Cross-PR review 2026-06-11:
- No copy-link/resend: `create()` emails best-effort (silent skip if mailer unconfigured, .catch logs only) and the list strips the token - a failed invite email is irrecoverable from the UI (revoke + re-create = same risk). The CREATE response does include the token: add a one-time copy-link affordance in both views, and/or a resend endpoint.
- `revoke()` has no status guard (`{_id}` filter only): can revoke an ACCEPTED invite via API (corrupts future referral counts - flips status while keeping acceptedAt/acceptedUserId) and revoke mid-claim (benign race - in-flight signup still succeeds, attribution skipped; document). Fix: filter `{_id, status:'pending'}` - 409 otherwise.
- `create()`.

Refs: Invitation edge-case hardening #3811, epic Decouple invitations from organizations (referral-ready platform invitations) #3808.
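The `revoke()` status guard from the second finding, sketched as an added example (not the project's code). The in-memory store, the `updateOneMatching` helper, the function names and the 404 for an unknown id are assumptions made for illustration; only the `{_id, status:'pending'}` filter and the 409 come from the issue.

```javascript
// Constructed sample data standing in for the invitations collection.
const invitations = new Map([
  ['inv-pending', { _id: 'inv-pending', status: 'pending' }],
  ['inv-accepted', { _id: 'inv-accepted', status: 'accepted',
                     acceptedAt: '2026-06-01T00:00:00Z', acceptedUserId: 'user-1' }],
]);

// Hypothetical helper: applies `update` to the first document matching every
// key in `filter` and returns it, or null when nothing matches. A real store
// has to perform the match and the write as one atomic conditional update.
function updateOneMatching(filter, update) {
  for (const doc of invitations.values()) {
    if (Object.entries(filter).every(([key, value]) => doc[key] === value)) {
      Object.assign(doc, update);
      return doc;
    }
  }
  return null;
}

// Unguarded revoke: {_id} filter only, so an accepted invite is flipped as well
// and keeps its acceptedAt/acceptedUserId fields.
function revokeUnguarded(id) {
  const doc = updateOneMatching({ _id: id }, { status: 'revoked' });
  return doc ? { code: 200 } : { code: 404 };
}

// Guarded revoke: the status condition is part of the filter, so the check and
// the write cannot be separated by a concurrent claim.
function revokeGuarded(id) {
  const doc = updateOneMatching({ _id: id, status: 'pending' }, { status: 'revoked' });
  if (doc) return { code: 200 };
  // No match: the invite is either unknown (404, assumed) or no longer pending (409).
  return invitations.has(id) ? { code: 409 } : { code: 404 };
}
```

Putting the status in the filter rather than reading the invite first and checking it in application code is what closes the mid-claim window: a claim that lands between the read and the write would otherwise still be overwritten.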