use invite token instead of id for invitation url

2018-10-29 09:59:34 -04:00
parent b81a831c85
commit 151d5be5ea
7 changed files with 53 additions and 20 deletions
--- a/atst/domain/invitations.py
+++ b/atst/domain/invitations.py
@@ -21,9 +21,9 @@ class Invitations(object):
    EXPIRATION_LIMIT_MINUTES = 360

    @classmethod
-    def _get(cls, invite_id):
+    def _get(cls, token):
        try:
-            invite = db.session.query(Invitation).filter_by(id=invite_id).one()
+            invite = db.session.query(Invitation).filter_by(token=token).one()
        except NoResultFound:
            raise NotFoundError("invite")

@@ -58,8 +58,8 @@ class Invitations(object):
        return invite

    @classmethod
-    def accept(cls, invite_id):
-        invite = Invitations._get(invite_id)
+    def accept(cls, token):
+        invite = Invitations._get(token)

        if invite.is_expired:
            invite.status = InvitationStatus.REJECTED
--- a/atst/models/invitation.py
+++ b/atst/models/invitation.py
@@ -1,7 +1,8 @@
 import datetime
 from enum import Enum
+import secrets

-from sqlalchemy import Column, ForeignKey, Enum as SQLAEnum, TIMESTAMP
+from sqlalchemy import Column, ForeignKey, Enum as SQLAEnum, TIMESTAMP, String
 from sqlalchemy.dialects.postgresql import UUID
 from sqlalchemy.orm import relationship

@@ -34,6 +35,8 @@ class Invitation(Base, TimestampsMixin):

    expiration_time = Column(TIMESTAMP(timezone=True))

+    token = Column(String(), index=True, default=lambda: secrets.token_urlsafe())
+
    def __repr__(self):
        return "<Invitation(user='{}', workspace='{}', id='{}')>".format(
            self.user.id, self.workspace.id, self.id
--- a/atst/routes/workspaces.py
+++ b/atst/routes/workspaces.py
@@ -220,10 +220,8 @@ def new_member(workspace_id):
    )


-def send_invite_email(owner_name, invite_id, new_member_email):
-    body = render_template(
-        "emails/invitation.txt", owner=owner_name, invite_id=invite_id
-    )
+def send_invite_email(owner_name, token, new_member_email):
+    body = render_template("emails/invitation.txt", owner=owner_name, token=token)
    queue.send_mail(
        [new_member_email],
        "{} has invited you to a JEDI Cloud Workspace".format(owner_name),
@@ -241,7 +239,7 @@ def create_member(workspace_id):
            new_member = Workspaces.create_member(g.current_user, workspace, form.data)
            invite = Invitations.create(workspace, g.current_user, new_member.user)
            send_invite_email(
-                g.current_user.full_name, invite.id, new_member.user.email
+                g.current_user.full_name, invite.token, new_member.user.email
            )

            return redirect(
@@ -338,11 +336,11 @@ def update_member(workspace_id, member_id):
        )


-@bp.route("/workspaces/invitation/<invite_id>", methods=["GET"])
-def accept_invitation(invite_id):
+@bp.route("/workspaces/invitation/<token>", methods=["GET"])
+def accept_invitation(token):
    # TODO: check that the current_user DOD ID matches the user associated with
    # the invitation
-    invite = Invitations.accept(invite_id)
+    invite = Invitations.accept(token)

    return redirect(
        url_for("workspaces.show_workspace", workspace_id=invite.workspace.id)