refactor(invitation): streamline invitation validation logic (#9699)

Replaced `validateInvitation` with `validatePersonalInvitation` across
services for consistent and specific validation handling. Removed
outdated public invitation validation and improved error handling for
workspace invitations. Updated tests to align with the refactored logic
and added checks for edge cases.

packages/twenty-server/src/engine/core-modules/auth/auth.resolver.ts

@@ -176,10 +176,14 @@ export class AuthResolver {
       workspaceId: signUpInput.workspaceId,
     });
 
-    const invitation = await this.authService.findInvitationForSignInUp({
+    const invitation =
+      currentWorkspace && signUpInput.workspacePersonalInviteToken
+        ? await this.authService.findInvitationForSignInUp({
             currentWorkspace,
-      workspacePersonalInviteToken: signUpInput.workspacePersonalInviteToken,
+            workspacePersonalInviteToken:
-    });
+              signUpInput.workspacePersonalInviteToken,
+          })
+        : undefined;
 
     const existingUser = await this.userRepository.findOne({
       where: {

packages/twenty-server/src/engine/core-modules/auth/controllers/google-auth.controller.ts

@@ -66,11 +66,14 @@ export class GoogleAuthController {
     });
 
     try {
-      const invitation = await this.authService.findInvitationForSignInUp({
+      const invitation =
+        currentWorkspace && workspacePersonalInviteToken && email
+          ? await this.authService.findInvitationForSignInUp({
               currentWorkspace,
               workspacePersonalInviteToken,
               email,
-      });
+            })
+          : undefined;
 
       const existingUser = await this.userRepository.findOne({
         where: { email },

packages/twenty-server/src/engine/core-modules/auth/controllers/microsoft-auth.controller.ts

@@ -64,11 +64,14 @@ export class MicrosoftAuthController {
     });
 
     try {
-      const invitation = await this.authService.findInvitationForSignInUp({
+      const invitation =
+        currentWorkspace && workspacePersonalInviteToken && email
+          ? await this.authService.findInvitationForSignInUp({
               currentWorkspace,
               workspacePersonalInviteToken,
               email,
-      });
+            })
+          : undefined;
 
       const existingUser = await this.userRepository.findOne({
         where: { email },

packages/twenty-server/src/engine/core-modules/auth/controllers/sso-auth.controller.ts

@@ -153,10 +153,13 @@ export class SSOAuthController {
       );
     }
 
-    const invitation = await this.authService.findInvitationForSignInUp({
+    const invitation =
+      payload.email && identityProvider.workspace
+        ? await this.authService.findInvitationForSignInUp({
             currentWorkspace: identityProvider.workspace,
             email: payload.email,
-    });
+          })
+        : undefined;
 
     const existingUser = await this.userRepository.findOne({
       where: {

packages/twenty-server/src/engine/core-modules/auth/services/auth.service.spec.ts

@@ -19,6 +19,10 @@ import { WorkspaceInvitationService } from 'src/engine/core-modules/workspace-in
 import { SocialSsoService } from 'src/engine/core-modules/auth/services/social-sso.service';
 import { Workspace } from 'src/engine/core-modules/workspace/workspace.entity';
 import { ExistingUserOrNewUser } from 'src/engine/core-modules/auth/types/signInUp.type';
+import {
+  AuthException,
+  AuthExceptionCode,
+} from 'src/engine/core-modules/auth/auth.exception';
 
 import { AuthService } from './auth.service';
 
@@ -29,7 +33,7 @@ const UserWorkspaceFindOneByMock = jest.fn();
 
 const userWorkspaceServiceCheckUserWorkspaceExistsMock = jest.fn();
 const workspaceInvitationGetOneWorkspaceInvitationMock = jest.fn();
-const workspaceInvitationValidateInvitationMock = jest.fn();
+const workspaceInvitationValidatePersonalInvitationMock = jest.fn();
 const userWorkspaceAddUserToWorkspaceMock = jest.fn();
 
 const environmentServiceGetMock = jest.fn();
@@ -112,7 +116,8 @@ describe('AuthService', () => {
           useValue: {
             getOneWorkspaceInvitation:
               workspaceInvitationGetOneWorkspaceInvitationMock,
-            validateInvitation: workspaceInvitationValidateInvitationMock,
+            validatePersonalInvitation:
+              workspaceInvitationValidatePersonalInvitationMock,
           },
         },
         {
@@ -193,7 +198,7 @@ describe('AuthService', () => {
     userWorkspaceServiceCheckUserWorkspaceExistsMock.mockReturnValueOnce(false);
 
     workspaceInvitationGetOneWorkspaceInvitationMock.mockReturnValueOnce({});
-    workspaceInvitationValidateInvitationMock.mockReturnValueOnce({});
+    workspaceInvitationValidatePersonalInvitationMock.mockReturnValueOnce({});
     userWorkspaceAddUserToWorkspaceMock.mockReturnValueOnce({});
 
     const response = await service.challenge(
@@ -216,11 +221,14 @@ describe('AuthService', () => {
     expect(
       workspaceInvitationGetOneWorkspaceInvitationMock,
     ).toHaveBeenCalledTimes(1);
-    expect(workspaceInvitationValidateInvitationMock).toHaveBeenCalledTimes(1);
+    expect(
+      workspaceInvitationValidatePersonalInvitationMock,
+    ).toHaveBeenCalledTimes(1);
     expect(userWorkspaceAddUserToWorkspaceMock).toHaveBeenCalledTimes(1);
     expect(UserFindOneMock).toHaveBeenCalledTimes(1);
   });
 
+  describe('checkAccessForSignIn', () => {
     it('checkAccessForSignIn - allow signin for existing user who target a workspace with right access', async () => {
       const spy = jest
         .spyOn(userService, 'hasUserAccessToWorkspaceOrThrow')
@@ -237,6 +245,7 @@ describe('AuthService', () => {
         workspaceInviteHash: undefined,
         workspace: {
           id: 'workspace-id',
+          isPublicInviteLinkEnabled: true,
         } as Workspace,
       });
 
@@ -260,6 +269,7 @@ describe('AuthService', () => {
           workspaceInviteHash: undefined,
           workspace: {
             id: 'workspace-id',
+            isPublicInviteLinkEnabled: true,
           } as Workspace,
         }),
       ).rejects.toThrow(new Error('Access denied'));
@@ -267,6 +277,34 @@ describe('AuthService', () => {
       expect(spy).toHaveBeenCalledTimes(1);
     });
 
+    it('checkAccessForSignIn - trigger an error when a user attempts to sign up using a public link in a workspace where public links are disabled', async () => {
+      const spy = jest.spyOn(userService, 'hasUserAccessToWorkspaceOrThrow');
+
+      await expect(
+        service.checkAccessForSignIn({
+          userData: {
+            type: 'existingUser',
+            existingUser: {
+              id: 'user-id',
+            },
+          } as ExistingUserOrNewUser['userData'],
+          invitation: undefined,
+          workspaceInviteHash: 'workspaceInviteHash',
+          workspace: {
+            id: 'workspace-id',
+            isPublicInviteLinkEnabled: false,
+          } as Workspace,
+        }),
+      ).rejects.toThrow(
+        new AuthException(
+          'Public invite link is disabled for this workspace',
+          AuthExceptionCode.FORBIDDEN_EXCEPTION,
+        ),
+      );
+
+      expect(spy).toHaveBeenCalledTimes(0);
+    });
+
     it("checkAccessForSignIn - allow signup for new user who don't target a workspace", async () => {
       const spy = jest
         .spyOn(userService, 'hasUserAccessToWorkspaceOrThrow')
@@ -325,7 +363,7 @@ describe('AuthService', () => {
       expect(spy).toHaveBeenCalledTimes(0);
     });
 
-  it('checkAccessForSignIn - allow signup for new user who target a workspace with workspaceInviteHash', async () => {
+    it('checkAccessForSignIn - allow signup for new user who target a workspace with public invitation', async () => {
       const spy = jest
         .spyOn(userService, 'hasUserAccessToWorkspaceOrThrow')
         .mockResolvedValue();
@@ -337,11 +375,14 @@ describe('AuthService', () => {
         } as ExistingUserOrNewUser['userData'],
         invitation: undefined,
         workspaceInviteHash: 'workspaceInviteHash',
-      workspace: {} as Workspace,
+        workspace: {
+          isPublicInviteLinkEnabled: true,
+        } as Workspace,
       });
 
       expect(spy).toHaveBeenCalledTimes(0);
     });
+  });
 
   it('findWorkspaceForSignInUp - signup password auth', async () => {
     const spyWorkspaceRepository = jest.spyOn(workspaceRepository, 'findOneBy');

packages/twenty-server/src/engine/core-modules/auth/services/auth.service.ts

@@ -98,7 +98,7 @@ export class AuthService {
       );
 
     if (invitation) {
-      await this.workspaceInvitationService.validateInvitation({
+      await this.workspaceInvitationService.validatePersonalInvitation({
         workspacePersonalInviteToken: invitation.value,
         email: user.email,
       });
@@ -480,32 +480,33 @@ export class AuthService {
     workspacePersonalInviteToken,
     email,
   }: {
-    currentWorkspace?: Workspace | null;
+    currentWorkspace: Workspace | null;
     workspacePersonalInviteToken?: string;
     email?: string;
   }) {
-    if (!currentWorkspace) return undefined;
+    if (!currentWorkspace || !workspacePersonalInviteToken) return undefined;
 
-    const qr = this.appTokenRepository.createQueryBuilder('appToken');
+    const qr = this.appTokenRepository
-
+      .createQueryBuilder('appToken')
-    qr.where('"appToken"."workspaceId" = :workspaceId', {
+      .where('"appToken"."workspaceId" = :workspaceId', {
         workspaceId: currentWorkspace.id,
-    }).andWhere('"appToken".type = :type', {
+      })
+      .andWhere('"appToken".type = :type', {
         type: AppTokenType.InvitationToken,
       });
 
-    if (email) {
-      qr.andWhere('"appToken".context->>\'email\' = :email', {
-        email,
-      });
-    }
-
     if (workspacePersonalInviteToken) {
       qr.andWhere('"appToken".value = :personalInviteToken', {
         personalInviteToken: workspacePersonalInviteToken,
       });
     }
 
+    if (email) {
+      qr.andWhere('"appToken".context->>\'email\' = :email', {
+        email,
+      });
+    }
+
     return (await qr.getOne()) ?? undefined;
   }
 
@@ -567,18 +568,40 @@ export class AuthService {
     workspaceInviteHash?: string;
   } & ExistingUserOrNewUser &
     SignInUpBaseParams) {
-    const hasInvitation = invitation || workspaceInviteHash;
+    const hasPublicInviteLink = !!workspaceInviteHash;
+    const hasPersonalInvitation = !!invitation;
+    const isInvitedToWorkspace = hasPersonalInvitation || hasPublicInviteLink;
     const isTargetAnExistingWorkspace = !!workspace;
     const isAnExistingUser = userData.type === 'existingUser';
 
-    if (!hasInvitation && isTargetAnExistingWorkspace && isAnExistingUser) {
+    if (
+      hasPublicInviteLink &&
+      !hasPersonalInvitation &&
+      workspace &&
+      !workspace.isPublicInviteLinkEnabled
+    ) {
+      throw new AuthException(
+        'Public invite link is disabled for this workspace',
+        AuthExceptionCode.FORBIDDEN_EXCEPTION,
+      );
+    }
+
+    if (
+      !isInvitedToWorkspace &&
+      isTargetAnExistingWorkspace &&
+      isAnExistingUser
+    ) {
       return await this.userService.hasUserAccessToWorkspaceOrThrow(
         userData.existingUser.id,
         workspace.id,
       );
     }
 
-    if (!hasInvitation && isTargetAnExistingWorkspace && !isAnExistingUser) {
+    if (
+      !isInvitedToWorkspace &&
+      isTargetAnExistingWorkspace &&
+      !isAnExistingUser
+    ) {
       throw new AuthException(
         'User does not have access to this workspace',
         AuthExceptionCode.FORBIDDEN_EXCEPTION,

packages/twenty-server/src/engine/core-modules/auth/services/sign-in-up.service.spec.ts

@@ -67,7 +67,7 @@ describe('SignInUpService', () => {
         {
           provide: WorkspaceInvitationService,
           useValue: {
-            validateInvitation: jest.fn(),
+            validatePersonalInvitation: jest.fn(),
             invalidateWorkspaceInvitation: jest.fn(),
           },
         },
@@ -145,7 +145,7 @@ describe('SignInUpService', () => {
     };
 
     jest
-      .spyOn(workspaceInvitationService, 'validateInvitation')
+      .spyOn(workspaceInvitationService, 'validatePersonalInvitation')
       .mockResolvedValue({
         isValid: true,
         workspace: params.workspace as Workspace,
@@ -163,7 +163,9 @@ describe('SignInUpService', () => {
 
     expect(result.workspace).toEqual(params.workspace);
     expect(result.user).toBeDefined();
-    expect(workspaceInvitationService.validateInvitation).toHaveBeenCalledWith({
+    expect(
+      workspaceInvitationService.validatePersonalInvitation,
+    ).toHaveBeenCalledWith({
       workspacePersonalInviteToken: 'invitationToken',
       email: 'test@example.com',
     });

packages/twenty-server/src/engine/core-modules/auth/services/sign-in-up.service.ts

@@ -173,7 +173,7 @@ export class SignInUpService {
     }
 
     const invitationValidation =
-      await this.workspaceInvitationService.validateInvitation({
+      await this.workspaceInvitationService.validatePersonalInvitation({
         workspacePersonalInviteToken: params.invitation.value,
         email,
       });

packages/twenty-server/src/engine/core-modules/user-workspace/user-workspace.service.ts

@@ -125,7 +125,8 @@ export class UserWorkspaceService extends TypeOrmQueryService<UserWorkspace> {
   }
 
   async addUserToWorkspaceByInviteToken(inviteToken: string, user: User) {
-    const appToken = await this.workspaceInvitationService.validateInvitation({
+    const appToken =
+      await this.workspaceInvitationService.validatePersonalInvitation({
         workspacePersonalInviteToken: inviteToken,
         email: user.email,
       });

packages/twenty-server/src/engine/core-modules/workspace-invitation/services/workspace-invitation.service.ts

@@ -37,8 +37,6 @@ export class WorkspaceInvitationService {
   constructor(
     @InjectRepository(AppToken, 'core')
     private readonly appTokenRepository: Repository<AppToken>,
-    @InjectRepository(Workspace, 'core')
-    private readonly workspaceRepository: Repository<Workspace>,
     @InjectRepository(UserWorkspace, 'core')
     private readonly userWorkspaceRepository: Repository<UserWorkspace>,
     private readonly environmentService: EnvironmentService,
@@ -47,32 +45,7 @@ export class WorkspaceInvitationService {
     private readonly domainManagerService: DomainManagerService,
   ) {}
 
-  // VALIDATIONS METHODS
+  async validatePersonalInvitation({
-  private async validatePublicInvitation(workspaceInviteHash: string) {
-    const workspace = await this.workspaceRepository.findOne({
-      where: {
-        inviteHash: workspaceInviteHash,
-      },
-    });
-
-    if (!workspace) {
-      throw new AuthException(
-        'Workspace not found',
-        AuthExceptionCode.WORKSPACE_NOT_FOUND,
-      );
-    }
-
-    if (!workspace.isPublicInviteLinkEnabled) {
-      throw new AuthException(
-        'Workspace does not allow public invites',
-        AuthExceptionCode.FORBIDDEN_EXCEPTION,
-      );
-    }
-
-    return { isValid: true, workspace };
-  }
-
-  private async validatePersonalInvitation({
     workspacePersonalInviteToken,
     email,
   }: {
@@ -109,32 +82,6 @@ export class WorkspaceInvitationService {
     }
   }
 
-  async validateInvitation({
-    workspacePersonalInviteToken,
-    workspaceInviteHash,
-    email,
-  }: {
-    workspacePersonalInviteToken?: string;
-    workspaceInviteHash?: string;
-    email: string;
-  }) {
-    if (workspacePersonalInviteToken) {
-      return await this.validatePersonalInvitation({
-        workspacePersonalInviteToken,
-        email,
-      });
-    }
-
-    if (workspaceInviteHash) {
-      return await this.validatePublicInvitation(workspaceInviteHash);
-    }
-
-    throw new AuthException(
-      'Invitation invalid',
-      AuthExceptionCode.FORBIDDEN_EXCEPTION,
-    );
-  }
-
   async findInvitationByWorkspaceSubdomainAndUserEmail({
     subdomain,
     email,