fix: address review security feedback — use security definer RPCs for invite flow

Replace overly permissive RLS policies with security definer functions:

- get_invite_by_token: bypasses RLS for token lookup, works for anon+authenticated
- accept_invite: atomically marks invite accepted and inserts member with the
  invite's role, preventing role escalation and column tampering

Remove unused props (token, workspaceId, role) from InviteAccept component.

Co-authored-by: Ona <no-reply@ona.com>

Author: zacharias-ona

src/app/(auth)/invite/[token]/page.tsx

@@ -16,12 +16,13 @@ export default async function InviteAcceptPage({
   const { token } = await params;
   const supabase = await createClient();
 
-  // Look up the invite by token
-  const { data: invite } = await supabase
-    .from("workspace_invites")
-    .select("*, workspaces(name, slug)")
-    .eq("token", token)
-    .maybeSingle();
+  // Look up the invite by token via security definer function.
+  // Works for both anon and authenticated users.
+  const { data: invites } = await supabase.rpc("get_invite_by_token", {
+    invite_token: token,
+  });
+
+  const invite = invites?.[0] ?? null;
 
   if (!invite) {
     return (
@@ -39,16 +40,14 @@ export default async function InviteAcceptPage({
   }
 
   if (invite.accepted_at) {
-    // Supabase join returns the relation as an opaque type; cast is unavoidable
-    const ws = invite.workspaces as unknown as { name: string; slug: string };
     return (
       <Card>
         <CardHeader>
           <CardTitle className="text-2xl font-semibold">
             Already accepted
           </CardTitle>
           <CardDescription>
-            This invite to {ws?.name} has already been accepted.
+            This invite to {invite.workspace_name} has already been accepted.
           </CardDescription>
         </CardHeader>
       </Card>
@@ -70,9 +69,6 @@ export default async function InviteAcceptPage({
     );
   }
 
-  // Supabase join returns the relation as an opaque type; cast is unavoidable
-  const ws = invite.workspaces as unknown as { name: string; slug: string };
-
   // Check if the current user is authenticated
   const {
     data: { user },
@@ -82,7 +78,7 @@ export default async function InviteAcceptPage({
     <Card>
       <CardHeader>
         <CardTitle className="text-2xl font-semibold">
-          Join {ws?.name}
+          Join {invite.workspace_name}
         </CardTitle>
         <CardDescription>
           You&apos;ve been invited to join as {invite.role === "admin" ? "an" : "a"}{" "}
@@ -91,12 +87,9 @@ export default async function InviteAcceptPage({
       </CardHeader>
       <CardContent>
         <InviteAccept
-          token={token}
           inviteId={invite.id}
-          workspaceId={invite.workspace_id}
-          workspaceSlug={ws?.slug ?? ""}
+          workspaceSlug={invite.workspace_slug ?? ""}
           email={invite.email}
-          role={invite.role}
           isAuthenticated={!!user}
           userEmail={user?.email ?? null}
         />

src/components/members/invite-accept.tsx

@@ -5,25 +5,19 @@ import { useRouter } from "next/navigation";
 import Link from "next/link";
 import { createClient } from "@/lib/supabase/client";
 import { Button } from "@/components/ui/button";
-import type { InviteRole } from "@/lib/types";
 
 interface InviteAcceptProps {
-  token: string;
   inviteId: string;
-  workspaceId: string;
   workspaceSlug: string;
   email: string;
-  role: InviteRole;
   isAuthenticated: boolean;
   userEmail: string | null;
 }
 
 export function InviteAccept({
   inviteId,
-  workspaceId,
   workspaceSlug,
   email,
-  role,
   isAuthenticated,
   userEmail,
 }: InviteAcceptProps) {
@@ -76,52 +70,23 @@ export function InviteAccept({
 
     const supabase = createClient();
 
-    const {
-      data: { user },
-    } = await supabase.auth.getUser();
-
-    if (!user) {
-      setError("You must be signed in to accept this invite.");
-      setAccepting(false);
-      return;
-    }
-
-    // Insert the member row
-    const { error: memberError } = await supabase.from("members").insert({
-      workspace_id: workspaceId,
-      user_id: user.id,
-      role,
-      joined_at: new Date().toISOString(),
+    // Use the security definer RPC which atomically marks the invite as
+    // accepted and inserts the member with the correct role from the invite.
+    const { error: acceptError } = await supabase.rpc("accept_invite", {
+      invite_id: inviteId,
     });
 
-    if (memberError) {
-      // If already a member, treat as success
-      if (memberError.message.includes("duplicate key")) {
-        // Mark invite as accepted anyway
-        await supabase
-          .from("workspace_invites")
-          .update({ accepted_at: new Date().toISOString() })
-          .eq("id", inviteId);
-
+    if (acceptError) {
+      // Duplicate key means already a member — treat as success
+      if (acceptError.message.includes("duplicate key")) {
         router.push(`/${workspaceSlug}`);
         return;
       }
-      setError(memberError.message);
+      setError(acceptError.message);
       setAccepting(false);
       return;
     }
 
-    // Mark the invite as accepted
-    const { error: acceptError } = await supabase
-      .from("workspace_invites")
-      .update({ accepted_at: new Date().toISOString() })
-      .eq("id", inviteId);
-
-    if (acceptError) {
-      // Member was already created, so redirect anyway
-      console.error("Failed to mark invite as accepted:", acceptError.message);
-    }
-
     router.push(`/${workspaceSlug}`);
   }
 

supabase/migrations/20260415110850_workspace_members_invite_accept.sql

@@ -1,39 +1,83 @@
--- Additional RLS policies for the workspace members invite/accept flow.
+-- Additional RLS policies and functions for the workspace members invite/accept flow.
 -- The base tables and core policies exist in 20260415092907_create_schema.sql.
 
--- Allow any authenticated user to read an invite by its token.
--- Needed for the /invite/[token] accept page where the user
--- may not be the admin but is the invitee.
-create policy "authenticated users can read invite by token"
-  on workspace_invites for select
-  to authenticated
-  using (true);
+-- Lookup an invite by token. Uses security definer to bypass RLS so both
+-- anon (unauthenticated) and authenticated users can view the invite page.
+-- Tokens are unguessable UUIDs, so exposing a single row by exact match is safe.
+create or replace function get_invite_by_token(invite_token text)
+returns table (
+  id uuid,
+  workspace_id uuid,
+  email text,
+  role invite_role,
+  invited_by uuid,
+  token text,
+  expires_at timestamptz,
+  accepted_at timestamptz,
+  created_at timestamptz,
+  workspace_name text,
+  workspace_slug text
+)
+language sql
+stable
+security definer
+set search_path = ''
+as $$
+  select
+    wi.id,
+    wi.workspace_id,
+    wi.email,
+    wi.role,
+    wi.invited_by,
+    wi.token,
+    wi.expires_at,
+    wi.accepted_at,
+    wi.created_at,
+    w.name as workspace_name,
+    w.slug as workspace_slug
+  from public.workspace_invites wi
+  join public.workspaces w on w.id = wi.workspace_id
+  where wi.token = invite_token;
+$$;
 
--- Allow invited users to mark their own invite as accepted.
--- Matches on email (case-insensitive) and only allows updating unaccepted invites.
-create policy "invited users can accept their invite"
-  on workspace_invites for update
-  to authenticated
-  using (lower(email) = lower(auth.jwt() ->> 'email') and accepted_at is null)
-  with check (lower(email) = lower(auth.jwt() ->> 'email'));
+-- Accept an invite: marks the invite as accepted and inserts the member row.
+-- Uses security definer to enforce that only accepted_at is set on the invite
+-- and the member role matches the invite role (preventing escalation).
+create or replace function accept_invite(invite_id uuid)
+returns void
+language plpgsql
+security definer
+set search_path = ''
+as $$
+declare
+  v_invite record;
+begin
+  -- Lock and validate the invite
+  select * into v_invite
+  from public.workspace_invites
+  where id = invite_id
+    and lower(email) = lower(auth.jwt() ->> 'email')
+    and accepted_at is null
+    and expires_at > now()
+  for update;
 
--- Allow users to insert themselves as a member when accepting an invite.
--- Verifies a valid, unexpired, unaccepted invite exists for their email.
-create policy "invited users can join via invite"
-  on members for insert
-  to authenticated
-  with check (
-    user_id = auth.uid()
-    and exists (
-      select 1 from workspace_invites
-      where workspace_invites.workspace_id = members.workspace_id
-        and lower(workspace_invites.email) = lower(auth.jwt() ->> 'email')
-        and workspace_invites.accepted_at is null
-        and workspace_invites.expires_at > now()
-    )
-  );
+  if not found then
+    raise exception 'Invalid, expired, or already accepted invite';
+  end if;
+
+  -- Mark invite as accepted
+  update public.workspace_invites
+  set accepted_at = now()
+  where id = invite_id;
+
+  -- Insert member with the role from the invite (prevents role escalation)
+  insert into public.members (workspace_id, user_id, role, joined_at)
+  values (v_invite.workspace_id, auth.uid(), v_invite.role::text::public.member_role, now())
+  on conflict (workspace_id, user_id) do nothing;
+end;
+$$;
 
 -- Allow members to remove themselves from a workspace (leave).
 create policy "members can remove themselves"
   on members for delete
-  using (user_id = auth.uid());
+  using (user_id = auth.uid());