED_MESSAGE,
+} from "@/modules/auth/strategies/api-auth/api-auth.strategy";
 
 export class OptionalApiAuthGuard extends ApiAuthGuard {
   handleRequest(error: Error, user: any) {
     // note(Lauris): optional means that auth is not required but if it is invalid then still throw error.
     const noAuthProvided = error && error.message.includes(NO_AUTH_PROVIDED_MESSAGE);
+    const onlyClientIdProvided = error && error.message.includes(ONLY_CLIENT_ID_PROVIDED_MESSAGE);
+
+    if (onlyClientIdProvided) {
+      return null;
+    }
+
     if (user || noAuthProvided || !error) {
       return user || null;
     } else {

apps/api/v2/src/modules/auth/strategies/api-auth/api-auth.strategy.ts

@@ -32,6 +32,9 @@ export type ApiAuthGuardRequest = Request & {
 export const NO_AUTH_PROVIDED_MESSAGE =
   "No authentication method provided. Either pass an API key as 'Bearer' header or OAuth client credentials as 'x-cal-secret-key' and 'x-cal-client-id' headers";
 
+export const ONLY_CLIENT_ID_PROVIDED_MESSAGE =
+  "Only 'x-cal-client-id' header provided. Please also provide 'x-cal-secret-key' header or Auth bearer token as 'Authentication' header";
+
 @Injectable()
 export class ApiAuthStrategy extends PassportStrategy(BaseStrategy, "api-auth") {
   private readonly logger = new Logger("ApiAuthStrategy");
@@ -117,10 +120,15 @@ export class ApiAuthStrategy extends PassportStrategy(BaseStrategy, "api-auth")
       }
 
       const noAuthProvided = !oAuthClientId && !oAuthClientSecret && !bearerToken && !nextAuthToken;
+      const onlyClientIdProvided = !!oAuthClientId && !oAuthClientSecret && !bearerToken && !nextAuthToken;
       if (noAuthProvided) {
         throw new UnauthorizedException(`ApiAuthStrategy - ${NO_AUTH_PROVIDED_MESSAGE}`);
       }
 
+      if (onlyClientIdProvided) {
+        throw new UnauthorizedException(`ApiAuthStrategy - ${ONLY_CLIENT_ID_PROVIDED_MESSAGE}`);
+      }
+
       throw new UnauthorizedException(
         `ApiAuthStrategy - Invalid authentication method. Please provide one of the allowed methods: ${
           allowedMethods && allowedMethods.length > 0 ? allowedMethods.join(", ") : "Any supported method"