chore: Integrate confirmation booking audit (calcom#26523)

* chore: Integrate booking confirmation booking audit

Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>

* fix: Use BookingStatus type instead of string for booking.status

Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>

* Make booking-audit integration test utils reusable

* refactor: enhance handlePaymentSuccess to accept appSlug and actor identification

- Updated handlePaymentSuccess function to accept an object with paymentId, bookingId, appSlug, and traceContext.
- Introduced getActor function to determine the actor based on appSlug and credentialId.
- Modified webhook handlers for Alby, BTCPayServer, HitPay, PayPal, and Stripe to pass the new parameters.
- Improved logging for missing credentialId in payment processing.
- Adjusted related schemas to ensure proper type handling for booking status and actor identification.

* fix: Correct import paths and getActor function call

Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>

* fix: Use ActorIdentification type instead of AuditActor in getActor

Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>

* fix: Add guard clause for undefined actor in fireBookingAcceptedEvent

Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>

* fix: Add actionSource to all confirm calls

Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>

* refactor: Integrate actor identification and action source updates across booking services

- Added `makeUserActor` to various booking service files to enhance actor identification.
- Updated action source handling in booking confirmation and related functions to include "MAGIC_LINK".
- Refactored schemas to accommodate new actor and action source requirements, ensuring consistent type handling.
- Improved error handling and logging for booking actions to enhance traceability.

* Remvoe formatting changes

* Add test

* refactor: Enhance booking confirmation tests and event handling

- Updated `confirm.handler.test.ts` to improve test coverage for booking acceptance and rejection scenarios, including bulk bookings.
- Refactored the mock implementation of `BookingEventHandlerService` to streamline event handling for accepted and rejected bookings.
- Adjusted the `handleConfirmation` function to utilize `acceptedBookings` for better clarity and maintainability.
- Added tests to ensure correct invocation of event handler methods for both single and bulk booking confirmations and rejections.

* fix tests

* refactor: Use confirmHandler directly in link and verify-booking-token routes

Refactors the link and verify-booking-token API routes to call confirmHandler directly instead of using the tRPC caller pattern. This simplifies the code by removing the need for session getter, legacy request building, and context creation.

Changes:
- apps/web/app/api/link/route.ts: Use confirmHandler directly with ctx and input
- apps/web/app/api/verify-booking-token/route.ts: Use confirmHandler directly with ctx and input
- Updated tests to mock confirmHandler instead of tRPC caller

Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>

* fix ts errors due to merge frommain

* feat: introduce getAppActor utility for actor creation

This commit adds a new utility function, getAppActor, to streamline the process of creating actor objects for apps based on their slug and credential ID. The function is integrated into handlePaymentSuccess and handleStripePaymentSuccess, replacing the previous inline actor creation logic. This refactor enhances code maintainability and readability by centralizing actor creation logic.

Changes:
- New file: packages/app-store/_utils/getAppActor.ts
- Updated handlePaymentSuccess and handleStripePaymentSuccess to use getAppActor
- Removed redundant actor creation code from these functions

* refactor: Update appSlug in payment success handlers to use appConfig.slug

This commit modifies the appSlug parameter in the handlePaymentSuccess function across multiple payment webhook handlers to utilize the appConfig.slug value instead of hardcoded strings. This change enhances consistency and maintainability of the code.

Changes:
- Updated appSlug in handlePaymentSuccess for btcpayserver, hitpay, and paypal webhooks.
- Adjusted a test case to reflect the new appSlug value for consistency.

* test: Enhance booking token verification and audit action tests

This commit adds additional assertions to the booking token verification tests to ensure that the confirmHandler is not called when an error occurs. It also introduces a mechanism to clean up additional booking UIDs after each test in the accepted action integration tests, improving test reliability. Furthermore, it updates the action source schema comment for clarity.

Changes:
- Updated tests in `verify-booking-token` to check that `mockConfirmHandler` is not called on error.
- Implemented cleanup logic for additional booking UIDs in `accepted-action.integration-test.ts`.
- Clarified comment in `actionSource.ts` regarding the schema for action sources.
- Refactored `handleConfirmation.ts` and `confirm.handler.ts` to include tracing logger for error handling in booking events.

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

Author: hariombalhara

apps/api/v2/src/ee/bookings/2024-08-13/services/bookings.service.ts

@@ -69,6 +69,7 @@ import {
 import type { RescheduleSeatedBookingInput_2024_08_13 } from "@calcom/platform-types";
 import type { PrismaClient } from "@calcom/prisma";
 import type { EventType, User, Team } from "@calcom/prisma/client";
+import { makeUserActor } from "@calcom/features/booking-audit/lib/makeActor";
 
 type CreatedBooking = {
   hosts: { id: number }[];
@@ -921,40 +922,40 @@ export class BookingsService_2024_08_13 {
     return await this.getBooking(recurringBookingUid, authUser);
   }
 
-    async markAbsent(
-      bookingUid: string,
-      bookingOwnerId: number,
-      body: MarkAbsentBookingInput_2024_08_13,
-      userUuid?: string
-    ) {
-      const bodyTransformed = this.inputService.transformInputMarkAbsentBooking(body);
-      const bookingBefore = await this.bookingsRepository.getByUid(bookingUid);
-
-      if (!bookingBefore) {
-        throw new NotFoundException(`Booking with uid=${bookingUid} not found.`);
-      }
+  async markAbsent(
+    bookingUid: string,
+    bookingOwnerId: number,
+    body: MarkAbsentBookingInput_2024_08_13,
+    userUuid?: string
+  ) {
+    const bodyTransformed = this.inputService.transformInputMarkAbsentBooking(body);
+    const bookingBefore = await this.bookingsRepository.getByUid(bookingUid);
+
+    if (!bookingBefore) {
+      throw new NotFoundException(`Booking with uid=${bookingUid} not found.`);
+    }
 
-      const nowUtc = DateTime.utc();
-      const bookingStartTimeUtc = DateTime.fromJSDate(bookingBefore.startTime, { zone: "utc" });
+    const nowUtc = DateTime.utc();
+    const bookingStartTimeUtc = DateTime.fromJSDate(bookingBefore.startTime, { zone: "utc" });
 
-      if (nowUtc < bookingStartTimeUtc) {
-        throw new BadRequestException(
-          `Bookings can only be marked as absent after their scheduled start time. Current time in UTC+0: ${nowUtc.toISO()}, Booking start time in UTC+0: ${bookingStartTimeUtc.toISO()}`
-        );
-      }
+    if (nowUtc < bookingStartTimeUtc) {
+      throw new BadRequestException(
+        `Bookings can only be marked as absent after their scheduled start time. Current time in UTC+0: ${nowUtc.toISO()}, Booking start time in UTC+0: ${bookingStartTimeUtc.toISO()}`
+      );
+    }
 
-      const platformClientParams = bookingBefore?.eventTypeId
-        ? await this.platformBookingsService.getOAuthClientParams(bookingBefore.eventTypeId)
-        : undefined;
+    const platformClientParams = bookingBefore?.eventTypeId
+      ? await this.platformBookingsService.getOAuthClientParams(bookingBefore.eventTypeId)
+      : undefined;
 
-      await handleMarkNoShow({
-        bookingUid,
-        attendees: bodyTransformed.attendees,
-        noShowHost: bodyTransformed.noShowHost,
-        userId: bookingOwnerId,
-        userUuid,
-        platformClientParams,
-      });
+    await handleMarkNoShow({
+      bookingUid,
+      attendees: bodyTransformed.attendees,
+      noShowHost: bodyTransformed.noShowHost,
+      userId: bookingOwnerId,
+      userUuid,
+      platformClientParams,
+    });
 
     const booking = await this.bookingsRepository.getByUidWithAttendeesAndUserAndEvent(bookingUid);
 
@@ -1146,6 +1147,8 @@ export class BookingsService_2024_08_13 {
         recurringEventId: booking.recurringEventId ?? undefined,
         emailsEnabled,
         platformClientParams,
+        actionSource: "API_V2",
+        actor: makeUserActor(requestUser.uuid),
       },
     });
 
@@ -1179,6 +1182,8 @@ export class BookingsService_2024_08_13 {
         reason,
         emailsEnabled,
         platformClientParams,
+        actionSource: "API_V2",
+        actor: makeUserActor(requestUser.uuid),
       },
     });
 

apps/web/app/api/link/__tests__/route.test.ts

@@ -78,6 +78,10 @@ vi.mock("@calcom/lib/tracing/factory", () => ({
   },
 }));
 
+vi.mock("@calcom/features/booking-audit/lib/makeActor", () => ({
+  makeUserActor: vi.fn().mockReturnValue({ type: "user", id: "test-uuid" }),
+}));
+
 // Import after mocks are set up
 import { GET } from "../route";
 import prisma from "@calcom/prisma";
@@ -171,7 +175,9 @@ describe("link route", () => {
       const { TRPCError } = await import("@trpc/server");
 
       // Mock confirmHandler to throw a TRPCError
-      mockConfirmHandler.mockRejectedValueOnce(new TRPCError({ code: "BAD_REQUEST", message: "Custom error" }));
+      mockConfirmHandler.mockRejectedValueOnce(
+        new TRPCError({ code: "BAD_REQUEST", message: "Custom error" })
+      );
 
       const baseUrl = "https://app.example.com/api/link?action=accept&token=encrypted-token";
       const req = createMockRequest(baseUrl);
@@ -206,4 +212,122 @@ describe("link route", () => {
       expect(location).not.toContain("localhost");
     });
   });
+
+  describe("confirmHandler flow", () => {
+    it("should call confirmHandler with correct arguments for accept action", async () => {
+      const baseUrl = "https://app.example.com/api/link?action=accept&token=encrypted-token";
+      const req = createMockRequest(baseUrl);
+
+      await GET(req, { params: Promise.resolve({}) });
+
+      expect(mockConfirmHandler).toHaveBeenCalledWith(
+        expect.objectContaining({
+          input: expect.objectContaining({
+            bookingId: 1,
+            confirmed: true,
+            emailsEnabled: true,
+            actionSource: "MAGIC_LINK",
+          }),
+        })
+      );
+    });
+
+    it("should call confirmHandler with confirmed=false for reject action", async () => {
+      const baseUrl = "https://app.example.com/api/link?action=reject&token=encrypted-token";
+      const req = createMockRequest(baseUrl);
+
+      await GET(req, { params: Promise.resolve({}) });
+
+      expect(mockConfirmHandler).toHaveBeenCalledWith(
+        expect.objectContaining({
+          input: expect.objectContaining({
+            bookingId: 1,
+            confirmed: false,
+            emailsEnabled: true,
+            actionSource: "MAGIC_LINK",
+          }),
+        })
+      );
+    });
+
+    it("should call confirmHandler with reason when provided in query params", async () => {
+      const baseUrl =
+        "https://app.example.com/api/link?action=reject&token=encrypted-token&reason=test-reason";
+      const req = createMockRequest(baseUrl);
+
+      await GET(req, { params: Promise.resolve({}) });
+
+      expect(mockConfirmHandler).toHaveBeenCalledWith(
+        expect.objectContaining({
+          input: expect.objectContaining({
+            bookingId: 1,
+            confirmed: false,
+            reason: "test-reason",
+            emailsEnabled: true,
+            actionSource: "MAGIC_LINK",
+          }),
+        })
+      );
+    });
+
+    it("should pass recurringEventId when booking has one", async () => {
+      // Update mock to return booking with recurringEventId
+      vi.mocked(prisma.booking.findUniqueOrThrow).mockResolvedValueOnce({
+        id: 1,
+        uid: "test-booking-uid",
+        recurringEventId: "recurring-123",
+      } as Awaited<ReturnType<typeof prisma.booking.findUniqueOrThrow>>);
+
+      const baseUrl = "https://app.example.com/api/link?action=accept&token=encrypted-token";
+      const req = createMockRequest(baseUrl);
+
+      await GET(req, { params: Promise.resolve({}) });
+
+      expect(mockConfirmHandler).toHaveBeenCalledWith(
+        expect.objectContaining({
+          input: expect.objectContaining({
+            bookingId: 1,
+            recurringEventId: "recurring-123",
+            confirmed: true,
+          }),
+        })
+      );
+    });
+
+    it("should pass user context to confirmHandler", async () => {
+      const baseUrl = "https://app.example.com/api/link?action=accept&token=encrypted-token";
+      const req = createMockRequest(baseUrl);
+
+      await GET(req, { params: Promise.resolve({}) });
+
+      expect(mockConfirmHandler).toHaveBeenCalledWith(
+        expect.objectContaining({
+          ctx: expect.objectContaining({
+            user: expect.objectContaining({
+              id: 1,
+              uuid: "user-uuid",
+              email: "test@example.com",
+              username: "testuser",
+              role: "USER",
+            }),
+          }),
+        })
+      );
+    });
+
+    it("should pass actor from makeUserActor to confirmHandler", async () => {
+      const baseUrl = "https://app.example.com/api/link?action=accept&token=encrypted-token";
+      const req = createMockRequest(baseUrl);
+
+      await GET(req, { params: Promise.resolve({}) });
+
+      expect(mockConfirmHandler).toHaveBeenCalledWith(
+        expect.objectContaining({
+          input: expect.objectContaining({
+            actor: { type: "user", id: "test-uuid" },
+          }),
+        })
+      );
+    });
+  });
 });

apps/web/app/api/link/route.ts

@@ -8,6 +8,7 @@ import { distributedTracing } from "@calcom/lib/tracing/factory";
 import prisma from "@calcom/prisma";
 import { confirmHandler } from "@calcom/trpc/server/routers/viewer/bookings/confirm.handler";
 import { TRPCError } from "@trpc/server";
+import { makeUserActor } from "@calcom/features/booking-audit/lib/makeActor";
 
 enum DirectAction {
   ACCEPT = "accept",
@@ -90,6 +91,8 @@ async function handler(request: NextRequest) {
               platformBookingUrl,
             }
           : undefined,
+        actionSource: "MAGIC_LINK",
+        actor: makeUserActor(user.uuid),
       },
     });
   } catch (e) {