ENG-1702 Invite new members in the group (#1027)

* eng-1702-invite-new-member

* Cucumber test for invitations, generated by Claude

* correction to web

* Forgot to add secret_token to supabase/config

* linting

* prettier

* group invitation test

* check token type; filename typo

* add the database tag to the test

* rename test file

* Review corrections

Author: maparent

apps/website/app/utils/supabase/account.ts

@@ -3,11 +3,11 @@ import type { DGSupabaseClient } from "@repo/database/lib/client";
 
 type AgentType = Database["public"]["Enums"]["AgentType"] | "group";
 
-export const getSessionUserData = async (
+export const getSessionBaseUserData = async (
   client: DGSupabaseClient,
 ): Promise<{
   id: string;
-  name: string;
+  name?: string;
   type: AgentType;
   email?: string;
 } | null> => {
@@ -36,16 +36,79 @@ export const getSessionUserData = async (
       return { name, id, email, type: "group" };
     }
   }
-  const accountReq = await client
-    .from("PlatformAccount")
-    .select("name")
-    .eq("dg_account", id)
-    .eq("agent_type", "person")
-    .maybeSingle();
-  if (accountReq.error || !accountReq.data) {
-    return null;
+  return { id, type: "person", email };
+};
+
+export const getSessionUserData = async (
+  client: DGSupabaseClient,
+): Promise<{
+  id: string;
+  name: string;
+  type: AgentType;
+  email?: string;
+} | null> => {
+  const data = await getSessionBaseUserData(client);
+  if (data === null) return null;
+  if (!data.name && data.type === "person") {
+    const accountReq = await client
+      .from("PlatformAccount")
+      .select("name")
+      .eq("dg_account", data.id)
+      .eq("agent_type", "person")
+      .maybeSingle();
+    if (accountReq.error || !accountReq.data?.name) {
+      return null;
+    }
+    return { ...data, name: accountReq.data.name };
   }
-  return { id, name: accountReq.data.name, type: "person", email };
+  const { name } = data;
+  if (name === undefined) return null;
+  if (data.name === undefined) return null;
+  return { ...data, name };
+};
+
+export const createGroupInvitation = async ({
+  client,
+  groupId,
+  admin = false,
+}: {
+  client: DGSupabaseClient;
+  groupId: string;
+  admin?: boolean;
+}): Promise<string | null> => {
+  const userData = await getSessionBaseUserData(client);
+  if (!userData) return null;
+  const membershipReq = await client
+    .from("group_membership")
+    .select("admin")
+    .eq("group_id", groupId)
+    .eq("member_id", userData.id)
+    .maybeSingle();
+  if (membershipReq.data?.admin !== true) return null;
+  /* eslint-disable @typescript-eslint/naming-convention */
+  const { data, error } = await client.rpc("create_secret_token", {
+    /* eslint-disable @typescript-eslint/naming-convention */
+    v_payload: { groupId, type: "groupInvitation", admin },
+    expiry_interval: "60d",
+    /* eslint-enable @typescript-eslint/naming-convention */
+  });
+  /* eslint-enable @typescript-eslint/naming-convention */
+  if (error || !data) return null;
+  return data;
+};
+
+export const acceptGroupInvitation = async (
+  client: DGSupabaseClient,
+  token: string,
+): Promise<string | null> => {
+  const userData = await getSessionBaseUserData(client);
+  if (!userData) return "Not logged in";
+  const { data, error } = await client.rpc("accept_group_invitation", {
+    token,
+  });
+  if (error) return error.message || "Unknown error";
+  if (!data) return "Unable to accept invitation";
+  return null;
 };
 
 export const createGroup = async (

apps/website/test/integration/groupInvitation.test.ts

@@ -0,0 +1,130 @@
+import { describe, it, expect, beforeAll, afterAll } from "vitest";
+import { createClient } from "@supabase/supabase-js";
+import type { Database } from "@repo/database/dbTypes";
+import type { DGSupabaseClient } from "@repo/database/lib/client";
+import {
+  fetchOrCreateSpaceDirect,
+  fetchOrCreatePlatformAccount,
+  spaceAnonUserEmail,
+} from "@repo/database/lib/contextFunctions";
+import {
+  createGroup,
+  createGroupInvitation,
+  acceptGroupInvitation,
+} from "../../app/utils/supabase/account";
+
+const SUPABASE_URL = process.env.SUPABASE_URL!;
+const ANON_KEY = process.env.SUPABASE_PUBLISHABLE_KEY!;
+const SERVICE_KEY = process.env.SUPABASE_SECRET_KEY!;
+const PASSWORD = "abcdefgh";
+
+const freshClient = (): DGSupabaseClient =>
+  createClient<Database, "public">(SUPABASE_URL, ANON_KEY);
+
+const serviceClient = () =>
+  createClient<Database, "public">(SUPABASE_URL, SERVICE_KEY);
+
+const signedInClient = async (spaceId: number): Promise<DGSupabaseClient> => {
+  const client = freshClient();
+  const { error } = await client.auth.signInWithPassword({
+    email: spaceAnonUserEmail("Roam", spaceId),
+    password: PASSWORD,
+  });
+  if (error) throw new Error(`Sign-in failed: ${error.message}`);
+  return client;
+};
+
+describe(
+  "group invitation flow (website functions)",
+  { tags: ["database"] },
+  () => {
+    let spaceId1: number;
+    let spaceId2: number;
+    let client1: DGSupabaseClient;
+    let client2: DGSupabaseClient;
+    let createdGroupId: string | null = null;
+
+    beforeAll(async () => {
+      const s1 = await fetchOrCreateSpaceDirect({
+        name: "vitest-s1",
+        url: "https://roamresearch.com/#/app/vitest-s1",
+        platform: "Roam",
+        password: PASSWORD,
+      });
+      if (!s1.data)
+        throw new Error(`Failed to create space 1: ${s1.error?.message}`);
+      spaceId1 = s1.data.id;
+      await fetchOrCreatePlatformAccount({
+        platform: "Roam",
+        accountLocalId: "vitest-user1",
+        name: "vitest-user1",
+        email: "vitest-user1@example.com",
+        spaceId: spaceId1,
+        password: PASSWORD,
+      });
+
+      const s2 = await fetchOrCreateSpaceDirect({
+        name: "vitest-s2",
+        url: "https://roamresearch.com/#/app/vitest-s2",
+        platform: "Roam",
+        password: PASSWORD,
+      });
+      if (!s2.data)
+        throw new Error(`Failed to create space 2: ${s2.error?.message}`);
+      spaceId2 = s2.data.id;
+      await fetchOrCreatePlatformAccount({
+        platform: "Roam",
+        accountLocalId: "vitest-user2",
+        name: "vitest-user2",
+        email: "vitest-user2@example.com",
+        spaceId: spaceId2,
+        password: PASSWORD,
+      });
+
+      client1 = await signedInClient(spaceId1);
+      client2 = await signedInClient(spaceId2);
+    });
+
+    afterAll(async () => {
+      if (createdGroupId) {
+        await serviceClient().auth.admin.deleteUser(createdGroupId);
+      }
+    });
+
+    it("executes the full invitation flow", async () => {
+      // Step 1: user1 creates a group
+      const groupId = await createGroup(client1, "vitest-invite-group");
+      expect(groupId, "createGroup should return a group ID").toBeTruthy();
+      createdGroupId = groupId;
+
+      // Step 2: user1 creates an invitation token
+      const token = await createGroupInvitation({
+        client: client1,
+        groupId: groupId!,
+        admin: false,
+      });
+      expect(token, "createGroupInvitation should return a token").toBeTruthy();
+
+      // Step 3: user2 accepts the invitation
+      const error = await acceptGroupInvitation(client2, token!);
+      expect(
+        error,
+        "acceptGroupInvitation should return null on success",
+      ).toBeNull();
+
+      // Step 4: verify user2 is in group_membership
+      const { data: user2 } = await client2.auth.getUser();
+      const { data: membership } = await serviceClient()
+        .from("group_membership")
+        .select("admin")
+        .eq("group_id", groupId!)
+        .eq("member_id", user2.user!.id)
+        .maybeSingle();
+      expect(
+        membership,
+        "user2 should appear in group_membership",
+      ).toBeTruthy();
+      expect(membership?.admin).toBe(false);
+    });
+  },
+);

packages/database/features/groupAccess.feature

@@ -14,15 +14,21 @@ Feature: Group content access
     And the user user1 opens the Roam plugin in space s1
     And the user user2 opens the Roam plugin in space s2
 
+  Scenario: Invitation-based group membership
+    When user of space s1 creates group invite_group
+    And user of space s1 creates an invitation for group invite_group
+    And user of space s2 accepts the group invitation
+    Then user of space s2 should be a member of group invite_group
+
   Scenario: Creating content
     When Document are added to the database:
       | $id | source_local_id | created    | last_modified | _author_id | _space_id |
-      | d1  | ld1             | 2025/01/01 |    2025/01/01 | user1      | s1        |
-      | d2  | ld2             | 2025/01/01 |    2025/01/01 | user1      | s1        |
+      | d1  | ld1             | 2025/01/01 | 2025/01/01    | user1      | s1        |
+      | d2  | ld2             | 2025/01/01 | 2025/01/01    | user1      | s1        |
     And Content are added to the database:
       | $id | source_local_id | _document_id | text    | created    | last_modified | scale    | _author_id | _space_id |
-      | ct1 | lct1            | d1           | Claim 1 | 2025/01/01 |    2025/01/01 | document | user1      | s1        |
-      | ct2 | lct2            | d2           | Claim 2 | 2025/01/01 |    2025/01/01 | document | user1      | s1        |
+      | ct1 | lct1            | d1           | Claim 1 | 2025/01/01 | 2025/01/01    | document | user1      | s1        |
+      | ct2 | lct2            | d2           | Claim 2 | 2025/01/01 | 2025/01/01    | document | user1      | s1        |
     Then a user logged in space s1 should see 2 PlatformAccount in the database
     And a user logged in space s1 should see 2 Content in the database
     And a user logged in space s2 should see 2 PlatformAccount in the database

packages/database/features/step-definitions/stepdefs.ts

@@ -67,6 +67,7 @@ Given("the database is blank", async () => {
   assert.equal(r.error, null);
   const r3 = await client.from("group_membership").select("group_id");
   assert.equal(r3.error, null);
+  // eslint-disable-next-line @typescript-eslint/naming-convention
   const groupIds = new Set((r3.data || []).map(({ group_id }) => group_id));
   for (const id of groupIds) {
     const ur = await client.auth.admin.deleteUser(id);
@@ -77,8 +78,9 @@ Given("the database is blank", async () => {
     .select("dg_account")
     .not("dg_account", "is", null);
   assert.equal(r2.error, null);
+  // eslint-disable-next-line @typescript-eslint/naming-convention
   for (const { dg_account } of r2.data || []) {
-    const r = await client.auth.admin.deleteUser(dg_account!);
+    const r = await client.auth.admin.deleteUser(dg_account);
     assert.equal(r.error, null);
   }
   r = await client.from("PlatformAccount").delete().neq("id", -1);
@@ -433,6 +435,78 @@ When(
   },
 );
 
+When(
+  "user of space {word} creates an invitation for group {word}",
+  async (spaceName: string, groupName: string): Promise<void> => {
+    const localRefs = (world.localRefs || {}) as LocalRefsType;
+    const spaceId = localRefs[spaceName];
+    const groupId = localRefs[groupName];
+    if (typeof spaceId !== "number") assert.fail("spaceId not a number");
+    if (typeof groupId !== "string") assert.fail("groupId not a string");
+    const client = await getLoggedinDatabase(spaceId);
+    /* eslint-disable @typescript-eslint/naming-convention */
+    const { data, error } = await client.rpc("create_secret_token", {
+      v_payload: { groupId, type: "groupInvitation", admin: false },
+      expiry_interval: "60d",
+    });
+    /* eslint-enable @typescript-eslint/naming-convention */
+    assert.equal(error, null);
+    assert.ok(data, "create_secret_token returned no token");
+    world.lastInvitationToken = data;
+  },
+);
+
+When(
+  "user of space {word} accepts the group invitation",
+  async (spaceName: string): Promise<void> => {
+    const localRefs = (world.localRefs || {}) as LocalRefsType;
+    const spaceId = localRefs[spaceName];
+    if (typeof spaceId !== "number") assert.fail("spaceId not a number");
+    const token = world.lastInvitationToken as string;
+    assert.ok(
+      token,
+      "No invitation token stored — run 'creates an invitation' first",
+    );
+    const client = await getLoggedinDatabase(spaceId);
+    const { data, error } = await client.rpc("accept_group_invitation", {
+      token,
+    });
+    assert.equal(error, null);
+    assert.strictEqual(data, true, "accept_group_invitation returned false");
+  },
+);
+
+Then(
+  "user of space {word} should be a member of group {word}",
+  async (spaceName: string, groupName: string): Promise<void> => {
+    const localRefs = (world.localRefs || {}) as LocalRefsType;
+    const spaceId = localRefs[spaceName];
+    const groupId = localRefs[groupName];
+    if (typeof spaceId !== "number") assert.fail("spaceId not a number");
+    if (typeof groupId !== "string") assert.fail("groupId not a string");
+    const serviceClient = getServiceClient();
+    const r1 = await serviceClient
+      .from("PlatformAccount")
+      .select("dg_account")
+      .eq("account_local_id", spaceAnonUserEmail("Roam", spaceId))
+      .maybeSingle();
+    assert.equal(r1.error, null);
+    const memberId = r1.data?.dg_account;
+    assert.ok(memberId, "dg_account not found for space");
+    const r2 = await serviceClient
+      .from("group_membership")
+      .select("member_id")
+      .eq("group_id", groupId)
+      .eq("member_id", memberId)
+      .maybeSingle();
+    assert.equal(r2.error, null);
+    assert.ok(
+      r2.data,
+      `user of space ${spaceName} is not a member of group ${groupName}`,
+    );
+  },
+);
+
 When(
   "user of space {word} adds space {word} to group {word}",
   async (

packages/database/src/dbTypes.ts

@@ -1454,6 +1454,7 @@ export type Database = {
           isSetofReturn: false
         }
       }
+      accept_group_invitation: { Args: { token: string }; Returns: boolean }
       account_in_shared_space: {
         Args: {
           access_level?: Database["public"]["Enums"]["SpaceAccessPermissions"]

packages/database/supabase/config.toml

@@ -52,6 +52,7 @@ schema_paths = [
     './schemas/base.sql',
     './schemas/extensions.sql',
     './schemas/space.sql',
+    './schemas/secret_tokens.sql',
     './schemas/account.sql',
     './schemas/content.sql',
     './schemas/embedding.sql',