[VPAT-51] fix: update workspace invitation flow to use token for validation #8508

- Modified the invite link to include a token for enhanced security. - Updated the WorkspaceJoinEndpoint to validate the token instead of the email. - Adjusted the workspace invitation task to generate links with the token. - Refactored the frontend to handle token in the invitation process. Co-authored-by: sriram veeraghanta <veeraghanta.sriram@gmail.com>
2026-02-17 00:02:18 +05:30 · 2026-02-17 00:02:18 +05:30 · ef5d481a19
commit ef5d481a19
parent c8a800104c
4 changed files with 15 additions and 16 deletions
--- a/apps/api/plane/app/serializers/workspace.py
+++ b/apps/api/plane/app/serializers/workspace.py
@ -111,7 +111,7 @@ class WorkSpaceMemberInviteSerializer(BaseSerializer):
    invite_link = serializers.SerializerMethodField()

    def get_invite_link(self, obj):
-        return f"/workspace-invitations/?invitation_id={obj.id}&email={obj.email}&slug={obj.workspace.slug}"
+        return f"/workspace-invitations/?invitation_id={obj.id}&slug={obj.workspace.slug}&token={obj.token}"

    class Meta:
        model = WorkspaceMemberInvite
--- a/apps/api/plane/app/views/workspace/invite.py
+++ b/apps/api/plane/app/views/workspace/invite.py
@ -163,10 +163,10 @@ class WorkspaceJoinEndpoint(BaseAPIView):
    def post(self, request, slug, pk):
        workspace_invite = WorkspaceMemberInvite.objects.get(pk=pk, workspace__slug=slug)

-        email = request.data.get("email", "")
+        token = request.data.get("token", "")

-        # Check the email
-        if email == "" or workspace_invite.email != email:
+        # Validate the token to verify the user received the invitation email
+        if not token or workspace_invite.token != token:
            return Response(
                {"error": "You do not have permission to join the workspace"},
                status=status.HTTP_403_FORBIDDEN,
@ -180,7 +180,7 @@ class WorkspaceJoinEndpoint(BaseAPIView):

            if workspace_invite.accepted:
                # Check if the user created account after invitation
-                user = User.objects.filter(email=email).first()
+                user = User.objects.filter(email=workspace_invite.email).first()

                # If the user is present then create the workspace member
                if user is not None:
--- a/apps/api/plane/bgtasks/workspace_invitation_task.py
+++ b/apps/api/plane/bgtasks/workspace_invitation_task.py
@ -29,7 +29,7 @@ def workspace_invitation(email, workspace_id, token, current_site, inviter):

        # Relative link
        relative_link = (
-            f"/workspace-invitations/?invitation_id={workspace_member_invite.id}&email={email}&slug={workspace.slug}"  # noqa: E501
+            f"/workspace-invitations/?invitation_id={workspace_member_invite.id}&slug={workspace.slug}&token={token}"  # noqa: E501
        )

        # The complete url including the domain