ibnezzoubayr/L-Ami-Fiduciaire
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add team invitation acceptance flow with email link routing

Browse Source 
Implement end-to-end invitation acceptance: neutral entry route validates
token and routes to register (new users), login (existing users), or
auto-accepts (authenticated users). Handles 2FA token survival via
session, email case-insensitive matching, and dedicated error pages.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Saad Ibn-Ezzoubayr
2026-03-27 15:16:45 +01:00
parent 8f39bd9b73
commit 88e5803061
13 changed files with 422 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
app/Actions/Fortify/CreateNewUser.php
View File

@@ -4,7 +4,9 @@ namespace App\Actions\Fortify;
use App\Concerns\PasswordValidationRules;
use App\Concerns\ProfileValidationRules;
use App\Models\TeamInvitation;
use App\Models\User;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Validator;
use Laravel\Fortify\Contracts\CreatesNewUsers;
@@ -24,10 +26,30 @@ class CreateNewUser implements CreatesNewUsers
'password' => $this->passwordRules(),
])->validate();
return User::create([
$user = User::create([
'name' => $input['name'],
'email' => $input['email'],
'password' => $input['password'],
]);
if (! empty($input['invitation'])) {
$invitation = TeamInvitation::where('token', $input['invitation'])->first();
if ($invitation && $invitation->isValid() && strtolower($user->email) === strtolower($invitation->email)) {
DB::transaction(function () use ($user, $invitation) {
$user->workspaces()->attach($invitation->workspace_id, [
'role' => $invitation->role,
'permissions' => json_encode(config("permissions.defaults.{$invitation->role}", [])),
]);
$invitation->update(['accepted_at' => now()]);
});
session(['current_workspace_id' => $invitation->workspace_id]);
session(['invitation_accepted' => true]);
}
}
return $user;
}
}

103
app/Http/Controllers/TeamInvitationAcceptController.php Normal file
View File

@@ -0,0 +1,103 @@
<?php
namespace App\Http\Controllers;
use App\Models\TeamInvitation;
use App\Models\User;
use App\Models\WorkspaceUser;
use Illuminate\Http\RedirectResponse;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\DB;
use Inertia\Inertia;
use Inertia\Response;
class TeamInvitationAcceptController extends Controller
{
/**
* Handle team invitation acceptance.
*/
public function __invoke(string $token): Response|RedirectResponse
{
$invitation = TeamInvitation::where('token', $token)->first();
if (! $invitation) {
return Inertia::render('auth/InvitationError', [
'title' => 'Invitation introuvable',
'message' => 'Ce lien d\'invitation est invalide ou n\'existe pas.',
'homeUrl' => url('/'),
]);
}
if (! $invitation->isValid()) {
$message = $invitation->accepted_at !== null
? 'Cette invitation a déjà été acceptée.'
: 'Cette invitation a expiré.';
return Inertia::render('auth/InvitationError', [
'title' => 'Invitation invalide',
'message' => $message,
'homeUrl' => url('/'),
]);
}
if (Auth::check()) {
return $this->handleAuthenticatedUser($invitation);
}
return $this->handleUnauthenticatedUser($invitation);
}
/**
* Handle invitation acceptance for authenticated users.
*/
protected function handleAuthenticatedUser(TeamInvitation $invitation): Response|RedirectResponse
{
/** @var User $user */
$user = Auth::user();
if (strtolower($user->email) !== strtolower($invitation->email)) {
return Inertia::render('auth/InvitationError', [
'title' => 'Adresse email incorrecte',
'message' => 'Cette invitation est destinée à une autre adresse email.',
'homeUrl' => url('/'),
]);
}
$alreadyMember = WorkspaceUser::where('workspace_id', $invitation->workspace_id)
->where('user_id', $user->id)
->exists();
if ($alreadyMember) {
return redirect()->route('dashboard')->with('info', 'Vous êtes déjà membre de cet espace de travail.');
}
DB::transaction(function () use ($user, $invitation) {
$user->workspaces()->attach($invitation->workspace_id, [
'role' => $invitation->role,
'permissions' => json_encode(config("permissions.defaults.{$invitation->role}", [])),
]);
$invitation->update(['accepted_at' => now()]);
});
session(['current_workspace_id' => $invitation->workspace_id]);
return redirect()->route('dashboard')->with('success', 'Vous avez rejoint l\'espace de travail avec succès.');
}
/**
* Handle invitation acceptance for unauthenticated users.
*/
protected function handleUnauthenticatedUser(TeamInvitation $invitation): RedirectResponse
{
$existingUser = User::where('email', $invitation->email)->first();
if ($existingUser) {
return redirect()
->to(route('login', ['invitation' => $invitation->token]))
->with('status', 'Connectez-vous pour rejoindre l\'espace de travail');
}
return redirect()->to(route('register', ['invitation' => $invitation->token]));
}
}

61
app/Http/Responses/LoginResponse.php Normal file
View File

@@ -0,0 +1,61 @@
<?php
namespace App\Http\Responses;
use App\Models\TeamInvitation;
use App\Models\WorkspaceUser;
use Illuminate\Http\JsonResponse;
use Illuminate\Support\Facades\DB;
use Laravel\Fortify\Contracts\LoginResponse as LoginResponseContract;
class LoginResponse implements LoginResponseContract
{
/**
* Create an HTTP response that represents the object.
*
* @param \Illuminate\Http\Request $request
* @return \Symfony\Component\HttpFoundation\Response
*/
public function toResponse($request)
{
$token = $request->input('invitation')
?? $request->session()->pull('pending_invitation_token');
if ($token) {
$invitation = TeamInvitation::where('token', $token)->first();
$user = $request->user();
if ($invitation && $invitation->isValid() && strtolower($invitation->email) === strtolower($user->email)) {
$alreadyMember = WorkspaceUser::where('workspace_id', $invitation->workspace_id)
->where('user_id', $user->id)
->exists();
if (! $alreadyMember) {
DB::transaction(function () use ($user, $invitation) {
$user->workspaces()->attach($invitation->workspace_id, [
'role' => $invitation->role,
'permissions' => json_encode(config("permissions.defaults.{$invitation->role}", [])),
]);
$invitation->update(['accepted_at' => now()]);
});
} else {
session(['current_workspace_id' => $invitation->workspace_id]);
return redirect()->intended('/dashboard');
}
session(['current_workspace_id' => $invitation->workspace_id]);
return redirect()->intended('/dashboard');
}
}
// Clean up session token if present but not used
$request->session()->forget('pending_invitation_token');
return $request->wantsJson()
? new JsonResponse('', 204)
: redirect()->intended(config('fortify.home'));
}
}

26
app/Http/Responses/RegisterResponse.php Normal file
View File

@@ -0,0 +1,26 @@
<?php
namespace App\Http\Responses;
use Illuminate\Http\JsonResponse;
use Laravel\Fortify\Contracts\RegisterResponse as RegisterResponseContract;
class RegisterResponse implements RegisterResponseContract
{
/**
* Create an HTTP response that represents the object.
*
* @param \Illuminate\Http\Request $request
* @return \Symfony\Component\HttpFoundation\Response
*/
public function toResponse($request)
{
if ($request->session()->pull('invitation_accepted')) {
return redirect()->intended('/dashboard');
}
return $request->wantsJson()
? new JsonResponse('', 201)
: redirect()->intended(config('fortify.home'));
}
}

2
app/Mail/TeamInvitationMail.php
View File

@@ -48,7 +48,7 @@ class TeamInvitationMail extends Mailable implements ShouldQueue
with: [
'workspaceName' => $this->workspace->name,
'roleLabel' => $roleLabels[$this->invitation->role] ?? $this->invitation->role,
'registerUrl' => route('register', ['invitation' => $this->invitation->token]),
'acceptUrl' => route('team.invitation.accept', $this->invitation->token),
'expiresAt' => $this->invitation->expires_at->format('d/m/Y à H:i'),
]
);

45
app/Providers/FortifyServiceProvider.php
View File

@@ -20,7 +20,15 @@ class FortifyServiceProvider extends ServiceProvider
*/
public function register(): void
{
//
$this->app->singleton(
\Laravel\Fortify\Contracts\RegisterResponse::class,
\App\Http\Responses\RegisterResponse::class
);
$this->app->singleton(
\Laravel\Fortify\Contracts\LoginResponse::class,
\App\Http\Responses\LoginResponse::class
);
}
/**
@@ -47,11 +55,21 @@ class FortifyServiceProvider extends ServiceProvider
*/
private function configureViews(): void
{
Fortify::loginView(fn (Request $request) => Inertia::render('auth/Login', [
'canResetPassword' => Features::enabled(Features::resetPasswords()),
'canRegister' => Features::enabled(Features::registration()),
'status' => $request->session()->get('status'),
]));
Fortify::loginView(function (Request $request) {
$props = [
'canResetPassword' => Features::enabled(Features::resetPasswords()),
'canRegister' => Features::enabled(Features::registration()),
'status' => $request->session()->get('status'),
];
$token = $request->query('invitation');
if ($token) {
$props['invitation'] = $token;
$request->session()->put('pending_invitation_token', $token);
}
return Inertia::render('auth/Login', $props);
});
Fortify::resetPasswordView(fn (Request $request) => Inertia::render('auth/ResetPassword', [
'email' => $request->email,
@@ -66,7 +84,20 @@ class FortifyServiceProvider extends ServiceProvider
'status' => $request->session()->get('status'),
]));
Fortify::registerView(fn () => Inertia::render('auth/Register'));
Fortify::registerView(function (Request $request) {
$props = [];
$token = $request->query('invitation');
if ($token) {
$invitation = \App\Models\TeamInvitation::where('token', $token)->first();
if ($invitation && $invitation->isValid()) {
$props['invitation'] = $token;
$props['invitationEmail'] = $invitation->email;
}
}
return Inertia::render('auth/Register', $props);
});
Fortify::twoFactorChallengeView(fn () => Inertia::render('auth/TwoFactorChallenge'));