chore: auth on api-v2 with api-key (#15455)

* chore: enable apiv2 auth with api keys

* chore: enable apiv2 auth with api keys

* chore: enable apiv2 auth with api keys

* chore: enable apiv2 auth with api keys

* chore: enable apiv2 auth with api keys

* fixup! chore: enable apiv2 auth with api keys

* fixup! Merge branch 'chore-apiv2-auth-api-key' of github.com:calcom/cal.com into chore-apiv2-auth-api-key

* fixup! fixup! Merge branch 'chore-apiv2-auth-api-key' of github.com:calcom/cal.com into chore-apiv2-auth-api-key

* fixup! fixup! fixup! Merge branch 'chore-apiv2-auth-api-key' of github.com:calcom/cal.com into chore-apiv2-auth-api-key

Author: ThyMinimalDev

apps/api/v2/.env.example

@@ -20,3 +20,7 @@ STRIPE_API_KEY=
 STRIPE_WEBHOOK_SECRET=
 
 WEB_APP_URL=http://localhost:3000/
+CALCOM_LICENSE_KEY=
+API_KEY_PREFIX=cal_
+GET_LICENSE_KEY_URL="https://console.cal.com/api/license"
+IS_E2E=false

apps/api/v2/README.md

@@ -42,6 +42,16 @@ $ yarn prisma generate
 
 Copy `.env.example` to `.env` and fill values.
 
+## Add license Key to deployments table in DB
+
+id, logo  theme licenseKey                              agreedLicenseAt
+1,  null, null, 'c4234812-12ab-42s6-a1e3-55bedd4a5bb7', '2023-05-15 21:39:47.611'
+
+your CALCOM_LICENSE_KEY env var need to contain the same value
+
+.env
+CALCOM_LICENSE_KEY=c4234812-12ab-42s6-a1e3-55bedd4a5bb
+
 ## Running the app
 
 ```bash

apps/api/v2/src/app.ts

@@ -30,9 +30,7 @@ export const bootstrap = (app: NestExpressApplication): NestExpressApplication =
     type: VersioningType.CUSTOM,
     extractor: (request: unknown) => {
       const headerVersion = (request as Request)?.headers[CAL_API_VERSION_HEADER] as string | undefined;
-      console.log("asap header headerVersion", headerVersion);
       if (headerVersion && API_VERSIONS.includes(headerVersion as API_VERSIONS_ENUM)) {
-        console.log("asap return header headerVersion", headerVersion);
         return headerVersion;
       }
       return VERSION_2024_04_15;

apps/api/v2/src/config/app.ts

@@ -15,6 +15,9 @@ const loadConfig = (): AppConfig => {
           ? `:${Number(getEnv("API_PORT", "5555"))}`
           : ""
       }/v2`,
+      keyPrefix: getEnv("API_KEY_PREFIX", "cal_"),
+      licenseKey: getEnv("CALCOM_LICENSE_KEY", ""),
+      licenceKeyUrl: getEnv("GET_LICENSE_KEY_URL", "https://console.cal.com/api/license"),
     },
     db: {
       readUrl: getEnv("DATABASE_READ_URL"),
@@ -31,6 +34,7 @@ const loadConfig = (): AppConfig => {
     app: {
       baseUrl: getEnv("WEB_APP_URL", "https://app.cal.com"),
     },
+    e2e: getEnv("IS_E2E", false),
   };
 };
 

apps/api/v2/src/config/type.ts

@@ -6,6 +6,9 @@ export type AppConfig = {
     port: number;
     path: string;
     url: string;
+    keyPrefix: string;
+    licenseKey: string;
+    licenceKeyUrl: string;
   };
   db: {
     readUrl: string;
@@ -22,4 +25,5 @@ export type AppConfig = {
   app: {
     baseUrl: string;
   };
+  e2e: boolean;
 };

apps/api/v2/src/ee/bookings/controllers/bookings.controller.e2e-spec.ts

@@ -16,7 +16,7 @@ import * as request from "supertest";
 import { BookingsRepositoryFixture } from "test/fixtures/repository/bookings.repository.fixture";
 import { EventTypesRepositoryFixture } from "test/fixtures/repository/event-types.repository.fixture";
 import { UserRepositoryFixture } from "test/fixtures/repository/users.repository.fixture";
-import { withAccessTokenAuth } from "test/utils/withAccessTokenAuth";
+import { withApiAuth } from "test/utils/withApiAuth";
 
 import { SUCCESS_STATUS, ERROR_STATUS } from "@calcom/platform-constants";
 import { handleNewBooking } from "@calcom/platform-libraries-0.0.2";
@@ -39,7 +39,7 @@ describe("Bookings Endpoints", () => {
     let createdBooking: Awaited<ReturnType<typeof handleNewBooking>>;
 
     beforeAll(async () => {
-      const moduleRef = await withAccessTokenAuth(
+      const moduleRef = await withApiAuth(
         userEmail,
         Test.createTestingModule({
           imports: [AppModule, PrismaModule, UsersModule, SchedulesModule_2024_04_15],

apps/api/v2/src/ee/bookings/controllers/bookings.controller.ts

@@ -5,7 +5,7 @@ import { GetBookingsOutput } from "@/ee/bookings/outputs/get-bookings.output";
 import { API_VERSIONS_VALUES } from "@/lib/api-versions";
 import { GetUser } from "@/modules/auth/decorators/get-user/get-user.decorator";
 import { Permissions } from "@/modules/auth/decorators/permissions/permissions.decorator";
-import { AccessTokenGuard } from "@/modules/auth/guards/access-token/access-token.guard";
+import { ApiAuthGuard } from "@/modules/auth/guards/api-auth/api-auth.guard";
 import { PermissionsGuard } from "@/modules/auth/guards/permissions/permissions.guard";
 import { BillingService } from "@/modules/billing/services/billing.service";
 import { OAuthClientRepository } from "@/modules/oauth-clients/oauth-client.repository";
@@ -89,7 +89,7 @@ export class BookingsController {
   ) {}
 
   @Get("/")
-  @UseGuards(AccessTokenGuard)
+  @UseGuards(ApiAuthGuard)
   @Permissions([BOOKING_READ])
   @ApiQuery({ name: "filters[status]", enum: Status, required: true })
   @ApiQuery({ name: "limit", type: "number", required: false })

apps/api/v2/src/ee/calendars/controllers/calendars.controller.ts

@@ -6,7 +6,7 @@ import { OutlookService } from "@/ee/calendars/services/outlook.service";
 import { API_VERSIONS_VALUES } from "@/lib/api-versions";
 import { GetUser } from "@/modules/auth/decorators/get-user/get-user.decorator";
 import { Permissions } from "@/modules/auth/decorators/permissions/permissions.decorator";
-import { AccessTokenGuard } from "@/modules/auth/guards/access-token/access-token.guard";
+import { ApiAuthGuard } from "@/modules/auth/guards/api-auth/api-auth.guard";
 import { PermissionsGuard } from "@/modules/auth/guards/permissions/permissions.guard";
 import { UserWithProfile } from "@/modules/users/users.repository";
 import {
@@ -42,7 +42,7 @@ export class CalendarsController {
     private readonly googleCalendarService: GoogleCalendarService
   ) {}
 
-  @UseGuards(AccessTokenGuard)
+  @UseGuards(ApiAuthGuard)
   @Get("/busy-times")
   async getBusyTimes(
     @Query() queryParams: CalendarBusyTimesInput,
@@ -71,7 +71,7 @@ export class CalendarsController {
   }
 
   @Get("/")
-  @UseGuards(AccessTokenGuard)
+  @UseGuards(ApiAuthGuard)
   async getCalendars(@GetUser("id") userId: number): Promise<ConnectedCalendarsOutput> {
     const calendars = await this.calendarsService.getCalendars(userId);
 
@@ -81,7 +81,7 @@ export class CalendarsController {
     };
   }
 
-  @UseGuards(AccessTokenGuard)
+  @UseGuards(ApiAuthGuard)
   @Get("/:calendar/connect")
   @HttpCode(HttpStatus.OK)
   async redirect(
@@ -135,7 +135,7 @@ export class CalendarsController {
 
   @Get("/:calendar/check")
   @HttpCode(HttpStatus.OK)
-  @UseGuards(AccessTokenGuard, PermissionsGuard)
+  @UseGuards(ApiAuthGuard, PermissionsGuard)
   @Permissions([APPS_READ])
   async check(@GetUser("id") userId: number, @Param("calendar") calendar: string): Promise<ApiResponse> {
     switch (calendar) {

apps/api/v2/src/ee/event-types/controllers/event-types.controller.e2e-spec.ts

@@ -22,7 +22,7 @@ import { EventTypesRepositoryFixture } from "test/fixtures/repository/event-type
 import { OAuthClientRepositoryFixture } from "test/fixtures/repository/oauth-client.repository.fixture";
 import { TeamRepositoryFixture } from "test/fixtures/repository/team.repository.fixture";
 import { UserRepositoryFixture } from "test/fixtures/repository/users.repository.fixture";
-import { withAccessTokenAuth } from "test/utils/withAccessTokenAuth";
+import { withApiAuth } from "test/utils/withApiAuth";
 
 import { SUCCESS_STATUS } from "@calcom/platform-constants";
 import {
@@ -79,7 +79,7 @@ describe("Event types Endpoints", () => {
     let user: User;
 
     beforeAll(async () => {
-      const moduleRef = await withAccessTokenAuth(
+      const moduleRef = await withApiAuth(
         userEmail,
         Test.createTestingModule({
           providers: [PrismaExceptionFilter, HttpExceptionFilter],
@@ -288,7 +288,7 @@ describe("Event types Endpoints", () => {
     it(`/GET/:id`, async () => {
       const response = await request(app.getHttpServer())
         .get(`/api/v2/event-types/${eventType.id}`)
-        // note: bearer token value mocked using "withAccessTokenAuth" for user which id is used when creating event type above
+        // note: bearer token value mocked using "withApiAuth" for user which id is used when creating event type above
         .set("Authorization", `Bearer whatever`)
         .expect(200);
 
@@ -305,7 +305,7 @@ describe("Event types Endpoints", () => {
     it(`/GET/:username/public`, async () => {
       const response = await request(app.getHttpServer())
         .get(`/api/v2/event-types/${username}/public`)
-        // note: bearer token value mocked using "withAccessTokenAuth" for user which id is used when creating event type above
+        // note: bearer token value mocked using "withApiAuth" for user which id is used when creating event type above
         .set("Authorization", `Bearer whatever`)
         .expect(200);
 
@@ -323,7 +323,7 @@ describe("Event types Endpoints", () => {
     it(`/GET/:username/:eventSlug/public`, async () => {
       const response = await request(app.getHttpServer())
         .get(`/api/v2/event-types/${username}/${eventType.slug}/public`)
-        // note: bearer token value mocked using "withAccessTokenAuth" for user which id is used when creating event type above
+        // note: bearer token value mocked using "withApiAuth" for user which id is used when creating event type above
         .set("Authorization", `Bearer whatever`)
         .expect(200);
 
@@ -340,7 +340,7 @@ describe("Event types Endpoints", () => {
     it(`/GET/`, async () => {
       const response = await request(app.getHttpServer())
         .get(`/api/v2/event-types`)
-        // note: bearer token value mocked using "withAccessTokenAuth" for user which id is used when creating event type above
+        // note: bearer token value mocked using "withApiAuth" for user which id is used when creating event type above
         .set("Authorization", `Bearer whatever`)
         .expect(200);
 
@@ -359,7 +359,7 @@ describe("Event types Endpoints", () => {
     it(`/GET/public/:username/`, async () => {
       const response = await request(app.getHttpServer())
         .get(`/api/v2/event-types/${username}/public`)
-        // note: bearer token value mocked using "withAccessTokenAuth" for user which id is used when creating event type above
+        // note: bearer token value mocked using "withApiAuth" for user which id is used when creating event type above
         .set("Authorization", `Bearer whatever`)
         .expect(200);
 
@@ -375,7 +375,7 @@ describe("Event types Endpoints", () => {
     it(`/GET/:id not existing`, async () => {
       await request(app.getHttpServer())
         .get(`/api/v2/event-types/1000`)
-        // note: bearer token value mocked using "withAccessTokenAuth" for user which id is used when creating event type above
+        // note: bearer token value mocked using "withApiAuth" for user which id is used when creating event type above
         .set("Authorization", `Bearer whatever`)
         .expect(404);
     });

apps/api/v2/src/ee/event-types/controllers/event-types.controller.ts

@@ -13,7 +13,7 @@ import { EventTypesService } from "@/ee/event-types/services/event-types.service
 import { API_VERSIONS_VALUES } from "@/lib/api-versions";
 import { GetUser } from "@/modules/auth/decorators/get-user/get-user.decorator";
 import { Permissions } from "@/modules/auth/decorators/permissions/permissions.decorator";
-import { AccessTokenGuard } from "@/modules/auth/guards/access-token/access-token.guard";
+import { ApiAuthGuard } from "@/modules/auth/guards/api-auth/api-auth.guard";
 import { PermissionsGuard } from "@/modules/auth/guards/permissions/permissions.guard";
 import { PrismaReadService } from "@/modules/prisma/prisma-read.service";
 import { UserWithProfile } from "@/modules/users/users.repository";
@@ -54,7 +54,7 @@ export class EventTypesController {
 
   @Post("/")
   @Permissions([EVENT_TYPE_WRITE])
-  @UseGuards(AccessTokenGuard)
+  @UseGuards(ApiAuthGuard)
   async createEventType(
     @Body() body: CreateEventTypeInput,
     @GetUser() user: UserWithProfile
@@ -69,7 +69,7 @@ export class EventTypesController {
 
   @Get("/:eventTypeId")
   @Permissions([EVENT_TYPE_READ])
-  @UseGuards(AccessTokenGuard)
+  @UseGuards(ApiAuthGuard)
   async getEventType(
     @Param() params: EventTypeIdParams,
     @Param("eventTypeId", ParseIntPipe) eventTypeId: number,
@@ -90,7 +90,7 @@ export class EventTypesController {
 
   @Get("/")
   @Permissions([EVENT_TYPE_READ])
-  @UseGuards(AccessTokenGuard)
+  @UseGuards(ApiAuthGuard)
   async getEventTypes(@GetUser() user: UserWithProfile): Promise<GetEventTypesOutput> {
     const eventTypes = await getEventTypesByViewer({
       id: user.id,
@@ -146,7 +146,7 @@ export class EventTypesController {
 
   @Patch("/:eventTypeId")
   @Permissions([EVENT_TYPE_WRITE])
-  @UseGuards(AccessTokenGuard)
+  @UseGuards(ApiAuthGuard)
   @HttpCode(HttpStatus.OK)
   async updateEventType(
     @Param() params: EventTypeIdParams,
@@ -164,7 +164,7 @@ export class EventTypesController {
 
   @Delete("/:eventTypeId")
   @Permissions([EVENT_TYPE_WRITE])
-  @UseGuards(AccessTokenGuard)
+  @UseGuards(ApiAuthGuard)
   async deleteEventType(
     @Param() params: EventTypeIdParams,
     @Param("eventTypeId", ParseIntPipe) eventTypeId: number,

apps/api/v2/src/ee/gcal/gcal.controller.ts

@@ -6,7 +6,7 @@ import { API_VERSIONS_VALUES } from "@/lib/api-versions";
 import { GCalService } from "@/modules/apps/services/gcal.service";
 import { GetUser } from "@/modules/auth/decorators/get-user/get-user.decorator";
 import { Permissions } from "@/modules/auth/decorators/permissions/permissions.decorator";
-import { AccessTokenGuard } from "@/modules/auth/guards/access-token/access-token.guard";
+import { ApiAuthGuard } from "@/modules/auth/guards/api-auth/api-auth.guard";
 import { PermissionsGuard } from "@/modules/auth/guards/permissions/permissions.guard";
 import { CredentialsRepository } from "@/modules/credentials/credentials.repository";
 import { SelectedCalendarsRepository } from "@/modules/selected-calendars/selected-calendars.repository";
@@ -61,7 +61,7 @@ export class GcalController {
 
   @Get("/oauth/auth-url")
   @HttpCode(HttpStatus.OK)
-  @UseGuards(AccessTokenGuard)
+  @UseGuards(ApiAuthGuard)
   async redirect(
     @Headers("Authorization") authorization: string,
     @Req() req: Request
@@ -90,7 +90,7 @@ export class GcalController {
 
   @Get("/check")
   @HttpCode(HttpStatus.OK)
-  @UseGuards(AccessTokenGuard, PermissionsGuard)
+  @UseGuards(ApiAuthGuard, PermissionsGuard)
   @Permissions([APPS_READ])
   async check(@GetUser("id") userId: number): Promise<GcalCheckOutput> {
     const gcalCredentials = await this.credentialRepository.getByTypeAndUserId("google_calendar", userId);

apps/api/v2/src/ee/me/me.controller.e2e-spec.ts

@@ -13,7 +13,7 @@ import { User } from "@prisma/client";
 import * as request from "supertest";
 import { SchedulesRepositoryFixture } from "test/fixtures/repository/schedules.repository.fixture";
 import { UserRepositoryFixture } from "test/fixtures/repository/users.repository.fixture";
-import { withAccessTokenAuth } from "test/utils/withAccessTokenAuth";
+import { withApiAuth } from "test/utils/withApiAuth";
 
 import { SUCCESS_STATUS } from "@calcom/platform-constants";
 import { UserResponse } from "@calcom/platform-types";
@@ -30,7 +30,7 @@ describe("Me Endpoints", () => {
     let user: User;
 
     beforeAll(async () => {
-      const moduleRef = await withAccessTokenAuth(
+      const moduleRef = await withApiAuth(
         userEmail,
         Test.createTestingModule({
           imports: [AppModule, PrismaModule, UsersModule, TokensModule, SchedulesModule_2024_04_15],

apps/api/v2/src/ee/me/me.controller.ts

@@ -4,7 +4,7 @@ import { SchedulesService_2024_04_15 } from "@/ee/schedules/schedules_2024_04_15
 import { API_VERSIONS_VALUES } from "@/lib/api-versions";
 import { GetUser } from "@/modules/auth/decorators/get-user/get-user.decorator";
 import { Permissions } from "@/modules/auth/decorators/permissions/permissions.decorator";
-import { AccessTokenGuard } from "@/modules/auth/guards/access-token/access-token.guard";
+import { ApiAuthGuard } from "@/modules/auth/guards/api-auth/api-auth.guard";
 import { PermissionsGuard } from "@/modules/auth/guards/permissions/permissions.guard";
 import { UpdateManagedUserInput } from "@/modules/users/inputs/update-managed-user.input";
 import { UserWithProfile, UsersRepository } from "@/modules/users/users.repository";
@@ -18,7 +18,7 @@ import { userSchemaResponse } from "@calcom/platform-types";
   path: "/v2/me",
   version: API_VERSIONS_VALUES,
 })
-@UseGuards(AccessTokenGuard, PermissionsGuard)
+@UseGuards(ApiAuthGuard, PermissionsGuard)
 @DocsTags("Me")
 export class MeController {
   constructor(

apps/api/v2/src/ee/provider/provider.controller.ts

@@ -2,7 +2,7 @@ import { ProviderVerifyAccessTokenOutput } from "@/ee/provider/outputs/verify-ac
 import { ProviderVerifyClientOutput } from "@/ee/provider/outputs/verify-client.output";
 import { API_VERSIONS_VALUES } from "@/lib/api-versions";
 import { GetUser } from "@/modules/auth/decorators/get-user/get-user.decorator";
-import { AccessTokenGuard } from "@/modules/auth/guards/access-token/access-token.guard";
+import { ApiAuthGuard } from "@/modules/auth/guards/api-auth/api-auth.guard";
 import { OAuthClientRepository } from "@/modules/oauth-clients/oauth-client.repository";
 import { UserWithProfile } from "@/modules/users/users.repository";
 import {
@@ -45,7 +45,7 @@ export class CalProviderController {
 
   @Get("/:clientId/access-token")
   @HttpCode(HttpStatus.OK)
-  @UseGuards(AccessTokenGuard)
+  @UseGuards(ApiAuthGuard)
   async verifyAccessToken(
     @Param("clientId") clientId: string,
     @GetUser() user: UserWithProfile

apps/api/v2/src/ee/schedules/schedules_2024_04_15/controllers/schedules.controller.e2e-spec.ts

@@ -16,7 +16,7 @@ import { User } from "@prisma/client";
 import * as request from "supertest";
 import { SchedulesRepositoryFixture } from "test/fixtures/repository/schedules.repository.fixture";
 import { UserRepositoryFixture } from "test/fixtures/repository/users.repository.fixture";
-import { withAccessTokenAuth } from "test/utils/withAccessTokenAuth";
+import { withApiAuth } from "test/utils/withApiAuth";
 
 import { CAL_API_VERSION_HEADER, SUCCESS_STATUS, VERSION_2024_04_15 } from "@calcom/platform-constants";
 import { UpdateScheduleInput_2024_04_15 } from "@calcom/platform-types";
@@ -37,7 +37,7 @@ describe("Schedules Endpoints", () => {
     const defaultAvailabilityEndTime = "1970-01-01T17:00:00.000Z";
 
     beforeAll(async () => {
-      const moduleRef = await withAccessTokenAuth(
+      const moduleRef = await withApiAuth(
         userEmail,
         Test.createTestingModule({
           imports: [AppModule, PrismaModule, UsersModule, TokensModule, SchedulesModule_2024_04_15],

apps/api/v2/src/ee/schedules/schedules_2024_04_15/controllers/schedules.controller.ts

@@ -8,7 +8,7 @@ import { SchedulesService_2024_04_15 } from "@/ee/schedules/schedules_2024_04_15
 import { VERSION_2024_04_15_VALUE } from "@/lib/api-versions";
 import { GetUser } from "@/modules/auth/decorators/get-user/get-user.decorator";
 import { Permissions } from "@/modules/auth/decorators/permissions/permissions.decorator";
-import { AccessTokenGuard } from "@/modules/auth/guards/access-token/access-token.guard";
+import { ApiAuthGuard } from "@/modules/auth/guards/api-auth/api-auth.guard";
 import { PermissionsGuard } from "@/modules/auth/guards/permissions/permissions.guard";
 import { UserWithProfile } from "@/modules/users/users.repository";
 import {
@@ -35,7 +35,7 @@ import { CreateScheduleInput_2024_04_15 } from "../inputs/create-schedule.input"
   path: "/v2/schedules",
   version: VERSION_2024_04_15_VALUE,
 })
-@UseGuards(AccessTokenGuard, PermissionsGuard)
+@UseGuards(ApiAuthGuard, PermissionsGuard)
 @DocsTags("Schedules")
 export class SchedulesController_2024_04_15 {
   constructor(private readonly schedulesService: SchedulesService_2024_04_15) {}