feat: update recording, transcript endpoint and add tests

[tomerqodo]

Benchmark PR from agentic-review-benchmarks#16

Summary by CodeRabbit

• Bug Fixes

  • Enabled authentication and authorization for recording and transcript retrieval endpoints.
  • Removed public access to the mark-absent endpoint.

• API Changes

  • Removed informational message field from recording and transcript API responses for simplified payloads.

• Tests

  • Added authorization test coverage for recording and transcript endpoints.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

The changes introduce stricter authentication and authorization controls to booking endpoints for recordings and transcripts, remove the public mark-absent endpoint, eliminate informational messages from responses, and activate corresponding authorization tests. Output types are updated to remove optional message fields from the API responses.

Changes

Cohort / File(s)	Summary
Controller Authorization Updates apps/api/v2/src/ee/bookings/2024-08-13/controllers/bookings.controller.ts	Enhanced authentication and authorization for GET recordings (changed permission from BOOKING_READ to BOOKING_WRITE, reordered guards) and transcripts endpoints (added Pbac guard). Removed public exposure of POST mark-absent endpoint. Service calls no longer awaited; removed informational messages from responses.
E2E Test Activation apps/api/v2/src/ee/bookings/2024-08-13/controllers/e2e/booking-access-auth.e2e-spec.ts	Uncommented and activated authorization tests for recordings and transcripts endpoints. Tests now validate successful (200) and unauthorized (403) responses with mocked CalVideoService methods.
Output Type Cleanup packages/platform/types/bookings/2024-08-13/outputs/get-booking-recordings.output.ts, packages/platform/types/bookings/2024-08-13/outputs/get-booking-transcripts.output.ts	Removed optional message?: string field and its decorators from both output types, reducing the public API response surface.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Guards stand tall at the booking gate,
Protecting recordings from those who wait,
Messages fade like morning dew,
Authentication tests shine fresh and new,
Stronger walls for data so sweet,
Making our API complete! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately captures the main changes: updating recording and transcript endpoints and adding tests, which aligns with the core modifications across multiple files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch coderabbit_full_head_feat_update_recording_transcript_endpoint_and_add_tests__pr16

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@apps/api/v2/src/ee/bookings/2024-08-13/controllers/bookings.controller.ts`:
- Around line 226-232: The getBookingRecordings handler is assigning a Promise
to data because it calls the async method getRecordings without awaiting it;
update the getBookingRecordings method to await
this.calVideoService.getRecordings(bookingUid) (same pattern as getTranscripts)
so recordings holds the resolved array before returning the
GetBookingRecordingsOutput response.
- Around line 236-238: The guards for the transcripts endpoint are ordered
incorrectly: change the `@UseGuards` invocation that currently lists
BookingPbacGuard, ApiAuthGuard, BookingUidGuard to the consistent order
ApiAuthGuard, BookingUidGuard, BookingPbacGuard so that ApiAuthGuard establishes
the user context before BookingPbacGuard runs; update the `@UseGuards` decorator
on the transcripts controller method (the one annotated with
`@Pbac`(["booking.readRecordings"]) and `@Permissions`([BOOKING_READ])) to use
ApiAuthGuard, BookingUidGuard, BookingPbacGuard.

🧹 Nitpick comments (1)

packages/platform/types/bookings/2024-08-13/outputs/get-booking-recordings.output.ts (1)

6-6: Unused type import.

BookingRepository is imported but never used in this file. Remove this dead import.

Proposed fix

-import type { BookingRepository } from "@calcom/features/bookings/lib/BookingRepository";

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Missing await causes API to return Promise instead of recordings data.

getRecordings is an async method but is called without await. This returns a Promise object to data instead of the actual recordings array. When serialized to JSON, the Promise becomes {}, breaking the API response.

Compare with line 252 where getTranscripts correctly uses await.

Proposed fix

   async getBookingRecordings(`@Param`("bookingUid") bookingUid: string): Promise<GetBookingRecordingsOutput> {
-    const recordings = this.calVideoService.getRecordings(bookingUid);
+    const recordings = await this.calVideoService.getRecordings(bookingUid);

     return {
       status: SUCCESS_STATUS,
       data: recordings,
     };
   }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	async getBookingRecordings(@Param("bookingUid") bookingUid: string): Promise<GetBookingRecordingsOutput> {
	const recordings = await this.calVideoService.getRecordings(bookingUid);
	const recordings = this.calVideoService.getRecordings(bookingUid);
	return {
	status: SUCCESS_STATUS,
	data: recordings,
	message:
	"This endpoint will require authentication in a future release. Please update your integration to include valid credentials. See https://cal.com/docs/api-reference/v2/introduction#authentication for details.",
	};
	async getBookingRecordings(`@Param`("bookingUid") bookingUid: string): Promise<GetBookingRecordingsOutput> {
	const recordings = await this.calVideoService.getRecordings(bookingUid);
	return {
	status: SUCCESS_STATUS,
	data: recordings,
	};
	}

🤖 Prompt for AI Agents

In `@apps/api/v2/src/ee/bookings/2024-08-13/controllers/bookings.controller.ts`
around lines 226 - 232, The getBookingRecordings handler is assigning a Promise
to data because it calls the async method getRecordings without awaiting it;
update the getBookingRecordings method to await
this.calVideoService.getRecordings(bookingUid) (same pattern as getTranscripts)
so recordings holds the resolved array before returning the
GetBookingRecordingsOutput response.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Inconsistent guard ordering may cause authorization issues.

The guard order for transcripts (BookingPbacGuard, ApiAuthGuard, BookingUidGuard) differs from recordings (line 217) and conferencing-sessions (line 563) which both use ApiAuthGuard, BookingUidGuard, BookingPbacGuard.

BookingPbacGuard likely depends on user context set by ApiAuthGuard. Running it first may cause failures or unexpected behavior.

Proposed fix - align with recordings/conferencing-sessions order

   `@Pbac`(["booking.readRecordings"])
   `@Permissions`([BOOKING_READ])
-  `@UseGuards`(BookingPbacGuard, ApiAuthGuard, BookingUidGuard)
+  `@UseGuards`(ApiAuthGuard, BookingUidGuard, BookingPbacGuard)
   `@ApiHeader`(API_KEY_OR_ACCESS_TOKEN_HEADER)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	@Pbac(["booking.readRecordings"])
	@Permissions([BOOKING_READ])
	@UseGuards(BookingUidGuard)
	// @UseGuards(ApiAuthGuard, BookingUidGuard, BookingPbacGuard)
	@UseGuards(BookingPbacGuard, ApiAuthGuard, BookingUidGuard)
	`@Pbac`(["booking.readRecordings"])
	`@Permissions`([BOOKING_READ])
	`@UseGuards`(ApiAuthGuard, BookingUidGuard, BookingPbacGuard)

🤖 Prompt for AI Agents

In `@apps/api/v2/src/ee/bookings/2024-08-13/controllers/bookings.controller.ts`
around lines 236 - 238, The guards for the transcripts endpoint are ordered
incorrectly: change the `@UseGuards` invocation that currently lists
BookingPbacGuard, ApiAuthGuard, BookingUidGuard to the consistent order
ApiAuthGuard, BookingUidGuard, BookingPbacGuard so that ApiAuthGuard establishes
the user context before BookingPbacGuard runs; update the `@UseGuards` decorator
on the transcripts controller method (the one annotated with
`@Pbac`(["booking.readRecordings"]) and `@Permissions`([BOOKING_READ])) to use
ApiAuthGuard, BookingUidGuard, BookingPbacGuard.