updated invitation log

waleedlatif1 · waleedlatif1 · commit 0263d1e8413e · 2025-09-01T20:31:43.000-07:00
diff --git a/apps/sim/app/api/workspaces/invitations/[invitationId]/route.ts b/apps/sim/app/api/workspaces/invitations/[invitationId]/route.ts
@@ -27,7 +27,10 @@ export async function GET(
     // For token-based acceptance flows, redirect to login
     if (isAcceptFlow) {
       return NextResponse.redirect(
-        new URL(`/invite/${token}?token=${token}`, env.NEXT_PUBLIC_APP_URL || 'https://sim.ai')
+        new URL(
+          `/invite/${invitationId}?token=${token}`,
+          env.NEXT_PUBLIC_APP_URL || 'https://sim.ai'
+        )
       )
     }
     return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
@@ -51,7 +54,10 @@ export async function GET(
     if (new Date() > new Date(invitation.expiresAt)) {
       if (isAcceptFlow) {
         return NextResponse.redirect(
-          new URL(`/invite/${token}?error=expired`, env.NEXT_PUBLIC_APP_URL || 'https://sim.ai')
+          new URL(
+            `/invite/${invitation.id}?error=expired`,
+            env.NEXT_PUBLIC_APP_URL || 'https://sim.ai'
+          )
         )
       }
       return NextResponse.json({ error: 'Invitation has expired' }, { status: 400 })
@@ -67,7 +73,7 @@ export async function GET(
       if (isAcceptFlow) {
         return NextResponse.redirect(
           new URL(
-            `/invite/${token}?error=workspace-not-found`,
+            `/invite/${invitation.id}?error=workspace-not-found`,
             env.NEXT_PUBLIC_APP_URL || 'https://sim.ai'
           )
         )
@@ -79,7 +85,7 @@ export async function GET(
       if (invitation.status !== ('pending' as WorkspaceInvitationStatus)) {
         return NextResponse.redirect(
           new URL(
-            `/invite/${token}?error=already-processed`,
+            `/invite/${invitation.id}?error=already-processed`,
             env.NEXT_PUBLIC_APP_URL || 'https://sim.ai'
           )
         )
@@ -97,7 +103,7 @@ export async function GET(
       if (!userData) {
         return NextResponse.redirect(
           new URL(
-            `/invite/${token}?error=user-not-found`,
+            `/invite/${invitation.id}?error=user-not-found`,
             env.NEXT_PUBLIC_APP_URL || 'https://sim.ai'
           )
         )
@@ -108,7 +114,7 @@ export async function GET(
       if (!isValidMatch) {
         return NextResponse.redirect(
           new URL(
-            `/invite/${token}?error=email-mismatch`,
+            `/invite/${invitation.id}?error=email-mismatch`,
             env.NEXT_PUBLIC_APP_URL || 'https://sim.ai'
           )
         )
diff --git a/apps/sim/app/api/workspaces/invitations/route.ts b/apps/sim/app/api/workspaces/invitations/route.ts
@@ -206,6 +206,7 @@ export async function POST(req: NextRequest) {
       to: email,
       inviterName: session.user.name || session.user.email || 'A user',
       workspaceName: workspaceDetails.name,
+      invitationId: invitationData.id,
       token: token,
     })
 
@@ -221,17 +222,19 @@ async function sendInvitationEmail({
   to,
   inviterName,
   workspaceName,
+  invitationId,
   token,
 }: {
   to: string
   inviterName: string
   workspaceName: string
+  invitationId: string
   token: string
 }) {
   try {
     const baseUrl = env.NEXT_PUBLIC_APP_URL || 'https://sim.ai'
-    // Always use the client-side invite route with token parameter
-    const invitationLink = `${baseUrl}/invite/${token}?token=${token}`
+    // Use invitation ID in path, token in query parameter for security
+    const invitationLink = `${baseUrl}/invite/${invitationId}?token=${token}`
 
     const emailHtml = await render(
       WorkspaceInvitationEmail({
diff --git a/apps/sim/app/invite/[id]/invite.tsx b/apps/sim/app/invite/[id]/invite.tsx
@@ -51,12 +51,10 @@ export default function Invite() {
     async function fetchInvitationDetails() {
       setIsLoading(true)
       try {
-        const workspaceInviteResponse = await fetch(
-          `/api/workspaces/invitations/${token}?token=${token}`,
-          {
-            method: 'GET',
-          }
-        )
+        // Fetch invitation details using the invitation ID from the URL path
+        const workspaceInviteResponse = await fetch(`/api/workspaces/invitations/${inviteId}`, {
+          method: 'GET',
+        })
 
         if (workspaceInviteResponse.ok) {
           const data = await workspaceInviteResponse.json()
@@ -118,7 +116,7 @@ export default function Invite() {
     setIsAccepting(true)
 
     if (invitationType === 'workspace') {
-      window.location.href = `/api/workspaces/invitations/${encodeURIComponent(token || '')}?token=${encodeURIComponent(token || '')}`
+      window.location.href = `/api/workspaces/invitations/${encodeURIComponent(inviteId)}?token=${encodeURIComponent(token || '')}`
     } else {
       try {
         const response = await client.organization.acceptInvitation({

Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,10 @@ export async function GET(`
`27`	`27`	`// For token-based acceptance flows, redirect to login`
`28`	`28`	`if (isAcceptFlow) {`
`29`	`29`	`return NextResponse.redirect(`
`30`		- new URL(`/invite/${token}?token=${token}`, env.NEXT_PUBLIC_APP_URL \|\| 'https://sim.ai')
	`30`	`+ new URL(`
	`31`	+ `/invite/${invitationId}?token=${token}`,
	`32`	`+ env.NEXT_PUBLIC_APP_URL \|\| 'https://sim.ai'`
	`33`	`+ )`
`31`	`34`	`)`
`32`	`35`	`}`
`33`	`36`	`return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })`
`@@ -51,7 +54,10 @@ export async function GET(`
`51`	`54`	`if (new Date() > new Date(invitation.expiresAt)) {`
`52`	`55`	`if (isAcceptFlow) {`
`53`	`56`	`return NextResponse.redirect(`
`54`		- new URL(`/invite/${token}?error=expired`, env.NEXT_PUBLIC_APP_URL \|\| 'https://sim.ai')
	`57`	`+ new URL(`
	`58`	+ `/invite/${invitation.id}?error=expired`,
	`59`	`+ env.NEXT_PUBLIC_APP_URL \|\| 'https://sim.ai'`
	`60`	`+ )`
`55`	`61`	`)`
`56`	`62`	`}`
`57`	`63`	`return NextResponse.json({ error: 'Invitation has expired' }, { status: 400 })`
`@@ -67,7 +73,7 @@ export async function GET(`
`67`	`73`	`if (isAcceptFlow) {`
`68`	`74`	`return NextResponse.redirect(`
`69`	`75`	`new URL(`
`70`		- `/invite/${token}?error=workspace-not-found`,
	`76`	+ `/invite/${invitation.id}?error=workspace-not-found`,
`71`	`77`	`env.NEXT_PUBLIC_APP_URL \|\| 'https://sim.ai'`
`72`	`78`	`)`
`73`	`79`	`)`
`@@ -79,7 +85,7 @@ export async function GET(`
`79`	`85`	`if (invitation.status !== ('pending' as WorkspaceInvitationStatus)) {`
`80`	`86`	`return NextResponse.redirect(`
`81`	`87`	`new URL(`
`82`		- `/invite/${token}?error=already-processed`,
	`88`	+ `/invite/${invitation.id}?error=already-processed`,
`83`	`89`	`env.NEXT_PUBLIC_APP_URL \|\| 'https://sim.ai'`
`84`	`90`	`)`
`85`	`91`	`)`
`@@ -97,7 +103,7 @@ export async function GET(`
`97`	`103`	`if (!userData) {`
`98`	`104`	`return NextResponse.redirect(`
`99`	`105`	`new URL(`
`100`		- `/invite/${token}?error=user-not-found`,
	`106`	+ `/invite/${invitation.id}?error=user-not-found`,
`101`	`107`	`env.NEXT_PUBLIC_APP_URL \|\| 'https://sim.ai'`
`102`	`108`	`)`
`103`	`109`	`)`
`@@ -108,7 +114,7 @@ export async function GET(`
`108`	`114`	`if (!isValidMatch) {`
`109`	`115`	`return NextResponse.redirect(`
`110`	`116`	`new URL(`
`111`		- `/invite/${token}?error=email-mismatch`,
	`117`	+ `/invite/${invitation.id}?error=email-mismatch`,
`112`	`118`	`env.NEXT_PUBLIC_APP_URL \|\| 'https://sim.ai'`
`113`	`119`	`)`
`114`	`120`	`)`