fix: UID cookie isn't accessible/created when in embed as it is third party context.

[codex-maintainers]

What does this PR do?

• Fixes [CAL-5240] Embeds: UID cookie isn't accessible/created when in embed as it is third party context. #19616
• Fixes CAL-5240

We currently use a uid cookie to both mark a reserved slot and gate the “Slot no longer available” rollout. On embeds, however, that cookie never gets set because SameSite=Lax cookies aren’t sent from <iframe>s and other third‑party contexts. This has two side–effects:

• Every slot a user clicks in an embed ends up blocked for everybody else because each reserveSlot call gets a fresh uid and we never “unlink” the previous provisional selection.
• We can’t roll out “Slot no longer available” on embeds because the feature flag requires the visitor to have a cookie.

This patch sets the uid cookie to SameSite=None; Secure in production (WEBAPP_URL starts with https://) and gracefully falls back to SameSite=Lax locally so you can still develop on http://localhost. Safari will still need special handling, but moving to SameSite=None unblocks Chrome and other major browsers.

A small unit test has been added under packages/trpc/server/routers/viewer/slots to exercise that the cookie emitted by reserveSlotHandler picks up the right security flags for both HTTP and HTTPS environments.

Mandatory Tasks (DO NOT REMOVE)

• I have self-reviewed the code (A decent size PR without self-review might be rejected).
• I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. If N/A, write N/A here and check the checkbox.
• I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

1. Run under an HTTPS WEBAPP_URL (or point NEXT_PUBLIC_WEBAPP_URL at an HTTPS origin).
2. Embed a booking page in a separate site and select a slot.
3. Open the browser’s cookie inspector inside the iframe: the uid cookie should now be present with SameSite=None and Secure set.
4. Click multiple timeslots – only your last selection should remain blocked for other visitors, and Quick Availability checks can be rolled out to embeds because uid is now visible.

For local development (http://localhost:3000), cookies continue to be SameSite=Lax/non‑secure so you won’t be forced to configure HTTPS.

[vercel]

@gopoto is attempting to deploy a commit to the cal Team on Vercel.

A member of the Team first needs to authorize it.

[CLAassistant]

All committers have signed the CLA.

[hariombalhara]

I don't think WEBAPP_URL could be undefined

Suggested change

	const useSecureCookies = WEBAPP_URL?.startsWith("https://");
	const useSecureCookies = WEBAPP_URL.startsWith("https://");

[codex-maintainers]

Dropped the optional chain on WEBAPP_URL — it always has a value so we can safely call startsWith.

[graphite-app]

Graphite Automations

"Add consumer team as reviewer" took an action on this PR • (03/11/25)

1 reviewer was added to this PR based on Keith Williams's automation.

"Add community label" took an action on this PR • (03/11/25)

1 label was added to this PR based on Keith Williams's automation.

[github-actions]

E2E results are ready!

• Workflow #52710.2 latest results

[keithwillcode]

These comments are redundant since the code is self-explanatory