refactor: Use confirmHandler directly in link and verify-booking-token routes[booking-audit-prerequisite]

[hariombalhara]

What does this PR do?

Refactors the /api/link and /api/verify-booking-token API routes to call confirmHandler directly instead of using the tRPC caller pattern. This simplifies the code by removing boilerplate for session getters, legacy request building, and context creation.

This PR is extracted from #26523 to create a smaller, focused change that can serve as a base for the booking audit integration work.

Mandatory Tasks (DO NOT REMOVE)

• I have self-reviewed the code (A decent size PR without self-review might be rejected).
• I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. N/A - internal refactoring only.
• I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

1. Test the magic link booking confirmation flow:

   • Create a booking that requires confirmation
   • Use the magic link to accept/reject the booking
   • Verify the booking status changes correctly and redirects work

2. Test the verify-booking-token flow:

   • Test GET request for accepting bookings
   • Test POST request for rejecting bookings with reason
   • Verify error handling redirects preserve the request origin

3. Run the unit tests:

   TZ=UTC yarn test apps/web/app/api/link/__tests__/route.test.ts apps/web/app/api/verify-booking-token/__tests__/route.test.ts

Human Review Checklist

• Verify that calling confirmHandler directly produces the same behavior as the previous tRPC caller pattern
• Verify the user fields selected (id, uuid, email, username, role, destinationCalendar) are sufficient for confirmHandler
• Verify emailsEnabled: true is the correct default for these routes
• Confirm the traceContext is properly constructed with distributedTracing.createTrace()

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have checked if my changes generate no new warnings

---

Link to Devin run: https://app.devin.ai/sessions/c75b539122974b3380ac2d2d68322e16
Requested by: @hariombalhara

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR that start with 'DevinAI' or '@devin'.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[cubic-dev-ai]

1 issue found across 4 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="apps/web/app/api/verify-booking-token/__tests__/route.test.ts">

<violation number="1" location="apps/web/app/api/verify-booking-token/__tests__/route.test.ts:50">
P2: Mock for `findUniqueOrThrow` returns `null` instead of throwing when record is not found. This doesn't match Prisma's actual behavior where `findUniqueOrThrow` throws an error if no record exists.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[Udit-takkar]

we should move all the prisma queries to repository in follow up

[hariombalhara]

Yup, agreed

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

4 Skipped Deployments

Project	Deployment	Review	Updated (UTC)
api-v2	Ignored	Preview	Jan 8, 2026 7:58am
cal	Ignored		Jan 8, 2026 7:58am
cal-companion	Ignored	Preview	Jan 8, 2026 7:58am
cal-eu	Ignored		Jan 8, 2026 7:58am

[hariombalhara]

Merge activity

• Jan 8, 8:03 AM UTC: Graphite couldn't merge this PR because it was not satisfying all requirements (Failed CI: 'required', 'Tests / Integration').

[github-actions]

E2E results are ready!

• Workflow #97595.1 latest results