Table of Contents

Inform our users of the risks in the email invitation widget.
Require the user to type the recipient email address a second time for confirmation.
Allow the user to invalidate pending invitations.
Make all invitation links single-use. Also, make them expire after a certain period of time. This prevents a malicious person from using an invitation link they found in an email inbox they hacked.
Require the consumer of the invitation link to prove that they are the owner of the email address to which Alice sent the email invitation, i.e. prove that they are Bob.
We can do this by sending a verification email to Bob's email address when the invitation link is used.

Proposal

...

Models to implement

...

or modify

New models

Existing models (modified)

EmailMembershipInvitation

EmailMembershipInvitationId

EmailMembershipInvitationsResponse

EmailValidationSignedToken

InviteeVerificationSignedToken

AccountSetupInfo

NewUser

emailAddress

teamId

createdBy

id

emailMembershipInvitationId

results - ARRAY<EmailMembershipInvitation>

nextPageToken

email

timestamp

hmac

inviteeId

emailMembershipInvitationId

timestamp

hmac

firstName

lastName

~~emailValidationToken~~

emailValidationSignedToken

username

password

email

~~lastName~~

~~firstName~~

~~userName~~

...

Services to implement or modify

...

Description Intended User URI Method Request Parameters Request Body Response Body
Create an email membership invitation.
Send an email containing an invitation link to the invitee. The link will contain a serialized EmailMembershipInvitationId.
team administrator /emailMembershipInvitation POST portalEndpoint EmailMembershipInvitation EmailMembershipInvitation
Retrieve a pending email membership invitation. The emailAddress field of the response body object will be null. authenticated user /emailMembershipInvitation/{id} GET -- -- EmailMembershipInvitation
Retrieve all the pending email membership invitations from a Team. team administrator /team/{id}/emailMembershipInvitations GET nextPageToken -- EmailMembershipInvitationsResponse
Delete a pending email membership invitation. team administrator /emailMembershipInvitation/{id} DELETE -- -- --
Start the process of creating a new account, similarly to POST /account/emailValidation, but also the process of associating a membership invitation to the new account.
Send a 'validation email' message to the provided email address. The email will contain a link to complete the registration process.
The link will contain a serialized EmailValidationSignedToken (used for new account registration) and a serialized EmailMembershipInvitationId (used to create membership invitation).
Intended to be used in conjunction with POST /account.
public
/emailMembershipInvitation/{id}/account/emailValidation
(or extend the existing /account/emailValidation service with an optional parameter emailMembershipInvitationId)
POST portalEndpoint NewUser --
Verify whether the authenticated user is the invitee of the indicated EmailMembershipInvitation.
If they are, the response body will contain an InviteeVerificationSignedToken.
If they are not, the response body will be null and an identity verification email containing a link will be sent to the address associated with the indicated EmailMembershipInvitation. The link will contain a serialized InviteeVerificationSignedToken.
authenticated user /emailMembershipInvitation/{id}/verification POST portalEndpoint -- InviteeVerificationSignedToken
Create a MembershipInvitation. The invitation is created from the team associated with the given email membership invitation to the currently authenticated user.
A valid InviteeVerificationSignedToken must have an inviteeId equal to the id of the authenticated user and an emailInvitationId equal to the id in the URI.
Doesn't send any email notifications.
authenticated user /emailMembershipInvitation/{id}/membershipInvitation POST --

InviteeVerificationSignedToken MembershipInvtnSubmission
...

Versions Compared

Old Version 73

New Version 74

Key

Proposal

Models to implement

or modify

Services to implement or modify

Description	Intended User	URI	Method	Request Parameters	Request Body	Response Body
Create an email membership invitation. Send an email containing an invitation link to the invitee. The link will contain a serialized EmailMembershipInvitationId.	team administrator	/emailMembershipInvitation	POST	portalEndpoint	EmailMembershipInvitation	EmailMembershipInvitation
Retrieve a pending email membership invitation. The emailAddress field of the response body object will be null.	authenticated user	/emailMembershipInvitation/{id}	GET	--	--	EmailMembershipInvitation
Retrieve all the pending email membership invitations from a Team.	team administrator	/team/{id}/emailMembershipInvitations	GET	nextPageToken	--	EmailMembershipInvitationsResponse
Delete a pending email membership invitation.	team administrator	/emailMembershipInvitation/{id}	DELETE	--	--	--
Start the process of creating a new account, similarly to POST /account/emailValidation, but also the process of associating a membership invitation to the new account. Send a 'validation email' message to the provided email address. The email will contain a link to complete the registration process. The link will contain a serialized EmailValidationSignedToken (used for new account registration) and a serialized EmailMembershipInvitationId (used to create membership invitation). Intended to be used in conjunction with POST /account.	public	/emailMembershipInvitation/{id}/account/emailValidation (or extend the existing /account/emailValidation service with an optional parameter emailMembershipInvitationId)	POST	portalEndpoint	NewUser	--
Verify whether the authenticated user is the invitee of the indicated EmailMembershipInvitation. If they are, the response body will contain an InviteeVerificationSignedToken. If they are not, the response body will be null and an identity verification email containing a link will be sent to the address associated with the indicated EmailMembershipInvitation. The link will contain a serialized InviteeVerificationSignedToken.	authenticated user	/emailMembershipInvitation/{id}/verification	POST	portalEndpoint	--	InviteeVerificationSignedToken
Create a MembershipInvitation. The invitation is created from the team associated with the given email membership invitation to the currently authenticated user. A valid InviteeVerificationSignedToken must have an inviteeId equal to the id of the authenticated user and an emailInvitationId equal to the id in the URI. Doesn't send any email notifications.	authenticated user	/emailMembershipInvitation/{id}/membershipInvitation	POST	--	InviteeVerificationSignedToken	MembershipInvtnSubmission

Page Comparison

Versions Compared

Old Version 73

New Version 74

Key

Proposal

Models to implement

or modify

Services to implement or modify