[FEAT]: Deactivate Invitation Link - Backend

[SamixYasuke]

Description

Create an API endpoint to handle the deactivation of invitation links. This endpoint will validate the invitation link and deactivate it to prevent any further use, ensuring the user deactivating the link has proper authorization.

Endpoint Feature

• This endpoint enables the temporary deactivation of an invitation link.
• Limited to only invitation link deactivation.

Acceptance Criteria

API Endpoint Implementation:

• The endpoint should be accessible at /api/v1/invite/deactivate.
• The endpoint should accept HTTP PATCH requests.
• User deactivating the invite link must be authenticated with a JWT Auth token and authorized to do so.

Data Validation and Sanitization:

• The API should validate the request payload to ensure the invitation link is present and valid.
• The invitation link should be checked for correctness and validity (e.g., it hasn't already been deactivated and belongs to a valid organization).

Authorization:

• Ensure the user deactivating the invitation link has the proper authorization to do so.

Deactivating the Invitation Link:

• Upon successful validation and authorization, the invitation link should be deactivated to prevent further use.

Response:

• On success, the API should return a 200 OK status code with a success message.
• On failure, the API should return a 400 Bad Request status code with appropriate error messages.
• If the user is not authorized, the API should return a 403 Forbidden status code with an appropriate error message.

Request Example

[PATCH] /api/v1/invite/deactivate

{
  "invitation_link": "string"
}

Successful Response:

{
  "message": "Invitation link has been deactivated",
  "status_code": 200
}

Error Response:

{
  "error":  "Invitation Not Found" ,
  "status_code": 404
}

{
  "error":  "Invitation Link wasn't provided" ,
  "status_code": 400
}

{
  "error":  "Invalid Invitation Link format" ,
  "status_code": 400
}

{
  "error": "User is not authorized to deactivate this invitation link" ,
  "status_code": 403
}

{
  "error": "Invitation link is already deactivated" ,
  "status_code": 403
}

{
  "error": "Invitation link is expired" ,
  "status_code": 400
}

Authentication and Authorization

Authentication Verify that the user is authenticated before allowing access to the endpoint. Example: Use middleware to check for a valid authentication token.

Authorization Ensure that only authorized users can deactivate the invitation link (i.e. the user that created it).

Purpose

Provides a backend service to handle the deactivation of invitation links, ensuring the link cannot be used again once deactivated and that only authorized users can perform this action.

Requirements

• Develop server-side logic to handle invitation link deactivation.
• Validate and sanitize incoming invitation link data.
• Ensure proper authorization for deactivating the invitation link.
• Deactivate the invitation link upon successful validation and authorization.

Expected Outcome

The API endpoint allows authorized users to deactivate invitation links via the provided link and ensures they cannot be used again.

Status Codes

• 200: Invitation link was successfully deactivated.
• 400:
  • Invalid invitation link format
  • Expired invitation link
  • Organization not found
• 403: User is not authorized to deactivate the invitation link.
• 500: A server error occurred

Performance and Security

• Ensure that only authenticated users with valid JWT tokens can access the endpoint.
• Implement role-based access control (RBAC) to restrict actions to authorized users only. Validate the user_id from the JWT against the database to confirm user permissions.
• Implement robust error handling to capture and log errors without exposing sensitive information to the client.

Documentation

Ensure that API documentation is updated to include information for the endpoint, request/response formats, error handling, and authentication requirements, swagger would be used for the documentation using OpenAPI 3.1.0 standard.

Testing

• [ ] Write unit tests to ensure the invitation link deactivation endpoint validates input correctly, checks authorization, and deactivates the link.
• [ ] Perform load testing to ensure the endpoint can handle multiple requests.
• [ ] Test various scenarios for deactivating the invitation link (i.e. valid link, expired link, unauthorized user).

Dependencies and Impact

Dependencies:

• Relies on user registration and invitation link creation processes.

Impact Analysis:

• Ensure changes do not disrupt user authentication or invitation management functionalities.

[SamixYasuke]

This ticket is referred from the main Boilerplate repo Issue #193