feat: Add async spam check with parallel execution and fake booking redirect #24326

hariombalhara · 2025-10-07T12:46:15Z

What does this PR do?

This PR implements async spam checking in the booking flow that runs in parallel with availability loading to avoid delaying legitimate bookings. When an email is detected as spam, it returns a fake booking response and redirects the user to a convincing booking success page.

Key Features:

✅ Zero performance impact on legitimate bookings (spam check runs in parallel)
✅ Spammers see fake booking confirmation and believe their booking succeeded
✅ No actual bookings are created for blocked emails
✅ Integrates with existing watchlist/blocking infrastructure from feat: Add spam blocker DI structure #24040

Implementation:

Creates SpamCheckService wrapper for async spam checking
Starts spam check early in handleNewBooking, awaits result before booking creation
Generates realistic fake booking responses for blocked emails
Adds new /booking-successful route for deceptive success pages
Updates booking redirect logic to handle spam decoy bookings

This is a stacked PR on top of #24040 (feat: Add spam blocker DI structure).

Visual Demo

The spam detection is intentionally invisible to users. For blocked emails:

Booking form submission → No errors, normal loading experience
Fake booking response → Contains realistic booking data with fake UID
Success page redirect → /booking-successful with query params showing fake booking details
Result → Spammer sees convincing confirmation page, no actual booking created

Mandatory Tasks

I have self-reviewed the code
Documentation updates: N/A - internal security feature
Automated tests: Integration tests needed for spam check flow

How should this be tested?

Environment Setup:

Ensure base PR feat: Add spam blocker DI structure #24040 is available with watchlist database tables

Add test email to watchlist:

INSERT INTO "Watchlist" (email, action, severity, organizationId, createdAt, updatedAt)
VALUES ('spam@test.com', 'BLOCK', 'CRITICAL', null, NOW(), NOW());

Testing Steps:

Navigate to any booking page (e.g., /[username]/[event-type])
Fill form with blocked email spam@test.com
Submit form
Expected Result: Redirect to /booking-successful with fake booking details
Verify: No actual booking created in database
Test Normal Flow: Repeat with non-blocked email, ensure normal booking works

Critical Review Areas:

⚠️ Security: Review fake booking response structure in handleNewBooking.ts lines 1412-1455:

Organizer email is hidden (email: null)
Fake UUID generated for booking ID
All required fields populated to avoid detection

⚠️ Timing: Verify spam check async pattern in handleNewBooking.ts:

Started at line 503 (early in flow)
Awaited at line 1402 (before booking creation)
Runs parallel to availability checking

⚠️ Type Safety: Check isSpamDecoy field handling:

Added to booking response types
Properly detected in redirect logic (useBookings.ts line 284)
Query params correctly formatted for success page

⚠️ Integration: Ensure normal booking flow unaffected:

Non-blocked emails follow standard path
All existing booking validations preserved
No performance impact on legitimate users

Link to Devin run: https://app.devin.ai/sessions/8aaeeecf6dfc45ef90973a7e5249a2aa
Requested by: @hariombalhara

Checklist

My code follows the style guidelines of this project
I have commented hard-to-understand areas (async timing, fake response structure)
I have checked that my changes generate no new warnings (lint passed)

…edirect - Create SpamCheckService to manage async spam checking - Start spam check early in handleNewBooking, await before booking creation - Generate fake booking response for blocked emails with all required fields - Add redirect logic in useBookings to handle spam decoy bookings - Create new /booking-successful route to display fake booking data - Spam check runs in parallel with availability loading (zero delay) - Spammers see convincing fake success page via query params Also fix pre-existing lint warnings in useBookings.ts: - Remove unused catch parameter - Convert optional chaining expressions to if statements - Remove eslint-disable comments for non-existent rule Stacked on PR #24040 Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>

devin-ai-integration · 2025-10-07T12:46:17Z

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

Address comments on this PR that start with 'DevinAI' or '@devin'.
Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

Disable automatic comment and CI monitoring

coderabbitai · 2025-10-07T12:46:36Z

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

✨ Finishing touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment
Commit unit tests in branch devin/spam-async-check-1759840597

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

vercel · 2025-10-07T13:19:52Z

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Preview	Comments	Updated (UTC)
cal	Ignored			Oct 8, 2025 5:43am
cal-eu	Ignored			Oct 8, 2025 5:43am

- Import and load prismaModule in watchlist container for PrismaClient binding - Fix loggerServiceModule to use synchronous factory (matches prismaModule pattern) - Resolves 'logger.getSubLogger is not a function' error in tests - spam-booking.test.ts now passes successfully Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>

…tual implementation Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>

…g-successful page Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>

pull-request-size bot added the size/L label Oct 7, 2025

keithwillcode added core area: core, team members only enterprise area: enterprise, audit log, organisation, SAML, SSO labels Oct 7, 2025

wip

8df053d

pull-request-size bot removed the size/L label Oct 7, 2025

pull-request-size bot added the size/XL label Oct 7, 2025

vercel bot had a problem deploying to Preview – dev October 7, 2025 13:48 Failure

docs: Update spam-check-flow.mermaid architecture notes to reflect ac…

16beaf6

…tual implementation Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>

vercel bot had a problem deploying to Preview – dev October 7, 2025 15:34 Failure

vercel bot deployed to Preview – dev October 7, 2025 16:22 View deployment

fix: Correct Icon import path and add missing translations for bookin…

eb9900b

…g-successful page Co-Authored-By: hariom@cal.com <hariombalhara@gmail.com>

hariombalhara force-pushed the devin/spam-async-check-1759840597 branch from 57db386 to eb9900b Compare October 8, 2025 05:43

pull-request-size bot added size/XXL and removed size/XL labels Oct 8, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat: Add async spam check with parallel execution and fake booking redirect #24326

feat: Add async spam check with parallel execution and fake booking redirect #24326

Uh oh!

Uh oh!

Review skipped

Uh oh!

Uh oh!

Uh oh!

feat: Add async spam check with parallel execution and fake booking redirect #24326

Are you sure you want to change the base?

feat: Add async spam check with parallel execution and fake booking redirect #24326

Conversation

What does this PR do?

Visual Demo

Mandatory Tasks

How should this be tested?

Checklist

Uh oh!

🤖 Devin AI Engineer

Uh oh!

Review skipped

Uh oh!

Uh oh!

Uh oh!

Uh oh!