Check expiry of invitation link

dragonpoo · dragonpoo · commit 46d2c4727432 · 2025-01-30T10:33:43.000-05:00
diff --git a/server/api-service/lowcoder-sdk/src/main/java/org/lowcoder/sdk/exception/BizError.java b/server/api-service/lowcoder-sdk/src/main/java/org/lowcoder/sdk/exception/BizError.java
@@ -105,6 +105,7 @@ public enum BizError {
     ID_NOT_EXIST(500, 5620),
     DUPLICATE_AUTH_CONFIG_ADDITION(400, 5621),
     EMAIL_PROVIDER_DISABLED(403, 5622),
+    LINK_EXPIRED(401, 5623),
 
 
     // asset related, code range 5700 - 5799
diff --git a/server/api-service/lowcoder-sdk/src/main/resources/locale_en.properties b/server/api-service/lowcoder-sdk/src/main/resources/locale_en.properties
@@ -19,6 +19,7 @@ UNABLE_TO_FIND_VALID_ORG=Cannot find a valid workspace for current user.
 USER_BANNED=Current account is frozen.
 SENDING_EMAIL_FAILED=Email could not be sent. Please check the smtp settings for the org.
 TOKEN_EXPIRED=Token to reset the password has expired
+LINK_EXPIRED=Link has expired
 INVALID_TOKEN=Invalid token received for password reset request
 # invitation
 INVALID_INVITATION_CODE=Invitation code not found.
diff --git a/server/api-service/lowcoder-server/src/main/java/org/lowcoder/api/authentication/service/AuthenticationApiServiceImpl.java b/server/api-service/lowcoder-server/src/main/java/org/lowcoder/api/authentication/service/AuthenticationApiServiceImpl.java
@@ -23,6 +23,7 @@
 import org.lowcoder.domain.authentication.FindAuthConfig;
 import org.lowcoder.domain.authentication.context.AuthRequestContext;
 import org.lowcoder.domain.authentication.context.FormAuthRequestContext;
+import org.lowcoder.domain.invitation.service.InvitationService;
 import org.lowcoder.domain.organization.model.OrgMember;
 import org.lowcoder.domain.organization.model.Organization;
 import org.lowcoder.domain.organization.model.OrganizationDomain;
@@ -41,6 +42,8 @@
 import reactor.core.publisher.Flux;
 import reactor.core.publisher.Mono;
 
+import java.time.Duration;
+import java.time.Instant;
 import java.util.*;
 import java.util.function.Function;
 import java.util.function.Predicate;
@@ -69,6 +72,7 @@ public class AuthenticationApiServiceImpl implements AuthenticationApiService {
     private final OrgMemberService orgMemberService;
     private final JWTUtils jwtUtils;
     private final AuthProperties authProperties;
+    private final InvitationService invitationService;
 
     @Override
     public Mono<AuthUser> authenticateByForm(String loginId, String password, String source, boolean register, String authId, String orgId) {
@@ -120,7 +124,18 @@ protected Mono<AuthUser> authenticate(String authId, @Deprecated String source,
     @Override
     public Mono<Void> loginOrRegister(AuthUser authUser, ServerWebExchange exchange,
                                       String invitationId, boolean linKExistingUser) {
-        return updateOrCreateUser(authUser, linKExistingUser, false)
+        Mono<Boolean> expiryCheckMono;
+        if(invitationId != null && !invitationId.trim().isEmpty()) {
+            expiryCheckMono = invitationService.getById(invitationId)
+                    .handle((invitation, sink) -> {
+                        boolean expired = Instant.now().isAfter(invitation.getCreatedAt().plus(Duration.ofHours(12)));
+                        if(expired) sink.error(new BizException(LINK_EXPIRED, "LINK_EXPIRED"));
+                        sink.next(true);
+                    });
+        } else {
+            expiryCheckMono = Mono.just(true);
+        }
+        return expiryCheckMono.then(updateOrCreateUser(authUser, linKExistingUser, false)
                 .delayUntil(user -> ReactiveSecurityContextHolder.getContext()
                         .doOnNext(securityContext -> securityContext.setAuthentication(AuthenticationUtils.toAuthentication(user))))
                 // save token and set cookie
@@ -148,7 +163,7 @@ public Mono<Void> loginOrRegister(AuthUser authUser, ServerWebExchange exchange,
                     return invitationApiService.inviteUser(invitationId);
                 })
                 // publish event
-                .then(businessEventPublisher.publishUserLoginEvent(authUser.getSource()));
+                .then(businessEventPublisher.publishUserLoginEvent(authUser.getSource())));
     }
 
     public Mono<User> updateOrCreateUser(AuthUser authUser, boolean linkExistingUser, boolean isSuperAdmin) {
