Fixes

N2D4 · N2D4 · commit 053af3777451 · 2026-02-17T16:17:23.000-08:00
diff --git a/apps/backend/src/app/api/latest/team-invitations/[id]/accept/route.tsx b/apps/backend/src/app/api/latest/team-invitations/[id]/accept/route.tsx
@@ -6,7 +6,6 @@ import { VerificationCodeType } from "@/generated/prisma/client";
 import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
 import { KnownErrors } from "@stackframe/stack-shared";
 import { adaptSchema, clientOrHigherAuthTypeSchema, userIdOrMeSchema, yupNumber, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
-import { StackAssertionError, throwErr } from "@stackframe/stack-shared/dist/utils/errors";
 
 export const POST = createSmartRouteHandler({
   metadata: {
@@ -82,9 +81,7 @@ export const POST = createSmartRouteHandler({
     });
 
     if (!matchingChannel) {
-      throw new StackAssertionError(
-        "Cannot accept this invitation: no verified email matching the invitation's recipient email was found on the target user",
-      );
+      throw new KnownErrors.VerificationCodeNotFound();
     }
 
     await retryTransaction(prisma, async (tx) => {
@@ -126,20 +123,23 @@ export const POST = createSmartRouteHandler({
           data: {},
         });
       }
-    });
 
-    // Mark the invitation as used
-    await globalPrismaClient.verificationCode.update({
-      where: {
-        projectId_branchId_id: {
+      // Mark the invitation as used inside the transaction to prevent race conditions
+      const updated = await globalPrismaClient.verificationCode.updateMany({
+        where: {
           projectId: auth.tenancy.project.id,
           branchId: auth.tenancy.branchId,
           id: params.id,
+          usedAt: null,
         },
-      },
-      data: {
-        usedAt: new Date(),
-      },
+        data: {
+          usedAt: new Date(),
+        },
+      });
+
+      if (updated.count === 0) {
+        throw new KnownErrors.VerificationCodeNotFound();
+      }
     });
 
     return {
diff --git a/apps/backend/src/app/api/latest/team-invitations/crud.tsx b/apps/backend/src/app/api/latest/team-invitations/crud.tsx
@@ -1,11 +1,11 @@
+import { VerificationCodeType } from "@/generated/prisma/client";
 import { ensureTeamExists, ensureTeamMembershipExists, ensureUserTeamPermissionExists } from "@/lib/request-checks";
-import { globalPrismaClient, getPrismaClientForTenancy, retryTransaction } from "@/prisma-client";
+import { getPrismaClientForTenancy, globalPrismaClient, retryTransaction } from "@/prisma-client";
 import { createCrudHandlers } from "@/route-handlers/crud-handler";
-import { VerificationCodeType } from "@/generated/prisma/client";
 import { KnownErrors } from "@stackframe/stack-shared";
 import { teamInvitationCrud } from "@stackframe/stack-shared/dist/interface/crud/team-invitation";
 import { userIdOrMeSchema, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
-import { StackAssertionError, throwErr } from "@stackframe/stack-shared/dist/utils/errors";
+import { StatusError, throwErr } from "@stackframe/stack-shared/dist/utils/errors";
 import { createLazyProxy } from "@stackframe/stack-shared/dist/utils/proxies";
 import { teamsCrudHandlers } from "../teams/crud";
 import { teamInvitationCodeHandler } from "./accept/verification-code-handler";
@@ -20,17 +20,19 @@ export const teamInvitationsCrudHandlers = createLazyProxy(() => createCrudHandl
   }),
   onList: async ({ auth, query }) => {
     if (query.team_id != null && query.user_id != null) {
-      throw new StackAssertionError("Cannot specify both team_id and user_id");
+      throw new StatusError(StatusError.BadRequest, "Cannot specify both team_id and user_id");
     }
     if (query.team_id == null && query.user_id == null) {
-      throw new StackAssertionError("Must specify either team_id or user_id");
+      throw new StatusError(StatusError.BadRequest, "Must specify either team_id or user_id");
     }
 
     if (query.user_id != null) {
-      // List invitations sent to the current user's verified emails
-      const currentUserId = auth.user?.id ?? throwErr(new KnownErrors.CannotGetOwnUserWithoutUser());
-      if (auth.type === 'client' && query.user_id !== currentUserId) {
-        throw new KnownErrors.CannotGetOwnUserWithoutUser();
+      // List invitations sent to the user's verified emails
+      if (auth.type === 'client') {
+        const currentUserId = auth.user?.id ?? throwErr(new KnownErrors.CannotGetOwnUserWithoutUser());
+        if (query.user_id !== currentUserId) {
+          throw new KnownErrors.CannotGetOwnUserWithoutUser();
+        }
       }
 
       const targetUserId = query.user_id;
@@ -74,10 +76,15 @@ export const teamInvitationsCrudHandlers = createLazyProxy(() => createCrudHandl
           const team = await teamsCrudHandlers.adminRead({
             tenancy: auth.tenancy,
             team_id: teamId,
+            allowedErrorTypes: [KnownErrors.TeamNotFound],
           });
           teamsMap.set(teamId, team.display_name);
-        } catch {
-          // Team may have been deleted since the invitation was created; skip these invitations
+        } catch (e) {
+          if (KnownErrors.TeamNotFound.isInstance(e)) {
+            // Team may have been deleted since the invitation was created; skip these invitations
+            continue;
+          }
+          throw e;
         }
       }
 
@@ -133,16 +140,11 @@ export const teamInvitationsCrudHandlers = createLazyProxy(() => createCrudHandl
         },
       });
 
-      let teamDisplayName: string;
-      try {
-        const team = await teamsCrudHandlers.adminRead({
-          tenancy: auth.tenancy,
-          team_id: teamId,
-        });
-        teamDisplayName = team.display_name;
-      } catch {
-        teamDisplayName = "";
-      }
+      const team = await teamsCrudHandlers.adminRead({
+        tenancy: auth.tenancy,
+        team_id: teamId,
+      });
+      const teamDisplayName = team.display_name;
 
       return {
         items: allCodes.map(code => ({
@@ -157,7 +159,7 @@ export const teamInvitationsCrudHandlers = createLazyProxy(() => createCrudHandl
     });
   },
   onDelete: async ({ auth, query, params }) => {
-    const teamId = query.team_id ?? throwErr(new StackAssertionError("team_id is required for deleting a team invitation"));
+    const teamId = query.team_id ?? throwErr(new StatusError(StatusError.BadRequest, "team_id is required for deleting a team invitation"));
     const prisma = await getPrismaClientForTenancy(auth.tenancy);
     await retryTransaction(prisma, async (tx) => {
       if (auth.type === 'client') {
diff --git a/apps/e2e/tests/backend/endpoints/api/v1/team-invitations.test.ts b/apps/e2e/tests/backend/endpoints/api/v1/team-invitations.test.ts
@@ -184,7 +184,7 @@ it("can't list invitations without team_id or user_id", async ({ expect }) => {
     accessType: "server",
     method: "GET",
   });
-  expect(listInvitationsResponse.status).toBe(500);
+  expect(listInvitationsResponse.status).toBe(400);
 });
 
 
@@ -1000,7 +1000,7 @@ it("cannot specify both team_id and user_id", async ({ expect }) => {
     accessType: "server",
     method: "GET",
   });
-  expect(listResponse.status).toBe(500);
+  expect(listResponse.status).toBe(400);
 });
 
 
@@ -1011,7 +1011,7 @@ it("must specify either team_id or user_id", async ({ expect }) => {
     accessType: "server",
     method: "GET",
   });
-  expect(listResponse.status).toBe(500);
+  expect(listResponse.status).toBe(400);
 });
 
 
diff --git a/packages/stack-shared/src/interface/client-interface.ts b/packages/stack-shared/src/interface/client-interface.ts
@@ -1214,7 +1214,7 @@ export class StackClientInterface {
     session: InternalSession,
   ) {
     await this.sendClientRequest(
-      `/team-invitations/${invitationId}/accept?` + new URLSearchParams({ user_id: 'me' }),
+      urlString`/team-invitations/${invitationId}/accept?` + new URLSearchParams({ user_id: 'me' }),
       { method: "POST" },
       session,
     );
diff --git a/packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts b/packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts
@@ -1007,8 +1007,11 @@ export class _StackClientAppImplIncomplete<HasTokenStore extends boolean, Projec
       expiresAt: new Date(crud.expires_at_millis),
       accept: async () => {
         await app._interface.acceptTeamInvitationById(crud.id, session);
-        await app._currentUserTeamInvitationsCache.refresh([session]);
-        await app._currentUserTeamsCache.refresh([session]);
+        await Promise.all([
+          app._currentUserTeamInvitationsCache.refresh([session]),
+          app._currentUserTeamsCache.refresh([session]),
+          app._teamInvitationsCache.refresh([session, crud.team_id]),
+        ]);
       },
     };
   }
diff --git a/packages/template/src/lib/stack-app/apps/implementations/server-app-impl.ts b/packages/template/src/lib/stack-app/apps/implementations/server-app-impl.ts
@@ -826,8 +826,11 @@ export class _StackServerAppImplIncomplete<HasTokenStore extends boolean, Projec
       expiresAt: new Date(crud.expires_at_millis),
       accept: async () => {
         await app._interface.acceptServerTeamInvitationById(crud.id, userId);
-        await app._serverUserTeamInvitationsCache.refresh([userId]);
-        await app._serverTeamsCache.refresh([userId]);
+        await Promise.all([
+          app._serverUserTeamInvitationsCache.refresh([userId]),
+          app._serverTeamsCache.refresh([userId]),
+          app._serverTeamInvitationsCache.refresh([crud.team_id]),
+        ]);
       },
     };
   }
