diff --git a/.env.example b/.env.example index 6632a31eced23e..4354cb0c36531a 100644 --- a/.env.example +++ b/.env.example @@ -415,3 +415,8 @@ REPLEXICA_API_KEY= # Comma-separated list of DSyncData.directoryId to log SCIM API requests for. It can be enabled temporarily for debugging the requests being sent to SCIM server. DIRECTORY_IDS_TO_LOG= + + +# Set this when Cal.com is used to serve only one organization's booking pages +# Read more about it in the README.md +NEXT_PUBLIC_SINGLE_ORG_SLUG= diff --git a/README.md b/README.md index 3ea2b22c626ab5..6f481c5414ae2a 100644 --- a/README.md +++ b/README.md @@ -485,6 +485,15 @@ Don't code but still want to contribute? Join our [Discussions](https://github.c - Set CSP_POLICY="non-strict" env variable, which enables [Strict CSP](https://web.dev/strict-csp/) except for unsafe-inline in style-src . If you have some custom changes in your instance, you might have to make some code change to make your instance CSP compatible. Right now it enables strict CSP only on login page and on other SSR pages it is enabled in Report only mode to detect possible issues. On, SSG pages it is still not supported. +## Single Org Mode +If you want to have booker.yourcompany.com to be the domain used for both dashboard(e.g. https://booker.yourcompany.com/event-types) and booking pages(e.g. https://booker.yourcompany.com/john.joe/15min). +- Set the `NEXT_PUBLIC_SINGLE_ORG_SLUG` environment variable to the slug of the organization you want to use. `NEXT_PUBLIC_SINGLE_ORG_SLUG=booker` +- Set the `NEXT_PUBLIC_WEBAPP_URL` environment variable to the URL of the Cal.com self-hosted instance e.g. `NEXT_PUBLIC_WEBAPP_URL=https://booker.yourcompany.com`. +- Set the `NEXT_PUBLIC_WEBSITE_URL` environment variable to the URL of the Cal.com self-hosted instance e.g. `NEXT_PUBLIC_WEBSITE_URL=https://booker.yourcompany.com`. +- Set the `NEXTAUTH_URL` environment variable to the URL of the Cal.com self-hosted instance e.g. `NEXTAUTH_URL=https://booker.yourcompany.com`. + +Note: It causes root to serve the dashboard and not the organization profile page which shows all bookable users in the organization. + ## Integrations ### Obtaining the Google API Credentials diff --git a/apps/web/getNextjsOrgRewriteConfig.js b/apps/web/getNextjsOrgRewriteConfig.js new file mode 100644 index 00000000000000..ffb87f5e339480 --- /dev/null +++ b/apps/web/getNextjsOrgRewriteConfig.js @@ -0,0 +1,48 @@ +const isSingleOrgModeEnabled = !!process.env.NEXT_PUBLIC_SINGLE_ORG_SLUG; +const orgSlugCaptureGroupName = "orgSlug"; +/** + * Returns the leftmost subdomain from a given URL. + * It needs the URL domain to have atleast two dots. + * app.cal.com -> app + * app.company.cal.com -> app + * app.company.com -> app + */ +const getLeftMostSubdomain = (url) => { + if (!url.startsWith("http:") && !url.startsWith("https:")) { + // Make it a valid URL. Mabe we can simply return null and opt-out from orgs support till the use a URL scheme. + url = `https://${url}`; + } + const _url = new URL(url); + const regex = new RegExp(/^([a-z]+\:\/{2})?((?[\w-.]+)\.[\w-]+\.\w+)$/); + //console.log(_url.hostname, _url.hostname.match(regex)); + return _url.hostname.match(regex)?.groups?.subdomain || null; +}; + +const getRegExpNotMatchingLeftMostSubdomain = (url) => { + const leftMostSubdomain = getLeftMostSubdomain(url); + const subdomain = leftMostSubdomain ? `(?!${leftMostSubdomain})[^.]+` : "[^.]+"; + return subdomain; +}; + +// For app.cal.com, it will match all domains that are not starting with "app". Technically we would want to match domains like acme.cal.com, dunder.cal.com and not app.cal.com +const getRegExpThatMatchesAllOrgDomains = (exports.getRegExpThatMatchesAllOrgDomains = ({ webAppUrl }) => { + if (isSingleOrgModeEnabled) { + console.log("Single-Org-Mode enabled - Consider all domains to be org domains"); + // It works in combination with next.config.js where in this case we use orgSlug=NEXT_PUBLIC_SINGLE_ORG_SLUG + return `.*`; + } + const subdomainRegExp = getRegExpNotMatchingLeftMostSubdomain(webAppUrl); + return `^(?<${orgSlugCaptureGroupName}>${subdomainRegExp})\\.(?!vercel\.app).*`; +}); + +const nextJsOrgRewriteConfig = { + // :orgSlug is special value which would get matching group from the regex in orgHostPath + orgSlug: process.env.NEXT_PUBLIC_SINGLE_ORG_SLUG || `:${orgSlugCaptureGroupName}`, + orgHostPath: getRegExpThatMatchesAllOrgDomains({ + webAppUrl: process.env.NEXT_PUBLIC_WEBAPP_URL || `https://${process.env.VERCEL_URL}`, + }), + // We disable root path rewrite because we want to serve dashboard on root path + disableRootPathRewrite: isSingleOrgModeEnabled, +}; + +exports.nextJsOrgRewriteConfig = nextJsOrgRewriteConfig; diff --git a/apps/web/getSubdomainRegExp.js b/apps/web/getSubdomainRegExp.js deleted file mode 100644 index 33f38e150c726d..00000000000000 --- a/apps/web/getSubdomainRegExp.js +++ /dev/null @@ -1,15 +0,0 @@ -const getDefaultSubdomain = (url) => { - if (!url.startsWith("http:") && !url.startsWith("https:")) { - // Make it a valid URL. Mabe we can simply return null and opt-out from orgs support till the use a URL scheme. - url = `https://${url}`; - } - const _url = new URL(url); - const regex = new RegExp(/^([a-z]+\:\/{2})?((?[\w-.]+)\.[\w-]+\.\w+)$/); - //console.log(_url.hostname, _url.hostname.match(regex)); - return _url.hostname.match(regex)?.groups?.subdomain || null; -}; -exports.getSubdomainRegExp = (url) => { - const defaultSubdomain = getDefaultSubdomain(url); - const subdomain = defaultSubdomain ? `(?!${defaultSubdomain})[^.]+` : "[^.]+"; - return subdomain; -}; diff --git a/apps/web/next.config.js b/apps/web/next.config.js index 7bd6e133b0d26f..f66a47cedf416d 100644 --- a/apps/web/next.config.js +++ b/apps/web/next.config.js @@ -7,12 +7,11 @@ const { withSentryConfig } = require("@sentry/nextjs"); const { version } = require("./package.json"); const { i18n } = require("./next-i18next.config"); const { - orgHostPath, + nextJsOrgRewriteConfig, orgUserRoutePath, orgUserTypeRoutePath, orgUserTypeEmbedRoutePath, } = require("./pagesAndRewritePaths"); - if (!process.env.NEXTAUTH_SECRET) throw new Error("Please set NEXTAUTH_SECRET"); if (!process.env.CALENDSO_ENCRYPTION_KEY) throw new Error("Please set CALENDSO_ENCRYPTION_KEY"); const isOrganizationsEnabled = @@ -119,55 +118,60 @@ if (process.env.ANALYZE === "true") { } plugins.push(withAxiom); +const orgDomainMatcherConfig = { + root: nextJsOrgRewriteConfig.disableRootPathRewrite + ? null + : { + has: [ + { + type: "host", + value: nextJsOrgRewriteConfig.orgHostPath, + }, + ], + source: "/", + }, -const matcherConfigRootPath = { - has: [ - { - type: "host", - value: orgHostPath, - }, - ], - source: "/", -}; - -const matcherConfigRootPathEmbed = { - has: [ - { - type: "host", - value: orgHostPath, - }, - ], - source: "/embed", -}; + rootEmbed: nextJsOrgRewriteConfig.disableRootEmbedPathRewrite + ? null + : { + has: [ + { + type: "host", + value: nextJsOrgRewriteConfig.orgHostPath, + }, + ], + source: "/embed", + }, -const matcherConfigUserRoute = { - has: [ - { - type: "host", - value: orgHostPath, - }, - ], - source: orgUserRoutePath, -}; + user: { + has: [ + { + type: "host", + value: nextJsOrgRewriteConfig.orgHostPath, + }, + ], + source: orgUserRoutePath, + }, -const matcherConfigUserTypeRoute = { - has: [ - { - type: "host", - value: orgHostPath, - }, - ], - source: orgUserTypeRoutePath, -}; + userType: { + has: [ + { + type: "host", + value: nextJsOrgRewriteConfig.orgHostPath, + }, + ], + source: orgUserTypeRoutePath, + }, -const matcherConfigUserTypeEmbedRoute = { - has: [ - { - type: "host", - value: orgHostPath, - }, - ], - source: orgUserTypeEmbedRoutePath, + userTypeEmbed: { + has: [ + { + type: "host", + value: nextJsOrgRewriteConfig.orgHostPath, + }, + ], + source: orgUserTypeEmbedRoutePath, + }, }; /** @type {import("next").NextConfig} */ @@ -287,6 +291,7 @@ const nextConfig = { return config; }, async rewrites() { + const { orgSlug } = nextJsOrgRewriteConfig; const beforeFiles = [ { source: "/forms/:formQuery*", @@ -322,29 +327,33 @@ const nextConfig = { // These rewrites are other than booking pages rewrites and so that they aren't redirected to org pages ensure that they happen in beforeFiles ...(isOrganizationsEnabled ? [ + orgDomainMatcherConfig.root + ? { + ...orgDomainMatcherConfig.root, + destination: `/team/${orgSlug}?isOrgProfile=1`, + } + : null, + orgDomainMatcherConfig.rootEmbed + ? { + ...orgDomainMatcherConfig.rootEmbed, + destination: `/team/${orgSlug}/embed?isOrgProfile=1`, + } + : null, { - ...matcherConfigRootPath, - destination: "/team/:orgSlug?isOrgProfile=1", + ...orgDomainMatcherConfig.user, + destination: `/org/${orgSlug}/:user`, }, { - ...matcherConfigRootPathEmbed, - destination: "/team/:orgSlug/embed?isOrgProfile=1", + ...orgDomainMatcherConfig.userType, + destination: `/org/${orgSlug}/:user/:type`, }, { - ...matcherConfigUserRoute, - destination: "/org/:orgSlug/:user", - }, - { - ...matcherConfigUserTypeRoute, - destination: "/org/:orgSlug/:user/:type", - }, - { - ...matcherConfigUserTypeEmbedRoute, - destination: "/org/:orgSlug/:user/:type/embed", + ...orgDomainMatcherConfig.userTypeEmbed, + destination: `/org/${orgSlug}/:user/:type/embed`, }, ] : []), - ]; + ].filter(Boolean); let afterFiles = [ { @@ -388,6 +397,7 @@ const nextConfig = { }; }, async headers() { + const { orgSlug } = nextJsOrgRewriteConfig; // This header can be set safely as it ensures the browser will load the resources even when COEP is set. // But this header must be set only on those resources that are safe to be loaded in a cross-origin context e.g. all embeddable pages's resources const CORP_CROSS_ORIGIN_HEADER = { @@ -474,45 +484,47 @@ const nextConfig = { ], ...(isOrganizationsEnabled ? [ + orgDomainMatcherConfig.root + ? { + ...orgDomainMatcherConfig.root, + headers: [ + { + key: "X-Cal-Org-path", + value: `/team/${orgSlug}`, + }, + ], + } + : null, { - ...matcherConfigRootPath, - headers: [ - { - key: "X-Cal-Org-path", - value: "/team/:orgSlug", - }, - ], - }, - { - ...matcherConfigUserRoute, + ...orgDomainMatcherConfig.user, headers: [ { key: "X-Cal-Org-path", - value: "/org/:orgSlug/:user", + value: `/org/${orgSlug}/:user`, }, ], }, { - ...matcherConfigUserTypeRoute, + ...orgDomainMatcherConfig.userType, headers: [ { key: "X-Cal-Org-path", - value: "/org/:orgSlug/:user/:type", + value: `/org/${orgSlug}/:user/:type`, }, ], }, { - ...matcherConfigUserTypeEmbedRoute, + ...orgDomainMatcherConfig.userTypeEmbed, headers: [ { key: "X-Cal-Org-path", - value: "/org/:orgSlug/:user/:type/embed", + value: `/org/${orgSlug}/:user/:type/embed`, }, ], }, ] : []), - ]; + ].filter(Boolean); }, async redirects() { const redirects = [ @@ -592,7 +604,7 @@ const nextConfig = { { type: "header", key: "host", - value: orgHostPath, + value: nextJsOrgRewriteConfig.orgHostPath, }, ], destination: "/event-types?openPlain=true", diff --git a/apps/web/pagesAndRewritePaths.js b/apps/web/pagesAndRewritePaths.js index 2b02b69dfabdb9..722d95417d24c9 100644 --- a/apps/web/pagesAndRewritePaths.js +++ b/apps/web/pagesAndRewritePaths.js @@ -1,5 +1,5 @@ const glob = require("glob"); -const { getSubdomainRegExp } = require("./getSubdomainRegExp"); +const { nextJsOrgRewriteConfig } = require("./getNextjsOrgRewriteConfig"); /** Needed to rewrite public booking page, gets all static pages but [user] */ // Pages found here are excluded from redirects in beforeFiles in next.config.js let pages = (exports.pages = glob @@ -35,10 +35,7 @@ let pages = (exports.pages = glob // [^/]+ makes the RegExp match the full path, it seems like a partial match doesn't work. // book$ ensures that only /book is excluded from rewrite(which is at the end always) and not /booked -let subdomainRegExp = (exports.subdomainRegExp = getSubdomainRegExp( - process.env.NEXT_PUBLIC_WEBAPP_URL || `https://${process.env.VERCEL_URL}` -)); -exports.orgHostPath = `^(?${subdomainRegExp})\\.(?!vercel\.app).*`; +exports.nextJsOrgRewriteConfig = nextJsOrgRewriteConfig; /** * Returns a regex that matches all existing routes, virtual routes (like /forms, /router, /success etc) and nextjs special paths (_next, public) diff --git a/apps/web/test/lib/next-config.test.ts b/apps/web/test/lib/next-config.test.ts index 9330269fbc827f..04cf189f30ff8f 100644 --- a/apps/web/test/lib/next-config.test.ts +++ b/apps/web/test/lib/next-config.test.ts @@ -1,7 +1,7 @@ import { it, expect, describe, beforeAll } from "vitest"; -// eslint-disable-next-line @typescript-eslint/no-var-requires -const { getSubdomainRegExp } = require("../../getSubdomainRegExp"); +import { getRegExpThatMatchesAllOrgDomains } from "../../getNextjsOrgRewriteConfig"; + // eslint-disable-next-line @typescript-eslint/no-var-requires const { match, pathToRegexp } = require("next/dist/compiled/path-to-regexp"); type MatcherRes = (path: string) => { params: Record }; @@ -30,51 +30,64 @@ beforeAll(async () => { }); describe("next.config.js - Org Rewrite", () => { - const orgHostRegExp = (subdomainRegExp: string) => - // RegExp copied from pagesAndRewritePaths.js orgHostPath. Do make the change there as well. - new RegExp(`^(?${subdomainRegExp})\\.(?!vercel\.app).*`); - - describe("Host matching based on NEXT_PUBLIC_WEBAPP_URL", () => { - it("https://app.cal.com", () => { - const subdomainRegExp = getSubdomainRegExp("https://app.cal.com"); - expect(orgHostRegExp(subdomainRegExp).exec("app.cal.com")).toEqual(null); - expect(orgHostRegExp(subdomainRegExp).exec("company.app.cal.com")?.groups?.orgSlug).toEqual("company"); - expect(orgHostRegExp(subdomainRegExp).exec("org.cal.com")?.groups?.orgSlug).toEqual("org"); - - expect(orgHostRegExp(subdomainRegExp).exec("localhost:3000")).toEqual(null); + describe("getRegExpThatMatchesAllOrgDomains", () => { + it("WEBAPP_URL=app.cal.com", () => { + const regExp = new RegExp(getRegExpThatMatchesAllOrgDomains({ webAppUrl: "app.cal.com" })); + expect(regExp.exec("acme.cal.com")?.groups?.orgSlug).toEqual("acme"); + expect(regExp.exec("app.cal.com")).toEqual(null); + // Even though it matches abc. We shouldn't match it as it isn't a subdomain of cal.com(derived from WEBAPP_URL) + // We could fix the RegExp, but that might break some unexpected self-hosted scenarios. So, we can fix it separately. + expect(regExp.exec("abc.sdafasdf.com")?.groups?.orgSlug).toEqual("abc"); }); - it("app.cal.com", () => { - const subdomainRegExp = getSubdomainRegExp("app.cal.com"); - expect(orgHostRegExp(subdomainRegExp).exec("app.cal.com")).toEqual(null); - expect(orgHostRegExp(subdomainRegExp).exec("company.app.cal.com")?.groups?.orgSlug).toEqual("company"); + it("WEBAPP_URL=https://app.cal.com", () => { + const regExp = new RegExp(getRegExpThatMatchesAllOrgDomains({ webAppUrl: "https://app.cal.com" })); + expect(regExp.exec("acme.cal.com")?.groups?.orgSlug).toEqual("acme"); + expect(regExp.exec("app.cal.com")).toEqual(null); + + // This approach though not used by managed cal.com, but might be in use by self-hosted users. + expect(regExp.exec("acme.app.cal.com")?.groups?.orgSlug).toEqual("acme"); + + // TODO: Even though it gives abc orgSlug. We shouldn't match it as it isn't a subdomain of cal.com(derived from WEBAPP_URL) + // We could fix the RegExp, but that might break some unexpected self-hosted scenarios. So, we can fix it separately. + expect(regExp.exec("abc.sdafasdf.com")?.groups?.orgSlug).toEqual("abc"); }); - it("https://calcom.app.company.com", () => { - const subdomainRegExp = getSubdomainRegExp("https://calcom.app.company.com"); - expect(orgHostRegExp(subdomainRegExp).exec("calcom.app.company.com")).toEqual(null); - expect(orgHostRegExp(subdomainRegExp).exec("acme.calcom.app.company.com")?.groups?.orgSlug).toEqual( - "acme" + it("WEBAPP_URL=https://booker.dashboard.company.com", () => { + const regExp = new RegExp( + getRegExpThatMatchesAllOrgDomains({ webAppUrl: "https://booker.dashboard.company.com" }) ); + + // This approach though not used by managed cal.com, but might be in use by self-hosted users. + expect(regExp.exec("acme.booker.dashboard.company.com")?.groups?.orgSlug).toEqual("acme"); + expect(regExp.exec("booker.dashboard.company.com")).toEqual(null); }); - it("https://calcom.example.com", () => { - const subdomainRegExp = getSubdomainRegExp("https://calcom.example.com"); - expect(orgHostRegExp(subdomainRegExp).exec("calcom.example.com")).toEqual(null); - expect(orgHostRegExp(subdomainRegExp).exec("acme.calcom.example.com")?.groups?.orgSlug).toEqual("acme"); - // The following also matches which causes anything other than the domain in NEXT_PUBLIC_WEBAPP_URL to give 404 - expect(orgHostRegExp(subdomainRegExp).exec("some-other.company.com")?.groups?.orgSlug).toEqual( - "some-other" + it("WEBAPP_URL=http://app.cal.local:3000", () => { + const regExp = new RegExp( + getRegExpThatMatchesAllOrgDomains({ webAppUrl: "http://app.cal.local:3000" }) ); + expect(regExp.exec("acme.cal.local:3000")?.groups?.orgSlug).toEqual("acme"); + expect(regExp.exec("acme.app.cal.local:3000")?.groups?.orgSlug).toEqual("acme"); + expect(regExp.exec("app.cal.local:3000")).toEqual(null); }); - it("Should ignore Vercel preview URLs", () => { - const subdomainRegExp = getSubdomainRegExp("https://cal-xxxxxxxx-cal.vercel.app"); - expect( - orgHostRegExp(subdomainRegExp).exec("https://cal-xxxxxxxx-cal.vercel.app") - ).toMatchInlineSnapshot("null"); - expect(orgHostRegExp(subdomainRegExp).exec("cal-xxxxxxxx-cal.vercel.app")).toMatchInlineSnapshot( - "null" - ); + + it("Vercel Preview special handling - vercel.app. Cal.com deployed on vercel apps have different subdomains, so we can't consider them org domains", () => { + const regExp = new RegExp(getRegExpThatMatchesAllOrgDomains({ webAppUrl: "http://app.vercel.app" })); + // It is not matching on vercel.app but would have matched in any other case + expect(regExp.exec("acme.vercel.app")).toEqual(null); + expect(regExp.exec("app.vercel.app")).toEqual(null); + }); + + describe("NEXT_PUBLIC_SINGLE_ORG_MODE_ENABLED=1", () => { + process.env.NEXT_PUBLIC_SINGLE_ORG_MODE_ENABLED = "1"; + it("WEBAPP_URL=http://app.cal.local:3000", () => { + const regExp = new RegExp( + getRegExpThatMatchesAllOrgDomains({ webAppUrl: "http://app.cal.local:3000" }) + ); + expect(regExp.exec("acme.cal.local:3000")?.groups?.orgSlug).toEqual("acme"); + expect(regExp.exec("app.cal.local:3000")).toEqual(null); + }); }); }); diff --git a/turbo.json b/turbo.json index c13effa3087329..a9871f96d354a5 100644 --- a/turbo.json +++ b/turbo.json @@ -457,6 +457,7 @@ "VAPID_PRIVATE_KEY", "HUDDLE01_API_TOKEN", "REPLEXICA_API_KEY", - "DIRECTORY_IDS_TO_LOG" + "DIRECTORY_IDS_TO_LOG", + "NEXT_PUBLIC_SINGLE_ORG_SLUG" ] }