Merge pull request #2715 from rommapp/invite-token-invalidation

Invalidate invite token before creating user
2026-02-18 23:42:07 +01:00 · 2025-11-22 18:40:11 -05:00
parent 65a9622bb6 615e3132e4
commit cf53ac7b8b
2 changed files with 9 additions and 14 deletions
--- a/backend/endpoints/user.py
+++ b/backend/endpoints/user.py
@@ -158,8 +158,6 @@ def create_user_from_invite(
        UserSchema: Newly created user
    """

-    jti, role = auth_handler.verify_invite_link_token(token)
-
    try:
        validate_username(username)
        validate_password(password)
@@ -186,6 +184,7 @@ def create_user_from_invite(
            detail=msg,
        )

+    role = auth_handler.consume_invite_link_token(token)
    user = User(
        username=username.lower(),
        hashed_password=auth_handler.get_password_hash(password),
@@ -195,8 +194,6 @@ def create_user_from_invite(

    created_user = db_user_handler.add_user(user)

-    auth_handler.invalidate_invite_link_token(jti)
-
    return UserSchema.model_validate(created_user)


--- a/backend/handler/auth/base_handler.py
+++ b/backend/handler/auth/base_handler.py
@@ -203,13 +203,15 @@ class AuthHandler:
        )
        return token

-    def verify_invite_link_token(self, token: str) -> tuple[str, str]:
+    def consume_invite_link_token(self, token: str) -> str:
        """
-        Verify the invite link token.
+        Verify and consume the invite link token, which invalidates the token to prevent reuse.
+
        Args:
            token (str): The token to verify.
+
        Returns:
-            str: The JTI (JWT ID) of the token.
+            str: The role associated with the token.
        """
        try:
            payload = jwt.decode(
@@ -231,16 +233,12 @@ class AuthHandler:
                status_code=status.HTTP_400_BAD_REQUEST,
                detail="Invite token has already been used or is invalid.",
            )
-        return jti, role

-    def invalidate_invite_link_token(self, jti: str) -> None:
-        """
-        Invalidate the invite link token.
-        Args:
-            jti (str): The JTI (JWT ID) of the token to invalidate.
-        """
+        # Invalidate the token as soon as it's read
        redis_client.delete(f"invite-jti:{jti}")

+        return role
+

 class OAuthHandler:
    def __init__(self) -> None: