feat: Add spam blocker DI structure (calcom#24040)

* --init

* --

* replace old structure with new DI

* fix type

* --

* moving stuff around

* moving stuff around again

* minor clean up

* --

* resolve conflict

* clea up

* old schema clean up

* further clean up

* removing unwanted merged responsibilities

* --

* improve DI and SOLID

* some type fixes

* --1

* clean up --cont

* fix DI in facade for test

* more fix

* fix

* checking

* o.o

* fix import

* fix failing test --2

* fix failing test --3

* fix failing test --4

* normalization use

* introduce facade container injection

* uniform async telemetry spans

* further improvements

* replace prismock with repo mocks

* ensure we don't pass prisma outside of repo

* fix import

* remove try catch from repo calls

* async await fixes

* using deps pattern

* more clean up and fixes

* more clean up

* address feedback --1

* separation of concern

* clean up

* test clean up

* feedback --2

* remove extra fetch

* remove await

* migrate _post test from prismock

* fix type

* --

* fix tokens path

* rename AuditRepo

* test --1

* update _post to integration test

* fix test

* fix test

* test fix maybe?

* --

* feedback

* feedback

* fixes

* more feedback

* NIT

* use sentry and logger imports as planned

* assertion in test

* add missing test case

* add tests for controllers and services

* NITs

* fix domain normalisation

Author: alishaz-polymath

apps/api/v1/lib/helpers/verifyApiKey.test.ts

@@ -1,19 +1,42 @@
-import prismock from "../../../../../tests/libs/__mocks__/prisma";
-
+/**
+ * Unit Tests for verifyApiKey middleware
+ *
+ * These tests verify the middleware logic without touching the database.
+ * All dependencies (repositories, utilities) are mocked.
+ */
 import type { Request, Response } from "express";
 import type { NextApiRequest, NextApiResponse } from "next";
 import { createMocks } from "node-mocks-http";
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 
 import type { ILicenseKeyService } from "@calcom/ee/common/server/LicenseKeyService";
-import LicenseKeyService from "@calcom/ee/common/server/LicenseKeyService";
-import { hashAPIKey } from "@calcom/features/ee/api-keys/lib/apiKeys";
+import LicenseKeyService, { LicenseKeySingleton } from "@calcom/ee/common/server/LicenseKeyService";
+import { PrismaApiKeyRepository } from "@calcom/lib/server/repository/PrismaApiKeyRepository";
 import type { IDeploymentRepository } from "@calcom/lib/server/repository/deployment.interface";
-import prisma from "@calcom/prisma";
-import { MembershipRole, UserPermissionRole } from "@calcom/prisma/enums";
+import { ApiKeyService } from "@calcom/lib/server/service/ApiKeyService";
+import { UserPermissionRole } from "@calcom/prisma/enums";
 
+import { isAdminGuard } from "../utils/isAdmin";
+import { isLockedOrBlocked } from "../utils/isLockedOrBlocked";
+import { ScopeOfAdmin } from "../utils/scopeOfAdmin";
 import { verifyApiKey } from "./verifyApiKey";
 
+vi.mock("@calcom/lib/server/service/ApiKeyService", () => ({
+  ApiKeyService: vi.fn(),
+}));
+
+vi.mock("@calcom/lib/server/repository/PrismaApiKeyRepository", () => ({
+  PrismaApiKeyRepository: vi.fn(),
+}));
+
+vi.mock("../utils/isAdmin", () => ({
+  isAdminGuard: vi.fn(),
+}));
+
+vi.mock("../utils/isLockedOrBlocked", () => ({
+  isLockedOrBlocked: vi.fn(),
+}));
+
 vi.mock("@calcom/lib/crypto", () => ({
   symmetricDecrypt: vi.fn().mockReturnValue("mocked-decrypted-value"),
   symmetricEncrypt: vi.fn().mockReturnValue("mocked-encrypted-value"),
@@ -32,17 +55,29 @@ afterEach(() => {
 });
 
 const mockDeploymentRepository: IDeploymentRepository = {
-  getLicenseKeyWithId: vi.fn().mockResolvedValue("mockLicenseKey"), // Mocked return value
+  getLicenseKeyWithId: vi.fn().mockResolvedValue("mockLicenseKey"),
   getSignatureToken: vi.fn().mockResolvedValue("mockSignatureToken"),
 };
 
-describe("Verify API key", () => {
+describe("Verify API key - Unit Tests", () => {
   let service: ILicenseKeyService;
+  let mockApiKeyService: ApiKeyService;
 
   beforeEach(async () => {
     service = await LicenseKeyService.create(mockDeploymentRepository);
-
     vi.spyOn(service, "checkLicense");
+
+    vi.spyOn(LicenseKeySingleton, "getInstance").mockResolvedValue(service as LicenseKeyService);
+
+    mockApiKeyService = {
+      verifyKeyByHashedKey: vi.fn(),
+    } as unknown as ApiKeyService;
+
+    vi.mocked(ApiKeyService).mockImplementation(() => mockApiKeyService);
+    vi.mocked(PrismaApiKeyRepository).mockImplementation(() => ({} as unknown as PrismaApiKeyRepository));
+
+    vi.mocked(isAdminGuard).mockReset();
+    vi.mocked(isLockedOrBlocked).mockReset();
   });
 
   it("should throw an error if the api key is not valid", async () => {
@@ -98,22 +133,25 @@ describe("Verify API key", () => {
       query: {
         apiKey: "cal_test_key",
       },
-      prisma,
     });
-    const hashedKey = hashAPIKey("test_key");
-    await prismock.apiKey.create({
-      data: {
-        hashedKey,
-        user: {
-          create: {
-            email: "admin@example.com",
-            role: UserPermissionRole.ADMIN,
-            locked: false,
-          },
-        },
+
+    vi.mocked(mockApiKeyService.verifyKeyByHashedKey).mockResolvedValue({
+      valid: true,
+      userId: 1,
+      user: {
+        role: UserPermissionRole.ADMIN,
+        locked: false,
+        email: "admin@example.com",
       },
     });
 
+    vi.mocked(isAdminGuard).mockResolvedValue({
+      isAdmin: true,
+      scope: ScopeOfAdmin.SystemWide,
+    });
+
+    vi.mocked(isLockedOrBlocked).mockResolvedValue(false);
+
     const middleware = {
       fn: verifyApiKey,
     };
@@ -139,40 +177,25 @@ describe("Verify API key", () => {
       query: {
         apiKey: "cal_test_key",
       },
-      prisma,
     });
-    const hashedKey = hashAPIKey("test_key");
-    await prismock.apiKey.create({
-      data: {
-        hashedKey,
-        user: {
-          create: {
-            email: "org-admin@acme.com",
-            role: UserPermissionRole.USER,
-            locked: false,
-            teams: {
-              create: {
-                accepted: true,
-                role: MembershipRole.OWNER,
-                team: {
-                  create: {
-                    name: "ACME",
-                    isOrganization: true,
-                    organizationSettings: {
-                      create: {
-                        isAdminAPIEnabled: true,
-                        orgAutoAcceptEmail: "acme.com",
-                      },
-                    },
-                  },
-                },
-              },
-            },
-          },
-        },
+
+    vi.mocked(mockApiKeyService.verifyKeyByHashedKey).mockResolvedValue({
+      valid: true,
+      userId: 2,
+      user: {
+        role: UserPermissionRole.USER,
+        locked: false,
+        email: "org-admin@acme.com",
       },
     });
 
+    vi.mocked(isAdminGuard).mockResolvedValue({
+      isAdmin: true,
+      scope: ScopeOfAdmin.OrgOwnerOrAdmin,
+    });
+
+    vi.mocked(isLockedOrBlocked).mockResolvedValue(false);
+
     const middleware = {
       fn: verifyApiKey,
     };
@@ -198,22 +221,25 @@ describe("Verify API key", () => {
       query: {
         apiKey: "cal_test_key",
       },
-      prisma,
     });
-    const hashedKey = hashAPIKey("test_key");
-    await prismock.apiKey.create({
-      data: {
-        hashedKey,
-        user: {
-          create: {
-            email: "locked@example.com",
-            role: UserPermissionRole.USER,
-            locked: true,
-          },
-        },
+
+    vi.mocked(mockApiKeyService.verifyKeyByHashedKey).mockResolvedValue({
+      valid: true,
+      userId: 3,
+      user: {
+        role: UserPermissionRole.USER,
+        locked: true,
+        email: "locked@example.com",
       },
     });
 
+    vi.mocked(isAdminGuard).mockResolvedValue({
+      isAdmin: false,
+      scope: ScopeOfAdmin.SystemWide,
+    });
+
+    vi.mocked(isLockedOrBlocked).mockResolvedValue(true);
+
     const middleware = {
       fn: verifyApiKey,
     };

apps/api/v1/lib/helpers/verifyApiKey.ts

@@ -3,21 +3,15 @@ import type { NextMiddleware } from "next-api-middleware";
 import { LicenseKeySingleton } from "@calcom/ee/common/server/LicenseKeyService";
 import { hashAPIKey } from "@calcom/features/ee/api-keys/lib/apiKeys";
 import { IS_PRODUCTION } from "@calcom/lib/constants";
+import { PrismaApiKeyRepository } from "@calcom/lib/server/repository/PrismaApiKeyRepository";
 import { DeploymentRepository } from "@calcom/lib/server/repository/deployment";
-import prisma from "@calcom/prisma";
+import { ApiKeyService } from "@calcom/lib/server/service/ApiKeyService";
+import { prisma } from "@calcom/prisma";
 
 import { isAdminGuard } from "../utils/isAdmin";
 import { isLockedOrBlocked } from "../utils/isLockedOrBlocked";
 import { ScopeOfAdmin } from "../utils/scopeOfAdmin";
 
-// Used to check if the apiKey is not expired, could be extracted if reused. but not for now.
-export const dateNotInPast = function (date: Date) {
-  const now = new Date();
-  if (now.setHours(0, 0, 0, 0) > date.setHours(0, 0, 0, 0)) {
-    return true;
-  }
-};
-
 // This verifies the apiKey and sets the user if it is valid.
 export const verifyApiKey: NextMiddleware = async (req, res, next) => {
   const deploymentRepo = new DeploymentRepository(prisma);
@@ -32,24 +26,19 @@ export const verifyApiKey: NextMiddleware = async (req, res, next) => {
 
   const strippedApiKey = `${req.query.apiKey}`.replace(process.env.API_KEY_PREFIX || "cal_", "");
   const hashedKey = hashAPIKey(strippedApiKey);
-  const apiKey = await prisma.apiKey.findUnique({
-    where: { hashedKey },
-    include: {
-      user: {
-        select: { role: true, locked: true, email: true },
-      },
-    },
-  });
-  if (!apiKey) return res.status(401).json({ error: "Your API key is not valid." });
-  if (apiKey.expiresAt && dateNotInPast(apiKey.expiresAt)) {
-    return res.status(401).json({ error: "This API key is expired." });
+
+  // Use service layer for API key verification
+  const apiKeyRepo = new PrismaApiKeyRepository(prisma);
+  const apiKeyService = new ApiKeyService({ apiKeyRepo });
+  const result = await apiKeyService.verifyKeyByHashedKey(hashedKey);
+
+  if (!result.valid) {
+    return res.status(401).json({ error: result.error });
   }
-  if (!apiKey.userId || !apiKey.user)
-    return res.status(404).json({ error: "No user found for this API key." });
 
   // save the user id in the request for later use
-  req.userId = apiKey.userId;
-  req.user = apiKey.user;
+  req.userId = result.userId!;
+  req.user = result.user!;
 
   const { isAdmin, scope } = await isAdminGuard(req);
   const userIsLockedOrBlocked = await isLockedOrBlocked(req);

apps/api/v1/lib/utils/isLockedOrBlocked.ts

@@ -1,9 +1,17 @@
 import type { NextApiRequest } from "next";
 
+import { sentrySpan } from "@calcom/features/watchlist/lib/telemetry";
 import { checkIfEmailIsBlockedInWatchlistController } from "@calcom/features/watchlist/operations/check-if-email-in-watchlist.controller";
 
 export async function isLockedOrBlocked(req: NextApiRequest) {
   const user = req.user;
   if (!user?.email) return false;
-  return user.locked || (await checkIfEmailIsBlockedInWatchlistController(user.email));
+  return (
+    user.locked ||
+    (await checkIfEmailIsBlockedInWatchlistController({
+      email: user.email,
+      organizationId: null,
+      span: sentrySpan,
+    }))
+  );
 }