Invite code api #1191

Open
drunkplato opened this issue Mar 2, 2023 · 3 comments

@drunkplato
Contributor

drunkplato commented Mar 2, 2023

Details

We need a simple system for managing non-hosted accounts and invite codes. It can be fairly simple.

  • admin route to generate codes (single or multiuse)
  • create a non-hosted account with an invite code (must have remaining uses)
    • send a verification email
  • verify non-hosted account email route, on non-hosted verification, return a unique long term token associated with that account.
  • change email for non-hosted email route.
  • Let users who've already entered a code load their non-hosted account token on a new computer so they can access Realm.

routes

  • POST /invite-code/generate: admin route to generate invite codes
  • POST /non-hosted: takes in an invite code and email, returns a UUID, and sends a verification email
  • POST /non-hosted/<id>/resend-email-verification: resends a verification email to the account with the id.
  • POST /non-hosted/<id>/verify-email: takes in the email code and returns a long term token.
  • POST /non-hosted/<id>/change-email: token passed in and sends a change verification email to the new email.
  • POST /non-hosted/<id>/verify-change-email: verify code passed in and sets temp new email as the email
  • POST /non-host/get-account: takes in the email address and sends a verification email if the email exists in the system. The email verification code can then be used with the verify-email route to get the long term token. This is to be used to let a self-hosted user get into Realm on a spare computer or if they delete and reinstall Realm.
  • POST /non-host/check-token: empty body but bearer token in header, server signs a response with a private key that Realm can verify with a public key. If invalid signature, we won't let them login.

tables

nonhosted_account

    id                         text       not null    primary key,
    email                      text,
    "emailVerificationCode"    text,
    "newEmail"                 text,
    "newEmailVerificationCode" text,
    "previousEmails"           text[],
    token                      text,
    "inviteCode"               text,
    "createdAt"                timestamp(3) default CURRENT_TIMESTAMP not null

nonhosted_invitecode

    "inviteCode"               text       not null    primary key,
    remainingUses              integer,
    timesRedeemed              integer,
    "givenOut"                 boolean default false not null,
    "expiresAt"                timestamp(3),
    "createdAt"                timestamp(3) default CURRENT_TIMESTAMP not null

Postman example spec

Feel free to change the route path to something that makes sense to you.

Currently using: POST /non-hosted as a template.

Should be under the holium.network collection in the Invite codes folder.
https://holium.postman.co/workspace/Holium~6c78df5f-f036-4f38-8c02-9bb2d0db9918/collection/13287692-74f37554-e3c5-4b25-9846-2540d765f6c9?action=share&creator=13287692
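
The check-token exchange described in this issue, as an added sketch that is not part of the issue or of Holium's code: the server signs a small statement and the client verifies it with the bundled public key. Ed25519, the payload field names, the token-hash binding and the 60-second freshness window are assumptions made here so that a captured response cannot be reused for another token or at a later time.

```javascript
// Added example, not Holium code. Field names and the 60 s window are assumptions.
const crypto = require('node:crypto');

const MAX_AGE_MS = 60_000; // assumed freshness window, also tolerates small clock skew

// Constructed key pair for the demo. In the design described above the private
// key stays on the server and only the public key ships with Realm.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

const tokenHash = (token) =>
  crypto.createHash('sha256').update(token).digest('hex');

// Server side: sign a statement bound to this token and to the current time.
function signCheckResponse(token, tokenIsValid, now = Date.now()) {
  const payload = JSON.stringify({
    valid: tokenIsValid,
    tokenHash: tokenHash(token),
    issuedAt: now,
  });
  // Ed25519 takes no separate digest algorithm, hence null.
  const signature = crypto.sign(null, Buffer.from(payload), privateKey);
  return { payload, signature: signature.toString('base64') };
}

// Client side: verify the signature over the exact bytes received, and only
// then parse the payload and check validity, token binding and freshness.
function verifyCheckResponse(token, response, now = Date.now()) {
  const sigOk = crypto.verify(
    null,
    Buffer.from(response.payload),
    publicKey,
    Buffer.from(response.signature, 'base64'),
  );
  if (!sigOk) return false;
  const claims = JSON.parse(response.payload);
  if (claims.valid !== true) return false;
  if (claims.tokenHash !== tokenHash(token)) return false;
  return Math.abs(now - claims.issuedAt) <= MAX_AGE_MS;
}
```

The client fails closed: a bad signature, a response issued for a different token, or a stale response all return false.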

@drunkplato drunkplato added the api https://github.com/holium/api label Mar 2, 2023
@Tenari
Contributor

Tenari commented Mar 13, 2023

@Tenari Tenari self-assigned this Mar 17, 2023
@Tenari
Contributor

Tenari commented Mar 17, 2023

make sure to test that this sort of problem is handled by the new api #1244

@drunkplato
Contributor Author

test this case: #1153
