cal.com icon indicating copy to clipboard operation
cal.com copied to clipboard
verified publisher icon calcom

fix(api): accept avatar URLs and use email for user creation

Open pedroccastro opened this issue 4 weeks ago • 1 comments

What does this PR do?

This PR fixes two bugs in API v2 user creation endpoint POST /v2/organizations/{orgId}/users:

Bug 1 - avatarValidator rejecting URLs:

  • The validator only accepted base64 encoded images
  • API documentation and all e2e tests show URL examples
  • Users received empty avatarValidator: "" constraint error

Bug 2 - User creation failing when username provided:

  • createNewUsersConnectToOrgIfExists requires a valid email
  • Service was passing username instead of email when username was provided
  • Error: "Invite failed because {username} is not a valid email address"

Key Changes:

  • avatarValidator.ts: Accept HTTPS URLs (HTTP rejected for security) and base64 images
  • organizations-users-service.ts: Always use email for user creation; username is applied via updateOrganizationUser after creation

Visual Demo

Before - Avatar URL rejected

avatar_error

Before - Username causing TRPCError

trpc_error

After - Full payload working

working

How should this be tested?

Test Scenario 1 - Avatar URL accepted:

  1. POST /v2/organizations/{orgId}/users
  2. Body: { "email": "[email protected]", "avatarUrl": "https://avatars.githubusercontent.com/u/583231?v=4" }
  3. Expected: User created successfully with avatarUrl

Test Scenario 2 - Username with avatar:

  1. POST /v2/organizations/{orgId}/users
  2. Body:
{
  "email": "[email protected]",
  "username": "testuser",
  "avatarUrl": "https://avatars.githubusercontent.com/u/583231?v=4",
  "locale": "pt",
  "timeZone": "America/Sao_Paulo",
  "timeFormat": 24
}
  1. Expected: User created with correct username and avatarUrl

Test Scenario 3 - Minimal payload (regression):

  1. POST /v2/organizations/{orgId}/users
  2. Body: { "email": "[email protected]" }
  3. Expected: User created successfully (existing behavior preserved)

Mandatory Tasks (DO NOT REMOVE)

  • [x] I have self-reviewed the code
  • [ ] N/A I have updated the developer docs in /docs if this PR makes changes that would require a documentation change.
  • [ ] I confirm automated tests are in place that prove my fix is effective or that my feature works.

pedroccastro avatar Dec 05 '25 02:12 pedroccastro

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
cal-companion Ready Ready Preview, Comment Dec 16, 2025 2:31pm
2 Skipped Deployments
Project Deployment Review Updated (UTC)
cal Ignored Ignored Dec 16, 2025 2:31pm
cal-eu Ignored Ignored Dec 16, 2025 2:31pm

vercel[bot] avatar Dec 05 '25 11:12 vercel[bot]