feat: link email to participant (requireEmailForGuests) (calcom#24661)

* feat: link email to participatn

* fix: bugs

* refactor: improve code

* refactor: prevent repload

* chore: remove unued

* fix: type

* refactor

* fix: type

* feat: restrict host

* feat: type

* feat: tests

* fix: don't allow guest

* fix: merk guest

* fix: bugs

* fix: test

* fix: test

* refactor: feedback

* fix: tests

---------

Co-authored-by: Volnei Munhoz <volnei.munhoz@gmail.com>

Author: Udit-takkar

apps/web/app/api/cancel/route.ts

@@ -6,6 +6,7 @@ import type { NextRequest } from "next/server";
 import { getServerSession } from "@calcom/features/auth/lib/getServerSession";
 import handleCancelBooking from "@calcom/features/bookings/lib/handleCancelBooking";
 import { bookingCancelWithCsrfSchema } from "@calcom/prisma/zod-utils";
+import { validateCsrfToken } from "@calcom/web/lib/validateCsrfToken";
 
 import { buildLegacyRequest } from "@lib/buildLegacyCtx";
 
@@ -17,13 +18,11 @@ async function handler(req: NextRequest) {
     return NextResponse.json({ success: false, message: "Invalid JSON" }, { status: 400 });
   }
   const bookingData = bookingCancelWithCsrfSchema.parse(appDirRequestBody);
-  const cookieStore = await cookies();
-  const cookieToken = cookieStore.get("calcom.csrf_token")?.value;
 
-  if (!cookieToken || cookieToken !== bookingData.csrfToken) {
-    return NextResponse.json({ success: false, message: "Invalid CSRF token" }, { status: 403 });
+  const csrfError = await validateCsrfToken(bookingData.csrfToken);
+  if (csrfError) {
+    return csrfError;
   }
-  cookieStore.delete("calcom.csrf_token");
 
   const session = await getServerSession({ req: buildLegacyRequest(await headers(), await cookies()) });
 

apps/web/app/api/video/guest-session/route.ts

@@ -0,0 +1,94 @@
+import { defaultResponderForAppDir } from "app/api/defaultResponderForAppDir";
+import { NextResponse } from "next/server";
+import type { NextRequest } from "next/server";
+import { z } from "zod";
+
+import {
+  generateGuestMeetingTokenFromOwnerMeetingToken,
+  updateMeetingTokenIfExpired,
+} from "@calcom/app-store/dailyvideo/lib/VideoApiAdapter";
+import { getHostsAndGuests } from "@calcom/features/bookings/lib/getHostsAndGuests";
+import { BookingRepository } from "@calcom/features/bookings/repositories/BookingRepository";
+import { getCalVideoReference } from "@calcom/features/get-cal-video-reference";
+import { VideoCallGuestRepository } from "@calcom/features/video-call-guest/repositories/VideoCallGuestRepository";
+import prisma from "@calcom/prisma";
+import { validateCsrfToken } from "@calcom/web/lib/validateCsrfToken";
+
+const videoCallGuestWithCsrfSchema = z.object({
+  bookingUid: z.string(),
+  email: z.string().email(),
+  name: z.string().min(1),
+  csrfToken: z.string().length(64, "Invalid CSRF token"),
+});
+
+async function handler(req: NextRequest) {
+  let appDirRequestBody;
+  try {
+    appDirRequestBody = await req.json();
+  } catch {
+    return NextResponse.json({ success: false, message: "Invalid JSON" }, { status: 400 });
+  }
+
+  const guestData = videoCallGuestWithCsrfSchema.parse(appDirRequestBody);
+
+  const csrfError = await validateCsrfToken(guestData.csrfToken);
+  if (csrfError) {
+    return csrfError;
+  }
+
+  const bookingRepo = new BookingRepository(prisma);
+  const booking = await bookingRepo.findBookingIncludeCalVideoSettingsAndReferences({
+    bookingUid: guestData.bookingUid,
+  });
+
+  if (!booking) {
+    return NextResponse.json({ error: "Booking not found" }, { status: 404 });
+  }
+
+  const { hosts, guests } = getHostsAndGuests(booking);
+  const isHost = hosts.some((host) => host.email.toLowerCase() === guestData.email.trim().toLowerCase());
+  const isGuest = guests.some((guest) => guest.email.toLowerCase() === guestData.email.trim().toLowerCase());
+
+  if (isHost) {
+    return NextResponse.json({ error: "hosts_must_use_login" }, { status: 403 });
+  } else if (!isGuest) {
+    return NextResponse.json({ error: "invalid_guest_email" }, { status: 403 });
+  }
+
+  const videoCallGuestRepo = new VideoCallGuestRepository(prisma);
+  const guestSession = await videoCallGuestRepo.upsertVideoCallGuest({
+    bookingUid: guestData.bookingUid,
+    email: guestData.email,
+    name: guestData.name,
+  });
+
+  const videoReference = getCalVideoReference(booking.references);
+
+  if (!videoReference) {
+    return NextResponse.json({ error: "Video reference not found" }, { status: 404 });
+  }
+
+  const endTime = new Date(booking.endTime);
+  const fourteenDaysAfter = new Date(endTime.getTime() + 14 * 24 * 60 * 60 * 1000);
+  const epochTimeFourteenDaysAfter = Math.floor(fourteenDaysAfter.getTime() / 1000);
+
+  const videoReferencePassword = await updateMeetingTokenIfExpired({
+    bookingReferenceId: videoReference.id,
+    roomName: videoReference.uid,
+    meetingToken: videoReference.meetingPassword,
+    exp: epochTimeFourteenDaysAfter,
+  });
+
+  const guestMeetingPassword = await generateGuestMeetingTokenFromOwnerMeetingToken({
+    meetingToken: videoReferencePassword,
+    userId: guestSession.id,
+  });
+
+  return NextResponse.json({
+    guestSessionId: guestSession.id,
+    meetingPassword: guestMeetingPassword,
+    meetingUrl: videoReference.meetingUrl,
+  });
+}
+
+export const POST = defaultResponderForAppDir(handler);

apps/web/lib/validateCsrfToken.ts

@@ -0,0 +1,13 @@
+import { cookies } from "next/headers";
+import { NextResponse } from "next/server";
+
+export async function validateCsrfToken(csrfToken: string): Promise<NextResponse | null> {
+  const cookieStore = await cookies();
+  const cookieToken = cookieStore.get("calcom.csrf_token")?.value;
+
+  if (!cookieToken || cookieToken !== csrfToken) {
+    return NextResponse.json({ success: false, message: "Invalid CSRF token" }, { status: 403 });
+  }
+  cookieStore.delete("calcom.csrf_token");
+  return null;
+}

apps/web/lib/video/[uid]/getServerSideProps.ts

@@ -10,7 +10,6 @@ import { getServerSession } from "@calcom/features/auth/lib/getServerSession";
 import { BookingRepository } from "@calcom/features/bookings/repositories/BookingRepository";
 import { OrganizationRepository } from "@calcom/features/ee/organizations/repositories/OrganizationRepository";
 import { EventTypeRepository } from "@calcom/features/eventtypes/repositories/eventTypeRepository";
-import { FeaturesRepository } from "@calcom/features/flags/features.repository";
 import { getCalVideoReference } from "@calcom/features/get-cal-video-reference";
 import { UserRepository } from "@calcom/features/users/repositories/UserRepository";
 import { CAL_VIDEO_MEETING_LINK_FOR_TESTING } from "@calcom/lib/constants";
@@ -26,6 +25,7 @@ type CalVideoSettings = {
   enableAutomaticRecordingForOrganizer: boolean;
   disableTranscriptionForGuests: boolean;
   disableTranscriptionForOrganizer: boolean;
+  requireEmailForGuests: boolean;
 };
 
 const shouldEnableRecordButton = ({
@@ -124,7 +124,7 @@ export async function getServerSideProps(context: GetServerSidePropsContext) {
   const { req } = context;
 
   const bookingRepo = new BookingRepository(prisma);
-  const booking = await bookingRepo.findBookingForMeetingPage({
+  const booking = await bookingRepo.findBookingIncludeCalVideoSettingsAndReferences({
     bookingUid: context.query.uid as string,
   });
 
@@ -211,6 +211,7 @@ export async function getServerSideProps(context: GetServerSidePropsContext) {
   });
 
   const sessionUserId = session?.user?.impersonatedBy ? session.user.impersonatedBy.id : session?.user.id;
+  const sessionUserEmail = session?.user?.email;
   const isOrganizer = await checkIfUserIsHost({
     booking: {
       eventTypeId: bookingObj.eventType?.id,
@@ -219,18 +220,25 @@ export async function getServerSideProps(context: GetServerSidePropsContext) {
     sessionUserId,
   });
 
+  const isAttendee = sessionUserEmail
+    ? bookingObj.attendees?.some(
+        (attendee) => attendee.email.toLowerCase() === sessionUserEmail.toLowerCase()
+      ) ?? false
+    : false;
+
   // set meetingPassword for guests
   if (!isOrganizer) {
+    const userIdForToken = sessionUserId;
+
     const guestMeetingPassword = await generateGuestMeetingTokenFromOwnerMeetingToken({
       meetingToken: videoReferencePassword,
-      userId: sessionUserId,
+      userId: userIdForToken,
     });
 
     bookingObj.references.forEach((bookRef) => {
       bookRef.meetingPassword = guestMeetingPassword;
     });
   }
-
   // Only for backward compatibility and setting user id in participants for organizer
   else {
     const meetingPassword = await setEnableRecordingUIAndUserIdForOrganizer(
@@ -247,11 +255,6 @@ export async function getServerSideProps(context: GetServerSidePropsContext) {
 
   const videoReference = getCalVideoReference(bookingObj.references);
 
-  const featureRepo = new FeaturesRepository(prisma);
-  const displayLogInOverlay = profile?.organizationId
-    ? await featureRepo.checkIfTeamHasFeature(profile.organizationId, "cal-video-log-in-overlay")
-    : false;
-
   const showRecordingButton = shouldEnableRecordButton({
     hasTeamPlan: !!hasTeamPlan,
     calVideoSettings: bookingObj.eventType?.calVideoSettings,
@@ -293,7 +296,6 @@ export async function getServerSideProps(context: GetServerSidePropsContext) {
       },
       hasTeamPlan: !!hasTeamPlan,
       calVideoLogo,
-      displayLogInOverlay,
       loggedInUserName: sessionUserId ? session?.user?.name : undefined,
       showRecordingButton,
       enableAutomaticTranscription,
@@ -303,6 +305,8 @@ export async function getServerSideProps(context: GetServerSidePropsContext) {
         ? undefined
         : bookingObj.eventType?.calVideoSettings?.redirectUrlOnExit,
       overrideName: Array.isArray(context.query.name) ? context.query.name[0] : context.query.name,
+      requireEmailForGuests: bookingObj.eventType?.calVideoSettings?.requireEmailForGuests ?? false,
+      isLoggedInUserPartOfMeeting: isAttendee || isOrganizer,
     },
   };
 }