✨ Add tests and improve impl of registration with invitation

2025-05-21 05:36:11 +02:00 · 2022-03-10 12:37:55 +01:00 · 2022-03-10 12:37:55 +01:00 · 33c3e86e66
commit 33c3e86e66
parent a7e77c3ea6
3 changed files with 69 additions and 8 deletions
--- a/backend/src/app/rpc/mutations/profile.clj
+++ b/backend/src/app/rpc/mutations/profile.clj
@ -19,7 +19,6 @@
   [app.rpc.queries.profile :as profile]
   [app.rpc.rlimit :as rlimit]
   [app.storage :as sto]
-   [app.util.async :as async]
   [app.util.services :as sv]
   [app.util.time :as dt]
   [buddy.hashers :as hashers]
@ -100,10 +99,15 @@

 (sv/defmethod ::prepare-register-profile {:auth false}
  [{:keys [pool tokens] :as cfg} params]
-  (when-not (or (contains? :invitation-token params)
-                (contains? cf/flags :registration))
-    (ex/raise :type :restriction
-              :code :registration-disabled))
+  (when-not (contains? cf/flags :registration)
+    (if-not (contains? params :invitation-token)
+      (ex/raise :type :restriction
+                :code :registration-disabled)
+      (let [invitation (tokens :verify {:token (:invitation-token params) :iss :team-invitation})]
+        (when-not (= (:email params) (:member-email invitation))
+          (ex/raise :type :restriction
+                    :code :email-does-not-match-invitation
+                    :hint "email should match the invitation")))))

  (when-let [domains (cf/get :registration-domain-whitelist)]
    (when-not (email-domain-in-whitelist? domains (:email params))
@ -130,6 +134,7 @@
                :backend "penpot"
                :iss :prepared-register
                :exp (dt/in-future "48h")}
+
        token  (tokens :generate params)]
    {:token token}))

@ -150,7 +155,6 @@
  [{:keys [conn tokens session] :as cfg} {:keys [token] :as params}]
  (let [claims    (tokens :verify {:token token :iss :prepared-register})
        params    (merge params claims)]
-
    (check-profile-existence! conn params)

    (let [is-active  (or (:is-active params)
@ -159,10 +163,8 @@
                          (create-profile conn)
                          (create-profile-relations conn)
                          (decode-profile-row))
-
          invitation (when-let [token (:invitation-token params)]
                       (tokens :verify {:token token :iss :team-invitation}))]
-
      (cond
        ;; If invitation token comes in params, this is because the user comes from team-invitation process;
        ;; in this case, regenerate token and send back to the user a new invitation token (and mark current