Allow multiple project invites for one user #1043
Commits on Sep 27, 2024
Allow users to accept multiple invitations
Now that we use invitation links for both projects and orgs, it will start to become rather common for someone to receive an org invitation and a project invitation within the same few minutes. So we need to allow users to click on invitation links even if they already have a Lexbox account.
Commit c6defcc
Add check to prevent request forgery
Without this check, it would be possible for someone who manages to intercept someone else's email (by social engineering or other means) to forge a project invitation request, reusing the still-valid JWT from the genuine user.
Commit e330e2b
Forbid changing email when accepting invite
No backend checks yet, this is just frontend for now.
Commit 2c4a369
Commit 2f50e02
Attempt to add GQL query for looking up user
This fails: despite the AllowAnonymous, the GraphQL query is being rejected because the RegisterAccount audience is not allowed to use GQL queries. I'll need to find some other way to do this.
Commit 367ef4e
Don't use GQL queries, use alternate page
Instead of GQL queries to check if the user already exists, we put the logic into LoginController. This works: users can now receive multiple invitation links, and only see the registration page if they have not registered yet. If they have registered before, they're taken to an alternate URL that logs them in immediately. Still to do: ensure that the acceptInvitation backend doesn't throw an error if the user is already a member of the project, but just silently returns success if we're already in the desired state.
Commit 90c844b
Don't error if same invite accepted twice
If a user clicks the same invitation link twice, he should not get an error message, he should just be taken to his home page. He's already a member of the project, so trying to join the project should not error but just succeed silently.
Commit dac00ce
Commit c332eeb
Center turnstile component in accept-quickly page
This allows the turnstile component to double as a visual indicator to the user that things are progressing.
Commit 5d7705b
Commit 6845e94
Commit 3fe27a9
Address CodeQL security concern
Ensure that LoginRedirect can never be used to redirect to a different site. In the future we may whitelist certain domains such as lexbox.org, but for now we just strip off the hostname and make sure it has to be a relative URL.
Commit f956a60
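The rule this commit describes (drop the hostname, accept only a site-relative path) written out as an added example in C#; this is not code from the Lexbox repository, and the LocalRedirectGuard class, its method names and the sample URLs are assumptions. ASP.NET Core's own Url.IsLocalUrl and Controller.LocalRedirect apply the same relative-only rule and are the framework-supported way to enforce it.

```csharp
#nullable enable
using System;

// Added example, not code from the Lexbox repository. It demonstrates the rule
// the commit describes: whatever arrives as a post-login redirect target, drop
// any scheme and host and accept only a path that stays on this site.
public static class LocalRedirectGuard
{
    // Hypothetical helper. Returns a site-local path such as "/project/abc?x=1",
    // or null when the value must not be used as a redirect target.
    public static string? ToLocalPath(string? returnUrl)
    {
        var candidate = (returnUrl ?? string.Empty).Trim();
        if (candidate.Length == 0) return null;

        if (candidate[0] == '/')
        {
            // Already a path. Browsers read "//host/x" and "/\host/x" as
            // protocol-relative links to another host, so a second slash or
            // backslash is rejected; anything else is kept as-is.
            return IsSiteLocal(candidate) ? candidate : null;
        }

        // Otherwise it must be an absolute URI of some scheme (https://, javascript:,
        // mailto:, ...). Keep only path and query, which discards the hostname; a
        // non-hierarchical scheme yields no leading '/' and is rejected below.
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out var absolute)) return null;
        var stripped = absolute.PathAndQuery;
        return IsSiteLocal(stripped) ? stripped : null;
    }

    // Exactly one leading '/' and no protocol-relative second character.
    private static bool IsSiteLocal(string path) =>
        path.Length > 0 && path[0] == '/'
        && (path.Length == 1 || (path[1] != '/' && path[1] != '\\'));

    public static void Main()
    {
        // Constructed sample inputs covering the cases a reviewer would probe.
        string?[] samples =
        {
            "/project/abc123?tab=members",            // kept as-is
            "https://lexbox.example/project/abc123",  // host stripped, path kept
            "https://attacker.example/phish",         // host stripped, path kept
            "//attacker.example/phish",               // protocol-relative: rejected
            "/\\attacker.example/phish",              // backslash variant: rejected
            "javascript:alert(1)",                    // non-hierarchical: rejected
            "project/abc123",                         // no leading '/': rejected
            null,                                     // rejected
        };
        foreach (var s in samples)
            Console.WriteLine($"{s ?? "<null>",-42} -> {ToLocalPath(s) ?? "<rejected>"}");
    }
}
```

The caller should treat a null result as "use the default landing page" rather than as an error, since a malformed return URL is not something the user can fix. Stripping the host and keeping the path (rather than rejecting every absolute URL outright) matches what the commit message describes; if a hostname allow-list such as lexbox.org is added later, it belongs in the absolute-URI branch before the host is discarded.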
First draft of redirecting server-side
WIP. Not yet tested, probably not yet functional.
Commit d64f87a
Better approach than changing LoginRedirect
Rather than redirect to the frontend and then query the backend to find out if the user already exists, let's redirect to a backend endpoint, which will then decide which frontend page to redirect to. A double redirect may not be ideal, but it's better than special-case code in the LoginRedirect method.
Commit ebdc6a3
Commit 9d293ca
Delete no-longer-needed frontend page
Back to just a single frontend page for accepting invites — great.
Commit 7fa7a3b
Commit 23120bc
Handle edge case of registering existing email
This can only happen if an admin creates the account while the user was filling out the registration page, so this probably will never happen.
Commit f431e9f
Remove unneeded method parameters
These services are already injected in the constructor.
Commit 8b939a1
Commit 208556f