better invite system

[byteplow]

current

The current invite system creates a new account and provides a recovery link.
This creates a lot of accounts on accident. How ever has access to the link also has access to the account for a short time.

goal

Use registration flow/api for invites. But guard it with an registration token. Which is invalidated after one use.

tasks

• guard self registration with an static invite token
• allow users to create an invite toke
• invalidate invite token after success full registration
• allow users to revoke invite tokens
• remove wellkown invite token or make it configurable for development #9
• fix: set inviting user user after successful registration #10
• fix: invite creation is probable vulnerable to xsrf attacks #11

design

• checking invites
  • proxy for POST /self-service/registration (this is the endpoint responsible for registering the account)
  • the proxy checks if the invite is valid
  • the proxy invalidates the invite if the registration was successful
• invites
  • invites could be stored in keto, my app already uses keto and than there is no extra db requirement
  • invites should be persisted
  • invites should be linked to created and user

[byteplow]

keto rules

namespace: invites
oldUser#invited_by@newUser
oldUser#invited_by@(newUser#invited_by)
invite#created_by@user
endpoint#access@invite

endpoint <= full url

on creation

• set: invite#created@user
• set: "registration"#access@invite

on registration

check: "registration"#access@invite

on successful registration

• delete: invite#created@user
• delete: "registration"#access@invite
• get invite#created_by => oldUser
• set: oldUser#invited_by@newUser

pros

• this setup makes it easy to show a user all its unused invites
• this setup makes it easy, to find all accounts directly or indirectly invited by a user

[byteplow]

#8 did not resole all task