@waleedlatif1
Collaborator

Summary

  • preserve tokens after error in invitation flow
  • previously, we fell back to the invitation id as the token and it complicated the flow when they changed accounts
  • added tests

Type of Change

  • Bug fix

Testing

Tested manually, added tests

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel

vercel bot commented Jan 14, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
| Project | Deployment | Review | Updated (UTC) |
| --- | --- | --- | --- |
| docs | Skipped | Skipped | Jan 14, 2026 4:03am |

@greptile-apps
Contributor

greptile-apps bot commented Jan 14, 2026

Greptile Summary

This PR fixes a critical bug in the workspace invitation flow where tokens were lost during error scenarios. Previously, when users encountered errors (expired invitation, email mismatch, etc.), the token was not preserved in the redirect URL, causing the frontend to fall back to using the invitation ID as the token. This complicated the flow significantly when users needed to switch accounts.

The fix ensures that:

  • All error redirects in the API route now preserve the token as a query parameter with proper URL encoding
  • The frontend retrieves tokens from sessionStorage when not present in URL params, maintaining state across auth flows
  • Users can successfully retry invitation acceptance after switching to the correct account

The implementation includes comprehensive test coverage for all error paths, URL encoding edge cases, and end-to-end flow validation.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • The changes are well-scoped, thoroughly tested, and fix a clear bug without introducing new complexity. All error paths include token preservation with proper URL encoding. Test coverage includes edge cases like special characters and the full retry flow.
  • No files require special attention

Important Files Changed

| Filename | Overview |
| --- | --- |
| apps/sim/app/api/workspaces/invitations/[invitationId]/route.ts | Added token preservation to all error redirect paths in the invitation acceptance flow. Token is properly URL-encoded when appended to error redirects. |
| apps/sim/app/api/workspaces/invitations/[invitationId]/route.test.ts | Added comprehensive test coverage for token preservation in error scenarios. Includes tests for URL encoding and end-to-end flow with account switching. |
| apps/sim/app/invite/[id]/invite.tsx | Updated token retrieval logic to check sessionStorage when token not in query params. Token is now retrieved from sessionStorage in getCallbackUrl to ensure it persists through auth flows. |

Sequence Diagram

sequenceDiagram
    participant User
    participant Browser
    participant InvitePage as /invite/[id]
    participant API as /api/invitations/[id]
    participant SessionStorage
    
    Note over User,SessionStorage: Scenario: Email Mismatch with Token Preservation
    
    User->>Browser: Click invitation link with token param
    Browser->>InvitePage: Load page with token in query
    InvitePage->>SessionStorage: Store invitation token
    InvitePage->>API: GET with token param
    
    Note over API: User logged in with wrongEmail
    Note over API: Invitation sent to correctEmail
    
    API->>API: Detect email mismatch
    API->>Browser: Redirect with error and token preserved
    
    Browser->>InvitePage: Load error page with token
    InvitePage->>SessionStorage: Token already stored
    InvitePage->>User: Show "Wrong Account" error
    
    User->>InvitePage: Click "Sign in with different account"
    InvitePage->>SessionStorage: Read stored token
    InvitePage->>Browser: Redirect to login with callback
    
    Note over User,Browser: User signs in with correctEmail
    
    Browser->>InvitePage: Return with token in URL
    InvitePage->>SessionStorage: Token persists
    InvitePage->>API: GET with token param
    
    Note over API: User now logged in with correctEmail
    
    API->>API: Email matches successfully
    API->>API: Accept invitation
    API->>Browser: Redirect to workspace
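
The token handling summarized above, sketched as an added JavaScript example that is not the project's code. The function bodies, the `error` query parameter name, the `inviteToken` storage key, the host and all sample values are assumptions made for illustration.

```javascript
// Added illustration, not the project's code. Function bodies, the `error`
// parameter name and the storage key are assumptions.
const INVITE_TOKEN_KEY = 'inviteToken'; // hypothetical sessionStorage key

// API side: every error redirect carries the token forward.
// URLSearchParams percent-encodes the value, so '+', '&', '=' survive intact.
function buildErrorRedirect(baseUrl, invitationId, errorCode, token) {
  const url = new URL(`/invite/${encodeURIComponent(invitationId)}`, baseUrl);
  url.searchParams.set('error', errorCode);
  if (token) url.searchParams.set('token', token);
  return url.toString();
}

// Page side: prefer the URL, then sessionStorage. Returns null when the token
// is unknown; it never substitutes the invitation ID for the token.
function resolveToken(search, storage) {
  const fromUrl = new URLSearchParams(search).get('token');
  if (fromUrl) {
    storage.setItem(INVITE_TOKEN_KEY, fromUrl);
    return fromUrl;
  }
  return storage.getItem(INVITE_TOKEN_KEY);
}

// Callback URL handed to the login page when the user switches accounts.
function getCallbackUrl(invitationId, search, storage) {
  const token = resolveToken(search, storage);
  const path = `/invite/${encodeURIComponent(invitationId)}`;
  return token ? `${path}?token=${encodeURIComponent(token)}` : path;
}

// In-memory stand-in for sessionStorage so the example runs under Node.
function makeMemoryStorage() {
  const items = new Map();
  return {
    getItem: (key) => (items.has(key) ? items.get(key) : null),
    setItem: (key, value) => { items.set(key, String(value)); },
  };
}

// Constructed walk-through of the email-mismatch retry from the diagram.
function simulateRetry(token) {
  const storage = makeMemoryStorage();
  const redirect = buildErrorRedirect('https://app.example', 'inv_123', 'email-mismatch', token);
  resolveToken(new URL(redirect).search, storage); // error page stores the token
  return { redirect, callback: getCallbackUrl('inv_123', '', storage) };
}
```
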

@waleedlatif1 waleedlatif1 merged commit d6e4c91 into staging Jan 14, 2026
10 checks passed
@waleedlatif1 waleedlatif1 deleted the improvement/invite-flow branch January 14, 2026 04:10