[CAL-3362] Use tokens for public mutating endpoints #14342

zomars · 2024-04-04T17:15:15Z

          For a follow up. Generate a token from the email and verify it to avid exposing mutations publicly. Similarly on how we do for confirmation emails:

cal.com/packages/emails/src/templates/OrganizerRequestEmail.tsx

Lines 8 to 11 in 386968f

    
           const seedData = { bookingUid: props.calEvent.uid, userId: props.calEvent.organizer.id }; 
        
           const token = symmetricEncrypt(JSON.stringify(seedData), process.env.CALENDSO_ENCRYPTION_KEY || ""); 
        
           //TODO: We should switch to using org domain if available 
        
           const actionHref = `${WEBAPP_URL}/api/link/?token=${encodeURIComponent(token)}`;

Originally posted by @zomars in #14215 (comment)

_CAL-3362

The text was updated successfully, but these errors were encountered:

zomars changed the title ~~Use tokens for public mutating endpoints~~ [CAL-3362] Use tokens for public mutating endpoints Apr 4, 2024

dosubot bot added security ✨ feature New feature or request labels Apr 4, 2024

alishaz-polymath mentioned this issue Apr 12, 2024

fix: add new styling for emoji links #14481

Merged

zomars added Medium priority Created by Linear-GitHub Sync foundation labels Apr 30, 2024

anikdhabal linked a pull request May 8, 2024 that will close this issue

feat: use tokens for public mutating endpoints #14946

Draft

3 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[CAL-3362] Use tokens for public mutating endpoints #14342

[CAL-3362] Use tokens for public mutating endpoints #14342

zomars commented Apr 4, 2024 •

edited

[CAL-3362] Use tokens for public mutating endpoints #14342

[CAL-3362] Use tokens for public mutating endpoints #14342

Comments

zomars commented Apr 4, 2024 • edited

zomars commented Apr 4, 2024 •

edited