feat: Use new generated links within the UI and emails if feature is enabled #23962
Conversation
No issues found across 8 files
| inviteAcceptUrl = `${domain}/signup?token=${token}`; | ||
| } else { | ||
| // Use legacy invite links when feature flag is disabled | ||
| inviteAcceptUrl = `${domain}/signup?inviterId=${owner.id}&inviteeId=${id}`; |
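Review bot: the comment on the legacy branch should say explicitly that the `/signup` endpoint keeps accepting `inviterId`/`inviteeId` whenever the flag is off, so the guessable-link exposure this PR addresses remains for any instance that has not enabled it; the hunk also shows only `inviteAcceptUrl = `${domain}/signup?token=${token}`;` being built, so a short note on what the token carries (at minimum that it is signed and has an expiry) next to that line would help the reviewer of the upcoming signup handler.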
So the issue was that previously, with brute force, you could find a working invite link and add yourself to a random org, but now, because we sign it with JWT, we can validate that the link was actually signed correctly and is therefore safe?
Exactly, you can no longer just provide an arbitrary inviteeId, as you'd need a method of signing the token to spoof that it came from the back-end.
noice! thanks :)
PR LGTM but let's rather wait for someone with more context to approve ;)
guillaumejacquart
left a comment
Approved with minor comments. Signup handler will come next, is that right?
Summary
Adds a feature-flag-gated implementation of tamper-proof invite links for the UI > Settings > Users page where users are invited. Also updates the backend for email-configured instances when sending out emails.
PAY-4394
Related Linear tickets, Github issues, and Community forum posts