fix: update workspace invitation flow to use token for validation

dheeru0198 · dheeru0198 · commit 349539a5bf6e · 2026-01-08T21:04:23.000+05:30
- Modified the invite link to include a token for enhanced security.
- Updated the WorkspaceJoinEndpoint to validate the token instead of the email.
- Adjusted the workspace invitation task to generate links with the token.
- Refactored the frontend to handle token in the invitation process.
diff --git a/apps/api/plane/app/serializers/workspace.py b/apps/api/plane/app/serializers/workspace.py
@@ -107,7 +107,7 @@ class WorkSpaceMemberInviteSerializer(BaseSerializer):
     invite_link = serializers.SerializerMethodField()
 
     def get_invite_link(self, obj):
-        return f"/workspace-invitations/?invitation_id={obj.id}&email={obj.email}&slug={obj.workspace.slug}"
+        return f"/workspace-invitations/?invitation_id={obj.id}&slug={obj.workspace.slug}&token={obj.token}"
 
     class Meta:
         model = WorkspaceMemberInvite
diff --git a/apps/api/plane/app/views/workspace/invite.py b/apps/api/plane/app/views/workspace/invite.py
@@ -159,10 +159,10 @@ class WorkspaceJoinEndpoint(BaseAPIView):
     def post(self, request, slug, pk):
         workspace_invite = WorkspaceMemberInvite.objects.get(pk=pk, workspace__slug=slug)
 
-        email = request.data.get("email", "")
+        token = request.data.get("token", "")
 
-        # Check the email
-        if email == "" or workspace_invite.email != email:
+        # Validate the token to verify the user received the invitation email
+        if not token or workspace_invite.token != token:
             return Response(
                 {"error": "You do not have permission to join the workspace"},
                 status=status.HTTP_403_FORBIDDEN,
@@ -176,7 +176,7 @@ def post(self, request, slug, pk):
 
             if workspace_invite.accepted:
                 # Check if the user created account after invitation
-                user = User.objects.filter(email=email).first()
+                user = User.objects.filter(email=workspace_invite.email).first()
 
                 # If the user is present then create the workspace member
                 if user is not None:
diff --git a/apps/api/plane/bgtasks/workspace_invitation_task.py b/apps/api/plane/bgtasks/workspace_invitation_task.py
@@ -25,7 +25,7 @@ def workspace_invitation(email, workspace_id, token, current_site, inviter):
 
         # Relative link
         relative_link = (
-            f"/workspace-invitations/?invitation_id={workspace_member_invite.id}&email={email}&slug={workspace.slug}"  # noqa: E501
+            f"/workspace-invitations/?invitation_id={workspace_member_invite.id}&slug={workspace.slug}&token={token}"  # noqa: E501
         )
 
         # The complete url including the domain
diff --git a/apps/web/app/(all)/workspace-invitations/page.tsx b/apps/web/app/(all)/workspace-invitations/page.tsx
@@ -1,4 +1,3 @@
-import React from "react";
 import { observer } from "mobx-react";
 import { useSearchParams } from "next/navigation";
 import useSWR from "swr";
@@ -28,8 +27,8 @@ function WorkspaceInvitationPage() {
   // query params
   const searchParams = useSearchParams();
   const invitation_id = searchParams.get("invitation_id");
-  const email = searchParams.get("email");
   const slug = searchParams.get("slug");
+  const token = searchParams.get("token");
   // store hooks
   const { data: currentUser } = useUser();
 
@@ -45,29 +44,29 @@ function WorkspaceInvitationPage() {
     workspaceService
       .joinWorkspace(invitationDetail.workspace.slug, invitationDetail.id, {
         accepted: true,
-        email: invitationDetail.email,
+        token: token,
       })
       .then(() => {
-        if (email === currentUser?.email) {
+        if (invitationDetail.email === currentUser?.email) {
           router.push(`/${invitationDetail.workspace.slug}`);
         } else {
-          router.push(`/?${searchParams.toString()}`);
+          router.push("/");
         }
       })
-      .catch((err) => console.error(err));
+      .catch((err: unknown) => console.error(err));
   };
 
   const handleReject = () => {
-    if (!invitationDetail) return;
-    workspaceService
+    if (!invitationDetail || !token) return;
+    void workspaceService
       .joinWorkspace(invitationDetail.workspace.slug, invitationDetail.id, {
         accepted: false,
-        email: invitationDetail.email,
+        token: token,
       })
       .then(() => {
         router.push("/");
       })
-      .catch((err) => console.error(err));
+      .catch((err: unknown) => console.error(err));
   };
 
   return (

Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ def workspace_invitation(email, workspace_id, token, current_site, inviter):`
`25`	`25`
`26`	`26`	`# Relative link`
`27`	`27`	`relative_link = (`
`28`		`- f"/workspace-invitations/?invitation_id={workspace_member_invite.id}&email={email}&slug={workspace.slug}" # noqa: E501`
	`28`	`+ f"/workspace-invitations/?invitation_id={workspace_member_invite.id}&slug={workspace.slug}&token={token}" # noqa: E501`
`29`	`29`	`)`
`30`	`30`
`31`	`31`	`# The complete url including the domain`