Properly implement a guest confirmation flow for new impersonation prevention setting #24505
Description
We recently merged in a feature that allows users to enable a setting to prevent impersonation. More details here.
While working on it, it was noticed that when someone that had this setting enabled (or was part of the env variable) was added as guest, they were just filtered out and nothing else happened. They never knew about the invitation at all.
In a quick chat with @keith and further approval from @carina we agreed that this needed to change. A session with Devin was started for this here.
An excerpt from the session request:
(…) a few things need to happen:
- A guest that is currently filtered out needs to be placed on some sort of pending state.
- An email needs to be sent to this guest in order to confirm them being added as guests.
- The email should contain a button (and link) that routes to a new api route for this.
- The link should contain an OTP similar to the current OTP verification mechanism that are in place.
- The API route should verify the OTP, then route depending on the result:
- Invalid OTP -> Client side error page that shows "Unable to verify OTP, you've not been added to the meeting.": For now nothing else.
- Valid OTP -> Client side success page that shows "You've been added to the meeting as a guest".
- The API route should work whether someone is signed in or not since the OTP already takes care of ownership of the mail.
- The API route should promote the guest from pending state to the normal flow of guests when the OTP was valid and do nothing other than routing stated in point 6. when invalid.