Skip to content

feat: api v2 team invite link endpoint#6

Open
tomerqodo wants to merge 2 commits into
codex_full_base_feat_api_v2_team_invite_link_endpoint_pr6from
codex_full_head_feat_api_v2_team_invite_link_endpoint_pr6
Open

feat: api v2 team invite link endpoint#6
tomerqodo wants to merge 2 commits into
codex_full_base_feat_api_v2_team_invite_link_endpoint_pr6from
codex_full_head_feat_api_v2_team_invite_link_endpoint_pr6

Conversation

@tomerqodo

Copy link
Copy Markdown

Benchmark PR from agentic-review-benchmarks#6

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 505197c405

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +31 to +33
@Post("/invite")
@Roles("TEAM_MEMBER")
@ApiOperation({ summary: "Create team invite link" })

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Require admin role for invite creation

RolesGuard treats TEAM_MEMBER as the minimum allowed role, so this endpoint allows any team member to create invite links. That bypasses the admin/owner permission checks enforced elsewhere for team invites (e.g., the TRPC createInvite handler), and means non-admin members can generate invites even though the API tests expect a 403 for members.

Useful? React with 👍 / 👎.

Comment on lines 98 to 100
return {
token,
token: newToken.identifier,
inviteLink: await TeamService.buildInviteLink(token, isOrganizationOrATeamInOrganization),

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Return the actual invite token in response

The response now returns newToken.identifier (e.g., invite-link-for-teamId-123) instead of the generated verification token. Clients will receive a token that cannot be used to accept the invite and will not match the token embedded in inviteLink, making the response data inconsistent and unusable.

Useful? React with 👍 / 👎.

Comment on lines 104 to 107
private static async buildInviteLink(token: string, isOrgContext: boolean): Promise<string> {
const teamInviteLink = `${WEBAPP_URL}/teams?token=${token}`;
if (!isOrgContext) {
if (isOrgContext) {
return teamInviteLink;

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Keep org-context invites on the signup flow

The org-context branch now returns /teams?token=..., which is the logged-in teams page, while the signup + callback flow (used elsewhere for org invites) is pushed to the non-org branch. This flips behavior so org/team-in-org invites won’t send new users to signup/onboarding, which breaks acceptance for users who don’t already have a session.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant