cal.com
cal.com copied to clipboard
calcom
feat: Implement CSRF protection for public TRPC endpoints
What does this PR do?
Fixes # (issue)
Requirement/Documentation
- If there is a requirement document, please, share it here.
- If there is ab UI/UX design document, please, share it here.
Type of change
- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] Chore (refactoring code, technical debt, workflow improvements)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] This change requires a documentation update
How should this be tested?
- Are there environment variables that should be set?
- What are the minimal test data to have?
- What is expected (happy path) to have (input and output)?
- Any other important info that could help to test that PR
Mandatory Tasks
- [ ] Make sure you have self-reviewed the code. A decent size PR without self-review might be rejected.
Checklist
- I haven't read the contributing guide
- My code doesn't follow the style guidelines of this project
- I haven't commented my code, particularly in hard-to-understand areas
- I haven't checked if my PR needs changes to the documentation
- I haven't checked if my changes generate no new warnings
- I haven't added tests that prove my fix is effective or that my feature works
- I haven't checked if new and existing unit tests pass locally with my changes
CAL-2724 Implement CSRF protection for public tRPC endpoints
Recently there has been some attempts from unknown actors to abuse our public tRPC endpoints. We're planning into rate limit these endpoints. But also tRPC endpoints aren't meant to be used as a public API. That's what's the public API is for.
To prevent usage outside of Web App we want to implement Cross-Site Request Forgery across our public tRPC endpoints.
Here are some good articles and examples that we could use as a starting point
https://blog.logrocket.com/protecting-next-js-apps-csrf-attacks/
![linear[bot] avatar](https://avatars.githubusercontent.com/in/20150?v=4 "Published by a pub.dev verified publisher"){kind=small}
The latest updates on your projects. Learn more about Vercel for Git ↗︎
| Name | Status | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| ai | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | Nov 27, 2023 1:44pm |
| api | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | Nov 27, 2023 1:44pm |
| dev | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | Nov 27, 2023 1:44pm |
4 Ignored Deployments
| Name | Status | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| cal | ⬜️ Ignored (Inspect) | Visit Preview | Nov 27, 2023 1:44pm | |
| cal-demo | ⬜️ Ignored (Inspect) | Visit Preview | Nov 27, 2023 1:44pm | |
| qa | ⬜️ Ignored (Inspect) | Visit Preview | Nov 27, 2023 1:44pm | |
| ui | ⬜️ Ignored (Inspect) | Visit Preview | Nov 27, 2023 1:44pm |
![vercel[bot] avatar](https://avatars.githubusercontent.com/in/8329?v=4 "Published by a pub.dev verified publisher"){kind=small}
Current dependencies on/for this PR:
- main
- PR #12392
👈
- PR #12392
This stack of pull requests is managed by Graphite.
Thank you for following the naming conventions! 🙏 Feel free to join our discord and post your PR link to collect XP and win prizes!
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
New dependencies detected. Learn more about Socket for GitHub ↗︎
| Packages | Version | New capabilities | Transitives | Size | Publisher |
|---|---|---|---|---|---|
| universal-cookie | 6.1.1 | None | +2 |
87.2 kB | exon |
![socket-security[bot] avatar](https://avatars.githubusercontent.com/in/156372?v=4 "Published by a pub.dev verified publisher"){kind=small}
📦 Next.js Bundle Analysis for @calcom/web
This analysis was generated by the Next.js Bundle Analysis action. 🤖
⚠️ Global Bundle Size Increased
| Page | Size (compressed) |
|---|---|
global |
164.84 KB (🟡 +1.54 KB) |
Details
The global bundle is the javascript bundle that loads alongside every page. It is in its own category because its impact is much higher - an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster.
Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis
If you want further insight into what is behind the changes, give @next/bundle-analyzer a try!
Current Playwright Test Results Summary
✅ 8 Passing - ❌ 17 Failing - ⚠️ 2 Flaky
Run may still be in progress, this comment will be updated as current testing workflow or job completes...
(Last updated on 11/27/2023 01:49:51pm UTC)
Run Details
Running Workflow PR Update on Github Actions
Commit: dcff308392db62ecc73ca6451318fee963cba556
Started: 11/27/2023 01:43:07pm UTC
❌ Failures
📄 apps/web/playwright/oauth-provider.e2e.ts • 2 Failures
Top 1 Common Error Messages
|
|
2 Test Cases Affected |
Test Case Results
| Test Case | Last 7 days Failures | Last 7 days Flakes |
|---|---|---|
|
OAuth Provider should create valid access toke & refresh token for user
Retry 2 • Retry 1 • Initial Attempt Error: Test timeout of 60000ms exceeded. |
1.07% (3)3 / 280 runsfailed over last 7 days |
0.36% (1)1 / 280 runflaked over last 7 days |
|
OAuth Provider should create valid access toke & refresh token for team
Initial Attempt Error: Test timeout of 60000ms exceeded. |
0.72% (2)2 / 279 runsfailed over last 7 days |
1.08% (3)3 / 279 runsflaked over last 7 days |
📄 packages/app-store/routing-forms/playwright/tests/basic.e2e.ts • 2 Failures
Top 1 Common Error Messages
|
|
2 Test Cases Affected |
Test Case Results
| Test Case | Last 7 days Failures | Last 7 days Flakes |
|---|---|---|
|
Routing Forms Zero State Routing Forms should be able to add a new form and view it
Retry 2 • Retry 1 • Initial Attempt Error: Test timeout of 60000ms exceeded. |
9.71% (27)27 / 278 runsfailed over last 7 days |
0.36% (1)1 / 278 runflaked over last 7 days |
Routing Forms Zero State Routing Forms F1
Retry 2 • Retry 1 • Initial AttemptError: Test timeout of 60000ms exceeded. |
3.23% (9)9 / 279 runsfailed over last 7 days |
1.08% (3)3 / 279 runsflaked over last 7 days |
📄 packages/app-store/typeform/playwright/tests/basic.e2e.ts • 2 Failures
Top 1 Common Error Messages
|
|
2 Test Cases Affected |
Test Case Results
| Test Case | Last 7 days Failures | Last 7 days Flakes |
|---|---|---|
|
Typeform App Typeform Redirect Link should copy link in RoutingForms list
Retry 2 • Retry 1 • Initial Attempt Error: Test timeout of 60000ms exceeded. |
2.84% (8)8 / 282 runsfailed over last 7 days |
0% (0)0 / 282 runsflaked over last 7 days |
|
Typeform App Typeform Redirect Link should copy link in editing area
Retry 2 • Retry 1 • Initial Attempt Error: Test timeout of 60000ms exceeded. |
2.84% (8)8 / 282 runsfailed over last 7 days |
0% (0)0 / 282 runsflaked over last 7 days |
📄 apps/web/playwright/reschedule.e2e.ts • 2 Failures
Test Case Results
| Test Case | Last 7 days Failures | Last 7 days Flakes |
|---|---|---|
|
Reschedule Tests Should display request reschedule send on bookings/cancelled
Retry 2 • Retry 1 • Initial Attempt Error: Timed out 30000ms waiting for expect(received).toBeVisible()... |
1.05% (3)3 / 285 runsfailed over last 7 days |
0% (0)0 / 285 runsflaked over last 7 days |
|
Reschedule Tests Unpaid rescheduling should go to payment page
Initial Attempt Error: page.waitForURL: Timeout 30000ms exceeded.... |
1.40% (4)4 / 285 runsfailed over last 7 days |
1.75% (5)5 / 285 runsflaked over last 7 days |
📄 apps/web/playwright/booking/multipleEmailQuestion.e2e.ts • 2 Failures
Top 1 Common Error Messages
|
|
2 Test Cases Affected |
Test Case Results
| Test Case | Last 7 days Failures | Last 7 days Flakes |
|---|---|---|
|
Booking With Multiple Email Question and Each Other Question Booking With Multiple Email Question and Address Question Multiple Email and Address not required
Retry 2 • Retry 1 • Initial Attempt Error: Test timeout of 60000ms exceeded while running "beforeEach" hook. |
2.89% (8)8 / 277 runsfailed over last 7 days |
0.36% (1)1 / 277 runflaked over last 7 days |
|
Booking With Multiple Email Question and Each Other Question Booking With Multiple Email Question and checkbox group Question Multiple Email required and checkbox group required
Retry 2 • Retry 1 • Initial Attempt Error: Test timeout of 60000ms exceeded while running "beforeEach" hook. |
2.90% (8)8 / 276 runsfailed over last 7 days |
0.36% (1)1 / 276 runflaked over last 7 days |
📄 packages/embeds/embed-core/playwright/tests/inline.e2e.ts • 1 Failure
Test Case Results
| Test Case | Last 7 days Failures | Last 7 days Flakes |
|---|---|---|
|
Inline Iframe Inline Iframe - Configured with Dark Theme
Retry 2 • Retry 1 • Initial Attempt Error: Test timeout of 60000ms exceeded. |
1.08% (3)3 / 279 runsfailed over last 7 days |
34.41% (96)96 / 279 runsflaked over last 7 days |
📄 apps/web/playwright/auth/delete-account.e2e.ts • 1 Failure
Test Case Results
| Test Case | Last 7 days Failures | Last 7 days Flakes |
|---|---|---|
|
Can delete user account
Retry 1 • Initial Attempt Error: Test timeout of 60000ms exceeded. |
0.72% (2)2 / 276 runsfailed over last 7 days |
0% (0)0 / 276 runsflaked over last 7 days |
📄 apps/web/playwright/managed-event-types.e2e.ts • 1 Failure
Test Case Results
| Test Case | Last 7 days Failures | Last 7 days Flakes |
|---|---|---|
|
Managed Event Types tests Can create managed event type
Retry 2 • Retry 1 • Initial Attempt Error: page.waitForURL: Timeout 30000ms exceeded.... |
9.29% (26)26 / 280 runsfailed over last 7 days |
8.57% (24)24 / 280 runsflaked over last 7 days |
📄 packages/embeds/embed-core/playwright/tests/action-based.e2e.ts • 1 Failure
Test Case Results
| Test Case | Last 7 days Failures | Last 7 days Flakes |
|---|---|---|
|
Popup Tests should open embed iframe on click - Configured with light theme
Retry 2 • Retry 1 • Initial Attempt Error: Test timeout of 60000ms exceeded. |
0.71% (2)2 / 283 runsfailed over last 7 days |
54.42% (154)154 / 283 runsflaked over last 7 days |
📄 apps/web/playwright/event-types.e2e.ts • 1 Failure
Test Case Results
| Test Case | Last 7 days Failures | Last 7 days Flakes |
|---|---|---|
|
Event Types A/B tests should point to the /future/event-types page
Initial Attempt Error: Timed out 30000ms waiting for expect(received).toBeVisible()... |
2.34% (3)3 / 128 runsfailed over last 7 days |
0% (0)0 / 128 runsflaked over last 7 days |
📄 apps/web/playwright/app-list-card.e2e.ts • 1 Failure
Test Case Results
| Test Case | Last 7 days Failures | Last 7 days Flakes |
|---|---|---|
|
AppListCard should remove the highlight from the URL
Retry 2 • Retry 1 • Initial Attempt Error: page.waitForURL: Timeout 30000ms exceeded.... |
1.44% (4)4 / 278 runsfailed over last 7 days |
0% (0)0 / 278 runsflaked over last 7 days |
📄 apps/web/playwright/embed-code-generator.e2e.ts • 1 Failure
Test Case Results
| Test Case | Last 7 days Failures | Last 7 days Flakes |
|---|---|---|
|
Embed Code Generator Tests Event Type Edit Page open Embed Dialog for the Event Type
Retry 2 • Retry 1 • Initial Attempt Error: page.waitForURL: Timeout 30000ms exceeded.... |
1.07% (3)3 / 281 runsfailed over last 7 days |
0% (0)0 / 281 runsflaked over last 7 days |
⚠️ Flakes
📄 packages/embeds/embed-core/playwright/tests/action-based.e2e.ts • 1 Flake
Test Case Results
| Test Case | Last 7 days Failures | Last 7 days Flakes |
|---|---|---|
|
Popup Tests should open Routing Forms embed on click
Retry 1 • Initial Attempt |
2.11% (6)6 / 284 runsfailed over last 7 days |
29.58% (84)84 / 284 runsflaked over last 7 days |
📄 apps/web/playwright/app-store.e2e.ts • 1 Flake
Test Case Results
| Test Case | Last 7 days Failures | Last 7 days Flakes |
|---|---|---|
|
App Store - Authed Browse apple-calendar and try to install
Retry 1 • Initial Attempt |
2.51% (7)7 / 279 runsfailed over last 7 days |
0.72% (2)2 / 279 runsflaked over last 7 days |
![deploysentinel[bot] avatar](https://avatars.githubusercontent.com/in/210057?v=4 "Published by a pub.dev verified publisher"){kind=small}
lets throw an error for people who are using it:
"You are using a private API endpoint which is for internal use only. To access the public API, please reach out to [email protected]"
(do we have [email protected] ?)
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
13 out of 15 committers have signed the CLA.
:white_check_mark: ThyMinimalDev
:white_check_mark: emrysal
:white_check_mark: SomayChauhan
:white_check_mark: ujjwalgoyal19
:white_check_mark: Udit-takkar
:white_check_mark: manpoffc
:white_check_mark: LarsArtmann
:white_check_mark: Adugnatad
:white_check_mark: joeauyeung
:white_check_mark: nicolls1
:white_check_mark: Amit91848
:white_check_mark: grzpab
:white_check_mark: ubinatus
:x: crowdin-bot
:x: sebzz2k2
You have signed the CLA already but the status is still pending? Let us recheck it.
Could https://github.com/calcom/cal.com/pull/12491 be merged in + deployed before getting the CSRF fix in?
We've been working around not having and endpoint for getting an event type by slug by leveraging the public TRPC endpoints.
