Team invitations on user (#1200)

Author: N2D4

apps/backend/src/app/api/latest/team-invitations/[id]/accept/route.tsx

@@ -0,0 +1,151 @@
+import { teamMembershipsCrudHandlers } from "@/app/api/latest/team-memberships/crud";
+import { getItemQuantityForCustomer } from "@/lib/payments";
+import { getPrismaClientForTenancy, retryTransaction } from "@/prisma-client";
+import { globalPrismaClient } from "@/prisma-client";
+import { VerificationCodeType } from "@/generated/prisma/client";
+import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
+import { KnownErrors } from "@stackframe/stack-shared";
+import { adaptSchema, clientOrHigherAuthTypeSchema, userIdOrMeSchema, yupNumber, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
+
+export const POST = createSmartRouteHandler({
+  metadata: {
+    summary: "Accept a team invitation by ID",
+    description: "Accepts a team invitation for the specified user. The user must have a verified email matching the invitation's recipient email. This marks the invitation as used and adds the user to the team.",
+    tags: ["Teams"],
+  },
+  request: yupObject({
+    auth: yupObject({
+      type: clientOrHigherAuthTypeSchema,
+      tenancy: adaptSchema.defined(),
+      user: adaptSchema.optional(),
+    }).defined(),
+    params: yupObject({
+      id: yupString().uuid().defined(),
+    }).defined(),
+    query: yupObject({
+      user_id: userIdOrMeSchema.defined(),
+    }).defined(),
+  }),
+  response: yupObject({
+    statusCode: yupNumber().oneOf([200]).defined(),
+    bodyType: yupString().oneOf(["json"]).defined(),
+    body: yupObject({}).defined(),
+  }),
+  async handler({ auth, params, query }) {
+    const userId = query.user_id;
+
+    if (auth.type === 'client') {
+      if (!auth.user) {
+        throw new KnownErrors.CannotGetOwnUserWithoutUser();
+      }
+      if (userId !== auth.user.id) {
+        throw new KnownErrors.CannotGetOwnUserWithoutUser();
+      }
+
+      if (auth.user.restricted_reason) {
+        throw new KnownErrors.TeamInvitationRestrictedUserNotAllowed(auth.user.restricted_reason);
+      }
+    }
+
+    // Look up the invitation (verification code) by ID
+    const code = await globalPrismaClient.verificationCode.findUnique({
+      where: {
+        projectId_branchId_id: {
+          projectId: auth.tenancy.project.id,
+          branchId: auth.tenancy.branchId,
+          id: params.id,
+        },
+        type: VerificationCodeType.TEAM_INVITATION,
+        usedAt: null,
+        expiresAt: { gt: new Date() },
+      },
+    });
+
+    if (!code) {
+      throw new KnownErrors.VerificationCodeNotFound();
+    }
+
+    const invitationData = code.data as { team_id: string };
+    const invitationMethod = code.method as { email: string };
+
+    // Verify that the target user has a verified email matching the invitation's recipient
+    const prisma = await getPrismaClientForTenancy(auth.tenancy);
+    const matchingChannel = await prisma.contactChannel.findFirst({
+      where: {
+        tenancyId: auth.tenancy.id,
+        projectUserId: userId,
+        type: 'EMAIL',
+        isVerified: true,
+        value: invitationMethod.email,
+      },
+    });
+
+    if (!matchingChannel) {
+      throw new KnownErrors.VerificationCodeNotFound();
+    }
+
+    await retryTransaction(prisma, async (tx) => {
+      // Internal project payment checks (same as in the verification code handler)
+      if (auth.tenancy.project.id === "internal") {
+        const currentMemberCount = await tx.teamMember.count({
+          where: {
+            tenancyId: auth.tenancy.id,
+            teamId: invitationData.team_id,
+          },
+        });
+        const maxDashboardAdmins = await getItemQuantityForCustomer({
+          prisma: tx,
+          tenancy: auth.tenancy,
+          customerId: invitationData.team_id,
+          itemId: "dashboard_admins",
+          customerType: "team",
+        });
+        if (currentMemberCount + 1 > maxDashboardAdmins) {
+          throw new KnownErrors.ItemQuantityInsufficientAmount("dashboard_admins", invitationData.team_id, -1);
+        }
+      }
+
+      const oldMembership = await tx.teamMember.findUnique({
+        where: {
+          tenancyId_projectUserId_teamId: {
+            tenancyId: auth.tenancy.id,
+            projectUserId: userId,
+            teamId: invitationData.team_id,
+          },
+        },
+      });
+
+      if (!oldMembership) {
+        await teamMembershipsCrudHandlers.adminCreate({
+          tenancy: auth.tenancy,
+          team_id: invitationData.team_id,
+          user_id: userId,
+          data: {},
+        });
+      }
+
+      // Mark the invitation as used inside the transaction to prevent race conditions
+      const updated = await globalPrismaClient.verificationCode.updateMany({
+        where: {
+          projectId: auth.tenancy.project.id,
+          branchId: auth.tenancy.branchId,
+          id: params.id,
+          usedAt: null,
+        },
+        data: {
+          usedAt: new Date(),
+        },
+      });
+
+      if (updated.count === 0) {
+        throw new KnownErrors.VerificationCodeNotFound();
+      }
+    });
+
+    return {
+      statusCode: 200,
+      bodyType: "json",
+      body: {},
+    };
+  },
+});

apps/backend/src/app/api/latest/team-invitations/crud.tsx

@@ -1,56 +1,156 @@
+import { VerificationCodeType } from "@/generated/prisma/client";
 import { ensureTeamExists, ensureTeamMembershipExists, ensureUserTeamPermissionExists } from "@/lib/request-checks";
-import { getPrismaClientForTenancy, retryTransaction } from "@/prisma-client";
+import { getPrismaClientForTenancy, globalPrismaClient, retryTransaction } from "@/prisma-client";
 import { createCrudHandlers } from "@/route-handlers/crud-handler";
 import { KnownErrors } from "@stackframe/stack-shared";
 import { teamInvitationCrud } from "@stackframe/stack-shared/dist/interface/crud/team-invitation";
-import { yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
-import { throwErr } from "@stackframe/stack-shared/dist/utils/errors";
+import { userIdOrMeSchema, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
+import { StatusError, throwErr } from "@stackframe/stack-shared/dist/utils/errors";
 import { createLazyProxy } from "@stackframe/stack-shared/dist/utils/proxies";
+import { teamsCrudHandlers } from "../teams/crud";
 import { teamInvitationCodeHandler } from "./accept/verification-code-handler";
 
 export const teamInvitationsCrudHandlers = createLazyProxy(() => createCrudHandlers(teamInvitationCrud, {
   querySchema: yupObject({
-    team_id: yupString().uuid().defined().meta({ openapiField: { onlyShowInOperations: ['List'] } }),
+    team_id: yupString().uuid().optional().meta({ openapiField: { onlyShowInOperations: ['List', 'Delete'], description: 'The team ID to list invitations for. Required unless user_id is provided.' } }),
+    user_id: userIdOrMeSchema.optional().meta({ openapiField: { onlyShowInOperations: ['List'], description: 'List invitations sent to this user\'s verified emails. Must be "me" for client access. Cannot be combined with team_id.' } }),
   }),
   paramsSchema: yupObject({
     id: yupString().uuid().defined(),
   }),
   onList: async ({ auth, query }) => {
+    if (query.team_id != null && query.user_id != null) {
+      throw new StatusError(StatusError.BadRequest, "Cannot specify both team_id and user_id");
+    }
+    if (query.team_id == null && query.user_id == null) {
+      throw new StatusError(StatusError.BadRequest, "Must specify either team_id or user_id");
+    }
+
+    if (query.user_id != null) {
+      // List invitations sent to the user's verified emails
+      if (auth.type === 'client') {
+        const currentUserId = auth.user?.id ?? throwErr(new KnownErrors.CannotGetOwnUserWithoutUser());
+        if (query.user_id !== currentUserId) {
+          throw new KnownErrors.CannotGetOwnUserWithoutUser();
+        }
+      }
+
+      const targetUserId = query.user_id;
+
+      const prisma = await getPrismaClientForTenancy(auth.tenancy);
+      const verifiedEmails = await prisma.contactChannel.findMany({
+        where: {
+          tenancyId: auth.tenancy.id,
+          projectUserId: targetUserId,
+          type: 'EMAIL',
+          isVerified: true,
+        },
+        select: { value: true },
+      });
+
+      if (verifiedEmails.length === 0) {
+        return { items: [], is_paginated: false };
+      }
+
+      const codes = await globalPrismaClient.verificationCode.findMany({
+        where: {
+          projectId: auth.tenancy.project.id,
+          branchId: auth.tenancy.branchId,
+          type: VerificationCodeType.TEAM_INVITATION,
+          usedAt: null,
+          expiresAt: { gt: new Date() },
+          OR: verifiedEmails.map(({ value }) => ({
+            method: { path: ['email'], equals: value },
+          })),
+        },
+      });
+
+      const teamIds = [...new Set(codes.map(code => {
+        const data = code.data as { team_id: string };
+        return data.team_id;
+      }))];
+
+      const teamsMap = new Map<string, string>();
+      for (const teamId of teamIds) {
+        try {
+          const team = await teamsCrudHandlers.adminRead({
+            tenancy: auth.tenancy,
+            team_id: teamId,
+            allowedErrorTypes: [KnownErrors.TeamNotFound],
+          });
+          teamsMap.set(teamId, team.display_name);
+        } catch (e) {
+          if (KnownErrors.TeamNotFound.isInstance(e)) {
+            // Team may have been deleted since the invitation was created; skip these invitations
+            continue;
+          }
+          throw e;
+        }
+      }
+
+      return {
+        items: codes
+          .filter(code => {
+            const data = code.data as { team_id: string };
+            return teamsMap.has(data.team_id);
+          })
+          .map(code => {
+            const data = code.data as { team_id: string };
+            const method = code.method as { email: string };
+            return {
+              id: code.id,
+              team_id: data.team_id,
+              team_display_name: teamsMap.get(data.team_id) ?? throwErr("team_display_name should be available after filtering; this should never happen"),
+              expires_at_millis: code.expiresAt.getTime(),
+              recipient_email: method.email,
+            };
+          }),
+        is_paginated: false,
+      };
+    }
+
+    // List invitations for a specific team (existing behavior)
+    const teamId = query.team_id ?? throwErr("team_id is required when user_id is not provided; this should never happen because of the earlier validation");
     const prisma = await getPrismaClientForTenancy(auth.tenancy);
     return await retryTransaction(prisma, async (tx) => {
       if (auth.type === 'client') {
-        // Client can only:
-        // - list invitations in their own team if they have the $read_members AND $invite_members permissions
         const currentUserId = auth.user?.id ?? throwErr(new KnownErrors.CannotGetOwnUserWithoutUser());
 
-        await ensureTeamMembershipExists(tx, { tenancyId: auth.tenancy.id, teamId: query.team_id, userId: currentUserId });
+        await ensureTeamMembershipExists(tx, { tenancyId: auth.tenancy.id, teamId, userId: currentUserId });
 
         for (const permissionId of ['$read_members', '$invite_members']) {
           await ensureUserTeamPermissionExists(tx, {
             tenancy: auth.tenancy,
-            teamId: query.team_id,
+            teamId,
             userId: currentUserId,
             permissionId,
             errorType: 'required',
             recursive: true,
           });
         }
       } else {
-        await ensureTeamExists(tx, { tenancyId: auth.tenancy.id, teamId: query.team_id });
+        await ensureTeamExists(tx, { tenancyId: auth.tenancy.id, teamId });
       }
 
       const allCodes = await teamInvitationCodeHandler.listCodes({
         tenancy: auth.tenancy,
         dataFilter: {
           path: ['team_id'],
-          equals: query.team_id,
+          equals: teamId,
         },
       });
 
+      const team = await teamsCrudHandlers.adminRead({
+        tenancy: auth.tenancy,
+        team_id: teamId,
+      });
+      const teamDisplayName = team.display_name;
+
       return {
         items: allCodes.map(code => ({
           id: code.id,
           team_id: code.data.team_id,
+          team_display_name: teamDisplayName,
           expires_at_millis: code.expiresAt.getTime(),
           recipient_email: code.method.email,
         })),
@@ -59,26 +159,24 @@ export const teamInvitationsCrudHandlers = createLazyProxy(() => createCrudHandl
     });
   },
   onDelete: async ({ auth, query, params }) => {
+    const teamId = query.team_id ?? throwErr(new StatusError(StatusError.BadRequest, "team_id is required for deleting a team invitation"));
     const prisma = await getPrismaClientForTenancy(auth.tenancy);
     await retryTransaction(prisma, async (tx) => {
       if (auth.type === 'client') {
-        // Client can only:
-        // - delete invitations in their own team if they have the $remove_members permissions
-
         const currentUserId = auth.user?.id ?? throwErr(new KnownErrors.CannotGetOwnUserWithoutUser());
 
-        await ensureTeamMembershipExists(tx, { tenancyId: auth.tenancy.id, teamId: query.team_id, userId: currentUserId });
+        await ensureTeamMembershipExists(tx, { tenancyId: auth.tenancy.id, teamId, userId: currentUserId });
 
         await ensureUserTeamPermissionExists(tx, {
           tenancy: auth.tenancy,
-          teamId: query.team_id,
+          teamId,
           userId: currentUserId,
           permissionId: "$remove_members",
           errorType: 'required',
           recursive: true,
         });
       } else {
-        await ensureTeamExists(tx, { tenancyId: auth.tenancy.id, teamId: query.team_id });
+        await ensureTeamExists(tx, { tenancyId: auth.tenancy.id, teamId });
       }
     });