Skip to content

feat: Change resolveSignupToken to use new JWT for invite urls #23995

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
BGZStephen wants to merge 9 commits into
base: master
Choose a base branch
from
Open

feat: Change resolveSignupToken to use new JWT for invite urls #23995

BGZStephen wants to merge 9 commits into from
+0 −0

Conversation

@BGZStephen
Copy link
Contributor

@BGZStephen BGZStephen commented Jan 7, 2026

Summary

This PR updates resolveSignupToken to use the new JWT for validating invite urls IF the feature is enabled

Related Linear tickets, Github issues, and Community forum posts

PAY-4392

Review / Merge checklist

  • PR title and summary are descriptive. (conventions)
  • Docs updated or follow-up ticket created.
  • Tests included.
  • PR Labeled with release/backport (if the PR is an urgent fix that needs to be backported)

@n8n-assistant n8n-assistant bot added core Enhancement outside /nodes-base and /editor-ui n8n team Authored by the n8n team labels Jan 7, 2026
@codecov
Copy link

codecov bot commented Jan 7, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 80.55556% with 7 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
packages/cli/src/services/user.service.ts 78.78% 7 Missing ⚠️

📢 Thoughts on this report? Let us know!

@blacksmith-sh

This comment has been minimized.

Sign in to view
cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Jan 7, 2026
View reviewed changes
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

3 issues found across 5 files

Prompt for AI agents (all issues) 

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="packages/cli/src/controllers/__tests__/auth.controller.test.ts">

<violation number="1" location="packages/cli/src/controllers/__tests__/auth.controller.test.ts:576">
P2: Test title doesn't match what's being tested. The title says "neither token nor inviterId/inviteeId are provided" but the payload actually contains `inviterId`. Consider either:
1. Renaming to "throws BadRequestError if only inviterId is provided without inviteeId", or
2. Changing the payload to `{} as ResolveSignupTokenQueryDto` to match the current title</violation>
</file>

<file name="packages/cli/src/services/user.service.ts">

<violation number="1" location="packages/cli/src/services/user.service.ts:454">
P1: `getInvitationIdsFromPayload()` gates JWT vs legacy parsing using the **instance owner’s** feature flags, but `sendEmails()` chooses JWT vs legacy based on the **inviter’s** feature flags. This mismatch can cause valid invite URLs to be rejected (and invalid formats accepted) depending on who created the invite link. Consider determining the flag based on the inviter (token.inviterId after verification, or payload.inviterId for legacy) rather than the global owner.</violation>

<violation number="2" location="packages/cli/src/services/user.service.ts:464">
P2: `getInvitationIdsFromPayload()` calls `postHog.getFeatureFlags()` without a timeout, even though this file already documents PostHog can block ~10s (plus retries). Consider applying the same `Promise.race` timeout pattern (or other bounded timeout) here to avoid slow invite resolution when PostHog is degraded.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

@currents-bot
Copy link

currents-bot bot commented Jan 7, 2026
edited
Loading

E2E Tests: n8n tests passed after 4m 17.7s

🟢 45 · 🔴 0 · ⚪️ 1

View Run Details

Run Details

  • Project: n8n

  • Groups: 1

  • Framework: Playwright

  • Run Status: Passed

  • Commit: 768be08

  • Spec files: 10

  • Overall tests: 46

  • Duration: 4m 17.7s

  • Parallelization: 1

This message was posted automatically by currents.dev | Integration Settings

Base automatically changed from PAY-4394-use-tamper-proof-links-in-invites-ui to master January 8, 2026 09:20
@BGZStephen BGZStephen requested review from a team, afitzek and cstuncsik and removed request for a team January 8, 2026 09:25
BGZStephen
BGZStephen commented Jan 8, 2026
View reviewed changes
guillaumejacquart
guillaumejacquart reviewed Jan 8, 2026
View reviewed changes
Copy link
Contributor

@guillaumejacquart guillaumejacquart left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 comment, otherwise LGTM

@BGZStephen BGZStephen changed the title feat: resolveSignupToken to use new JWT for invite urls feat: Change resolveSignupToken to use new JWT for invite urls Jan 8, 2026
@blacksmith-sh

This comment has been minimized.

Sign in to view
@BGZStephen BGZStephen enabled auto-merge January 8, 2026 14:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@cstuncsik cstuncsik Awaiting requested review from cstuncsik cstuncsik was automatically assigned from n8n-io/payday

@afitzek afitzek Awaiting requested review from afitzek

@guillaumejacquart guillaumejacquart Awaiting requested review from guillaumejacquart

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

core Enhancement outside /nodes-base and /editor-ui n8n team Authored by the n8n team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@BGZStephen @guillaumejacquart