feat: api v2 team invite link endpoint#6
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 505197c405
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| @Post("/invite") | ||
| @Roles("TEAM_MEMBER") | ||
| @ApiOperation({ summary: "Create team invite link" }) |
There was a problem hiding this comment.
Require admin role for invite creation
RolesGuard treats TEAM_MEMBER as the minimum allowed role, so this endpoint allows any team member to create invite links. That bypasses the admin/owner permission checks enforced elsewhere for team invites (e.g., the TRPC createInvite handler), and means non-admin members can generate invites even though the API tests expect a 403 for members.
Useful? React with 👍 / 👎.
| return { | ||
| token, | ||
| token: newToken.identifier, | ||
| inviteLink: await TeamService.buildInviteLink(token, isOrganizationOrATeamInOrganization), |
There was a problem hiding this comment.
Return the actual invite token in response
The response now returns newToken.identifier (e.g., invite-link-for-teamId-123) instead of the generated verification token. Clients will receive a token that cannot be used to accept the invite and will not match the token embedded in inviteLink, making the response data inconsistent and unusable.
Useful? React with 👍 / 👎.
| private static async buildInviteLink(token: string, isOrgContext: boolean): Promise<string> { | ||
| const teamInviteLink = `${WEBAPP_URL}/teams?token=${token}`; | ||
| if (!isOrgContext) { | ||
| if (isOrgContext) { | ||
| return teamInviteLink; |
There was a problem hiding this comment.
Keep org-context invites on the signup flow
The org-context branch now returns /teams?token=..., which is the logged-in teams page, while the signup + callback flow (used elsewhere for org invites) is pushed to the non-org branch. This flips behavior so org/team-in-org invites won’t send new users to signup/onboarding, which breaks acceptance for users who don’t already have a session.
Useful? React with 👍 / 👎.
Benchmark PR from agentic-review-benchmarks#6