At the moment, weave cloud doesn't have a proper organization
entity. Therefore, I've not synced weave cloud's teams/organizations
to auth0. So when you get invited by another user to join your team,
it's not a "proper invite", it's literally just an email login
attempt.
Because an invite is inherently sent from a different user than the one who
clicks on the link, and because the email login is effectively using OIDC on
our side, the state we're returned after signup doesn't match our
expected state, so the code generates CSRF errors.
This workaround makes the invite email link to the login verification
page. That page now has a special case for logged-out & signed up, so it can
send you back to auth0 to get you signed in to weave cloud. Since you
literally just signed up/in to auth0, they just send you straight
back, and now you pass all CSRF protection.
Neat? No.
Works? Actually, yeah.
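The state mismatch and the redirect-through-the-verification-page workaround described above, modelled in memory as an added example (not Weave Cloud's own code; `Browser`, `BeginLogin`, `Callback` and `VerificationPage` are hypothetical names, and the provider is assumed to simply echo the state it was given):

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

type Browser struct{ StateCookie string } // one user agent's cookie jar: OIDC state is bound to the browser that began the flow

// BeginLogin mints a state, stores it in this browser's cookie and returns the value the provider will echo back.
func BeginLogin(br *Browser) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	br.StateCookie = hex.EncodeToString(b)
	return br.StateCookie
}

// Callback checks the echoed state against the arriving browser's cookie; missing or different means CSRF failure.
func Callback(br *Browser, echoedState string) error {
	if br.StateCookie == "" || echoedState != br.StateCookie {
		return fmt.Errorf("CSRF check failed: state %q does not match this browser's cookie", echoedState)
	}
	return nil
}

// BrokenInvite reproduces the bug: the inviter's browser starts the flow, the invitee's (no cookie) follows the link.
func BrokenInvite() error {
	return Callback(&Browser{}, BeginLogin(&Browser{}))
}

// VerificationPage is the workaround: a logged-out but signed-up browser restarts the flow from its own session.
func VerificationPage(br *Browser, loggedIn, signedUp bool) string {
	if !loggedIn && signedUp {
		return BeginLogin(br) // state cookie now lives where Callback will look
	}
	return "" // no redirect needed
}

// WorkaroundInvite bounces the invitee through the provider from their own browser, so the same check passes.
func WorkaroundInvite() error {
	invitee := &Browser{}
	return Callback(invitee, VerificationPage(invitee, false, true))
}

func main() {
	fmt.Println("cross-browser invite:", BrokenInvite())       // CSRF error
	fmt.Println("via verification page:", WorkaroundInvite()) // <nil>
}
```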