feat: Add async spam check with parallel execution and fake booking redirect #24326
base: feat/spam-block-di
…edirect
- Create SpamCheckService to manage async spam checking
- Start spam check early in handleNewBooking, await before booking creation
- Generate fake booking response for blocked emails with all required fields
- Add redirect logic in useBookings to handle spam decoy bookings
- Create new /booking-successful route to display fake booking data
- Spam check runs in parallel with availability loading (zero delay)
- Spammers see convincing fake success page via query params

Also fix pre-existing lint warnings in useBookings.ts:
- Remove unused catch parameter
- Convert optional chaining expressions to if statements
- Remove eslint-disable comments for non-existent rule

Stacked on PR #24040
Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>
- Import and load prismaModule in watchlist container for PrismaClient binding
- Fix loggerServiceModule to use synchronous factory (matches prismaModule pattern)
- Resolves 'logger.getSubLogger is not a function' error in tests
- spam-booking.test.ts now passes successfully

Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>
…tual implementation Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>
…g-successful page Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>
…g-successful page Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>
57db386 to eb9900b
- Resolved merge conflict in watchlist.ts by keeping DI_TOKENS import (required for line 20)
- Updated spam-check-flow.mermaid architecture notes to reflect base branch changes:
  - GlobalBlockingService now takes orgRepo instead of auditService
  - OrganizationBlockingService has optional audit logging

Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>

- Resolve merge conflict in watchlist.ts by keeping DI_TOKENS import
- Add optional chaining to searchParams in booking-successful page
- Add missing iCalUID, paymentId, and luckyUsers properties to fake booking response
- Update CombinedBlockingService and OrganizationBlockingService per base branch changes (audit logging now only in CombinedBlockingService)
- Prefix unused organizationId parameter with underscore per linting rules

All type checks and linting passing with 0 errors.
Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>

The remote branch refactored the spam check architecture:
- Removed CombinedBlockingService.ts (logic moved to SpamCheckService)
- SpamCheckService now directly uses GlobalBlockingService and OrganizationBlockingService
- Added SpamCheckService.container.ts for DI setup
- Enhanced spam-booking.test.ts with comprehensive test coverage
- Improved OrganizationBlockingService with better email normalization

This is a cleaner architecture that simplifies the service layer.
Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>

- Updated OrganizationBlockingService to match base branch (removed audit logging)
- Updated mappers.ts to match base branch (removed extra types and functions)
- Fixed TypeScript errors caused by merge conflict resolution
- All type checks now passing

Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>

- Removed reference to CombinedBlockingService (doesn't exist in base branch)
- Updated to show SpamCheckService directly calling GlobalBlockingService and OrganizationBlockingService
- Clarified parallel execution flow
- Updated architecture notes to match actual implementation

Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>
89258f0 to 649e0c2
What does this PR do?
This PR implements an async spam blocker for Cal.com that runs spam checks in parallel with availability loading to achieve zero performance impact on legitimate bookings.
Key Features:
Stacked on: #24040 (feat: Add spam blocker DI structure)
Visual Demo
Manual testing completed for both spam and legitimate booking paths:
Spam Path Test:
- spamtest@blocked.com (added to Watchlist with BLOCK action)
- /booking-successful page

Legitimate Path Test:
- legitimate@user.com (clean, not in watchlist)

Architecture
New Components
- SpamCheckService: Orchestrates parallel global + org blocking checks
- /booking-successful page: Fake success page that deceives spammers
- spamCheck.ts for dependency injection
- booking_confirmed_description, confirmation_email_sent

Key Flow Changes
- spamCheckService.startCheck(email, orgId)
- await spamCheckService.waitForCheck()
- isSpamDecoy: true flag

How should this be tested?
Prerequisites
Test Scenarios
Spam Detection Path:
- action: BLOCK
- /booking-successful (not standard success page)

Legitimate User Path:
Performance Testing:
Checklist
Risk Areas for Review
- eventType.team?.parentId pattern matches existing codebase conventions for organization ID extraction.
- waitForCheck() call must complete before proceeding.
- /booking-successful page for proper sanitization of URL parameters to prevent XSS.
- CombinedBlockingService - verify my implementation correctly uses separate GlobalBlockingService and OrganizationBlockingService.

Mandatory Tasks
- spam-booking.test.ts passes without additional mocking)

Requested by: @hariombalhara
Devin Session: https://app.devin.ai/sessions/8aaeeecf6dfc45ef90973a7e5249a2aa
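
The start-early, await-before-write flow named under Key Flow Changes, as an added example that is not part of the PR or of Cal.com's code. It shows why the error handlers have to be attached in startCheck() rather than at the await, and why each lookup is handled separately. The `BlockCheck` type, the factory, the sample checkers and the fail-open policy are assumptions.

```typescript
// Added illustration: BlockCheck, the sample checkers and the fail-open policy are assumptions.
type BlockCheck = (email: string, orgId: number | null) => Promise<boolean>;

function createSpamCheckService(globalCheck: BlockCheck, orgCheck: BlockCheck) {
  let pending: Promise<boolean> | null = null;
  // Each lookup fails open on its own, so an error in one cannot mask a hit in the other.
  const failOpen = (p: Promise<boolean>) => p.catch(() => false);
  return {
    // Starts both lookups without awaiting them. The catch handlers are attached
    // here, so a lookup that rejects before waitForCheck() is reached never
    // becomes an unhandled rejection.
    startCheck(email: string, orgId: number | null): void {
      const normalized = email.trim().toLowerCase();
      pending = Promise.all([
        failOpen(globalCheck(normalized, null)),
        orgId === null ? Promise.resolve(false) : failOpen(orgCheck(normalized, orgId)),
      ]).then(([globalHit, orgHit]) => globalHit || orgHit);
    },
    // Resolves to true when the email is blocked; await it before any write.
    waitForCheck(): Promise<boolean> {
      if (pending === null) return Promise.reject(new Error("startCheck() was not called"));
      return pending;
    },
  };
}

const sleep = (ms: number) => new Promise<void>((resolve) => setTimeout(resolve, ms));

// Constructed data standing in for the watchlist repositories.
const globalWatchlist = new Set(["spamtest@blocked.com"]);
const globalCheck: BlockCheck = async (email) => {
  await sleep(20);
  return globalWatchlist.has(email);
};
const failingOrgCheck: BlockCheck = async () => {
  throw new Error("org watchlist unavailable");
};

async function handleNewBooking(email: string, orgId: number | null, orgCheck: BlockCheck) {
  const spamCheck = createSpamCheckService(globalCheck, orgCheck);
  spamCheck.startCheck(email, orgId); // 1. start before the slow work
  await sleep(30); // 2. stands in for availability loading
  const blocked = await spamCheck.waitForCheck(); // 3. decide before creating anything
  return { isSpamDecoy: blocked, bookingCreated: !blocked };
}
```

With a single catch on the combined promise instead of one per lookup, the failing org lookup would turn the global hit for spamtest@blocked.com into "not blocked".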