Versions Compared

Old Version 82

changes.mady.by.user Hao Hu

Saved on

compared with

New Version 83

changes.mady.by.user Hao Hu

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

...

  • Inform our users of the risks in the email invitation widget.
  • Require the user to type the recipient email address a second time for confirmation.
  • Allow the user to invalidate pending invitations.
  • Make all invitation links single-use. Also, make them expire after a certain period of time. This prevents a malicious person from using an invitation link they found in an email inbox they hacked.
  • Require the consumer of the invitation link to prove that they are the owner of the email address to which Alice sent the email invitation, i.e. prove that they are Bob.
    We can do this by sending a verification email to Bob's email address when the invitation link is used.

Proposal

Option 1

Models to implement or modify

New models
EmailMembershipInvitationEmailMembershipInvitationSignedTokenEmailMembershipInvitationsResponseEmailValidationSignedTokenAccountCreationTokenInviteeVerificationSignedToken

inviteeEmail

teamId

createdBy

id

emailMembershipInvitationId

timestamp

hmac

results - ARRAY<EmailMembershipInvitation>

nextPageToken

email

timestamp

hmac

emailValidationSignedToken

emailMembershipInvitationSignedToken (optional)


inviteeId

emailMembershipInvitationId

timestamp

hmac


Existing models (modified)
AccountSetupInfoNewUser

firstName

lastName

emailValidationToken

emailValidationSignedToken

username

password

email

lastName

firstName

userName

EmailMembershipInvitationSignedToken (optional)

Services to implement or modify

Existing or newDescriptionIntended UserURIMethodRequest ParametersRequest BodyResponse Body
New

Create an email membership invitation.

Send an email containing an invitation link to the invitee. The link will contain a serialized EmailMembershipInvitationSignedToken.

team administrator/emailMembershipInvitationPOSTportalEndpointEmailMembershipInvitationEmailMembershipInvitation

New

Retrieve all the email membership invitations from a Team.team administrator/team/{id}/emailMembershipInvitationsGETnextPageToken--EmailMembershipInvitationsResponse
NewRetrieve an email membership invitation.signed token holder/emailMembershipInvitation/{id}GET--EmailMembershipInvitationSignedTokenEmailMembershipInvitation
NewDelete an email membership invitation.team administrator/emailMembershipInvitation/{id}DELETE------
Existing

Start the process of creating a new account, and optionally also the process of associating a membership invitation to the new account.

Send a 'validation email' message to the provided email address. The email will contain a link to complete the registration process.

The link will contain a serialized AccountCreationToken.

Intended to be used in conjunction with POST /account.

public

/account/emailValidation

POST

portalEndpoint

NewUser--
New

Verify whether the inviteeEmail of the indicated EmailMembershipInvitation is associated with the authenticated user.

If it is, the response body will contain an InviteeVerificationSignedToken.

If it is not, the response body will be null and an identity verification email containing a link will be sent to the inviteeEmail of the indicated EmailMembershipInvitation. The link will contain a serialized InviteeVerificationSignedToken.

authenticated user/emailMembershipInvitation/{id}/verificationPOSTportalEndpoint--InviteeVerificationSignedToken
New

Create a MembershipInvitation. The invitation is created from the team associated with the given email membership invitation to the currently authenticated user.

A valid InviteeVerificationSignedToken must have an inviteeId equal to the id of the authenticated user and an emailMembershipInvitationId equal to the id in the URI.

Doesn't send any email notifications.

authenticated signed token holder/emailMembershipInvitation/{id}/membershipInvitationPOST--


InviteeVerificationSignedTokenMembershipInvtnSubmission

Related services: POST /accountPOST /session

Option 2

Models to implement or modify

...

Existing or newDescriptionIntended UserURIMethodRequest ParametersRequest BodyResponse Body
Existing

Create a membership invitation. The team must be specified. Either an inviteeId or an inviteeEmail must be specified.

If an inviteeEmail is specified, send an email containing an invitation link to the invitee. The link will contain a serialized MembershipInvtnSignedToken.

team administrator/membershipInvitationPOST

acceptInvitationEndpoint (optional)

notificationUnsubscribeEndpoint (optional)

MembershipInvtnSubmissionMembershipInvtnSubmission
ExistingRetrieve a membership invitation.signed token holder/membershipInvitation/{id}GET--MembershipInvtnSignedTokenMembershipInvtnSubmission

Existing

Start the process of creating a new account, and optionally also the process of associating a membership invitation to the new account.

Send a 'validation email' message to the provided email address. The email will contain a link to complete the registration process.

The link will contain a serialized AccountCreationToken.

Intended to be used in conjunction with POST /account.

public

/account/emailValidation

POST

portalEndpoint

NewUser--
New

Verify whether the inviteeEmail of the indicated MembershipInvitation is associated with the authenticated user.

If it is, the response body will contain an InviteeVerificationSignedToken.

If it is not, the response body will be null and an identity verification email containing a link will be sent to the inviteeEmail of the indicated MembershipInvitation. The link will contain a serialized InviteeVerificationSignedToken.

This call will only succeed if the indicated MembershipInvitation has a null inviteeId and a non null inviteeEmail.

authenticated user/membershipInvitation/{id}/verificationPOSTportalEndpoint--InviteeVerificationSignedToken

New

Set the inviteeId of a MembershipInvitation.

A valid InviteeVerificationSignedToken must have an inviteeId equal to the id of the authenticated user and an membershipInvitationId equal to the id in the URI.

This call will only succeed if the indicated MembershipInvitation has a null inviteeId and a non null inviteeEmail.

authenticated signed token holder/membershipInvitation/{id}/inviteeIdPUT--


InviteeVerificationSignedTokenMembershipInvtnSubmission

...