[VPAT-51] fix: update workspace invitation flow to use token for validation #8508

- Modified the invite link to include a token for enhanced security. - Updated the WorkspaceJoinEndpoint to validate the token instead of the email. - Adjusted the workspace invitation task to generate links with the token. - Refactored the frontend to handle token in the invitation process. Co-authored-by: sriram veeraghanta <veeraghanta.sriram@gmail.com>
2026-02-24 04:00:14 +01:00 · 2026-02-17 00:02:18 +05:30
parent c8a800104c
commit ef5d481a19
4 changed files with 15 additions and 16 deletions
--- a/apps/api/plane/app/serializers/workspace.py
+++ b/apps/api/plane/app/serializers/workspace.py
@@ -111,7 +111,7 @@ class WorkSpaceMemberInviteSerializer(BaseSerializer):
    invite_link = serializers.SerializerMethodField()

    def get_invite_link(self, obj):
-        return f"/workspace-invitations/?invitation_id={obj.id}&email={obj.email}&slug={obj.workspace.slug}"
+        return f"/workspace-invitations/?invitation_id={obj.id}&slug={obj.workspace.slug}&token={obj.token}"

    class Meta:
        model = WorkspaceMemberInvite
--- a/apps/api/plane/app/views/workspace/invite.py
+++ b/apps/api/plane/app/views/workspace/invite.py
@@ -163,10 +163,10 @@ class WorkspaceJoinEndpoint(BaseAPIView):
    def post(self, request, slug, pk):
        workspace_invite = WorkspaceMemberInvite.objects.get(pk=pk, workspace__slug=slug)

-        email = request.data.get("email", "")
+        token = request.data.get("token", "")

-        # Check the email
-        if email == "" or workspace_invite.email != email:
+        # Validate the token to verify the user received the invitation email
+        if not token or workspace_invite.token != token:
            return Response(
                {"error": "You do not have permission to join the workspace"},
                status=status.HTTP_403_FORBIDDEN,
@@ -180,7 +180,7 @@ class WorkspaceJoinEndpoint(BaseAPIView):

            if workspace_invite.accepted:
                # Check if the user created account after invitation
-                user = User.objects.filter(email=email).first()
+                user = User.objects.filter(email=workspace_invite.email).first()

                # If the user is present then create the workspace member
                if user is not None:
--- a/apps/api/plane/bgtasks/workspace_invitation_task.py
+++ b/apps/api/plane/bgtasks/workspace_invitation_task.py
@@ -29,7 +29,7 @@ def workspace_invitation(email, workspace_id, token, current_site, inviter):

        # Relative link
        relative_link = (
-            f"/workspace-invitations/?invitation_id={workspace_member_invite.id}&email={email}&slug={workspace.slug}"  # noqa: E501
+            f"/workspace-invitations/?invitation_id={workspace_member_invite.id}&slug={workspace.slug}&token={token}"  # noqa: E501
        )

        # The complete url including the domain
--- a/apps/web/app/(all)/workspace-invitations/page.tsx
+++ b/apps/web/app/(all)/workspace-invitations/page.tsx
@@ -4,7 +4,6 @@
 * See the LICENSE file for details.
 */

-import React from "react";
 import { observer } from "mobx-react";
 import { useSearchParams } from "next/navigation";
 import useSWR from "swr";
@@ -34,8 +33,8 @@ function WorkspaceInvitationPage() {
  // query params
  const searchParams = useSearchParams();
  const invitation_id = searchParams.get("invitation_id");
-  const email = searchParams.get("email");
  const slug = searchParams.get("slug");
+  const token = searchParams.get("token");
  // store hooks
  const { data: currentUser } = useUser();

@@ -51,29 +50,29 @@ function WorkspaceInvitationPage() {
    workspaceService
      .joinWorkspace(invitationDetail.workspace.slug, invitationDetail.id, {
        accepted: true,
-        email: invitationDetail.email,
+        token: token,
      })
      .then(() => {
-        if (email === currentUser?.email) {
+        if (invitationDetail.email === currentUser?.email) {
          router.push(`/${invitationDetail.workspace.slug}`);
        } else {
-          router.push(`/?${searchParams.toString()}`);
+          router.push("/");
        }
      })
-      .catch((err) => console.error(err));
+      .catch((err: unknown) => console.error(err));
  };

  const handleReject = () => {
-    if (!invitationDetail) return;
-    workspaceService
+    if (!invitationDetail || !token) return;
+    void workspaceService
      .joinWorkspace(invitationDetail.workspace.slug, invitationDetail.id, {
        accepted: false,
-        email: invitationDetail.email,
+        token: token,
      })
      .then(() => {
        router.push("/");
      })
-      .catch((err) => console.error(err));
+      .catch((err: unknown) => console.error(err));
  };

  return (