From 8cdbfb9519e184edbaf4686d71246c229498714f Mon Sep 17 00:00:00 2001
From: Mel <97147377+MelissaAutumn@users.noreply.github.com>
Date: Wed, 16 Oct 2024 14:05:32 -0700
Subject: [PATCH] CalDAV autodiscovery (#718)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Initial WIP of caldav in FTUE + as an external connection

* Additional changes for caldav on FTUE:
* Renamed ftueStep.GooglePermissions to ftueStep.CalendarProvider
* Add a switch button during the FTUE calendar provider step
* Add modal text
* Refactor LoginView::handleFormError to be generic and now lives in utils
* Allow force fetching of external connections
* Add CalDAV as an external connection option
* Refactor GoogleOauthProvider to be more in-line with how CalDAVProvider works
* Add shortcuts for decrypt/encrypt in Python utils
* Cache dns lookup for the remainder of the ttl

* Add missing i18n

* Adjust how caldav connections are tested, and only pull in supported calendars

* Split the various methods we check caldav urls into separate functions

* Check if service is explicitly not supported

* Add some tests

* 🌐 Update German translation

* Fix handleFormErrors

* Rebase migration down id

* Fix unused imports, add some optional props, and fix secure calendars

* Fix a string lookup issue

---------

Co-authored-by: Andreas Müller <mail@devmount.de>
---
 backend/requirements.txt                      |   1 +
 backend/src/appointment/commands/update_db.py |   1 +
 .../src/appointment/controller/calendar.py    | 163 ++++++++++++++++--
 backend/src/appointment/database/models.py    |   1 +
 .../src/appointment/database/repo/calendar.py |   6 +-
 backend/src/appointment/database/schemas.py   |   6 +
 backend/src/appointment/main.py               |   2 +
 ...cf5d3ee14b_update_external_connections_.py |  32 ++++
 backend/src/appointment/routes/api.py         |  55 ++++--
 backend/src/appointment/routes/caldav.py      | 127 ++++++++++++++
 backend/src/appointment/routes/schedule.py    |   2 +
 backend/src/appointment/utils.py              |   8 +
 backend/test/conftest.py                      |   2 +-
 backend/test/integration/test_auth.py         |  55 +++++-
 backend/test/integration/test_calendar.py     |   2 +-
 backend/test/integration/test_schedule.py     |   6 +-
 backend/test/unit/test_calendar_tools.py      |  18 ++
 .../src/components/FTUE/CalDavProvider.vue    | 147 ++++++++++++++++
 .../src/components/FTUE/CalendarProvider.vue  |  66 +++++++
 ...ermissions.vue => GoogleOauthProvider.vue} |  30 +++-
 .../src/components/SettingsConnections.vue    |  66 ++++++-
 frontend/src/definitions.ts                   |  13 +-
 frontend/src/locales/de.json                  |  36 +++-
 frontend/src/locales/en.json                  |  31 +++-
 frontend/src/models.ts                        |   1 +
 .../src/stores/external-connections-store.ts  |  22 ++-
 frontend/src/stores/ftue-store.ts             |   8 +-
 frontend/src/utils.ts                         |  67 ++++++-
 .../src/views/FirstTimeUserExperienceView.vue |   4 +-
 frontend/src/views/LoginView.vue              |  29 +---
 30 files changed, 894 insertions(+), 113 deletions(-)
 create mode 100644 backend/src/appointment/migrations/versions/2024_10_09_2006-71cf5d3ee14b_update_external_connections_.py
 create mode 100644 backend/src/appointment/routes/caldav.py
 create mode 100644 frontend/src/components/FTUE/CalDavProvider.vue
 create mode 100644 frontend/src/components/FTUE/CalendarProvider.vue
 rename frontend/src/components/FTUE/{GooglePermissions.vue => GoogleOauthProvider.vue} (89%)

diff --git a/backend/requirements.txt b/backend/requirements.txt
index 651f7df58..6e18d2721 100644
--- a/backend/requirements.txt
+++ b/backend/requirements.txt
@@ -34,3 +34,4 @@ redis==5.0.7
 hiredis==2.3.2
 posthog==3.5.0
 slowapi==0.1.9
+dnspython==2.7.0
diff --git a/backend/src/appointment/commands/update_db.py b/backend/src/appointment/commands/update_db.py
index 922911625..f4d3fa64f 100644
--- a/backend/src/appointment/commands/update_db.py
+++ b/backend/src/appointment/commands/update_db.py
@@ -37,3 +37,4 @@ def run():
         else:
             print('Database already initialized, running migrations')
             command.upgrade(alembic_cfg, 'head')
+        print('Finished checking database')
diff --git a/backend/src/appointment/controller/calendar.py b/backend/src/appointment/controller/calendar.py
index fe1bbe961..150782e9f 100644
--- a/backend/src/appointment/controller/calendar.py
+++ b/backend/src/appointment/controller/calendar.py
@@ -8,10 +8,13 @@
 import time
 import zoneinfo
 import os
+from socket import getaddrinfo
+from urllib.parse import urlparse, urljoin
 
 import caldav.lib.error
 import requests
 import sentry_sdk
+from dns.exception import DNSException
 from redis import Redis, RedisCluster
 from caldav import DAVClient
 from fastapi import BackgroundTasks
@@ -19,7 +22,10 @@
 from icalendar import Calendar, Event, vCalAddress, vText
 from datetime import datetime, timedelta, timezone, UTC
 
+from sqlalchemy.orm import Session
+
 from .. import utils
+from ..database.schemas import CalendarConnection
 from ..defines import REDIS_REMOTE_EVENTS_KEY, DATEFMT
 from .apis.google_client import GoogleClient
 from ..database.models import CalendarProvider, BookingStatus
@@ -279,40 +285,79 @@ def delete_events(self, start):
 
 
 class CalDavConnector(BaseConnector):
-    def __init__(self, subscriber_id: int, calendar_id: int, redis_instance, url: str, user: str, password: str):
+    def __init__(self, db: Session, subscriber_id: int, calendar_id: int, redis_instance, url: str, user: str, password: str):
         super().__init__(subscriber_id, calendar_id, redis_instance)
 
+        self.db = db
         self.provider = CalendarProvider.caldav
-        self.url = url if url[-1] == '/' else url + '/'
+        self.url = url
         self.password = password
         self.user = user
 
         # connect to the CalDAV server
-        self.client = DAVClient(url=url, username=user, password=password)
+        self.client = DAVClient(url=self.url, username=self.user, password=self.password)
 
     def test_connection(self) -> bool:
         """Ensure the connection information is correct and the calendar connection works"""
 
+        supports_vevent = False
+
         try:
-            cal = self.client.calendar(url=self.url)
-            supported_comps = cal.get_supported_components()
+            cals = self.client.principal()
+            for cal in cals.calendars():
+                supported_comps = cal.get_supported_components()
+                supports_vevent = 'VEVENT' in supported_comps
+                # If one supports it, then that's good enough!
+                if supports_vevent:
+                    break
         except IndexError as ex:  # Library has an issue with top level urls, probably due to caldav spec?
-            logging.error(f'Error testing connection {ex}')
+            logging.error(f'IE: Error testing connection {ex}')
             return False
         except KeyError as ex:
-            logging.error(f'Error testing connection {ex}')
+            logging.error(f'KE: Error testing connection {ex}')
             return False
-        except requests.exceptions.RequestException:  # Max retries exceeded, bad connection, missing schema, etc...
+        except requests.exceptions.RequestException as ex:  # Max retries exceeded, bad connection, missing schema, etc...
             return False
-        except caldav.lib.error.NotFoundError:  # Good server, bad url.
+        except caldav.lib.error.NotFoundError as ex:  # Good server, bad url.
             return False
 
         # They need at least VEVENT support for appointment to work.
-        return 'VEVENT' in supported_comps
+        return supports_vevent
 
     def sync_calendars(self):
-        # We don't sync anything for caldav, but might as well bust event cache.
-        self.bust_cached_events(all_calendars=True)
+        error_occurred = False
+
+        principal = self.client.principal()
+        for cal in principal.calendars():
+            # Does this calendar support vevents?
+            supported_comps = cal.get_supported_components()
+
+            if 'VEVENT' not in supported_comps:
+                continue
+
+            calendar = schemas.CalendarConnection(
+                title=cal.name,
+                url=str(cal.url),
+                user=self.user,
+                password=self.password,
+                provider=CalendarProvider.caldav
+            )
+
+            # add calendar
+            try:
+                repo.calendar.update_or_create(
+                    db=self.db, calendar=calendar, calendar_url=calendar.url, subscriber_id=self.subscriber_id
+                )
+            except Exception as err:
+                logging.warning(
+                    f'[calendar.sync_calendars] Error occurred while creating calendar. Error: {str(err)}'
+                )
+                error_occurred = True
+
+        if not error_occurred:
+            self.bust_cached_events(all_calendars=True)
+
+        return error_occurred
 
     def list_calendars(self):
         """find all calendars on the remote server"""
@@ -647,6 +692,7 @@ def existing_events_for_schedule(
                 )
             else:
                 con = CalDavConnector(
+                    db=db,
                     redis_instance=redis,
                     url=calendar.url,
                     user=calendar.user,
@@ -684,3 +730,96 @@ def existing_events_for_schedule(
             )
 
         return existing_events
+
+    @staticmethod
+    def dns_caldav_lookup(url, secure=True):
+        import dns.resolver
+
+        secure_character = 's' if secure else ''
+        dns_url = f'_caldav{secure_character}._tcp.{url}'
+        path = ''
+
+        # Check if they have a caldav subdomain, on error just return none
+        try:
+            records = dns.resolver.resolve(dns_url, 'SRV')
+        except DNSException:
+            return None, None
+
+        # Check if they have any relative paths setup
+        try:
+            txt_records = dns.resolver.resolve(dns_url, 'TXT')
+
+            for txt_record in txt_records:
+                # Remove any quotes from the txt record
+                txt_record = str(txt_record).replace('"', '')
+                if txt_record.startswith('path='):
+                    path = txt_record[5:]
+        except DNSException:
+            pass
+
+        # Append a slash at the end if it's missing
+        path += '' if path.endswith('/') else '/'
+
+        # Grab the first item or None
+        caldav_host = None
+        port = 443 if secure else 80
+        ttl = records.rrset.ttl or 300
+        if len(records) > 0:
+            port = str(records[0].port)
+            caldav_host = str(records[0].target)[:-1]
+
+            # Service not provided
+            if caldav_host == ".":
+                return None, None
+
+        if '://' in caldav_host:
+            # Remove any protocols first!
+            caldav_host.replace('http://', '').replace('https://', '')
+
+        # We should only be pulling the secure link
+        caldav_host = f'http{secure_character}://{caldav_host}:{port}{path}'
+
+        return caldav_host, ttl
+
+    @staticmethod
+    def well_known_caldav_lookup(url: str) -> str|None:
+        parsed_url = urlparse(url)
+
+        # Do they have a well-known?
+        if parsed_url.path == '' and parsed_url.hostname != '':
+            try:
+                response = requests.get(urljoin(url, '/.well-known/caldav'), allow_redirects=False)
+                if response.is_redirect:
+                    redirect = response.headers.get('Location')
+                    if redirect:
+                        # Fastmail really needs that ending slash
+                        return redirect if redirect.endswith('/') else redirect + '/'
+            except requests.exceptions.ConnectionError:
+                # Ignore connection errors here
+                pass
+        return None
+
+    @staticmethod
+    def fix_caldav_urls(url: str) -> str:
+        """Fix up some common url issues with some caldav providers"""
+        parsed_url = urlparse(url)
+
+        # Handle any fastmail issues
+        if 'fastmail.com' in parsed_url.hostname:
+            if not parsed_url.path.startswith('/dav'):
+                url = f'{url}/dav/'
+
+            # Url needs to end with slash
+            if not url.endswith('/'):
+                url += '/'
+
+        # Google is weird - We also don't support them right now.
+        elif ('api.googlecontent.com' in parsed_url.hostname
+              or 'apidata.googleusercontent.com' in parsed_url.hostname):
+            if len(parsed_url.path) == 0:
+                url += '/caldav/v2/'
+        elif 'calendar.google.com' in parsed_url.hostname or '':
+            # Use the caldav url instead
+            url = 'https://api.googlecontent.com/caldav/v2/'
+
+        return url
diff --git a/backend/src/appointment/database/models.py b/backend/src/appointment/database/models.py
index 29b431d73..6aae28144 100644
--- a/backend/src/appointment/database/models.py
+++ b/backend/src/appointment/database/models.py
@@ -70,6 +70,7 @@ class ExternalConnectionType(enum.Enum):
     zoom = 1
     google = 2
     fxa = 3
+    caldav = 4
 
 
 class MeetingLinkProviderType(enum.StrEnum):
diff --git a/backend/src/appointment/database/repo/calendar.py b/backend/src/appointment/database/repo/calendar.py
index df245a978..16bd7fc18 100644
--- a/backend/src/appointment/database/repo/calendar.py
+++ b/backend/src/appointment/database/repo/calendar.py
@@ -4,6 +4,7 @@
 """
 
 from datetime import datetime
+from typing import Optional
 
 from fastapi import HTTPException
 from sqlalchemy.orm import Session
@@ -135,11 +136,14 @@ def delete_by_subscriber(db: Session, subscriber_id: int):
     return True
 
 
-def delete_by_subscriber_and_provider(db: Session, subscriber_id: int, provider: models.CalendarProvider):
+def delete_by_subscriber_and_provider(db: Session, subscriber_id: int, provider: models.CalendarProvider, user: Optional[str] = None):
     """Delete all subscriber's calendar by a provider"""
     calendars = get_by_subscriber(db, subscriber_id=subscriber_id)
     for calendar in calendars:
         if calendar.provider == provider:
+            # If user is provided and it's not the same as the calendar user then we can skip
+            if user and user != calendar.user:
+                continue
             delete(db, calendar_id=calendar.id)
 
     return True
diff --git a/backend/src/appointment/database/schemas.py b/backend/src/appointment/database/schemas.py
index 2edc82a0e..840e1a0d5 100644
--- a/backend/src/appointment/database/schemas.py
+++ b/backend/src/appointment/database/schemas.py
@@ -257,6 +257,12 @@ class CalendarConnection(CalendarConnectionOut):
     password: str
 
 
+class CalendarConnectionIn(CalendarConnection):
+    url: str = Field(min_length=1)
+    user: str = Field(min_length=1)
+    password: Optional[str]
+
+
 class Calendar(CalendarConnection):
     id: int
     owner_id: int
diff --git a/backend/src/appointment/main.py b/backend/src/appointment/main.py
index a6fd28b9e..54f4fec50 100644
--- a/backend/src/appointment/main.py
+++ b/backend/src/appointment/main.py
@@ -121,6 +121,7 @@ def server():
     from .routes import api
     from .routes import auth
     from .routes import account
+    from .routes import caldav
     from .routes import google
     from .routes import schedule
     from .routes import invite
@@ -217,6 +218,7 @@ async def catch_rate_limit_exceeded_errors(request, exc):
     app.include_router(api.router)
     app.include_router(auth.router)  # Special case!
     app.include_router(account.router, prefix='/account')
+    app.include_router(caldav.router, prefix='/caldav')
     app.include_router(google.router, prefix='/google')
     app.include_router(schedule.router, prefix='/schedule')
     app.include_router(invite.router, prefix='/invite')
diff --git a/backend/src/appointment/migrations/versions/2024_10_09_2006-71cf5d3ee14b_update_external_connections_.py b/backend/src/appointment/migrations/versions/2024_10_09_2006-71cf5d3ee14b_update_external_connections_.py
new file mode 100644
index 000000000..8d5df6f82
--- /dev/null
+++ b/backend/src/appointment/migrations/versions/2024_10_09_2006-71cf5d3ee14b_update_external_connections_.py
@@ -0,0 +1,32 @@
+"""update external connections type enum with caldav
+
+Revision ID: 71cf5d3ee14b
+Revises: 01d80f00243f
+Create Date: 2024-10-09 20:06:47.631534
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '71cf5d3ee14b'
+down_revision = '502d0217a555'
+branch_labels = None
+depends_on = None
+
+
+old_external_connections = ','.join(['"zoom"', '"google"', '"fxa"'])
+new_external_connections = ','.join(['"zoom"', '"google"', '"fxa"', '"caldav"'])
+
+
+def upgrade() -> None:
+    op.execute(
+        f'ALTER TABLE `external_connections` MODIFY COLUMN `type` enum({new_external_connections}) NOT NULL AFTER `name`;'  # noqa: E501
+    )
+
+
+def downgrade() -> None:
+    op.execute(
+        f'ALTER TABLE `external_connections` MODIFY COLUMN `type` enum({old_external_connections}) NOT NULL AFTER `name`;'  # noqa: E501
+    )
diff --git a/backend/src/appointment/routes/api.py b/backend/src/appointment/routes/api.py
index c08084df0..098edcbfe 100644
--- a/backend/src/appointment/routes/api.py
+++ b/backend/src/appointment/routes/api.py
@@ -1,8 +1,10 @@
 import datetime
+import json
 import logging
 import os
 import secrets
 import uuid
+from urllib.parse import urlparse
 
 import requests.exceptions
 import sentry_sdk
@@ -172,6 +174,7 @@ def create_my_calendar(
         )
     else:
         con = CalDavConnector(
+            db=db,
             redis_instance=None,
             url=calendar.url,
             user=calendar.user,
@@ -294,6 +297,7 @@ def read_remote_calendars(
         )
     else:
         con = CalDavConnector(
+            db=None,
             redis_instance=None,
             url=connection.url,
             user=connection.user,
@@ -319,27 +323,43 @@ def sync_remote_calendars(
 ):
     """endpoint to sync calendars from a remote server"""
     # Create a list of connections and loop through them with sync
-    # TODO: Also handle CalDAV connections
-
-    external_connection = utils.list_first(
+    google_ec = utils.list_first(
         repo.external_connection.get_by_type(db, subscriber.id, schemas.ExternalConnectionType.google)
     )
+    caldav_ecs = repo.external_connection.get_by_type(db, subscriber.id, schemas.ExternalConnectionType.caldav)
+
+    # Filter out any nulls
+    ecs = list(filter(lambda ec: ec, [
+        google_ec,
+        *caldav_ecs
+    ]))
 
-    if external_connection is None or external_connection.token is None:
+    if len(ecs) == 0:
         raise RemoteCalendarConnectionError()
 
-    connections = [
-        GoogleConnector(
-            db=db,
-            redis_instance=redis,
-            google_client=google_client,
-            remote_calendar_id=None,
-            calendar_id=None,
-            subscriber_id=subscriber.id,
-            google_tkn=external_connection.token,
-        ),
-    ]
-    for connection in connections:
+    for ec in ecs:
+        if ec.type == schemas.ExternalConnectionType.google:
+            connection = GoogleConnector(
+                db=db,
+                redis_instance=redis,
+                google_client=google_client,
+                remote_calendar_id=None,
+                calendar_id=None,
+                subscriber_id=subscriber.id,
+                google_tkn=ec.token,
+            )
+        else:
+            url, username = json.loads(ec.type_id)
+            connection = CalDavConnector(
+                db=db,
+                subscriber_id=subscriber.id,
+                redis_instance=redis,
+                url=url,
+                user=username,
+                password=ec.token,
+                calendar_id=None,
+            )
+
         error_occurred = connection.sync_calendars()
         # And then redirect back to frontend
         if error_occurred:
@@ -382,6 +402,7 @@ def read_remote_events(
         )
     else:
         con = CalDavConnector(
+            db=db,
             redis_instance=redis_instance,
             url=db_calendar.url,
             user=db_calendar.user,
@@ -464,3 +485,5 @@ def terms():
     with open(f'{os.path.dirname(__file__)}/../templates/legal/en/terms.jinja2') as fh:
         contents = fh.read()
     return HTMLResponse(contents)
+
+
diff --git a/backend/src/appointment/routes/caldav.py b/backend/src/appointment/routes/caldav.py
new file mode 100644
index 000000000..c9627a8a0
--- /dev/null
+++ b/backend/src/appointment/routes/caldav.py
@@ -0,0 +1,127 @@
+import json
+from typing import Optional
+from urllib.parse import urlparse
+
+import requests
+
+from fastapi import APIRouter, Depends, Request
+from redis import Redis
+from sqlalchemy.orm import Session
+
+from appointment import utils
+from appointment.controller.apis.google_client import GoogleClient
+from appointment.controller.calendar import CalDavConnector, Tools, GoogleConnector
+from appointment.database import models, schemas, repo
+from appointment.dependencies.auth import get_subscriber
+from appointment.dependencies.database import get_db, get_redis
+from appointment.dependencies.google import get_google_client
+from appointment.exceptions.validation import RemoteCalendarConnectionError
+
+router = APIRouter()
+
+
+@router.post('/auth')
+def caldav_autodiscover_auth(
+    connection: schemas.CalendarConnectionIn,
+    db: Session = Depends(get_db),
+    subscriber: models.Subscriber = Depends(get_subscriber),
+    redis_client: Redis = Depends(get_redis)
+):
+    """Connects a principal caldav server"""
+
+    # Does url need a protocol?
+    if '://' not in connection.url:
+        connection.url = f'https://{connection.url}'
+
+    secure_protocol = 'https://' in connection.url
+
+    dns_lookup_cache_key = f'dns:{utils.encrypt(connection.url)}'
+
+    lookup_url = None
+    if redis_client:
+        lookup_url = redis_client.get(dns_lookup_cache_key)
+
+    # Do a dns lookup first
+    if lookup_url is None:
+        parsed_url = urlparse(connection.url)
+        lookup_url, ttl = Tools.dns_caldav_lookup(parsed_url.hostname, secure=secure_protocol)
+        # set the cached lookup for the remainder of the dns ttl
+        if redis_client and lookup_url:
+            redis_client.set(dns_lookup_cache_key, utils.encrypt(lookup_url), ex=ttl)
+    else:
+        # Extract the cached value
+        lookup_url = utils.decrypt(lookup_url)
+
+    # Check for well-known
+    if lookup_url is None:
+        lookup_url = Tools.well_known_caldav_lookup(connection.url)
+
+    # If we have a lookup_url then apply it
+    if lookup_url:
+        connection.url = lookup_url
+
+    # Finally perform any final fixups needed
+    connection.url = Tools.fix_caldav_urls(connection.url)
+
+    con = CalDavConnector(
+        db=db,
+        redis_instance=None,
+        url=connection.url,
+        user=connection.user,
+        password=connection.password,
+        subscriber_id=subscriber.id,
+        calendar_id=None,
+    )
+
+    if not con.test_connection():
+        raise RemoteCalendarConnectionError()
+
+    caldav_id = json.dumps([connection.url, connection.user])
+    external_connection = repo.external_connection.get_by_type(
+        db, subscriber.id, models.ExternalConnectionType.caldav, caldav_id
+    )
+
+    # Create or update the external connection
+    if not external_connection:
+        external_connection_schema = schemas.ExternalConnection(
+            name=connection.user,
+            type=models.ExternalConnectionType.caldav,
+            type_id=caldav_id,
+            owner_id=subscriber.id,
+            token=connection.password,
+        )
+
+        repo.external_connection.create(db, external_connection_schema)
+    else:
+        repo.external_connection.update_token(
+            db, connection.password, subscriber.id, models.ExternalConnectionType.caldav, caldav_id
+        )
+
+    con.sync_calendars()
+    return True
+
+
+@router.post('/disconnect')
+def disconnect_account(
+    type_id: Optional[str] = None,
+    db: Session = Depends(get_db),
+    subscriber: models.Subscriber = Depends(get_subscriber),
+):
+    """Disconnects a google account. Removes associated data from our services and deletes the connection details."""
+    ec = utils.list_first(
+        repo.external_connection.get_by_type(db, subscriber_id=subscriber.id, type=models.ExternalConnectionType.caldav, type_id=type_id)
+    )
+
+    if ec is None:
+        return RemoteCalendarConnectionError()
+
+    # Deserialize the url/user
+    _, user = json.loads(ec.type_id)
+
+    # Remove all the caldav calendars associated with this user
+    repo.calendar.delete_by_subscriber_and_provider(db, subscriber.id, provider=models.CalendarProvider.caldav, user=user)
+
+    # Remove their account details
+    repo.external_connection.delete_by_type(db, subscriber.id, ec.type, ec.type_id)
+
+    return True
diff --git a/backend/src/appointment/routes/schedule.py b/backend/src/appointment/routes/schedule.py
index 48e8c5f90..519ff571c 100644
--- a/backend/src/appointment/routes/schedule.py
+++ b/backend/src/appointment/routes/schedule.py
@@ -273,6 +273,7 @@ def request_schedule_availability_slot(
         )
     else:
         con = CalDavConnector(
+            db=db,
             redis_instance=redis,
             subscriber_id=subscriber.id,
             calendar_id=calendar.id,
@@ -556,6 +557,7 @@ def handle_schedule_availability_decision(
         )
     else:
         con = CalDavConnector(
+            db=db,
             redis_instance=redis,
             subscriber_id=subscriber.id,
             calendar_id=calendar.id,
diff --git a/backend/src/appointment/utils.py b/backend/src/appointment/utils.py
index e48b70e6e..7b4ec1744 100644
--- a/backend/src/appointment/utils.py
+++ b/backend/src/appointment/utils.py
@@ -46,6 +46,14 @@ def setup_encryption_engine():
     return engine
 
 
+def encrypt(value):
+    return setup_encryption_engine().encrypt(value)
+
+
+def decrypt(value):
+    return setup_encryption_engine().decrypt(value)
+
+
 def retrieve_user_url_data(url):
     """URL Decodes, and retrieves username, signature, and main url from /<username>/<signature>/"""
     parsed_url = parse.urlparse(url)
diff --git a/backend/test/conftest.py b/backend/test/conftest.py
index 4a6ed7c12..162e7c052 100644
--- a/backend/test/conftest.py
+++ b/backend/test/conftest.py
@@ -43,7 +43,7 @@ def _patch_caldav_connector(monkeypatch):
     # Create a mock caldav connector
     class MockCaldavConnector:
         @staticmethod
-        def __init__(self, redis_instance, url, user, password, subscriber_id, calendar_id):
+        def __init__(self, db, redis_instance, url, user, password, subscriber_id, calendar_id):
             """We don't want to initialize a client"""
             pass
 
diff --git a/backend/test/integration/test_auth.py b/backend/test/integration/test_auth.py
index 05cf07e13..8e729cc56 100644
--- a/backend/test/integration/test_auth.py
+++ b/backend/test/integration/test_auth.py
@@ -1,11 +1,13 @@
+import json
 import os
 import secrets
 from datetime import timedelta
+from unittest.mock import patch
 
 from appointment.dependencies import auth
 from appointment.l10n import l10n
 from appointment.routes.auth import create_access_token
-from defines import FXA_CLIENT_PATCH, auth_headers
+from defines import FXA_CLIENT_PATCH, auth_headers, TEST_USER_ID
 from appointment.database import repo, models
 
 
@@ -444,3 +446,54 @@ def test_fxa_token_failed_due_to_empty_auth(self, make_basic_subscriber, with_cl
         )
 
         assert response.status_code == 401, response.text
+
+
+class TestCalDAV:
+    def test_auth(self, with_db, with_client):
+        """Test authenticating a caldav connection"""
+        # Remove any possibility of caching
+        os.environ['REDIS_URL'] = ''
+
+        with with_db() as db:
+            ecs = repo.external_connection.get_by_type(db, TEST_USER_ID, models.ExternalConnectionType.caldav)
+            assert len(ecs) == 0
+
+        with patch('appointment.controller.calendar.Tools.dns_caldav_lookup') as mock:
+            mock.return_value = "https://example.com", 300
+
+            with patch('appointment.controller.calendar.CalDavConnector.sync_calendars') as sync_mock:
+                sync_mock.return_value = None
+
+                response = with_client.post(
+                    '/caldav/auth', json={'user': 'test@example.com', 'url': 'example.com', 'password': 'test'}, headers=auth_headers
+                )
+
+                mock.assert_called()
+                sync_mock.assert_called()
+
+                assert response.status_code == 200
+
+        with with_db() as db:
+            ecs = repo.external_connection.get_by_type(db, TEST_USER_ID, models.ExternalConnectionType.caldav)
+            assert len(ecs) == 1
+
+    def test_disconnect(self, with_db, with_client, make_external_connections, make_caldav_calendar):
+        """Ensure we remove the external connection and any related calendars"""
+        username = 'username'
+        type_id = json.dumps(['url', username])
+        ec = make_external_connections(TEST_USER_ID, type=models.ExternalConnectionType.caldav, type_id=type_id)
+        calendar = make_caldav_calendar(subscriber_id=TEST_USER_ID, user=username)
+
+        response = with_client.post(
+            '/caldav/disconnect', json={'type_id': ec.type_id},
+            headers=auth_headers
+        )
+
+        assert response.status_code == 200, response.content
+
+        with with_db() as db:
+            ecs = repo.external_connection.get_by_type(db, TEST_USER_ID, models.ExternalConnectionType.caldav, type_id=type_id)
+            assert len(ecs) == 0
+
+            calendar = repo.calendar.get(db, calendar.id)
+            assert calendar is None
diff --git a/backend/test/integration/test_calendar.py b/backend/test/integration/test_calendar.py
index e9cd14af5..6e97470df 100644
--- a/backend/test/integration/test_calendar.py
+++ b/backend/test/integration/test_calendar.py
@@ -30,7 +30,7 @@ def get_mock_connector_class():
 
     class MockCaldavConnector:
         @staticmethod
-        def __init__(self, subscriber_id, calendar_id, redis_instance, url, user, password):
+        def __init__(self, db, subscriber_id, calendar_id, redis_instance, url, user, password):
             """We don't want to initialize a client"""
             pass
 
diff --git a/backend/test/integration/test_schedule.py b/backend/test/integration/test_schedule.py
index 764df9dbe..4c72ad563 100644
--- a/backend/test/integration/test_schedule.py
+++ b/backend/test/integration/test_schedule.py
@@ -289,7 +289,7 @@ def test_public_availability(
     ):
         class MockCaldavConnector:
             @staticmethod
-            def __init__(self, redis_instance, url, user, password, subscriber_id, calendar_id):
+            def __init__(self, db, redis_instance, url, user, password, subscriber_id, calendar_id):
                 """We don't want to initialize a client"""
                 pass
 
@@ -404,7 +404,7 @@ def test_public_availability_with_blockers(
 
         class MockCaldavConnector:
             @staticmethod
-            def __init__(self, redis_instance, url, user, password, subscriber_id, calendar_id):
+            def __init__(self, db, redis_instance, url, user, password, subscriber_id, calendar_id):
                 """We don't want to initialize a client"""
                 pass
 
@@ -471,7 +471,7 @@ class TestRequestScheduleAvailability:
     def mock_connector(self, monkeypatch):
         class MockCaldavConnector:
             @staticmethod
-            def __init__(self, redis_instance, url, user, password, subscriber_id, calendar_id):
+            def __init__(self, db, redis_instance, url, user, password, subscriber_id, calendar_id):
                 """We don't want to initialize a client"""
                 pass
 
diff --git a/backend/test/unit/test_calendar_tools.py b/backend/test/unit/test_calendar_tools.py
index 6ca991ac1..b2e6fa355 100644
--- a/backend/test/unit/test_calendar_tools.py
+++ b/backend/test/unit/test_calendar_tools.py
@@ -70,3 +70,21 @@ def test_meeting_url_in_location(self, with_db, make_google_calendar, make_appoi
         ics = Tools().create_vevent(appointment, slot, subscriber)
         assert ics
         assert ':'.join(['LOCATION', slot.meeting_link_url])
+
+
+class TestDnsCaldavLookup:
+    def test_for_host(self):
+        host, ttl = Tools.dns_caldav_lookup('thunderbird.net')
+        assert host == 'https://apidata.googleusercontent.com:443/'
+        assert ttl
+
+    def test_for_txt_record(self):
+        """This domain is used with permission from the owner (me, melissa autumn!)"""
+        host, ttl = Tools.dns_caldav_lookup('melissaautumn.com')
+        assert host == 'https://caldav.fastmail.com:443/dav/'
+        assert ttl
+
+    def test_no_records(self):
+        host, ttl = Tools.dns_caldav_lookup('appointment.day')
+        assert host is None
+        assert ttl is None
diff --git a/frontend/src/components/FTUE/CalDavProvider.vue b/frontend/src/components/FTUE/CalDavProvider.vue
new file mode 100644
index 000000000..06ac2ec04
--- /dev/null
+++ b/frontend/src/components/FTUE/CalDavProvider.vue
@@ -0,0 +1,147 @@
+<script setup lang="ts">
+import { useI18n } from 'vue-i18n';
+import {
+  computed,
+  inject, ref,
+} from 'vue';
+import { callKey } from '@/keys';
+import PrimaryButton from '@/tbpro/elements/PrimaryButton.vue';
+import TextInput from '@/tbpro/elements/TextInput.vue';
+import { CalendarListResponse, PydanticException } from '@/models';
+import { clearFormErrors, handleFormError } from '@/utils';
+import SecondaryButton from '@/tbpro/elements/SecondaryButton.vue';
+
+const { t } = useI18n();
+const call = inject(callKey);
+const isLoading = ref(false);
+const principal = ref({
+  url: '',
+  user: '',
+  password: '',
+});
+
+/**
+ * Default to the domain of an email address from username
+ */
+const locationPreview = computed(() => {
+  const splitAddress = principal.value.user.split('@');
+  if (splitAddress.length > 1) {
+    return splitAddress[1];
+  }
+  return '';
+});
+
+// component properties
+interface Props {
+  showPrevious?: boolean,
+  showSwitch?: boolean,
+}
+withDefaults(defineProps<Props>(), {
+  showPrevious: false,
+  showSwitch: false,
+});
+const emits = defineEmits(['next', 'error', 'previous', 'switch']);
+const formRef = ref();
+
+/**
+ * Submit the credentials, this will perform a dns check to see if there's any
+ * caldav server specified via SRV, if that fails then it will attempt to
+ * connect to the server listed.
+ */
+const onSubmit = async () => {
+  clearFormErrors(formRef);
+  if (!formRef.value.checkValidity()) {
+    formRef.value.reportValidity();
+    return;
+  }
+
+  isLoading.value = true;
+
+  const requestData = {
+    url: principal.value.url || locationPreview.value,
+    user: principal.value.user,
+    password: principal.value.password,
+  };
+
+  const { error, data }: CalendarListResponse = await call('/caldav/auth').post(requestData).json();
+
+  isLoading.value = false;
+
+  if (!error.value) {
+    emits('next');
+  } else {
+    const err = handleFormError(t, formRef, data?.value as PydanticException);
+    if (err) {
+      // Emit a form-level error event if there's a problem here
+      emits('error', err);
+    }
+  }
+};
+</script>
+<template>
+  <div class="content">
+      <form class="form" ref="formRef" @submit.prevent @keyup.enter="() => onSubmit()">
+        <text-input :disabled="isLoading" name="user" v-model="principal.user" :help="t('calDAVForm.help.user')" :required="true">
+          {{ t('label.username') }}
+        </text-input>
+        <text-input :disabled="isLoading" :placeholder="locationPreview" name="url" :help="t('calDAVForm.help.location')" v-model="principal.url">
+          {{ t('label.location') }}
+        </text-input>
+        <text-input :disabled="isLoading" type="password" name="password" :help="t('calDAVForm.help.password')" v-model="principal.password">
+          {{ t('label.password') }}
+        </text-input>
+      </form>
+      <div class="buttons">
+        <secondary-button class="btn-switch" @click="emits('switch')" v-if="showSwitch">
+        {{ t('calDAVForm.switchToGoogleCalendar') }}
+        </secondary-button>
+        <secondary-button @click="emits('previous')" v-if="showPrevious">
+        {{ t('label.back') }}
+        </secondary-button>
+        <primary-button
+          :label="t('label.connect')"
+          :disabled="isLoading"
+          @click="onSubmit"
+        >{{ t('label.connect') }}</primary-button>
+      </div>
+    </div>
+</template>
+<style scoped>
+@import '@/assets/styles/custom-media.pcss';
+@import '@/assets/styles/mixins.pcss';
+
+.content {
+  display: flex;
+  flex-direction: column;
+  margin: auto;
+  gap: 1rem;
+}
+.form {
+  display: flex;
+  flex-direction: column;
+  gap: 1rem;
+  margin: auto;
+}
+.btn-switch {
+  margin-left: 2rem;
+  margin-right: auto;
+}
+.buttons {
+  display: flex;
+  width: 100%;
+  gap: 1rem;
+  justify-content: center;
+  margin-top: 2rem;
+  left: auto;
+  right: auto;
+}
+@media (--md) {
+  .buttons {
+    justify-content: flex-end;
+    position: absolute;
+    right: 2rem;
+    bottom: 5.75rem;
+    margin: 0;
+  }
+}
+</style>
diff --git a/frontend/src/components/FTUE/CalendarProvider.vue b/frontend/src/components/FTUE/CalendarProvider.vue
new file mode 100644
index 000000000..43662d57a
--- /dev/null
+++ b/frontend/src/components/FTUE/CalendarProvider.vue
@@ -0,0 +1,66 @@
+<script setup lang="ts">
+import { useI18n } from 'vue-i18n';
+import {
+  inject, ref,
+} from 'vue';
+import { callKey } from '@/keys';
+import { useFTUEStore } from '@/stores/ftue-store';
+import { storeToRefs } from 'pinia';
+import GoogleOauthProvider from '@/components/FTUE/GoogleOauthProvider.vue';
+import CalDavProvider from '@/components/FTUE/CalDavProvider.vue';
+
+const ftueStore = useFTUEStore();
+const {
+  errorMessage,
+} = storeToRefs(ftueStore);
+const { previousStep, nextStep } = ftueStore;
+const { t } = useI18n();
+const call = inject(callKey);
+const provider = ref('google');
+
+const onNext = async () => {
+  await nextStep(call);
+};
+
+const onPrevious = () => {
+  previousStep();
+};
+
+const onSwitch = () => {
+  if (provider.value === 'google') {
+    provider.value = 'caldav';
+  } else {
+    provider.value = 'google';
+  }
+};
+
+const onError = (err: string) => {
+  errorMessage.value = err;
+};
+
+</script>
+
+<template>
+  <div class="content">
+    <div class="provider-view">
+      <google-oauth-provider @next="onNext" @previous="onPrevious" @switch="onSwitch" :showPrevious="true" :showSwitch="true" v-if="provider === 'google'"></google-oauth-provider>
+      <cal-dav-provider @next="onNext" @previous="onPrevious" @switch="onSwitch" @error="onError" :showPrevious="true" :showSwitch="true" v-else-if="provider === 'caldav'"></cal-dav-provider>
+    </div>
+  </div>
+</template>
+
+<style scoped>
+@import '@/assets/styles/custom-media.pcss';
+@import '@/assets/styles/mixins.pcss';
+
+.content {
+  width: 100%;
+  display: flex;
+  flex-direction: column;
+  gap: 2rem;
+}
+
+.provider-view {
+  width: 100%;
+}
+</style>
diff --git a/frontend/src/components/FTUE/GooglePermissions.vue b/frontend/src/components/FTUE/GoogleOauthProvider.vue
similarity index 89%
rename from frontend/src/components/FTUE/GooglePermissions.vue
rename to frontend/src/components/FTUE/GoogleOauthProvider.vue
index 2f0c5e693..d11ff1496 100644
--- a/frontend/src/components/FTUE/GooglePermissions.vue
+++ b/frontend/src/components/FTUE/GoogleOauthProvider.vue
@@ -16,6 +16,16 @@ const { t } = useI18n();
 const route = useRoute();
 const router = useRouter();
 const call = inject(callKey);
+// component properties
+interface Props {
+  showPrevious?: boolean,
+  showSwitch?: boolean,
+}
+withDefaults(defineProps<Props>(), {
+  showPrevious: false,
+  showSwitch: false,
+});
+const emits = defineEmits(['next', 'previous', 'switch']);
 
 const isLoading = ref(false);
 
@@ -61,7 +71,7 @@ onMounted(async () => {
       return;
     }
 
-    await nextStep(call);
+    emits('next');
   }
 });
 
@@ -109,12 +119,18 @@ const onSubmit = async () => {
     </div>
   </div>
   <div class="buttons">
+    <secondary-button
+      class="btn-switch"
+      @click="emits('switch')"
+      v-if="showSwitch">
+        {{ t('calDAVForm.switchToCalDAV') }}
+    </secondary-button>
     <secondary-button
       class="btn-back"
       :title="t('label.back')"
-      v-if="hasPreviousStep"
+      v-if="showPrevious"
       :disabled="isLoading"
-      @click="previousStep()"
+      @click="emits('previous')"
     >{{ t('label.back') }}
     </secondary-button>
     <secondary-button
@@ -137,6 +153,7 @@ const onSubmit = async () => {
 .content {
   display: flex;
   margin: auto;
+  width: 100%;
 }
 
 .card {
@@ -166,12 +183,19 @@ const onSubmit = async () => {
   height: 1.625rem;
 }
 
+.btn-switch {
+  margin-left: 0;
+  margin-right: auto;
+}
+
 .buttons {
   display: flex;
   width: 100%;
   gap: 1rem;
   justify-content: center;
   margin-top: 2rem;
+  right: auto;
+  left: auto;
 }
 
 @media (--md) {
diff --git a/frontend/src/components/SettingsConnections.vue b/frontend/src/components/SettingsConnections.vue
index be488ab1a..3e304a26d 100644
--- a/frontend/src/components/SettingsConnections.vue
+++ b/frontend/src/components/SettingsConnections.vue
@@ -1,7 +1,5 @@
 <script setup lang="ts">
-import {
-  ref, inject, onMounted,
-} from 'vue';
+import { inject, onMounted, ref } from 'vue';
 import { useI18n } from 'vue-i18n';
 import { useRouter } from 'vue-router';
 import { storeToRefs } from 'pinia';
@@ -17,6 +15,8 @@ import SecondaryButton from '@/elements/SecondaryButton.vue';
 import { useUserStore } from '@/stores/user-store';
 import { useExternalConnectionsStore } from '@/stores/external-connections-store';
 import { useCalendarStore } from '@/stores/calendar-store';
+import GenericModal from '@/components/GenericModal.vue';
+import CalDavProvider from '@/components/FTUE/CalDavProvider.vue';
 
 // component constants
 const { t } = useI18n({ useScope: 'global' });
@@ -31,19 +31,27 @@ const providers = enumToObject(ExternalConnectionProviders);
 
 const fxaEditProfileUrl = inject(fxaEditProfileUrlKey);
 
+const connectCalDavModalOpen = ref(false);
+const disconnectCalDavModalOpen = ref(false);
 const disconnectZoomModalOpen = ref(false);
 const disconnectGoogleModalOpen = ref(false);
+const disconnectTypeId = ref(null);
+
+const calDavErrorMessage = ref();
 
 const closeModals = () => {
+  connectCalDavModalOpen.value = false;
   disconnectZoomModalOpen.value = false;
   disconnectGoogleModalOpen.value = false;
+  disconnectCalDavModalOpen.value = false;
+  disconnectTypeId.value = null;
 };
 
 const refreshData = async () => {
   // Need to reset calendar store first!
   calendarStore.$reset();
   await Promise.all([
-    externalConnectionsStore.fetch(call),
+    externalConnectionsStore.fetch(call, true),
     calendarStore.fetch(call),
     // Need to update userStore in case they used an attached email
     userStore.profile(call),
@@ -54,20 +62,33 @@ onMounted(async () => {
   await refreshData();
 });
 
-const displayModal = async (provider: ExternalConnectionProviders) => {
+const displayModal = async (provider: ExternalConnectionProviders, typeId: string|null = null) => {
+  disconnectTypeId.value = typeId;
+
   if (provider === ExternalConnectionProviders.Zoom) {
     disconnectZoomModalOpen.value = true;
   } else if (provider === ExternalConnectionProviders.Google) {
     disconnectGoogleModalOpen.value = true;
+  } else if (provider === ExternalConnectionProviders.Caldav) {
+    disconnectCalDavModalOpen.value = true;
   }
 };
 
 const connectAccount = async (provider: ExternalConnectionProviders) => {
+  if (provider === ExternalConnectionProviders.Caldav) {
+    connectCalDavModalOpen.value = true;
+    return;
+  }
   await externalConnectionsStore.connect(call, provider, router);
 };
 
-const disconnectAccount = async (provider: ExternalConnectionProviders) => {
-  await externalConnectionsStore.disconnect(call, provider);
+const connectCalDAV = async () => {
+  await refreshData();
+  closeModals();
+};
+
+const disconnectAccount = async (provider: ExternalConnectionProviders, typeId: string|null = null) => {
+  await externalConnectionsStore.disconnect(call, provider, typeId);
   resetConnections();
   await refreshData();
   closeModals();
@@ -119,7 +140,7 @@ const editProfile = async () => {
           v-if="connection[0]"
           :label="t('label.disconnect')"
           class="btn-disconnect"
-          @click="() => displayModal(providers[provider])"
+          @click="() => displayModal(providers[provider], connection[0].type_id)"
           :title="t('label.disconnect')"
         />
         </div>
@@ -145,6 +166,17 @@ const editProfile = async () => {
       @confirm="() => disconnectAccount(ExternalConnectionProviders.Google)"
       @close="closeModals"
   ></confirmation-modal>
+  <!-- Disconnect CalDav Modal -->
+  <confirmation-modal
+      :open="disconnectCalDavModalOpen"
+      :title="t('text.settings.connectedAccounts.disconnect.caldav.title')"
+      :message="t('text.settings.connectedAccounts.disconnect.caldav.message')"
+      :confirm-label="t('text.settings.connectedAccounts.disconnect.caldav.confirm')"
+      :cancel-label="t('text.settings.connectedAccounts.disconnect.caldav.cancel')"
+      :use-caution-button="true"
+      @confirm="() => disconnectAccount(ExternalConnectionProviders.Caldav, disconnectTypeId)"
+      @close="closeModals"
+  ></confirmation-modal>
   <!-- Disconnect Zoom Modal -->
   <confirmation-modal
       :open="disconnectZoomModalOpen"
@@ -156,4 +188,22 @@ const editProfile = async () => {
       @confirm="() => disconnectAccount(ExternalConnectionProviders.Zoom)"
       @close="closeModals"
   ></confirmation-modal>
+  <!-- Bit of a hack until we figure out this ux flow -->
+  <generic-modal v-if="connectCalDavModalOpen" @close="closeModals()" :error-message="calDavErrorMessage">
+    <template v-slot:header>
+      <h2 class="modal-title">
+        {{ t('heading.settings.connectedAccounts.caldav') }}
+      </h2>
+    </template>
+    <cal-dav-provider @next="connectCalDAV()" @error="(err) => calDavErrorMessage = err"></cal-dav-provider>
+  </generic-modal>
 </template>
+<style scoped>
+.modal-title {
+  color: var(--colour-ti-base);
+  font-family: 'Inter', 'sans-serif';
+  font-weight: 400;
+  font-size: 1.375rem;
+  line-height: 1.664rem;
+}
+</style>
diff --git a/frontend/src/definitions.ts b/frontend/src/definitions.ts
index e438b3947..abc24162d 100644
--- a/frontend/src/definitions.ts
+++ b/frontend/src/definitions.ts
@@ -112,7 +112,6 @@ export enum BookingsViewTypes {
   Grid = 2,
 }
 
-
 /**
  * Type for event location.
  * Corresponds to models.LocationType
@@ -164,6 +163,7 @@ export enum ExternalConnectionProviders {
   Fxa = 1,
   Google = 2,
   Zoom = 3,
+  Caldav = 4,
 }
 
 /**
@@ -193,7 +193,7 @@ export enum AlertSchemes {
   Warning = 2, // Alert indicates something important
   Success = 3, // Alert indicates something's gone right
   Info = 4, // Alert indicates some neutral information
-};
+}
 
 /**
  * Used as the session storage key for the location the user wanted to go to before logging in.
@@ -226,13 +226,12 @@ export enum TableDataButtonType {
  */
 export enum FtueStep {
   SetupProfile = 10,
-  // Right now we only support Google calendars during ftue
-  GooglePermissions = 20,
+  CalendarProvider = 20,
   ConnectCalendars = 30,
   SetupSchedule = 40,
   ConnectVideoConferencing = 50,
   Finish = 100,
-};
+}
 
 export enum TooltipPosition {
   None = 'pos-none',
@@ -240,7 +239,7 @@ export enum TooltipPosition {
   Bottom = 'pos-bottom',
   Left = 'pos-left',
   Right = 'pos-right',
-};
+}
 
 /**
  * This should match the enum in routes/waiting_list.py
@@ -248,7 +247,7 @@ export enum TooltipPosition {
 export enum WaitingListAction {
   Confirm = 1,
   Leave = 2,
-};
+}
 
 export enum MetricEvents {
   PageLoaded = 'apmt.page.loaded',
diff --git a/frontend/src/locales/de.json b/frontend/src/locales/de.json
index 19a5e032c..513cc19d0 100644
--- a/frontend/src/locales/de.json
+++ b/frontend/src/locales/de.json
@@ -4,6 +4,15 @@
     "tagline": "Weniger planen, mehr schaffen",
     "title": "Thunderbird Appointment"
   },
+  "calDAVForm": {
+    "help": {
+      "location": "URL oder Hostname, den wir für die Verbindung deiner Kalender verwenden werden.",
+      "password": "Das ist üblicherweise kein E-Mail-Passwort, sondern ein 'App Passwort'.",
+      "user": "Das ist üblicherweise eine E-Mail-Adresse."
+    },
+    "switchToCalDAV": "Zu CalDAV wechseln",
+    "switchToGoogleCalendar": "Zu Google wechseln"
+  },
   "error": {
     "actionNeeded": "Aktion erforderlich!",
     "authenticationRequired": "Entschuldigung, um diese Seite zu sehen ist eine Anmeldung erforderlich.",
@@ -50,6 +59,8 @@
     "setupScheduleInfo": "Der Terminplan kann später angepasst werden",
     "skipConnectVideo": "Diesen Schritt überspringen",
     "steps": {
+      "caldav": "Einrichten der Kalenderverbindung",
+      "calendarProvider": "Wähle deinen Kalenderanbieter",
       "connectCalendars": "Kalender verbinden",
       "connectVideo": "Videokonferenz-Link verbinden",
       "error": "Oh nein!",
@@ -88,7 +99,8 @@
     "scheduleCreated": "Zeitplan erstellt!",
     "settings": {
       "connectedAccounts": {
-        "fxa": "Mozilla-Konten",
+        "caldav": "CalDAV Verbindungen",
+        "fxa": "Mozilla Konten",
         "google": "Google Kalender",
         "zoom": "Zoom"
       }
@@ -336,7 +348,6 @@
     },
     "form": {
       "email": "Gib deine E-Mail-Adresse ein, um dich anzumelden oder ein Konto zu erstellen:",
-      "email-waiting-list": "Gib deine E-Mail-Adresse ein, um der Warteliste beizutreten:",
       "no-invite-code": "Wenn du keinen Einladungscode hast, setze deine E-Mail-Adresse auf unsere Warteliste.",
       "privacy": "Datenschutz ist uns wichtig."
     },
@@ -357,16 +368,16 @@
   "notices": {
     "betaWarning": {
       "heading": "Da wir aktuell in der Beta-Phase sind, hier einige Tips um Probleme zu umgehen:",
-      "list": [
-        "Überprüfe den Spam Ordner, da einige Emails dort landen könnten",
-        "Falls Zoom Meetings nicht in der Kalender-Einladung auftauchen, bitte trenne die Verbindung im {connectedAccounts} Abschnitt der Einstellungen, und stelle sie erneut her",
-        "Sollte es noch weitere Probleme geben, nutze das {contactUs}, oder kommt in unseren {matrixChannel}"
-      ],
       "linkText": {
         "connectedAccounts": "Verbundene Konten",
         "contactUs": "Kontaktformular",
         "matrixChannel": "Matrix Kanal"
-      }
+      },
+      "list": [
+        "Überprüfe den Spam Ordner, da einige Emails dort landen könnten",
+        "Falls Zoom Meetings nicht in der Kalender-Einladung auftauchen, bitte trenne die Verbindung im {connectedAccounts} Abschnitt der Einstellungen, und stelle sie erneut her",
+        "Sollte es noch weitere Probleme geben, nutze das {contactUs}, oder kommt in unseren {matrixChannel}"
+      ]
     }
   },
   "placeholder": {
@@ -438,6 +449,7 @@
     "settings": {
       "connectedAccounts": {
         "connect": {
+          "caldav": "Eine Verbindung zu einem CalDav-Server herstellen und die zugehörigen Kalender abrufen.",
           "fxa": "Dies ist das Benutzerkonto, das mit dem Login verbunden ist. Wenn das Mozilla-Konto gelöscht wird, werden auch alle Daten bei Thunderbird Appointment entfernt.",
           "google": "Ein Google-Konto kann verbunden werden, um auf die Kalender zuzugreifen. Wenn die Verbindung zum Google-Konto getrennt wird, werden die entsprechenden Kalender und die damit verbundenen Daten bei Thunderbird Appointment entfernt.",
           "googleLegal": {
@@ -447,10 +459,16 @@
           "zoom": "Ein Zoom-Konto kann verbunden werden, um Einladungen zu Zoom-Besprechungen an Terminen zu ermöglichen."
         },
         "disconnect": {
+          "caldav": {
+            "cancel": "Zurück",
+            "confirm": "Trennen",
+            "message": "Beim Trennen der Verbindung zum CalDAV-Server werden alle zugehörigen Kalender und Daten vom Thunderbird Appointment Konto entfernt. Wenn ein Terminplan mit einem CalDAV-Kalender eingerichtet ist, wird er deaktiviert, bis er auf einen neuen Kalender umgestellt wurde.",
+            "title": "CalDAV Verbindung trennen"
+          },
           "google": {
             "cancel": "Abbrechen",
             "confirm": "Trennen",
-            "message": "Beim Trennen der Verbindung zu Google-Kalendern werden alle verfügbaren Google-Kalender und die zugehörigen Daten vom Thunderbird Appointment Konto entfernt. Wenn ein Terminplan mit einem Google-Kalender eingerichtet ist, wird er deaktiviert, bis der Terminplan auf einen neuen Kalender eingestellt wurde.",
+            "message": "Beim Trennen der Verbindung zu Google-Kalendern werden alle verfügbaren Google-Kalender und die zugehörigen Daten vom Thunderbird Appointment Konto entfernt. Wenn ein Terminplan mit einem Google-Kalender eingerichtet ist, wird er deaktiviert, bis er auf einen neuen Kalender umgestellt wurde.",
             "title": "Google Kalender trennen"
           },
           "zoom": {
diff --git a/frontend/src/locales/en.json b/frontend/src/locales/en.json
index fefa01a9f..a80640afb 100644
--- a/frontend/src/locales/en.json
+++ b/frontend/src/locales/en.json
@@ -4,6 +4,15 @@
     "tagline": "Plan less, do more",
     "title": "Thunderbird Appointment"
   },
+  "calDAVForm": {
+    "help": {
+      "location": "The URL or hostname we will use to connect to your calendars.",
+      "password": "This is usually not your email address password, but an 'App Password'.",
+      "user": "This is usually an email address."
+    },
+    "switchToCalDAV": "Switch to CalDAV",
+    "switchToGoogleCalendar": "Switch to Google Calendar"
+  },
   "error": {
     "actionNeeded": "Action needed",
     "authenticationRequired": "Sorry, this page requires you to be logged in.",
@@ -50,6 +59,8 @@
     "setupScheduleInfo": "You can edit this schedule later",
     "skipConnectVideo": "Skip connect video",
     "steps": {
+      "caldav": "Setup your calendar connection",
+      "calendarProvider": "Select your calendar provider",
       "connectCalendars": "Connect calendars",
       "connectVideo": "Connect your video meeting link",
       "error": "Uh-oh!",
@@ -88,6 +99,7 @@
     "scheduleCreated": "Schedule created!",
     "settings": {
       "connectedAccounts": {
+        "caldav": "CalDAV Connection",
         "fxa": "Mozilla Accounts",
         "google": "Google Calendar",
         "zoom": "Zoom"
@@ -356,16 +368,16 @@
   "notices": {
     "betaWarning": {
       "heading": "As we're currently in beta, we do have some issues we're dealing with:",
-      "list": [
-        "Please check your spam folder as some emails might end up there",
-        "If Zoom meetings don't appear in your appointment invite, please disconnect and reconnect your zoom account in the {connectedAccounts} section of the settings",
-        "If you experience other issues, please use the {contactUs} form, or join us on our {matrixChannel}"
-      ],
       "linkText": {
         "connectedAccounts": "Connected Accounts",
         "contactUs": "contact us",
         "matrixChannel": "Matrix Channel"
-      }
+      },
+      "list": [
+        "Please check your spam folder as some emails might end up there",
+        "If Zoom meetings don't appear in your appointment invite, please disconnect and reconnect your zoom account in the {connectedAccounts} section of the settings",
+        "If you experience other issues, please use the {contactUs} form, or join us on our {matrixChannel}"
+      ]
     }
   },
   "placeholder": {
@@ -437,6 +449,7 @@
     "settings": {
       "connectedAccounts": {
         "connect": {
+          "caldav": "You can connect to a CalDav server and pull its associated calendars.",
           "fxa": "This is the account associated with your login. If you delete your Mozilla Account your data with Thunderbird Appointment will also be removed.",
           "google": "You can connect your Google account to access your calendars. Disconnecting your account will remove your calendars, and associated data.",
           "googleLegal": {
@@ -446,6 +459,12 @@
           "zoom": "You can connect your Zoom account to enable instant meeting invites with your appointments."
         },
         "disconnect": {
+          "caldav": {
+            "cancel": "Back",
+            "confirm": "Disconnect",
+            "message": "Disconnecting from your CalDAV server will remove all associated calendars and data from your Thunderbird Appointment account. If your schedule is setup with a CalDAV calendar then it will be turned off until you set it to a new calendar.",
+            "title": "Disconnect CalDAV"
+          },
           "google": {
             "cancel": "Back",
             "confirm": "Disconnect",
diff --git a/frontend/src/models.ts b/frontend/src/models.ts
index 2eff13e66..84d985dbe 100644
--- a/frontend/src/models.ts
+++ b/frontend/src/models.ts
@@ -173,6 +173,7 @@ export type ExternalConnectionCollection = {
   fxa?: ExternalConnection[];
   google?: ExternalConnection[];
   zoom?: ExternalConnection[];
+  caldav?: ExternalConnection[];
 };
 
 // The type `Availability` will be used later if we provide custom availabilities
diff --git a/frontend/src/stores/external-connections-store.ts b/frontend/src/stores/external-connections-store.ts
index 6fcd1c8d3..e51b4050e 100644
--- a/frontend/src/stores/external-connections-store.ts
+++ b/frontend/src/stores/external-connections-store.ts
@@ -1,9 +1,9 @@
 import {
-  ExternalConnection, ExternalConnectionCollection, Fetch, ExternalConnectionCollectionResponse,
+  ExternalConnection, ExternalConnectionCollection, ExternalConnectionCollectionResponse, Fetch,
 } from '@/models';
-import { ExternalConnectionProviders } from "@/definitions";
+import { ExternalConnectionProviders } from '@/definitions';
 import { defineStore } from 'pinia';
-import { ref, computed } from 'vue';
+import { computed, ref } from 'vue';
 
 // eslint-disable-next-line import/prefer-default-export
 export const useExternalConnectionsStore = defineStore('externalConnections', () => {
@@ -14,19 +14,22 @@ export const useExternalConnectionsStore = defineStore('externalConnections', ()
   const zoom = ref<ExternalConnection[]>([]);
   const fxa = ref<ExternalConnection[]>([]);
   const google = ref<ExternalConnection[]>([]);
+  const caldav = ref<ExternalConnection[]>([]);
   const connections = computed((): ExternalConnectionCollection => ({
     // FXA should be at the top since it represents the Appointment subscriber.
     fxa: fxa.value,
     google: google.value,
     zoom: zoom.value,
+    caldav: caldav.value,
   }));
 
   /**
    * Get all external connections for current user
    * @param call preconfigured API fetch function
+   * @param force
    */
-  const fetch = async (call: Fetch) => {
-    if (isLoaded.value) {
+  const fetch = async (call: Fetch, force = false) => {
+    if (isLoaded.value && !force) {
       return;
     }
 
@@ -34,6 +37,7 @@ export const useExternalConnectionsStore = defineStore('externalConnections', ()
     zoom.value = data.value?.zoom ?? [];
     fxa.value = data.value?.fxa ?? [];
     google.value = data.value?.google ?? [];
+    caldav.value = data.value?.caldav ?? [];
     isLoaded.value = true;
   };
 
@@ -44,6 +48,7 @@ export const useExternalConnectionsStore = defineStore('externalConnections', ()
     zoom.value = [];
     fxa.value = [];
     google.value = [];
+    caldav.value = [];
     isLoaded.value = false;
   };
 
@@ -55,13 +60,18 @@ export const useExternalConnectionsStore = defineStore('externalConnections', ()
     } else if (provider === ExternalConnectionProviders.Google) {
       await router.push('/settings/calendar');
     }
+    // CalDAV is handled in the modal
   };
 
-  const disconnect = async (call: Fetch, provider: ExternalConnectionProviders) => {
+  const disconnect = async (call: Fetch, provider: ExternalConnectionProviders, typeId: string|null = null) => {
     if (provider === ExternalConnectionProviders.Zoom) {
       return call('zoom/disconnect').post();
     } if (provider === ExternalConnectionProviders.Google) {
       return call('google/disconnect').post();
+    } if (provider === ExternalConnectionProviders.Caldav) {
+      return call('caldav/disconnect').post({
+        type_id: typeId,
+      });
     }
 
     return null;
diff --git a/frontend/src/stores/ftue-store.ts b/frontend/src/stores/ftue-store.ts
index 0872632f1..115e393bc 100644
--- a/frontend/src/stores/ftue-store.ts
+++ b/frontend/src/stores/ftue-store.ts
@@ -23,16 +23,16 @@ export const useFTUEStore = defineStore('FTUE', () => {
   const stepList: Record<FtueStep, FtueState> = {
     [FtueStep.SetupProfile]: {
       previous: null,
-      next: FtueStep.GooglePermissions,
+      next: FtueStep.CalendarProvider,
       title: 'ftue.steps.setupProfile',
     },
-    [FtueStep.GooglePermissions]: {
+    [FtueStep.CalendarProvider]: {
       previous: FtueStep.SetupProfile,
       next: FtueStep.ConnectCalendars,
-      title: 'ftue.steps.googlePermissions',
+      title: 'ftue.steps.calendarProvider',
     },
     [FtueStep.ConnectCalendars]: {
-      previous: FtueStep.GooglePermissions,
+      previous: FtueStep.CalendarProvider,
       next: FtueStep.SetupSchedule,
       title: 'ftue.steps.connectCalendars',
     },
diff --git a/frontend/src/utils.ts b/frontend/src/utils.ts
index 7cd654534..3b67cd043 100644
--- a/frontend/src/utils.ts
+++ b/frontend/src/utils.ts
@@ -1,17 +1,20 @@
 // get the first key of given object that points to given value
 import { ColorSchemes } from '@/definitions';
-import { CustomEventData, Coloring, EventPopup, HTMLElementEvent, CalendarEvent } from './models';
+import { Ref } from 'vue';
+import {
+  CustomEventData, Coloring, EventPopup, HTMLElementEvent, CalendarEvent, PydanticException,
+} from './models';
 
 /**
 * Lowercases the first character of a string
 */
-export const lcFirst = (s: string): string => {  
-  if (typeof s !== 'string' || !s) { 
+export const lcFirst = (s: string): string => {
+  if (typeof s !== 'string' || !s) {
     return '';
   }
- 
-  return s[0].toLowerCase() + s.slice(1)
-}
+
+  return s[0].toLowerCase() + s.slice(1);
+};
 
 // Convert a numeric enum to an object for key-value iteration
 export const enumToObject = (e: Object): { [key in string]: number } => {
@@ -24,10 +27,10 @@ export const enumToObject = (e: Object): { [key in string]: number } => {
 export const keyByValue = (o: Object, v: number|string, isEnum = false): number|string => {
   const e = isEnum ? enumToObject(o) : o;
   return Object.keys(e).find((k) => e[k] === v);
-}
+};
 
 // create event color for border and background, inherited from calendar color attribute
-export const eventColor = (event: CustomEventData, placeholder: Boolean): Coloring => {
+export const eventColor = (event: CustomEventData, placeholder: boolean): Coloring => {
   const color = {
     border: null,
     background: null,
@@ -156,6 +159,53 @@ export const getAccessibleColor = (hexcolor: string): string => {
   return (yiq >= 160) ? 'black' : 'white';
 };
 
+/**
+ * Handles Pydantic errors, returns a form-level error message
+ * or null if the error has to do with individual fields
+ * @param i18n - i18n instance
+ * @param formRef
+ * @param errObj
+ */
+export const handleFormError = (i18n: any, formRef: Ref, errObj: PydanticException) => {
+  if (!errObj) {
+    return i18n('error.somethingWentWrong');
+  }
+
+  const fields = formRef.value.elements;
+  const { detail } = errObj;
+
+  if (Array.isArray(detail)) {
+    detail.forEach((err) => {
+      const name = err?.loc[1];
+      if (name) {
+        // Could either be in the context, or as a general message
+        const msg = err?.ctx?.reason ?? err.msg;
+        fields[name].setCustomValidity(msg);
+      }
+    });
+  } else if (typeof detail === 'string') { // HttpException errors are just strings
+    return detail;
+  } else {
+    return detail.message;
+  }
+
+  // Finally report it!
+  formRef.value.reportValidity();
+  return null;
+};
+
+/**
+ * Clears any existing form errors
+ * @param formRef
+ */
+export const clearFormErrors = (formRef: Ref) => {
+  const { elements } = formRef.value;
+  // HTMLCollection doesn't support .forEach lol
+  for (const element of elements) {
+    element.setCustomValidity('');
+  }
+};
+
 export default {
   keyByValue,
   eventColor,
@@ -166,4 +216,5 @@ export default {
   showEventPopup,
   getAccessibleColor,
   getLocale,
+  handleFormError,
 };
diff --git a/frontend/src/views/FirstTimeUserExperienceView.vue b/frontend/src/views/FirstTimeUserExperienceView.vue
index 0ab94863d..83866be43 100644
--- a/frontend/src/views/FirstTimeUserExperienceView.vue
+++ b/frontend/src/views/FirstTimeUserExperienceView.vue
@@ -6,7 +6,7 @@ import { useI18n } from 'vue-i18n';
 import { FtueStep } from '@/definitions';
 import { refreshKey } from '@/keys';
 import WordMark from '@/elements/WordMark.vue';
-import GooglePermissions from '@/components/FTUE/GooglePermissions.vue';
+import GooglePermissions from '@/components/FTUE/CalendarProvider.vue';
 import SetupProfile from '@/components/FTUE/SetupProfile.vue';
 import ConnectCalendars from '@/components/FTUE/ConnectCalendars.vue';
 import SetupSchedule from '@/components/FTUE/SetupSchedule.vue';
@@ -52,7 +52,7 @@ onMounted(async () => {
         </div>
         <div class="modal-body flex w-full flex-col items-center justify-center">
           <setup-profile v-if="currentStep === FtueStep.SetupProfile"/>
-          <google-permissions v-else-if="currentStep === FtueStep.GooglePermissions"/>
+          <google-permissions v-else-if="currentStep === FtueStep.CalendarProvider"/>
           <connect-calendars v-else-if="currentStep === FtueStep.ConnectCalendars"/>
           <setup-schedule v-else-if="currentStep === FtueStep.SetupSchedule"/>
           <connect-video v-else-if="currentStep === FtueStep.ConnectVideoConferencing"/>
diff --git a/frontend/src/views/LoginView.vue b/frontend/src/views/LoginView.vue
index 72b304285..cbfa24053 100644
--- a/frontend/src/views/LoginView.vue
+++ b/frontend/src/views/LoginView.vue
@@ -20,6 +20,7 @@ import HomeView from '@/views/HomeView.vue';
 import TextInput from '@/tbpro/elements/TextInput.vue';
 import PrimaryButton from '@/tbpro/elements/PrimaryButton.vue';
 import WordMark from '@/elements/WordMark.vue';
+import { handleFormError } from '@/utils';
 
 // component constants
 const user = useUserStore();
@@ -58,27 +59,6 @@ onMounted(() => {
   }
 });
 
-const handleFormError = (errObj: PydanticException) => {
-  const { detail } = errObj;
-  const fields = formRef.value.elements;
-
-  if (Array.isArray(detail)) { // Pydantic errors
-    detail.forEach((err) => {
-      const name = err?.loc[1];
-      if (name) {
-        fields[name].setCustomValidity(err.ctx.reason);
-      }
-    });
-  } else if (typeof detail === 'string') { // HttpException errors are just strings
-    loginError.value = detail;
-  } else {
-    loginError.value = detail.message;
-  }
-
-  // Finally report it!
-  formRef.value.reportValidity();
-};
-
 /**
  * Sign up for the beta / waiting list
  */
@@ -95,7 +75,7 @@ const signUp = async () => {
 
   if (error?.value) {
     // Handle error
-    handleFormError(data.value as PydanticException);
+    loginError.value = handleFormError(t, formRef, data.value as PydanticException);
     isLoading.value = false;
     return;
   }
@@ -136,8 +116,7 @@ const login = async () => {
 
     if (error?.value) {
       // Handle error
-
-      handleFormError(canLogin.value as PydanticException);
+      loginError.value = handleFormError(t, formRef, canLogin.value as PydanticException);
       isLoading.value = false;
       return;
     }
@@ -163,7 +142,7 @@ const login = async () => {
     const { error, data }: AuthUrlResponse = await call(`fxa_login?${params}`).get().json();
 
     if (error.value) {
-      handleFormError(data.value as PydanticException);
+      loginError.value = handleFormError(t, formRef, data.value as PydanticException);
       isLoading.value = false;
       return;
     }