Start creating v3 of the product

[ShashankFC]

---

EntelligenceAI PR Summary

This PR enhances API v2 services with performance optimizations, improved error handling, and OAuth compliance fixes.

• Implemented Redis caching for team billing statistics with 1-hour TTL to reduce dashboard load times
• Added user metadata fetching to booking responses (introduces N+1 query pattern)
• Enhanced API key service with error logging and documented key rotation flow
• Fixed Zoom OAuth integration by adding proper Content-Type header to token exchange requests
• Added closing acknowledgment section to README documentation

[entelligence-ai-pr-reviews]

Entelligence AI Vulnerability Scanner

Status: No security vulnerabilities found

Your code passed our comprehensive security analysis.

Analyzed 4 files in total

[entelligence-ai-pr-reviews]

Review Summary

❌ Rejected Comments (5)

This section lists 5 comments that were identified as fundamentally incorrect and filtered out during review validation. It is only visible on our internal repositories.

apps/api/v2/src/ee/bookings/2024-08-13/services/bookings.service.ts (1)

666-667: await is missing before this.usersRepository.findById(booking.userId) in the loop, causing userMetadata to be a Promise instead of the actual metadata, which will break downstream consumers expecting an object.

📊 Impact Scores:

• Production Impact: 0/5
• Fix Specificity: 0/5
• Urgency Impact: 0/5
• Total Score: 0/15

Reason for rejection: The comment claims that 'await' is missing before 'this.usersRepository.findById(booking.userId)', but examining the actual code at lines 664-666 shows that 'await' is already present on line 665. The bug description is factually incorrect - the code is already properly implemented with the await keyword.

Analysis: This is a false positive where the reviewer has incorrectly identified a missing 'await' keyword that is actually present in the code. The comment should be removed as it would waste developer time investigating a non-existent issue.

---

apps/api/v2/src/modules/api-keys/services/api-keys.service.ts (1)

28-29: getRequestApiKey logs the full Authorization header (potentially including sensitive API keys) to the console on authentication failure, risking sensitive data exposure in logs.

📊 Impact Scores:

• Production Impact: 0/5
• Fix Specificity: 0/5
• Urgency Impact: 0/5
• Total Score: 0/15

Reason for rejection: Based on learning #1, the user wants to avoid comments about logging sensitive information in plaintext when they have controlled access to logs. This security concern about logging Authorization headers falls into that category and should be removed per user preferences.

Analysis: While the comment is technically accurate about logging sensitive Authorization header data, the established learning indicates the user doesn't want these types of logging security comments, likely due to controlled log access. The suggestion is technically sound but goes against user preferences for this type of security concern.

---

apps/api/v2/src/modules/billing/services/billing-service-caching-proxy.ts (1)

139-153: getTeamBillingStats caches and returns the raw result of this.billingService.getBillingData, which may include sensitive or user-specific data not intended for stats caching, risking data leakage or incorrect dashboard stats.

📊 Impact Scores:

• Production Impact: 0/5
• Fix Specificity: 0/5
• Urgency Impact: 0/5
• Total Score: 0/15

Reason for rejection: The comment assumes that this.billingService.getTeamBillingStats(teamId, orgId) exists, but there's no evidence in the structured context that this method is available on the billing service. The suggestion would likely cause a runtime error by calling a non-existent method. While the concern about caching raw billing data vs stats is conceptually valid, the fix is not implementable without first ensuring the target method exists.

Analysis: The bug description correctly identifies that the method calls getBillingData instead of a stats-specific method, and the line numbers are accurate. However, the suggested fix assumes the existence of getTeamBillingStats method on the billing service without verification. This would break the code if applied, making it a technically inaccurate suggestion that should be removed.

---

apps/api/v2/src/modules/conferencing/services/zoom-video.service.ts (2)

95-95: expiry_date is set as Date.now() + responseBody.expires_in * 1000, but Date.now() returns ms and expires_in is in seconds, so the expiry is set too far in the future.

📊 Impact Scores:

• Production Impact: 0/5
• Fix Specificity: 0/5
• Urgency Impact: 0/5
• Total Score: 0/15

Reason for rejection: The comment is technically incorrect. The original code correctly calculates expiry_date by adding Date.now() (milliseconds) to expires_in * 1000 (seconds converted to milliseconds), resulting in a proper future timestamp in milliseconds. The suggested fix would incorrectly change the timestamp format from milliseconds to seconds, potentially breaking downstream code that expects milliseconds.

Analysis: The review comment misunderstands the timestamp calculation. The original code correctly handles the conversion from seconds (expires_in) to milliseconds by multiplying by 1000, then adds to Date.now() (already in milliseconds). The suggested fix would break the code by changing the expected data format from milliseconds to seconds.

---

102-104: findAllCredentialsByTypeAndTeamId and findAllCredentialsByTypeAndUserId are always called, even if no credentials exist, causing unnecessary DB queries for users/teams with no Zoom credentials (scalability impact for large user base).

📊 Impact Scores:

• Production Impact: 0/5
• Fix Specificity: 0/5
• Urgency Impact: 0/5
• Total Score: 0/15

Reason for rejection: The comment is based on incorrect understanding of the code flow. The userId parameter is required and validated earlier (lines 98-100), so the query will always execute with valid parameters. The suggestion to add conditional checks for userId/teamId existence is unnecessary since userId is guaranteed to exist at this point in the execution.

Analysis: The comment misunderstands the method's parameter requirements and validation flow. Since userId is a required parameter and validated before this code executes, the database queries are appropriately scoped and not unnecessarily called. The suggested optimization would add complexity without providing actual performance benefits.

---

🏷️ Draft Comments (3)

Skipped posting 3 draft comments that were valid but scored below your review threshold (>=13/15). Feel free to update them here.

apps/api/v2/src/ee/bookings/2024-08-13/services/bookings.service.ts (2)

663-667: await this.usersRepository.findById(booking.userId) is called inside a for-loop for every booking, causing N+1 database queries and major performance degradation for large result sets.

📊 Impact Scores:

• Production Impact: 4/5
• Fix Specificity: 3/5
• Urgency Impact: 3/5
• Total Score: 10/15

🤖 AI Agent Prompt (Copy & Paste Ready):

In apps/api/v2/src/ee/bookings/2024-08-13/services/bookings.service.ts, lines 663-667, the code performs an N+1 query by calling `await this.usersRepository.findById(booking.userId)` inside a loop for each booking. Refactor this to batch-fetch all needed users in a single query before the loop (e.g., `findByIds`), build a map of userId to user, and use that map inside the loop. This will significantly improve performance for large booking result sets.

---

675-675: userMetadata: bookingUser?.metadata exposes the entire user metadata object for each booking, which may contain sensitive information (PII, tokens, internal flags) not intended for API consumers.

📊 Impact Scores:

• Production Impact: 4/5
• Fix Specificity: 2/5
• Urgency Impact: 3/5
• Total Score: 9/15

🤖 AI Agent Prompt (Copy & Paste Ready):

In apps/api/v2/src/ee/bookings/2024-08-13/services/bookings.service.ts, lines 675-675, the code exposes the entire `userMetadata` object for each booking, which may include sensitive information such as PII, tokens, or internal flags. Restrict the exposed fields to only safe, non-sensitive properties (e.g., displayName, avatarUrl) and ensure no sensitive data is included in the API response.

---

apps/api/v2/src/modules/api-keys/services/api-keys.service.ts (1)

48-52: createApiKey always sets an expiration date even if apiKeyNeverExpires is true, causing keys meant to never expire to have an expiry.

📊 Impact Scores:

• Production Impact: 2/5
• Fix Specificity: 3/5
• Urgency Impact: 2/5
• Total Score: 7/15

🤖 AI Agent Prompt (Copy & Paste Ready):

In apps/api/v2/src/modules/api-keys/services/api-keys.service.ts, lines 48-52, the code always sets an expiration date for API keys, even when `apiKeyNeverExpires` is true. This causes keys that should never expire to have an expiry. Update the logic so that `apiKeyExpiresAt` is only set if `apiKeyNeverExpires` is not true, and is left undefined otherwise.

---

🔍 Comments beyond diff scope (1)

apps/api/v2/src/modules/conferencing/services/zoom-video.service.ts (1)

46-59: state parameter in generateZoomAuthUrl is used directly in the OAuth URL, allowing open redirect or CSRF attacks if not validated, potentially letting attackers hijack OAuth flows.
Category: security

---

[entelligence-ai-pr-reviews]

Walkthrough

This PR introduces several service-level improvements across the API v2 codebase. Key enhancements include adding a caching layer for team billing statistics to optimize dashboard performance, implementing user metadata fetching in booking responses, and improving the Zoom OAuth integration with proper content-type headers. Error logging capabilities were enhanced in the API key service with better debugging information and documentation for key rotation flows. Additionally, a minor documentation update adds a closing acknowledgment to the README.

Changes

File(s)	Summary
README.md	Added a closing acknowledgment section with '## Thanks for reading' heading at the end of the documentation.
apps/api/v2/src/ee/bookings/2024-08-13/services/bookings.service.ts	Added user profile fetching logic within booking iteration loop to retrieve and include user metadata in booking responses, introducing an N+1 query pattern.
apps/api/v2/src/modules/api-keys/services/api-keys.service.ts	Enhanced error logging with private logger object, added Authorization header logging on validation failures, and documented API key rotation operation ordering.
apps/api/v2/src/modules/billing/services/billing-service-caching-proxy.ts	Implemented getTeamBillingStats method with Redis caching layer using cache-aside pattern, 1-hour TTL, and team-specific cache keys to optimize dashboard performance.
apps/api/v2/src/modules/conferencing/services/zoom-video.service.ts	Added 'Content-Type: application/x-www-form-urlencoded' header to OAuth token exchange request and clarifying comment for Zoom API integration.

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    participant BookingService
    participant UsersRepository
    participant Database

    Note over BookingService: Processing bookings in loop
    
    loop For each booking
        BookingService->>BookingService: Check if booking.userId exists
        
        alt booking.userId exists
            BookingService->>UsersRepository: findById(booking.userId)
            activate UsersRepository
            UsersRepository->>Database: Query user by ID
            Database-->>UsersRepository: User data
            UsersRepository-->>BookingService: bookingUser with metadata
            deactivate UsersRepository
        else no userId
            BookingService->>BookingService: Set bookingUser = null
        end
        
        BookingService->>BookingService: Format booking object
        Note over BookingService: Includes eventType, startTime,<br/>endTime, absentHost, and<br/>NEW: userMetadata
        
        BookingService->>BookingService: Add userMetadata from bookingUser
        Note right of BookingService: Enriches booking with<br/>latest user metadata
    end

Loading

---

🔗 Cross-Repository Impact Analysis

Enable automatic detection of breaking changes across your dependent repositories. → Set up now

Learn more about Cross-Repository Analysis

What It Does

• Automatically identifies repositories that depend on this code
• Analyzes potential breaking changes across your entire codebase
• Provides risk assessment before merging to prevent cross-repo issues

How to Enable

1. Visit Settings → Code Management
2. Configure repository dependencies
3. Future PRs will automatically include cross-repo impact analysis!

Benefits

• 🛡️ Prevent breaking changes across repositories
• 🔍 Catch integration issues before they reach production
• 📊 Better visibility into your multi-repo architecture

---

▶️ ⚡ AI Code Reviews for VS Code, Cursor, Windsurf
Install the extension

Note for Windsurf

Please change the default marketplace provider to the following in the windsurf settings:

Marketplace Extension Gallery Service URL: https://marketplace.visualstudio.com/_apis/public/gallery

Marketplace Gallery Item URL: https://marketplace.visualstudio.com/items

Entelligence.ai can learn from your feedback. Simply add 👍 / 👎 emojis to teach it your preferences. More shortcuts below

Emoji Descriptions:

• ⚠️ Potential Issue - May require further investigation.
• 🔒 Security Vulnerability - Fix to ensure system safety.
• 💻 Code Improvement - Suggestions to enhance code quality.
• 🔨 Refactor Suggestion - Recommendations for restructuring code.
• ℹ️ Others - General comments and information.

Interact with the Bot:

• Send a message or request using the format:
  @entelligenceai + *your message*

Example: @entelligenceai Can you suggest improvements for this code?

• Help the Bot learn by providing feedback on its responses.
  @entelligenceai + *feedback*

Example: @entelligenceai Do not comment on `save_auth` function !

Also you can trigger various commands with the bot by doing
@entelligenceai command

The current supported commands are

1. config - shows the current config
2. retrigger_review - retriggers the review

More commands to be added soon.

[entelligence-ai-pr-reviews]

security: code parameter in connectZoomApp is used directly in the Zoom OAuth token request URL without validation, allowing an attacker to inject malicious values or perform SSRF if code is attacker-controlled.

🤖 AI Agent Prompt for Cursor/Windsurf

📋 Copy this prompt to your AI coding assistant (Cursor, Windsurf, etc.) to get help fixing this issue

In apps/api/v2/src/modules/conferencing/services/zoom-video.service.ts, lines 61-76, the `code` parameter is used directly in the OAuth token request URL without validation, which could allow SSRF or injection if attacker-controlled. Add strict validation to ensure `code` only contains safe characters (e.g., alphanumeric, dash, underscore) and reject any invalid input before using it in the URL.

📝 Committable Code Suggestion

‼️ Ensure you review the code suggestion before committing it to the branch. Make sure it replaces the highlighted code, contains no missing lines, and has no issues with indentation.

Suggested change

	const { client_id, client_secret } = await this.getZoomAppKeys();
	const redirectUri = encodeURI(this.redirectUri);
	const authHeader = `Basic ${Buffer.from(`${client_id}:${client_secret}`).toString("base64")}`;
	// Exchange authorization code for access token
	const result = await fetch(
	`https://zoom.us/oauth/token?grant_type=authorization_code&code=${code}&redirect_uri=${redirectUri}`,
	{
	method: "POST",
	headers: {
	Authorization: authHeader,
	"Content-Type": "application/x-www-form-urlencoded",
	},
	}
	);
	if (!/^[A-Za-z0-9\-_]+$/.test(code)) {
	throw new BadRequestException("Invalid authorization code format.");
	}
	const result = await fetch(
	`https://zoom.us/oauth/token?grant_type=authorization_code&code=${code}&redirect_uri=${redirectUri}`,
	{
	method: "POST",
	headers: {
	Authorization: authHeader,
	"Content-Type": "application/x-www-form-urlencoded",
	},
	}
	);