feat: authentication secured event types (calcom#23217)

* feat: EventType bookingRequiresAuthentication column

* feat: toggle EventType bookingRequiresAuthentication via api

* feat: check bookingRequiresAuthentication when booking

* docs: v2 swagger

* fix: ts error

* refactor: use Forbidden exception instead of Unauthorized

* refactor: use findFirst instead of unique

* fix: only count accepted memberships

* fix: orgs schedules docs

* regenerate docs

* chore: update platform libraries

* fix: unit test

* fix: e2e test

Author: supalarry

apps/api/v2/package.json

@@ -38,7 +38,7 @@
     "@axiomhq/winston": "^1.2.0",
     "@calcom/platform-constants": "*",
     "@calcom/platform-enums": "*",
-    "@calcom/platform-libraries": "npm:@calcom/platform-libraries@0.0.320",
+    "@calcom/platform-libraries": "npm:@calcom/platform-libraries@0.0.321",
     "@calcom/platform-types": "*",
     "@calcom/platform-utils": "*",
     "@calcom/prisma": "*",

apps/api/v2/src/ee/bookings/2024-08-13/bookings.module.ts

@@ -22,6 +22,7 @@ import { BookingSeatModule } from "@/modules/booking-seat/booking-seat.module";
 import { BookingSeatRepository } from "@/modules/booking-seat/booking-seat.repository";
 import { CredentialsRepository } from "@/modules/credentials/credentials.repository";
 import { KyselyModule } from "@/modules/kysely/kysely.module";
+import { MembershipsModule } from "@/modules/memberships/memberships.module";
 import { OAuthClientRepository } from "@/modules/oauth-clients/oauth-client.repository";
 import { OAuthClientUsersService } from "@/modules/oauth-clients/services/oauth-clients-users.service";
 import { OAuthFlowService } from "@/modules/oauth-clients/services/oauth-flow.service";
@@ -53,6 +54,7 @@ import { Module } from "@nestjs/common";
     StripeModule,
     TeamsModule,
     TeamsEventTypesModule,
+    MembershipsModule,
   ],
   providers: [
     TokensRepository,

apps/api/v2/src/ee/bookings/2024-08-13/controllers/bookings.controller.ts

@@ -13,10 +13,14 @@ import { CalVideoService } from "@/ee/bookings/2024-08-13/services/cal-video.ser
 import { VERSION_2024_08_13_VALUE, VERSION_2024_08_13 } from "@/lib/api-versions";
 import { API_KEY_OR_ACCESS_TOKEN_HEADER } from "@/lib/docs/headers";
 import { PlatformPlan } from "@/modules/auth/decorators/billing/platform-plan.decorator";
+import {
+  AuthOptionalUser,
+  GetOptionalUser,
+} from "@/modules/auth/decorators/get-optional-user/get-optional-user.decorator";
 import { GetUser } from "@/modules/auth/decorators/get-user/get-user.decorator";
 import { Permissions } from "@/modules/auth/decorators/permissions/permissions.decorator";
-import { Roles } from "@/modules/auth/decorators/roles/roles.decorator";
 import { ApiAuthGuard } from "@/modules/auth/guards/api-auth/api-auth.guard";
+import { OptionalApiAuthGuard } from "@/modules/auth/guards/optional-api-auth/optional-api-auth.guard";
 import { PermissionsGuard } from "@/modules/auth/guards/permissions/permissions.guard";
 import { UsersService } from "@/modules/users/services/users.service";
 import { UserWithProfile } from "@/modules/users/users.repository";
@@ -96,6 +100,7 @@ export class BookingsController_2024_08_13 {
   ) {}
 
   @Post("/")
+  @UseGuards(OptionalApiAuthGuard)
   @ApiOperation({
     summary: "Create a booking",
     description: `
@@ -138,9 +143,10 @@ export class BookingsController_2024_08_13 {
   async createBooking(
     @Body(new CreateBookingInputPipe())
     body: CreateBookingInput,
-    @Req() request: Request
+    @Req() request: Request,
+    @GetOptionalUser() user: AuthOptionalUser
   ): Promise<CreateBookingOutput_2024_08_13> {
-    const booking = await this.bookingsService.createBooking(request, body);
+    const booking = await this.bookingsService.createBooking(request, body, user);
 
     if (Array.isArray(booking)) {
       await this.bookingsService.billBookings(booking);

apps/api/v2/src/ee/bookings/2024-08-13/controllers/e2e/managed-user-bookings.e2e-spec.ts

@@ -3,6 +3,7 @@ import { AppModule } from "@/app.module";
 import { HttpExceptionFilter } from "@/filters/http-exception.filter";
 import { PrismaExceptionFilter } from "@/filters/prisma-exception.filter";
 import { Locales } from "@/lib/enums/locales";
+import { MembershipsModule } from "@/modules/memberships/memberships.module";
 import {
   CreateManagedUserData,
   CreateManagedUserOutput,
@@ -80,7 +81,7 @@ describe("Managed user bookings 2024-08-13", () => {
   beforeAll(async () => {
     const moduleRef = await Test.createTestingModule({
       providers: [PrismaExceptionFilter, HttpExceptionFilter],
-      imports: [AppModule, UsersModule],
+      imports: [AppModule, UsersModule, MembershipsModule],
     }).compile();
 
     app = moduleRef.createNestApplication();
@@ -772,6 +773,77 @@ describe("Managed user bookings 2024-08-13", () => {
     });
   });
 
+  describe("event type booking requires authentication", () => {
+    let eventTypeRequiringAuthenticationId: number;
+
+    let body: CreateBookingInput_2024_08_13;
+
+    beforeAll(async () => {
+      const eventTypeRequiringAuthentication = await eventTypesRepositoryFixture.create(
+        {
+          title: `event-type-requiring-authentication-${randomString()}`,
+          slug: `event-type-requiring-authentication-${randomString()}`,
+          length: 60,
+          requiresConfirmation: true,
+          bookingRequiresAuthentication: true,
+        },
+        secondManagedUser.user.id
+      );
+      eventTypeRequiringAuthenticationId = eventTypeRequiringAuthentication.id;
+
+      body = {
+        start: new Date(Date.UTC(2030, 0, 9, 15, 0, 0)).toISOString(),
+        eventTypeId: eventTypeRequiringAuthenticationId,
+        attendee: {
+          email: "external@example.com",
+          name: "External Attendee",
+          timeZone: "Europe/Rome",
+        },
+      };
+    });
+
+    it("can't be booked without credentials", async () => {
+      await request(app.getHttpServer())
+        .post(`/v2/bookings`)
+        .send(body)
+        .set(CAL_API_VERSION_HEADER, VERSION_2024_08_13)
+        .expect(401);
+    });
+
+    it("can't be booked with managed user credentials who is not admin and not event type owner", async () => {
+      await request(app.getHttpServer())
+        .post(`/v2/bookings`)
+        .send(body)
+        .set(CAL_API_VERSION_HEADER, VERSION_2024_08_13)
+        .set("Authorization", `Bearer ${firstManagedUser.accessToken}`)
+        .expect(403);
+    });
+
+    it("can be booked with managed user credentials who is event type owner", async () => {
+      const response = await request(app.getHttpServer())
+        .post(`/v2/bookings`)
+        .send(body)
+        .set(CAL_API_VERSION_HEADER, VERSION_2024_08_13)
+        .set("Authorization", `Bearer ${secondManagedUser.accessToken}`)
+        .expect(201);
+
+      const bookingId = response.body.data.id;
+      await bookingsRepositoryFixture.deleteById(bookingId);
+    });
+
+    it("can be booked with managed user credentials who is admin", async () => {
+      const response = await request(app.getHttpServer())
+        .post(`/v2/bookings`)
+        .send(body)
+        .set(CAL_API_VERSION_HEADER, VERSION_2024_08_13)
+        .set("Authorization", `Bearer ${orgAdminManagedUser.accessToken}`)
+        .expect(201);
+
+      const bookingId = response.body.data.id;
+      await bookingsRepositoryFixture.deleteById(bookingId);
+    });
+  });
+
   afterAll(async () => {
     await userRepositoryFixture.delete(firstManagedUser.user.id);
     await userRepositoryFixture.delete(secondManagedUser.user.id);

apps/api/v2/src/ee/bookings/2024-08-13/services/bookings.service.ts

@@ -6,9 +6,12 @@ import { OutputBookingsService_2024_08_13 } from "@/ee/bookings/2024-08-13/servi
 import { PlatformBookingsService } from "@/ee/bookings/shared/platform-bookings.service";
 import { EventTypesRepository_2024_06_14 } from "@/ee/event-types/event-types_2024_06_14/event-types.repository";
 import { getPagination } from "@/lib/pagination/pagination";
+import { AuthOptionalUser } from "@/modules/auth/decorators/get-optional-user/get-optional-user.decorator";
 import { BillingService } from "@/modules/billing/services/billing.service";
 import { BookingSeatRepository } from "@/modules/booking-seat/booking-seat.repository";
 import { KyselyReadService } from "@/modules/kysely/kysely-read.service";
+import { MembershipsRepository } from "@/modules/memberships/memberships.repository";
+import { MembershipsService } from "@/modules/memberships/services/memberships.service";
 import { OAuthClientRepository } from "@/modules/oauth-clients/oauth-client.repository";
 import { OAuthClientUsersService } from "@/modules/oauth-clients/services/oauth-clients-users.service";
 import { OrganizationsRepository } from "@/modules/organizations/index/organizations.repository";
@@ -18,7 +21,14 @@ import { TeamsEventTypesRepository } from "@/modules/teams/event-types/teams-eve
 import { TeamsRepository } from "@/modules/teams/teams/teams.repository";
 import { UsersService } from "@/modules/users/services/users.service";
 import { UsersRepository, UserWithProfile } from "@/modules/users/users.repository";
-import { ConflictException, Injectable, Logger, NotFoundException } from "@nestjs/common";
+import {
+  ConflictException,
+  ForbiddenException,
+  Injectable,
+  Logger,
+  NotFoundException,
+  UnauthorizedException,
+} from "@nestjs/common";
 import { BadRequestException } from "@nestjs/common";
 import { Request } from "express";
 import { DateTime } from "luxon";
@@ -95,10 +105,12 @@ export class BookingsService_2024_08_13 {
     private readonly organizationsRepository: OrganizationsRepository,
     private readonly teamsRepository: TeamsRepository,
     private readonly teamsEventTypesRepository: TeamsEventTypesRepository,
+    private readonly membershipsRepository: MembershipsRepository,
+    private readonly membershipsService: MembershipsService,
     private readonly errorsBookingsService: ErrorsBookingsService_2024_08_13
   ) {}
 
-  async createBooking(request: Request, body: CreateBookingInput) {
+  async createBooking(request: Request, body: CreateBookingInput, authUser: AuthOptionalUser) {
     let bookingTeamEventType = false;
     try {
       const eventType = await this.getBookedEventType(body);
@@ -108,6 +120,7 @@ export class BookingsService_2024_08_13 {
       if (!eventType) {
         this.errorsBookingsService.handleEventTypeToBeBookedNotFound(body);
       }
+      await this.checkBookingRequiresAuthenticationSetting(eventType, authUser);
 
       if (eventType.schedulingType === "MANAGED") {
         throw new BadRequestException(
@@ -142,6 +155,56 @@ export class BookingsService_2024_08_13 {
     }
   }
 
+  async checkBookingRequiresAuthenticationSetting(
+    eventType: EventTypeWithOwnerAndTeam,
+    authUser: AuthOptionalUser
+  ) {
+    if (!eventType.bookingRequiresAuthentication) return true;
+    if (!authUser) {
+      throw new UnauthorizedException(
+        "checkBookingRequiresAuthentication - request must be authenticated by passing credentials belonging to event type owner, host or team or org admin or owner."
+      );
+    }
+
+    const authUserId = authUser.id;
+    const authUserRole = authUser.role;
+    const eventTypeId = eventType.id;
+    const teamId = eventType.teamId;
+    const bookingUserId = eventType.owner?.id || null;
+
+    if (authUserRole === "ADMIN") return;
+
+    if (bookingUserId === authUserId) return;
+
+    if (eventTypeId) {
+      const [isUserHost, isUserAssigned] = await Promise.all([
+        this.eventTypesRepository.isUserHostOfEventType(authUserId, eventTypeId),
+        this.eventTypesRepository.isUserAssignedToEventType(authUserId, eventTypeId),
+      ]);
+
+      if (isUserHost || isUserAssigned) return;
+    }
+
+    if (teamId) {
+      const membership = await this.membershipsRepository.getUserAdminOrOwnerTeamMembership(
+        authUserId,
+        teamId
+      );
+      if (membership) return;
+    }
+
+    if (
+      bookingUserId &&
+      (await this.membershipsService.isUserOrgAdminOrOwnerOfAnotherUser(authUserId, bookingUserId))
+    ) {
+      return;
+    }
+
+    throw new ForbiddenException(
+      "checkBookingRequiresAuthentication - user is not authorized to access this event type. User has to be either event type owner, host, team admin or owner or org admin or owner."
+    );
+  }
+
   async getBookedEventType(body: CreateBookingInput) {
     if (body.eventTypeId) {
       return await this.eventTypesRepository.getEventTypeByIdWithOwnerAndTeam(body.eventTypeId);

apps/api/v2/src/ee/event-types/event-types_2024_06_14/controllers/event-types.controller.e2e-spec.ts

@@ -498,6 +498,7 @@ describe("Event types Endpoints", () => {
           lightThemeHex: "#fafafa",
         },
         customName: `{Event type title} between {Organiser} and {Scheduler}`,
+        bookingRequiresAuthentication: true,
       };
 
       return request(app.getHttpServer())
@@ -570,6 +571,7 @@ describe("Event types Endpoints", () => {
           ];
 
           expect(createdEventType.bookingFields).toEqual(expectedBookingFields);
+          expect(createdEventType.bookingRequiresAuthentication).toEqual(true);
           eventType = responseBody.data;
         });
     });
@@ -1026,6 +1028,7 @@ describe("Event types Endpoints", () => {
           lightThemeHex: "#fafafa",
         },
         customName: `{Event type title} betweennnnnnnnnnn {Organiser} and {Scheduler}`,
+        bookingRequiresAuthentication: false,
       };
 
       return request(app.getHttpServer())
@@ -1120,6 +1123,8 @@ describe("Event types Endpoints", () => {
           eventType.color = updatedEventType.color;
           eventType.bookingFields = updatedEventType.bookingFields;
           eventType.calVideoSettings = updatedEventType.calVideoSettings;
+
+          expect(updatedEventType.bookingRequiresAuthentication).toEqual(false);
         });
     });
 
@@ -2028,7 +2033,6 @@ describe("Event types Endpoints", () => {
     const username = name;
     let user: User;
     let legacyEventTypeId1: number;
-    let legacyEventTypeId2: number;
 
     beforeAll(async () => {
       const moduleRef = await withApiAuth(

apps/api/v2/src/ee/event-types/event-types_2024_06_14/event-types.repository.ts

@@ -132,4 +132,26 @@ export class EventTypesRepository_2024_06_14 {
   async deleteEventType(eventTypeId: number) {
     return this.dbWrite.prisma.eventType.delete({ where: { id: eventTypeId } });
   }
+
+  async isUserHostOfEventType(userId: number, eventTypeId: number) {
+    const eventType = await this.dbRead.prisma.eventType.findFirst({
+      where: {
+        id: eventTypeId,
+        hosts: { some: { userId: userId } },
+      },
+      select: { id: true },
+    });
+    return !!eventType;
+  }
+
+  async isUserAssignedToEventType(userId: number, eventTypeId: number) {
+    const eventType = await this.dbRead.prisma.eventType.findFirst({
+      where: {
+        id: eventTypeId,
+        users: { some: { id: userId } },
+      },
+      select: { id: true },
+    });
+    return !!eventType;
+  }
 }

apps/api/v2/src/ee/event-types/event-types_2024_06_14/services/output-event-types.service.ts

@@ -90,6 +90,7 @@ type Input = Pick<
   | "hideOrganizerEmail"
   | "calVideoSettings"
   | "hidden"
+  | "bookingRequiresAuthentication"
 >;
 
 @Injectable()
@@ -129,6 +130,7 @@ export class OutputEventTypesService_2024_06_14 {
       hideOrganizerEmail,
       calVideoSettings,
       hidden,
+      bookingRequiresAuthentication,
     } = databaseEventType;
 
     const locations = this.transformLocations(databaseEventType.locations);
@@ -206,6 +208,7 @@ export class OutputEventTypesService_2024_06_14 {
       hideOrganizerEmail,
       calVideoSettings,
       hidden,
+      bookingRequiresAuthentication,
     };
   }
 

apps/api/v2/src/modules/auth/decorators/get-optional-user/get-optional-user.decorator.ts

@@ -2,6 +2,8 @@ import { ApiAuthGuardUser } from "@/modules/auth/strategies/api-auth/api-auth.st
 import { ExecutionContext } from "@nestjs/common";
 import { createParamDecorator } from "@nestjs/common";
 
+export type AuthOptionalUser = ApiAuthGuardUser | null;
+
 export const GetOptionalUser = createParamDecorator<
   keyof ApiAuthGuardUser | (keyof ApiAuthGuardUser)[],
   ExecutionContext