fix(api): return original email without OAuth suffix in bookings#25593
Merged
ThyMinimalDev merged 13 commits intomainfrom Jan 12, 2026
Merged
fix(api): return original email without OAuth suffix in bookings#25593ThyMinimalDev merged 13 commits intomainfrom
ThyMinimalDev merged 13 commits intomainfrom
Conversation
github-actions
bot
added
High priority
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
ThyMinimalDev
previously approved these changes
Dec 4, 2025
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
ThyMinimalDev
previously approved these changes
Dec 12, 2025
The seated booking tests were missing displayEmail in the attendee assertions for the second booking test and cancel-as-host test, causing CI test failures
volnei
previously approved these changes
Dec 22, 2025
ThyMinimalDev
previously approved these changes
Jan 6, 2026
Contributor
Devin AI is resolving merge conflictsThis PR has merge conflicts with the Devin will:
If you prefer to resolve conflicts manually, you can close the Devin session and handle it yourself. |
Resolved merge conflicts in docs/api-reference/v2/openapi.json by: - Preserving the displayEmail field additions from the PR - Using the multi-line array formatting from main branch Co-Authored-By: unknown <>
devin-ai-integration
bot
dismissed stale reviews from volnei and ThyMinimalDev
via
b6cbb56
ThyMinimalDev
approved these changes
Jan 12, 2026
Anshumancanrock
pushed a commit
to Anshumancanrock/cal.com
that referenced
this pull request
Jan 12, 2026
…com#25593) * fix(api): remove OAuth client ID suffix from email in booking API responses Fixes calcom#25494 | Linear: CAL-6843 When managed users create or receive bookings, their emails were being returned with an internal OAuth client ID suffix (e.g., bob+cuid123@example.com). This suffix is used internally for user identification but should not be exposed in API responses. Changes: - Add cleanOAuthEmailSuffix() helper using CUID regex pattern - Clean email suffix in hosts[], attendees[], bookingFieldsResponses.email, bookingFieldsResponses.guests[], and reassignedTo.email - Pattern consistent with google-calendar.service.ts implementation Affected output methods: - getOutputBooking - getOutputRecurringBooking - getOutputSeatedBooking - getOutputRecurringSeatedBooking - getOutputReassignedBooking - getHost * refactor(api): preserve original email, add displayEmail field Per team discussion, keep original email unchanged to avoid breaking changes for platform customers. Add displayEmail field with CUID suffix removed for display purposes * feat(api): add displayEmail to booking output DTOs Add displayEmail property to BookingAttendee, BookingHost and ReassignedToDto for API documentation and type safety * test(api): add e2e tests for displayEmail fields in managed user bookings Add tests to verify that displayEmail fields correctly strip CUID suffix from OAuth managed user emails in booking API responses: - Test host displayEmail returns email without CUID suffix - Test attendee displayEmail returns email without CUID suffix - Test bookingFieldsResponses.displayEmail returns clean email - Test displayGuests array returns emails without CUID suffix * false positive breaking change * false positive breaking change * test(api): update existing e2e tests to expect displayEmail field * fix(api): add missing displayEmail to seated booking test assertions The seated booking tests were missing displayEmail in the attendee assertions for the second booking test and cancel-as-host test, causing CI test failures --------- Co-authored-by: cal.com <morgan@cal.com> Co-authored-by: Morgan <33722304+ThyMinimalDev@users.noreply.github.com>
This was referenced Jan 21, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do?
This PR fixes a bug in API v2 (2024-08-13) where emails in booking API responses contained the OAuth client ID as a suffix (
+{cuid}). This suffix exists to prevent email collisions between managed users of different OAuth clients.Fixes #25494 | Linear: CAL-6843
Problem:
bob+cmidditrv0000mza4q93hbcau@example.combob@example.comSolution:
To avoid breaking changes for platform customers who may rely on the original email format, we preserve the original
emailfield and add a newdisplayEmailfield with the CUID suffix removed.Key Changes:
getDisplayEmail()helper to strip CUID suffix from emailsdisplayEmailfield to all relevant response objectsemailfield unchanged for backwards compatibilityRegex pattern used:
/\+[a-zA-Z0-9]{25}/(CUID format, consistent withgoogle-calendar.service.ts)Affected Fields
hosts[].emailbob+{cuid}@example.com(unchanged)hosts[].displayEmailbob@example.com(new)attendees[].emailbob+{cuid}@example.com(unchanged)attendees[].displayEmailbob@example.com(new)bookingFieldsResponses.emailbob+{cuid}@example.com(unchanged)bookingFieldsResponses.displayEmailbob@example.com(new)bookingFieldsResponses.guests[]guest+{cuid}@example.com(unchanged)bookingFieldsResponses.displayGuests[]guest@example.com(new)reassignedTo.emailbob+{cuid}@example.com(unchanged)reassignedTo.displayEmailbob@example.com(new)How should this be tested?
Test Scenario 1 - Managed user as HOST:
GET /v2/bookings/{uid}with headerCal-Api-Version: 2024-08-13hosts[].emailreturns original email with suffixhosts[].displayEmailreturns email without suffixTest Scenario 2 - Managed user as ATTENDEE:
GET /v2/bookings/{uid}with headerCal-Api-Version: 2024-08-13attendees[].emailreturns original email with suffixattendees[].displayEmailreturns email without suffixTest Scenario 3 - Self-booking:
emailanddisplayEmailfields are present and correctExpected result:
emailfields preserve original value,displayEmailfields return clean email without+{cuid}suffixMandatory Tasks (DO NOT REMOVE)
Human Review Checklist
/\+[a-zA-Z0-9]{25}/correctly strips CUID suffixes without affecting normal emailsemailfield values are unchangeddisplayEmailis added to all booking output types (hosts, attendees, reassignedTo)