fix: security and quality improvements across tRPC routers

Dnyanesh182 · Dnyanesh182 · commit ffe2beae7796 · 2026-06-02T23:21:49.000+05:30
- fix(bookings): replace credentials: true with select to prevent credential.key exposure in booking middleware - fix(eventTypes): remove console.log statements that leaked private hashed link data to stdout - fix(schedule): replace console.log with structured logger.error in getScheduleByEventTypeSlug - refactor(eventTypes): replace Prisma include with select in getEventTypesFromGroup and duplicate handlers - fix(eventTypes): add missing scheduleId/groupId/memberId to hosts select in duplicate handler - fix(eventTypes): remove @ts-expect-error by typing reduce accumulator as Record<string, unknown>
diff --git a/packages/trpc/server/routers/viewer/availability/schedule/getScheduleByEventTypeSlug.handler.ts b/packages/trpc/server/routers/viewer/availability/schedule/getScheduleByEventTypeSlug.handler.ts
@@ -1,3 +1,4 @@
+import logger from "@calcom/lib/logger";
 import type { PrismaClient } from "@calcom/prisma";
 
 import type { TrpcSessionUser } from "../../../../types";
@@ -57,7 +58,7 @@ export const getScheduleByEventSlugHandler = async ({ ctx, input }: GetOptions)
       },
     });
   } catch (e) {
-    console.log(e);
+    logger.error("Failed to retrieve schedule by event type slug", e);
     return {
       id: -1,
       name: "No schedules found",
diff --git a/packages/trpc/server/routers/viewer/bookings/util.ts b/packages/trpc/server/routers/viewer/bookings/util.ts
@@ -39,7 +39,13 @@ export const bookingsProcedure = authedProcedure
       user: {
         include: {
           destinationCalendar: true,
-          credentials: true,
+          credentials: {
+            select: {
+              id: true,
+              type: true,
+              appId: true,
+            },
+          },
           profiles: {
             select: {
               organizationId: true,
@@ -114,7 +120,7 @@ export type BookingsProcedureContext = {
     user:
       | (User & {
           destinationCalendar: DestinationCalendar | null;
-          credentials: Credential[];
+          credentials: Pick<Credential, "id" | "type" | "appId">[];
           profiles: { organizationId: number }[];
         })
       | null;
diff --git a/packages/trpc/server/routers/viewer/eventTypes/getEventTypesFromGroup.handler.ts b/packages/trpc/server/routers/viewer/eventTypes/getEventTypesFromGroup.handler.ts
@@ -176,7 +176,7 @@ export const getEventTypesFromGroup = async ({
       accepted: true,
       role: "MEMBER",
     },
-    include: {
+    select: {
       team: {
         select: {
           isPrivate: true,
diff --git a/packages/trpc/server/routers/viewer/eventTypes/heavy/duplicate.handler.ts b/packages/trpc/server/routers/viewer/eventTypes/heavy/duplicate.handler.ts
@@ -38,9 +38,28 @@ export const duplicateHandler = async ({ ctx, input }: DuplicateOptions) => {
             id: true,
           },
         },
-        hosts: true,
-        team: true,
-        webhooks: true,
+        hosts: {
+          select: {
+            userId: true,
+            isFixed: true,
+            priority: true,
+            weight: true,
+            eventTypeId: true,
+            scheduleId: true,
+            groupId: true,
+            memberId: true,
+          },
+        },
+        team: {
+          select: {
+            id: true,
+          },
+        },
+        webhooks: {
+          select: {
+            id: true,
+          },
+        },
         hashedLink: true,
         destinationCalendar: true,
         calVideoSettings: {
diff --git a/packages/trpc/server/routers/viewer/eventTypes/heavy/update.handler.ts b/packages/trpc/server/routers/viewer/eventTypes/heavy/update.handler.ts
@@ -608,11 +608,11 @@ export const updateHandler = async ({ ctx, input }: UpdateOptions) => {
       break;
     }
   }
-  console.log("multiplePrivateLinks", multiplePrivateLinks);
+
   // Handle multiple private links using the service
   const privateLinksRepo = HashedLinkRepository.create();
   const connectedLinks = await privateLinksRepo.findLinksByEventTypeId(input.id);
-  console.log("connectedLinks", connectedLinks);
+
   const connectedMultiplePrivateLinks = connectedLinks.map((link) => link.link);
 
   const privateLinksService = new HashedLinkService();
@@ -724,9 +724,8 @@ export const updateHandler = async ({ ctx, input }: UpdateOptions) => {
     });
   }
 
-  const updatedValues = Object.entries(data).reduce((acc, [key, value]) => {
+  const updatedValues = Object.entries(data).reduce<Record<string, unknown>>((acc, [key, value]) => {
     if (value !== undefined) {
-      // @ts-expect-error Element implicitly has any type
       acc[key] = value;
     }
     return acc;

Original file line number	Diff line number	Diff line change
`@@ -608,11 +608,11 @@ export const updateHandler = async ({ ctx, input }: UpdateOptions) => {`
`608`	`608`	`break;`
`609`	`609`	`}`
`610`	`610`	`}`
`611`		`- console.log("multiplePrivateLinks", multiplePrivateLinks);`
	`611`	`+`
`612`	`612`	`// Handle multiple private links using the service`
`613`	`613`	`const privateLinksRepo = HashedLinkRepository.create();`
`614`	`614`	`const connectedLinks = await privateLinksRepo.findLinksByEventTypeId(input.id);`
`615`		`- console.log("connectedLinks", connectedLinks);`
	`615`	`+`
`616`	`616`	`const connectedMultiplePrivateLinks = connectedLinks.map((link) => link.link);`
`617`	`617`
`618`	`618`	`const privateLinksService = new HashedLinkService();`
`@@ -724,9 +724,8 @@ export const updateHandler = async ({ ctx, input }: UpdateOptions) => {`
`724`	`724`	`});`
`725`	`725`	`}`
`726`	`726`
`727`		`- const updatedValues = Object.entries(data).reduce((acc, [key, value]) => {`
	`727`	`+ const updatedValues = Object.entries(data).reduce<Record<string, unknown>>((acc, [key, value]) => {`
`728`	`728`	`if (value !== undefined) {`
`729`		`- // @ts-expect-error Element implicitly has any type`
`730`	`729`	`acc[key] = value;`
`731`	`730`	`}`
`732`	`731`	`return acc;`