feat: add team invitation acceptance flow with email link routing

Implement end-to-end invitation acceptance: neutral entry route validates token and routes to register (new users), login (existing users), or auto-accepts (authenticated users). Handles 2FA token survival via session, email case-insensitive matching, and dedicated error pages. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 15:16:45 +01:00
parent 8f39bd9b73
commit 88e5803061
13 changed files with 422 additions and 19 deletions
--- a/app/Http/Responses/LoginResponse.php
+++ b/app/Http/Responses/LoginResponse.php
@@ -0,0 +1,61 @@
+<?php
+
+namespace App\Http\Responses;
+
+use App\Models\TeamInvitation;
+use App\Models\WorkspaceUser;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Support\Facades\DB;
+use Laravel\Fortify\Contracts\LoginResponse as LoginResponseContract;
+
+class LoginResponse implements LoginResponseContract
+{
+    /**
+     * Create an HTTP response that represents the object.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @return \Symfony\Component\HttpFoundation\Response
+     */
+    public function toResponse($request)
+    {
+        $token = $request->input('invitation')
+            ?? $request->session()->pull('pending_invitation_token');
+
+        if ($token) {
+            $invitation = TeamInvitation::where('token', $token)->first();
+            $user = $request->user();
+
+            if ($invitation && $invitation->isValid() && strtolower($invitation->email) === strtolower($user->email)) {
+                $alreadyMember = WorkspaceUser::where('workspace_id', $invitation->workspace_id)
+                    ->where('user_id', $user->id)
+                    ->exists();
+
+                if (! $alreadyMember) {
+                    DB::transaction(function () use ($user, $invitation) {
+                        $user->workspaces()->attach($invitation->workspace_id, [
+                            'role' => $invitation->role,
+                            'permissions' => json_encode(config("permissions.defaults.{$invitation->role}", [])),
+                        ]);
+
+                        $invitation->update(['accepted_at' => now()]);
+                    });
+                } else {
+                    session(['current_workspace_id' => $invitation->workspace_id]);
+
+                    return redirect()->intended('/dashboard');
+                }
+
+                session(['current_workspace_id' => $invitation->workspace_id]);
+
+                return redirect()->intended('/dashboard');
+            }
+        }
+
+        // Clean up session token if present but not used
+        $request->session()->forget('pending_invitation_token');
+
+        return $request->wantsJson()
+            ? new JsonResponse('', 204)
+            : redirect()->intended(config('fortify.home'));
+    }
+}