[cloud] Make org invite URLs unique
Created by: kopancek
Changes
- Adding a JWT token to the invite URL which makes the link unique for each invitation.
- Removing the organization name from the invite URL, to be more opaque.
- Preparation work for email invitations and expiring invitations.
- Created a new accept invitation screen for the new URL schema.
- Making the signing key for JWT configurable by adding new site-settings parameters:

```jsonc
organizationInvitations: {
  expiryTime: 48,
  signingKey: "hello world"
}
```
Video
https://user-images.githubusercontent.com/9974711/152025250-19615093-7f5d-446f-b3ae-14b87e630432.mp4
Related issue
https://sourcegraph.atlassian.net/browse/CLOUD-186
Testing
- tested manually
- tested by increasing unit test coverage
Security implications
- JWT contains information about the invitation itself. This is how it looks decoded:

```jsonc
{
  "invite_ID": 1,
  "sender_id": 1, // user ID of user that created the invitation
  "aud": ["2"], // user ID of user receiving the invitation (or email in the future)
  "exp": 1643995760, // expiry time of invitation, default is 2 days, NOT enforced at the moment
  "iss": "https://sourcegraph.com", // URL of the instance where the invitation was created
  "sub": "1" // organization ID to which the invitation is pointing
}
```
- Since we are signing the token, we can verify that no one tampered with the data above and that the invitation URL really comes from us, which is a security bonus in comparison to the previous solution.
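The following is an added example, not code from this PR or from Sourcegraph's code base. It shows, in Go with only the standard library, how a token carrying the claims above can be minted with HS256 under the `signingKey` setting, and what a verifier on the accept-invitation screen should check before trusting any of those claims: the pinned algorithm, the HMAC in constant time, `iss`, `aud` and, going beyond the PR as it stands, `exp`. The type and function names (`InviteClaims`, `SignInvite`, `VerifyInvite`), the helper names and the 48-hour lifetime derived from `expiryTime` are this example's assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// InviteClaims mirrors the decoded payload in the PR description; the JSON names
// are the claim names from that payload, the Go field names are this example's.
type InviteClaims struct {
	InviteID int      `json:"invite_ID"`
	SenderID int      `json:"sender_id"`
	Audience []string `json:"aud"` // recipient user ID(s)
	Expiry   int64    `json:"exp"` // Unix seconds
	Issuer   string   `json:"iss"` // URL of the issuing instance
	Subject  string   `json:"sub"` // organization ID
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// hs256 is the HMAC-SHA256 tag over the JWT signing input (header.payload).
func hs256(signingInput string, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// SignInvite builds a compact HS256 JWT keyed with the site-settings signingKey.
// invite_ID differs per invitation, so every token (and invite URL) is unique.
func SignInvite(c InviteClaims, key []byte) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(payload)
	return signingInput + "." + b64(hs256(signingInput, key)), nil
}

// VerifyInvite is the check an accept-invitation screen should run: algorithm,
// signature, issuer, audience and expiry are validated before any claim is
// trusted. Unlike the PR at the time of writing, it does enforce exp.
func VerifyInvite(token string, key []byte, issuer, recipientID string, now time.Time) (c InviteClaims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	var raw [3][]byte
	for i, p := range parts {
		if raw[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return c, err
		}
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err = json.Unmarshal(raw[0], &hdr); err != nil {
		return c, err
	}
	// Pin the algorithm (a header claiming "none" must not pass) and compare the
	// MAC in constant time over the exact bytes that were signed.
	if hdr.Alg != "HS256" || !hmac.Equal(raw[2], hs256(parts[0]+"."+parts[1], key)) {
		return c, errors.New("bad algorithm or signature")
	}
	if err = json.Unmarshal(raw[1], &c); err != nil {
		return InviteClaims{}, err
	}
	addressed := false
	for _, a := range c.Audience {
		addressed = addressed || a == recipientID
	}
	switch {
	case c.Issuer != issuer:
		return InviteClaims{}, errors.New("token issued by another instance")
	case !addressed:
		return InviteClaims{}, errors.New("token is not addressed to this user")
	case now.Unix() >= c.Expiry:
		return InviteClaims{}, errors.New("invitation expired")
	}
	return c, nil
}

func main() {
	key := []byte("hello world") // the signingKey from the PR's settings example
	now := time.Now()
	token, _ := SignInvite(InviteClaims{InviteID: 1, SenderID: 1, Audience: []string{"2"},
		Expiry: now.Add(48 * time.Hour).Unix(), Issuer: "https://sourcegraph.com", Subject: "1"}, key)
	fmt.Println("token:", token)
	for _, user := range []string{"2", "3"} {
		_, err := VerifyInvite(token, key, "https://sourcegraph.com", user, now)
		fmt.Printf("accepted for user %s: %v\n", user, err == nil)
	}
}
```

Two design points worth noting: the verifier recomputes the MAC over the raw base64 segments it received rather than over a re-serialized payload, so any byte-level change to the claims invalidates the signature, and it checks `aud` against the logged-in user, so a forwarded link cannot be redeemed by someone other than the invitee the sender chose.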