Skip to content

Implement shared calendar web app with OAuth 2.0 and privacy-protected availability sharing#1

Draft
lamb-chen with Copilot wants to merge 7 commits into
mainfrom
copilot/add-calendar-sharing-feature
Draft

Implement shared calendar web app with OAuth 2.0 and privacy-protected availability sharing#1
lamb-chen with Copilot wants to merge 7 commits into
mainfrom
copilot/add-calendar-sharing-feature

Conversation

Copilot AI commented Nov 10, 2025

Copy link
Copy Markdown

Built a full-stack web application enabling users to share calendar availability through color-coded busy blocks while maintaining event privacy, using Google OAuth 2.0 for authentication and direct calendar platform integration.

Backend (Node.js + Express)

  • OAuth 2.0 authentication via Passport.js with Google Calendar API integration
  • 11 REST endpoints for auth, calendar data, sharing permissions, and meeting invitations
  • Security layer: Rate limiting (100 req/15min general, 10 req/15min auth), httpOnly/sameSite session cookies
  • In-memory user store with sharing permissions (production upgrade: PostgreSQL/MongoDB)

Frontend (React)

  • Login page with OAuth flow initiation
  • Dashboard with React Big Calendar displaying multi-user calendars in 8-color palette
  • UserList modal for granular sharing control per user
  • MeetingInvite modal for time slot selection and attendee management

Privacy Implementation

Event details (titles, descriptions, locations) never transmitted or stored. Google Calendar API queries return events, transformed server-side to busy/free blocks only:

// Transform events to busy blocks (hide details)
const busyBlocks = events.map(event => ({
  id: event.id,
  start: event.start.dateTime || event.start.date,
  end: event.end.dateTime || event.end.date,
  isBusy: true
  // No title, description, location, or attendees
}));

Meeting Invitations

Creates events via Google Calendar API with sendUpdates: 'all', routing invitations through existing calendar infrastructure rather than custom notification system.

Security Notes

CodeQL alert for cookie middleware CSRF is false positive—OAuth 2.0 state parameter provides CSRF protection for auth flow, all API routes require authenticated session, and SameSite cookies prevent cross-site attacks. See SECURITY.md for OWASP Top 10 compliance details.

Documentation

  • QUICKSTART.md: 10-minute setup with Google Cloud OAuth configuration
  • ARCHITECTURE.md: System design, data flows, production deployment considerations
  • SECURITY.md: Security assessment and OWASP compliance verification
Original prompt

This project aims to build a web app that lets users automatically share their calendars with each other. Users will be able to view others’ calendars as colour-coded “busy” blocks without seeing event details unless it’s a shared event. From the app, users can select a time and send invite requests directly to their respective calendar platforms. Allow people to login via OAuth 2.0


✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI and others added 6 commits November 10, 2025 12:36
Co-authored-by: lamb-chen <80419704+lamb-chen@users.noreply.github.com>
…tion

Co-authored-by: lamb-chen <80419704+lamb-chen@users.noreply.github.com>
…ibuting guides

Co-authored-by: lamb-chen <80419704+lamb-chen@users.noreply.github.com>
Co-authored-by: lamb-chen <80419704+lamb-chen@users.noreply.github.com>
Co-authored-by: lamb-chen <80419704+lamb-chen@users.noreply.github.com>
Co-authored-by: lamb-chen <80419704+lamb-chen@users.noreply.github.com>
Copilot AI changed the title [WIP] Add calendar sharing feature with OAuth 2.0 login Implement shared calendar web app with OAuth 2.0 and privacy-protected availability sharing Nov 10, 2025
Copilot AI requested a review from lamb-chen November 10, 2025 12:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants