better invite system

[byteplow]

current

The current invite system creates a new account and provides a recovery link. This creates a lot of accounts on accident. How ever has access to the link also has access to the account for a short time.

goal

Use registration flow/api for invites. But guard it with an registration token. Which is invalidated after one use.

tasks

• [x] guard self registration with an static invite token
• [x] allow users to create an invite toke
• [x] invalidate invite token after success full registration
• [x] allow users to revoke invite tokens
• [ ] #9
• [ ] #10
• [ ] #11

design

• checking invites
  • proxy for POST /self-service/registration (this is the endpoint responsible for registering the account)
  • the proxy checks if the invite is valid
  • the proxy invalidates the invite if the registration was successful
• invites
  • invites could be stored in keto, my app already uses keto and than there is no extra db requirement
  • invites should be persisted
  • invites should be linked to created and user

[byteplow]

keto rules

namespace: invites oldUser#invited_by@newUser oldUser#invited_by@(newUser#invited_by) invite#created_by@user endpoint#access@invite

endpoint <= full url

on creation

• set: invite#created@user
• set: "registration"#access@invite

  on registration

  check: "registration"#access@invite

  on successful registration

• delete: invite#created@user
• delete: "registration"#access@invite
• get invite#created_by => oldUser
• set: oldUser#invited_by@newUser

pros

• this setup makes it easy to show a user all its unused invites
• this setup makes it easy, to find all accounts directly or indirectly invited by a user

[byteplow]

8 did not resole all task