feat: add user-specific email verification setting #24298
base: main
Add requiresBookerEmailVerification boolean field to User model that allows users to protect their email from impersonation during bookings. When enabled, anyone attempting to book using the protected user's email address (as booker or guest) must complete email verification and be logged in as that email owner.

Key changes:
- Add requiresBookerEmailVerification field to User schema
- Create settings toggle in /settings/my-account/general
- Update checkIfBookerEmailIsBlocked to check booker's account setting
- Update guest filtering in handleNewBooking and addGuests handlers
- Add i18n translations for new setting
- Check both primary and verified secondary emails

Additional fixes:
- Replace 'any' types with proper Prisma and zod types in user.ts
- Fix member role type in sessionMiddleware.ts
- Fix avatar URL generation bug in sessionMiddleware.ts

These type fixes were necessary to resolve pre-commit lint warnings that were blocking the commit.

Co-Authored-By: keith@cal.com <keithwillcode@gmail.com>
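The rule in the commit message above, as an added TypeScript sketch; this is not code from the cal.com repository. The `User` shape, function names, sample data, case-insensitive matching and the dropping of protected guests are assumptions, and only the logged-in-owner half of the rule is modelled (the email verification step is not).

```typescript
// Added illustration, not cal.com code: types, names and data are hypothetical.
type User = {
  id: number;
  email: string;
  verifiedSecondaryEmails: string[];
  requiresBookerEmailVerification: boolean;
};
type Decision = { allowed: true } | { allowed: false; code: "BookerEmailRequiresLogin" };

// Assumption: addresses are compared trimmed and case-insensitively.
const norm = (email: string): string => email.trim().toLowerCase();

// Index every address (primary + verified secondary) of users who enabled the setting.
function buildProtectedIndex(users: User[]): Map<string, number> {
  const index = new Map<string, number>();
  for (const u of users) {
    if (!u.requiresBookerEmailVerification) continue;
    for (const e of [u.email, ...u.verifiedSecondaryEmails]) index.set(norm(e), u.id);
  }
  return index;
}

// True when the address is unprotected or the logged-in user owns it.
function mayUse(index: Map<string, number>, email: string, sessionUserId: number | null): boolean {
  const ownerId = index.get(norm(email));
  return ownerId === undefined || ownerId === sessionUserId;
}

// Booker check: a protected address is refused unless its owner is the session user.
// The error code name appears in the PR description; its use here is assumed.
function checkBooker(index: Map<string, number>, email: string, sessionUserId: number | null): Decision {
  if (mayUse(index, email, sessionUserId)) return { allowed: true };
  return { allowed: false, code: "BookerEmailRequiresLogin" };
}

// Guest filtering (assumed behaviour: protected addresses are dropped, not rejected).
function filterGuests(index: Map<string, number>, guests: string[], sessionUserId: number | null): string[] {
  return guests.filter((g) => mayUse(index, g, sessionUserId));
}

// Constructed sample data.
const sampleUsers: User[] = [
  { id: 1, email: "alice@example.com", verifiedSecondaryEmails: ["alice@work.example"], requiresBookerEmailVerification: true },
  { id: 2, email: "bob@example.com", verifiedSecondaryEmails: [], requiresBookerEmailVerification: false },
];
const protectedIndex = buildProtectedIndex(sampleUsers);
console.log(checkBooker(protectedIndex, "alice@work.example", null));
console.log(filterGuests(protectedIndex, ["alice@example.com", "carol@example.com"], 2));
```

Indexing secondary addresses alongside the primary one is what keeps a protected user's alternate address from being used as a bypass.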
packages/features/bookings/lib/handleNewBooking/checkIfBookerEmailIsBlocked.ts
packages/prisma/migrations/20251006111422_add_requires_booker_email_verification/migration.sql
- Remove unrelated Watchlist index drops from migration
- Add missing Watchlist indexes to schema.prisma to fix drift
- Refactor checkIfBookerEmailIsBlocked to throw ErrorWithCode
- Move HttpError handling to handleNewBooking caller layer

Addresses review comments on PR #24298

Co-Authored-By: keith@cal.com <keithwillcode@gmail.com>
packages/trpc/server/routers/publicViewer/checkIfUserEmailVerificationRequired.handler.ts
packages/trpc/server/routers/viewer/bookings/addGuests.handler.ts
…Watchlist changes

- Add findByEmailWithEmailVerificationSetting method to UserRepository
- Add findManyByEmailsWithEmailVerificationSettings method to UserRepository
- Refactor checkIfUserEmailVerificationRequired handler to use UserRepository
- Refactor addGuests handler to use UserRepository
- Remove unrelated Watchlist schema indices (organizationId/isGlobal, source)
- Remove unrelated WatchlistAudit unique constraint on id

Addresses review comments on PR #24298

Co-Authored-By: keith@cal.com <keithwillcode@gmail.com>
What does this PR do?
This PR converts the global `BLACKLISTED_GUEST_EMAILS` environment variable into a user-specific setting that allows users to enable email verification for their event bookings. When enabled, anyone trying to book events using the user's email address must verify email ownership and be logged in to prevent impersonation.

Key Changes:
- `requiresBookerEmailVerification` boolean field to User model with database migration
- `/settings/my-account/general`
- `BookerEmailBlocked`, `BookerEmailRequiresLogin`) with proper error handling

Requested by: keith@cal.com
Devin Session: https://app.devin.ai/sessions/5b3b084ccf034d35a488edc707adb59c
Visual Demo
Settings UI
The new toggle appears in General Settings:

Booking Flow
When enabled, users trying to book with the protected email will see email verification prompts (reuses existing verification system).
Mandatory Tasks
How should this be tested?
Environment Setup:
Test Steps:
Settings UI Test:
/settings/my-account/general
Booking Protection Test:
Guest Filtering Test:
Expected Behavior:
Human Reviewer Checklist
🚨 High Risk Areas - Please Review Carefully:
Booking Logic Changes (`packages/features/bookings/lib/handleNewBooking.ts`):
- `emailToRequiresVerification` Map
- `HttpError` to `ErrorWithCode`

Repository Pattern Refactoring:
- `findByEmailWithEmailVerificationSetting` and `findManyByEmailsWithEmailVerificationSettings`

Error Handling Pattern (`checkIfBookerEmailIsBlocked.ts`):
- `HttpError` to `ErrorWithCode`

Database Migration Safety:
- `requiresBookerEmailVerification` field with proper default (false)

Session & Middleware Updates: