

@dhairyashiil
Member

@dhairyashiil dhairyashiil commented Nov 18, 2025

iOS: External Browser

Screen.Recording.2025-11-19.at.11.11.20.PM.mov

iOS: WebView

Screen.Recording.2025-11-19.at.11.52.17.PM.mov

Web:

Screen.Recording.2025-11-19.at.11.12.43.PM.mov

Summary by cubic

Implemented Cal.com OAuth end-to-end with deep linking: onboarding triggers auth (iOS uses an in-app WebView), the callback exchanges/verifies tokens, saves auth, and logs in to event types. Added an OAuth helper for redirect issues, fixed token exchange headers/URL, and improved iOS stability with ErrorBoundary, SafeArea, AuthProvider, and global error handlers.

  • New Features

    • Onboarding starts OAuth; deep link callback exchanges code for tokens, verifies, saves auth, and redirects to event types.
    • iOS uses a WebView for OAuth with a browser fallback; Android/web use external browser.
    • Sign out clears tokens and returns to onboarding.
    • OAuth helper screen to manually extract the code when Cal.com redirects incorrectly.
    • Platform-aware redirect_uri handling for web and native.
  • Bug Fixes

    • Token exchange uses application/x-www-form-urlencoded and the correct OAuth URL; env var names corrected.
    • Replaced expo-secure-store with cross-platform storage.

Written for commit fcf0afd. Summary will update automatically on new commits.

dhairyashiil and others added 14 commits November 17, 2025 10:57
I am refactoring create teams handler to a service in another PR - thought we should improve the test in the meantime.

<!-- This is an auto-generated description by cubic. -->
---
## Summary by cubic
Expand and restructure tests for createTeamsHandler to cover auth, org/slug validation, team creation and migration, redirects, credits, invites, and subscriptions. This improves reliability ahead of the service refactor.

- **Refactors**
  - Rewrote tests into scenario-based suites for Authorization, Organization Validation, Slug Validation, Team Creation/Migration, Redirects, and Edge Cases.
  - Added helpers (createTestProfile, flexible createScenario/createTestMembership) and organization/profile support to model slug collisions.
  - Assert TRPCError codes/messages and redirect records; cover platform orgs, unpublished/non-existent teams, and empty names.
  - Mocked Stripe subscription cancel and inviteMembersWithNoInviterPermissionCheck; verified credit transfer and owner memberships.

<sup>Written for commit 8c216c6. Summary will update automatically on new commits.</sup>

<!-- End of auto-generated description by cubic. -->
calcom#25204)

* feat: add defaultPhoneCountry prop to BookerPlatformWrapper

- Add defaultPhoneCountry to BookerStore type and implementation
- Add defaultPhoneCountry prop to BookerPlatformWrapper types
- Pass defaultPhoneCountry through store initialization
- Update PhoneInput to use defaultPhoneCountry from store
- Support default phone country extension for phone inputs in booker form

* feat: add strict typing for defaultPhoneCountry with ISO 3166-1 alpha-2 codes

- Define CountryCode type using ISO 3166-1 alpha-2 country codes
- Update defaultPhoneCountry prop type in BookerPlatformWrapper to use CountryCode
- Update defaultPhoneCountry type in BookerStore to use CountryCode
- Ensures type safety by only allowing valid country codes like 'us', 'gb', 'ee', etc.
- Fix lint warnings by prefixing type-only constants with underscore

Co-Authored-By: [email protected] <[email protected]>

* refactor: export CountryCode from store to avoid duplication

- Export CountryCode type from packages/features/bookings/Booker/store.ts
- Import CountryCode in packages/platform/atoms/booker/types.ts from store
- Remove duplicate CountryCode definition from types.ts
- Maintains single source of truth for country code type definition

Co-Authored-By: [email protected] <[email protected]>

* fix: add type-safe casts for CountryCode in PhoneInput

- Import CountryCode type from store
- Add explicit type annotation to useState<CountryCode>
- Add safe type casts with isSupportedCountry validation
- Validate navigator.language country code before using it
- Fixes CI type error: string not assignable to CountryCode

Co-Authored-By: [email protected] <[email protected]>

* docs: add defaultPhoneCountry prop documentation and changeset

- Add defaultPhoneCountry prop to booker.mdx documentation
- Add changeset for minor version bump
- Document ISO 3166-1 alpha-2 country code support

Co-Authored-By: [email protected] <[email protected]>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: Rajiv Sahal <[email protected]>
…25147)

* style: hide icons from booking actions dialog in mobile view

* apply correct padding in mobile view

---------

Co-authored-by: Pallav <[email protected]>
…alcom#25232)

* fix: delegation credential error webhooks

* refactor: extract repeated delegation credential error webhook logic into helper methods

- Added private triggerDelegationCredentialError method in Office365CalendarService class
- Added triggerDelegationCredentialError helper function in TeamsVideoApiAdapter
- Replaced all 4 instances in Office365CalendarService with helper method call
- Replaced all 4 instances in TeamsVideoApiAdapter with helper function call
- Keeps code DRY by eliminating repeated if statement and webhook trigger logic

Co-Authored-By: [email protected] <[email protected]>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
* Revert "fix: resolve flaky integration tests (calcom#25030)"

This reverts commit 4e5d4f6.

* update

* test

* Remove connection pool setup in Prisma index

Set the connection pool to undefined, removing conditional pooling logic.

* update
* unable to update username

* update

* Add import for useEffect and useState hooks
…alcom#25128)

## What does this PR do?

- Fixes calcom#25116
- Fixes [CAL-6741](https://linear.app/calcom/issue/CAL-6741/make-routing-edit-question-form-less-intrusive-on-how-it-handles-the)

https://github.com/user-attachments/assets/d78c4c62-2af5-44d8-b25c-e938cc8ddf6f


Improves the routing form field identifier auto-fill behavior to generate URL-safe identifiers from labels. Previously, the identifier field simply duplicated the label text. Now it normalizes the input to be URL-friendly.

**Changes:**
- Converts labels to lowercase with hyphens (e.g., "What is your name?" → "what-is-your-name")
- Limits identifiers to the first 5 words (e.g., "What do you work on and how can we help?" → "what-do-you-work-on")
- Updates the Identifier label to clarify it's a URL parameter with an example
- Preserves manual identifier edits when the label changes

**Link to Devin run:** https://app.devin.ai/sessions/f569297990fe4436bab1fec89d8b71ac
**Requested by:** @PeerRich ([email protected])

## Key Implementation Details

The `normalizeIdentifier` function:
- Strips special characters and replaces them with spaces
- Converts to lowercase
- Splits on whitespace and takes first 5 words
- Joins with hyphens

The auto-fill logic only updates the identifier if:
1. The identifier field is empty, OR
2. The identifier matches the normalized version of the previous label

This preserves manual edits while still providing helpful auto-fill for new fields.

## Mandatory Tasks (DO NOT REMOVE)

- [x] I have self-reviewed the code (A decent size PR without self-review might be rejected).
- [x] I have updated the developer docs in /docs if this PR makes changes that would require a [documentation change](https://cal.com/docs). If N/A, write N/A here and check the checkbox. **N/A** - This is a UI behavior change that doesn't require documentation updates.
- [ ] I confirm automated tests are in place that prove my fix is effective or that my feature works. **Note:** No automated tests were added for this change. Manual testing is recommended.

## How should this be tested?

**Test Cases:**

1. **Basic normalization:**
   - Create a new routing form field
   - Enter label: "What is your name?"
   - Verify identifier auto-fills to: "what-is-your-name"

2. **5-word limit:**
   - Enter label: "What do you work on and how can we help?"
   - Verify identifier becomes: "what-do-you-work-on"

3. **Special characters:**
   - Enter label: "Email (required)!"
   - Verify identifier becomes: "email-required"

4. **Manual edit preservation:**
   - Enter label: "Test Field"
   - Manually change identifier to: "custom-id"
   - Change label to: "New Test Field"
   - Verify identifier stays: "custom-id" (not auto-updated)

5. **Updated label text:**
   - Verify the Identifier field label shows: "Identifier (URL Parameter, i.e.: &what-is-your-name=john-doe)"

**Environment:**
- No special environment variables needed
- Test in the routing forms builder at `/apps/routing-forms/[formId]`

## Important Review Points

⚠️ **No automated tests**: The normalization function and auto-fill behavior lack test coverage. Consider adding unit tests for edge cases.

🔍 **Auto-fill logic**: The identifier only auto-updates if it's empty or matches the previous normalized label. This preserves manual edits but may be surprising to users in some scenarios.

🌍 **Unicode handling**: Non-ASCII characters are replaced with spaces. This may not be ideal for international users with non-English labels.

## Checklist

- [x] I have read the [contributing guide](https://github.com/calcom/cal.com/blob/main/CONTRIBUTING.md)
- [x] My code follows the style guidelines of this project
- [x] I have commented my code, particularly in hard-to-understand areas
- [x] I have checked if my changes generate no new warnings
…alcom#25003)

* fix: routing-form org redirects when profile slug equals legacy slug

* update

* Update packages/app-store/routing-forms/getEventTypeRedirectUrl.ts

Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>

* fix type error

* addressed review

---------

Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
@vercel

vercel bot commented Nov 18, 2025

@dhairyashiil is attempting to deploy a commit to the cal Team on Vercel.

A member of the Team first needs to authorize it.

@keithwillcode keithwillcode added the community-interns The team responsible for reviewing, testing and shipping low/medium community PRs label Nov 18, 2025
anikdhabal and others added 13 commits November 18, 2025 17:16
- Change dropdown z-index from z-10 to z-50 to ensure dropdowns appear above navigation elements
- TopNav uses z-40, so dropdowns need higher z-index to be properly visible
- Fixes issue where Cal.com logo was appearing above dropdown menus

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
* Fix cache to fetch only when it's available

* Non hierarchical feature check

* Fix tests: Add missing mock method and comprehensive CalendarCacheWrapper tests

- Add checkIfUserHasFeatureNonHierarchical to features.repository mock to fix failing GoogleCalendar tests
- Add comprehensive unit tests for CalendarCacheWrapper covering:
  - Calendars with sync only (cache-only path)
  - Calendars without sync only (original calendar path)
  - Mixed calendars (both cache and original)
  - Timezone handling with UTC defaults
  - Edge cases (empty arrays, undefined methods, null ids)
- Use proper types instead of 'as any' to satisfy lint rules

Co-Authored-By: Volnei Munhoz <[email protected]>

* Fix: Sanitize logging to avoid exposing PII

- Replace logging full selectedCalendars objects with only calendar IDs and count
- Prevents exposure of email fields and other sensitive information in logs
- Addresses AI code reviewer feedback

Co-Authored-By: Volnei Munhoz <[email protected]>

* Apply suggestion from @volnei

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
* feat: add organization-level autofill disable setting

- Create DisableAutofillOnBookingPageSwitch component following existing patterns
- Add toggle to organization general page alongside other settings
- Update tRPC organizations update handler to support new field
- Add organization-level check to useShouldBeDisabledDueToPrefill hook
- Add translation keys for new autofill disable setting
- Include database migration for disableAutofillOnBookingPage field
- Maintain backward compatibility with individual field settings

Co-Authored-By: [email protected] <[email protected]>

* feat: complete autofill disable implementation

- Add disableAutofillOnBookingPage to orgSettings type definition
- Update Prisma schema with new organization setting field
- Clean up test file formatting

Co-Authored-By: [email protected] <[email protected]>

* fix: resolve tRPC mocking issues in tests and add missing disableAutofillOnBookingPage to organization repository

- Fix tRPC module mocking in useShouldBeDisabledDueToPrefill tests
- Add disableAutofillOnBookingPage to organization repository select and return statements
- All form builder tests now pass (24/24)
- Organization-level autofill disable tests working correctly

Co-Authored-By: [email protected] <[email protected]>

* test: simplify autofill disable test to single focused test

- Replace multiple tests with one test that verifies org setting blocks autocomplete
- Test includes searchParams with prefill data to verify blocking behavior
- Removes unnecessary test complexity as requested

Co-Authored-By: [email protected] <[email protected]>

* fix: add missing disableAutofillOnBookingPage to organizationSettings select statements

- Add disableAutofillOnBookingPage to both parent and main organizationSettings select statements in getTeamWithMembers
- Resolves TypeScript error in getServerSideProps.tsx where MinimumOrganizationSettings type requires this property
- Ensures organization settings type compatibility across the codebase

Co-Authored-By: [email protected] <[email protected]>

* Remove disableAutofillOnBookingPage setting

Removed 'disableAutofillOnBookingPage' setting from organization configuration.

* update

* Remove duplicate settings in common.json

Removed duplicate entries for automatic transcription and autofill settings.

* Fix syntax error in common.json

* update

* add tests

* Remove comments for autofill disabled check

Removed comments explaining scenarios for autofill check.

* addressed review

* fix

* change

* Add handling for disableAutofillOnBookingPage input

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
…calcom#25099)

* docs: update embed-events.mdx with all currently emitted embed events

Co-Authored-By: [email protected] <[email protected]>

* docs: remove V2 suffix from event names in documentation

Per feedback, the documentation should not expose internal versioning details.
Event names are now presented as clean, non-versioned names:
- bookingSuccessful (instead of bookingSuccessfulV2)
- rescheduleBookingSuccessful (instead of rescheduleBookingSuccessfulV2)
- dryRunBookingSuccessful (instead of dryRunBookingSuccessfulV2)
- dryRunRescheduleBookingSuccessful (instead of dryRunRescheduleBookingSuccessfulV2)

Added note about using wildcard listener for future-proofing.

Co-Authored-By: [email protected] <[email protected]>

* docs: use V2 suffix for embed event names to match code (calcom#25263)

* docs: update embed events to use V2 event names

- Document bookingSuccessfulV2 instead of deprecated bookingSuccessful
- Document rescheduleBookingSuccessfulV2 instead of deprecated rescheduleBookingSuccessful
- Keep dryRunBookingSuccessful and dryRunRescheduleBookingSuccessful without V2 suffix (only V2 versions exist)
- Add comprehensive event documentation with all public and internal events
- Organize events into Public Events and Internal Events sections

Co-Authored-By: [email protected] <[email protected]>

* fix: use V2 suffix for dry-run event names

- Change dryRunBookingSuccessful to dryRunBookingSuccessfulV2
- Change dryRunRescheduleBookingSuccessful to dryRunRescheduleBookingSuccessfulV2
- These match the actual event names emitted in the code (only V2 versions exist)

Co-Authored-By: [email protected] <[email protected]>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: Hariom Balhara <[email protected]>
…conversion issues (calcom#25235)

Replace dayjs.tz() with dayjs.utc() when parsing recurring booking date strings to ensure dates are interpreted as UTC timestamps rather than being converted to the specified timezone. This prevents incorrect date/time display when the dateStr is already in UTC format.
* feat: remove OAuth clients link from settings navigation

Co-Authored-By: [email protected] <[email protected]>

* fix: resolve infinite loop in sidebar close effect

Use functional state update to avoid reading sideContainerOpen in dependency array, which was causing infinite re-renders when navigating between settings pages.

Co-Authored-By: [email protected] <[email protected]>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
…database schema and repositories) (calcom#24838)

* feat: Implement Booking Audit System with database architecture and repository interfaces

- Added `ARCHITECTURE.md` detailing the design and structure of the Booking Audit System, including core tables `AuditActor` and `BookingAudit`.
- Created repository interfaces `IAuditActorRepository` and `IBookingAuditRepository` for managing audit actor and booking audit records.
- Implemented `PrismaAuditActorRepository` and `PrismaBookingAuditRepository` for database interactions.
- Defined enums for `BookingAuditType`, `BookingAuditAction`, and `AuditActorType` in the Prisma schema.
- Added migration scripts to create necessary database tables and enums for the audit system.

This commit establishes a robust framework for tracking booking-related actions, ensuring compliance and data integrity.

* feat(audit): add system actor migration
@graphite-app graphite-app bot requested a review from a team November 19, 2025 17:44
@graphite-app graphite-app bot added the community Created by Linear-GitHub Sync label Nov 19, 2025
Resolved conflicts in companion/app/_layout.tsx by:
- Keeping AuthProvider wrapper (needed for OAuth)
- Keeping ErrorBoundary (crash protection)
- Keeping SafeAreaProvider for native (iOS stability)
- Keeping deep link handler (OAuth callback)
- Keeping all OAuth-related screens (onboarding, oauth/callback, oauth-helper)
- Using upstream's improved flex: 1 for web view

All our OAuth features preserved while incorporating upstream improvements.
@dhairyashiil dhairyashiil removed the request for review from a team November 19, 2025 17:48
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment


12 issues found across 23 files

Prompt for AI agents (all 12 issues)

Understand the root cause of the following 12 issues and fix them.


<file name="companion/services/oauth.ts">

<violation number="1" location="companion/services/oauth.ts:34">
The Cal.com OAuth client secret is embedded in the client bundle and used from the device to exchange codes/tokens, so anyone with the app can extract it and impersonate the client. Move the token exchange/refresh flow to a trusted backend (or use PKCE without a secret) so the secret is never shipped to end users.</violation>

<violation number="2" location="companion/services/oauth.ts:56">
OAuth state is generated with Math.random(), which is not cryptographically secure. Use a CSPRNG (e.g., crypto.getRandomValues/Expo Random) so the state cannot be guessed and the authorization flow retains CSRF protection.</violation>

<violation number="3" location="companion/services/oauth.ts:125">
Rule violated: **Avoid Logging Sensitive Information**

Logging the full token exchange response prints the raw OAuth payload (including access_token and refresh_token), directly violating the "Avoid Logging Sensitive Information" rule.</violation>
</file>

<file name="companion/app/oauth/callback.tsx">

<violation number="1" location="companion/app/oauth/callback.tsx:21">
The OAuth callback never verifies the `state` value before exchanging the authorization code, so any forged redirect can be accepted and tokens issued without CSRF protection.</violation>

<violation number="2" location="companion/app/oauth/callback.tsx:31">
UI strings and error messages are hardcoded English instead of using t(), violating the project’s localization requirement and making translations impossible.</violation>
</file>

<file name="companion/index.js">

<violation number="1" location="companion/index.js:10">
Replacing ErrorUtils’ global handler without calling the previous handler swallows fatal errors, preventing React Native’s default crash/reload flow and hiding production failures.</violation>
</file>

<file name="companion/components/ErrorBoundary.tsx">

<violation number="1" location="companion/components/ErrorBoundary.tsx:49">
User-facing strings are hard-coded instead of using the required t() localization helper, so this screen won’t be translatable.</violation>
</file>

<file name="companion/contexts/AuthContext.tsx">

<violation number="1" location="companion/contexts/AuthContext.tsx:113">
Replacing expo-secure-store with the in-memory storage utility means mobile tokens are no longer persisted across app restarts, so users are logged out whenever the app is killed. Please keep using a persistent native store (e.g., SecureStore/AsyncStorage) instead of this memory-only helper.</violation>
</file>

<file name="companion/app/onboarding.tsx">

<violation number="1" location="companion/app/onboarding.tsx:25">
Please wrap the alert title/message/button label in t() (with an import if needed) so the onboarding error path is localizable.</violation>

<violation number="2" location="companion/app/onboarding.tsx:69">
Wrap the CTA label in t() (and add the corresponding translation key) so the button text is localizable.</violation>

<violation number="3" location="companion/app/onboarding.tsx:81">
Use t() for the helper link copy so the message can be localized along with the rest of the onboarding UI.</violation>
</file>

<file name="companion/app/_layout.tsx">

<violation number="1" location="companion/app/_layout.tsx:36">
Rule violated: **Avoid Logging Sensitive Information**

Logging the full deep-link URL reveals OAuth authorization codes/state in console output, violating the "Avoid Logging Sensitive Information" rule. Remove or sanitize the sensitive parameters before logging.</violation>
</file>

Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR
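
The review above flags three linked problems: a shipped client secret, `Math.random()` state, and a callback that never checks `state`. The sketch below is an added example, not code from this PR or from Cal.com: it generates state and a PKCE verifier from a CSPRNG, rejects callbacks whose state does not match, and builds a secret-free token request. It assumes the authorization server supports PKCE (S256); `https://auth.example/authorize`, the client id and all function names are hypothetical, and Node's `crypto` stands in for the platform CSPRNG the app would use on device.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// What the app keeps between opening the authorization page and the redirect.
interface PendingAuth {
  state: string;
  codeVerifier: string;
  redirectUri: string;
  createdAt: number;
}

type CallbackResult =
  | { ok: true; code: string; codeVerifier: string; redirectUri: string }
  | { ok: false; reason: string };

// Assumption: a pending request is only honoured for ten minutes.
const STATE_TTL_MS = 10 * 60 * 1000;

// Build the authorization URL with CSPRNG state and a PKCE S256 challenge.
function beginAuthorization(
  authorizeEndpoint: string,
  clientId: string,
  redirectUri: string,
  now: number = Date.now()
): { url: string; pending: PendingAuth } {
  const state = randomBytes(32).toString("base64url");
  const codeVerifier = randomBytes(32).toString("base64url"); // 43 chars
  const codeChallenge = createHash("sha256").update(codeVerifier).digest("base64url");

  const url = new URL(authorizeEndpoint);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("state", state);
  url.searchParams.set("code_challenge", codeChallenge);
  url.searchParams.set("code_challenge_method", "S256");

  const pending: PendingAuth = { state, codeVerifier, redirectUri, createdAt: now };
  return { url: url.toString(), pending };
}

// Validate the redirect before any code is exchanged.
function handleCallback(
  callbackUrl: string,
  pending: PendingAuth | null,
  now: number = Date.now()
): CallbackResult {
  if (!pending) return { ok: false, reason: "no_pending_request" };
  if (now - pending.createdAt > STATE_TTL_MS) return { ok: false, reason: "state_expired" };

  let params: URLSearchParams;
  try {
    params = new URL(callbackUrl).searchParams;
  } catch {
    return { ok: false, reason: "malformed_callback" };
  }

  // Constant-time comparison of the returned state with the stored one.
  const returned = Buffer.from(params.get("state") ?? "");
  const expected = Buffer.from(pending.state);
  if (returned.length !== expected.length || !timingSafeEqual(returned, expected)) {
    return { ok: false, reason: "state_mismatch" };
  }

  const code = params.get("code");
  if (!code) return { ok: false, reason: "missing_code" };

  // Reuse the redirect_uri from the authorization request so the token
  // exchange cannot drift to a different value.
  return { ok: true, code, codeVerifier: pending.codeVerifier, redirectUri: pending.redirectUri };
}

// application/x-www-form-urlencoded body: code_verifier replaces client_secret.
function tokenRequestBody(
  clientId: string,
  cb: { code: string; codeVerifier: string; redirectUri: string }
): string {
  return new URLSearchParams({
    grant_type: "authorization_code",
    code: cb.code,
    redirect_uri: cb.redirectUri,
    client_id: clientId,
    code_verifier: cb.codeVerifier,
  }).toString();
}
```

The pending request should be discarded after one callback attempt, successful or not, so a state value is never accepted twice.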

emrysal and others added 3 commits November 19, 2025 15:40
…ypes (calcom#24978)

* fix: prevent bulk update of locked locations in child managed event types

- Filter out child managed event types with locked locations in getBulkUserEventTypes
- Add validation in bulkUpdateEventsToDefaultLocation to prevent updating locked fields
- Implements defense in depth with validation at multiple layers

Co-Authored-By: [email protected] <[email protected]>

* Abstract filtering logic

* test: add comprehensive tests for bulk location update filtering

- Add unit tests for filterEventTypesWhereLocationUpdateIsAllowed
- Add unit tests for bulkUpdateEventsToDefaultLocation
- Add integration tests for getBulkUserEventTypes
- Fix bug: change unlockedFields?.locations check from !== undefined to === true
  This ensures that locations: false is properly treated as locked, addressing
  the security issue identified in PR review comments

Co-Authored-By: [email protected] <[email protected]>

* fix: filter locked managed event types on app installation page

- Add parentId to eventTypeSelect in getEventTypes function
- Apply filterEventTypesWhereLocationUpdateIsAllowed to both team and user event types
- Only filter when isConferencing is true to avoid affecting other app types
- Fixes issue where locked managed event types were showing in the event type selection list on /apps/installation/event-types page

Co-Authored-By: [email protected] <[email protected]>

* fix(embed-react): remove obsolete availabilityLoaded event listener

The availabilityLoaded event does not exist in the EventDataMap type system
in embed-core. This code was causing 5 TypeScript errors in CI:
- Type 'availabilityLoaded' does not satisfy constraint 'keyof EventDataMap'
- 'data' is of type 'unknown' (2 occurrences)
- Type 'availabilityLoaded' is not assignable to action union (2 occurrences)

Since this is an example file and the event is not defined in the type system,
removing this obsolete code resolves the type errors.

Co-Authored-By: [email protected] <[email protected]>

* fix: correct Prisma type for metadata in test helper function

Co-Authored-By: [email protected] <[email protected]>

* fix: use flexible PrismaLike type for better test compatibility

Co-Authored-By: [email protected] <[email protected]>

* fix: properly type mock Prisma objects in test files

Co-Authored-By: [email protected] <[email protected]>

* fix: properly mock Prisma methods in test file

Co-Authored-By: [email protected] <[email protected]>

* Filter out metadata

* Undo change in embed file

* Address feedback

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
@dhairyashiil dhairyashiil requested a review from a team as a code owner November 19, 2025 22:40
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment


4 issues found across 5 files (reviewed changes from recent commits).

Prompt for AI agents (all 4 issues)

Understand the root cause of the following 4 issues and fix them.


<file name="companion/app/onboarding.tsx">

<violation number="1" location="companion/app/onboarding.tsx:23">
Authorization uses http://localhost:8081/oauth/callback but the later token exchange still posts expo-wxt-app://oauth/callback, so Cal.com will reject every code on iOS due to redirect_uri mismatch.</violation>
</file>

<file name="companion/app/oauth/webview.tsx">

<violation number="1" location="companion/app/oauth/webview.tsx:81">
Rule violated: **Avoid Logging Sensitive Information**

The redirect URL (which includes the OAuth authorization code) is logged verbatim, leaking the code to device logs. Remove or sanitize these `console.log` statements so the code/token is never written to logs, per the "Avoid Logging Sensitive Information" rule.</violation>

<violation number="2" location="companion/app/oauth/webview.tsx:128">
All user-facing strings in this screen are hardcoded (e.g., alerts, headers, button labels) instead of using t(), so the OAuth UI cannot be localized and violates the project’s localization requirement.</violation>
</file>

<file name="companion/app/_layout.tsx">

<violation number="1" location="companion/app/_layout.tsx:25">
Rule violated: **Avoid Logging Sensitive Information**

Logging the raw deep-link URL exposes OAuth codes/state parameters in device logs, leaking sensitive credentials and violating the Avoid Logging Sensitive Information rule.</violation>
</file>

Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR
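
Both reviews flag the same logging leak: deep-link and redirect URLs carrying `code`/`state`, and the token exchange response carrying `access_token`/`refresh_token`. The sanitizer below is an added example, not code from this PR: it masks sensitive parameters in a URL's query and fragment and sensitive fields in a token response before anything is logged. The function names, the parameter list and the constructed sample values are assumptions.

```typescript
// Parameter and field names that must never reach a log line (assumed list).
const SENSITIVE_KEYS = new Set([
  "code",
  "state",
  "access_token",
  "refresh_token",
  "id_token",
  "client_secret",
  "code_verifier",
]);

// Mask sensitive values in a query string or fragment (no leading ? or #).
function redactParams(raw: string): string {
  const params = new URLSearchParams(raw);
  const keys = Array.from(new Set(Array.from(params.keys())));
  for (const key of keys) {
    if (SENSITIVE_KEYS.has(key.toLowerCase())) {
      // set() rewrites the first occurrence in place and drops duplicates.
      params.set(key, "REDACTED");
    }
  }
  return params.toString();
}

// Return a loggable form of a deep-link or redirect URL.
function redactUrlForLog(raw: string): string {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    // Never echo input that cannot be parsed: it may still contain a code.
    return "[unparseable URL withheld from log]";
  }
  if (url.search) {
    url.search = redactParams(url.search.slice(1));
  }
  // Tokens can also arrive in the fragment, e.g. #access_token=...
  if (url.hash.includes("=")) {
    url.hash = redactParams(url.hash.slice(1));
  }
  return url.toString();
}

// Return a loggable copy of a token endpoint response (shallow).
function redactTokenResponse(body: Record<string, unknown>): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const key of Object.keys(body)) {
    out[key] = SENSITIVE_KEYS.has(key.toLowerCase()) ? "REDACTED" : body[key];
  }
  return out;
}
```

Routing every `console.log` of a URL or OAuth payload through these helpers keeps the path and non-sensitive fields available for debugging while the credentials stay out of device logs.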

Ryukemeister and others added 5 commits November 19, 2025 23:12
* docs: add Stripe Connect atom documentation

Co-Authored-By: [email protected] <[email protected]>

* docs: restructure Stripe Connect docs with Steps component

- Add Steps component explaining two ways to connect Stripe
- Step 1: Direct Stripe Connect atom usage
- Step 2: Event Type Settings payment tab usage
- Include code examples for both methods
- Add image placeholders for visual demonstrations
- Move advanced usage examples under separate section

Co-Authored-By: [email protected] <[email protected]>

* chore: add link to stripe connect atom

* chore: update docs

* chore: implement feedback

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
…om#25224)

* feat: add avatarUrl to /v2/me endpoint response

- Add avatarUrl field to userSchemaResponse schema in packages/platform/types/me.ts
- Update e2e tests to verify avatarUrl is returned in GET and PATCH /v2/me responses
- Field is nullable to match User model in Prisma schema
- Fix pre-existing lint warnings by removing 'as any' type assertions in test file

Co-Authored-By: [email protected] <[email protected]>

* feat: add avatarUrl to MeOutput DTO for OpenAPI docs

- Add avatarUrl field to MeOutput class in apps/api/v2/src/ee/me/outputs/me.output.ts
- Field is nullable to match the Zod schema and Prisma model
- This ensures OpenAPI documentation will include avatarUrl when regenerated

Co-Authored-By: [email protected] <[email protected]>

* feat: add bio field to /v2/me endpoint response

- Add bio field to userSchemaResponse Zod schema in packages/platform/types/me.ts
- Add bio field to MeOutput NestJS DTO in apps/api/v2/src/ee/me/outputs/me.output.ts
- Update e2e tests to verify bio is returned in both GET and PATCH responses
- Field is nullable to match the User model in Prisma schema

Co-Authored-By: [email protected] <[email protected]>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: chauhan_s <[email protected]>
@dhairyashiil dhairyashiil requested review from a team as code owners November 20, 2025 01:13
@github-actions github-actions bot added the ❗️ migrations contains migration files label Nov 20, 2025
…ion-oauth"

This reverts commit cebf8a2, reversing
changes made to 0374565.
@calcom calcom deleted a comment from CLAassistant Nov 20, 2025
@dhairyashiil dhairyashiil removed request for a team November 20, 2025 01:17
@CarinaWolli CarinaWolli marked this pull request as draft November 20, 2025 15:40
@dhairyashiil
Member Author

closing, addressed by #25298


Labels

community Created by Linear-GitHub Sync community-interns The team responsible for reviewing, testing and shipping low/medium community PRs ❗️ migrations contains migration files size/XXL
