references/coolify
1
0
Fork 0
mirror of https://github.com/coollabsio/coolify.git synced 2026-06-13 19:09:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
e7dff30b7c998c301fd91bd169727b90c59ec291
coolify/app/Livewire/Team/InviteLink.php
T
Andras Bacsai cd06e10b1b fix(auth): bind magic links to their invitation 
Include the invitation UUID in generated magic link tokens and validate the
matching stored invitation link before logging the user in, preventing stale
or same-email invitations from being reused.
2026-06-02 12:57:30 +02:00

123 lines
4.3 KiB
PHP
Raw Blame History

<?php
namespace App\Livewire\Team;
use App\Models\TeamInvitation;
use App\Models\User;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Notifications\Messages\MailMessage;
use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Str;
use Livewire\Component;
use Visus\Cuid2\Cuid2;
class InviteLink extends Component
{
use AuthorizesRequests;
public string $email;
public string $role = 'member';
protected $rules = [
'email' => 'required|email',
'role' => 'required|string',
];
public function mount()
{
$this->email = isDev() ? 'test3@example.com' : '';
}
public function viaEmail()
{
$this->generateInviteLink(sendEmail: true);
}
public function viaLink()
{
$this->generateInviteLink(sendEmail: false);
}
private function generateInviteLink(bool $sendEmail = false)
{
try {
$this->authorize('manageInvitations', currentTeam());
$this->validate();
// Prevent privilege escalation: users cannot invite someone with higher privileges
$userRole = auth()->user()->role();
if (is_null($userRole) || ($userRole === 'member' && in_array($this->role, ['admin', 'owner']))) {
throw new \Exception('Members cannot invite admins or owners.');
}
if ($userRole === 'admin' && $this->role === 'owner') {
throw new \Exception('Admins cannot invite owners.');
}
$this->email = strtolower($this->email);
$member_emails = currentTeam()->members()->get()->pluck('email');
if ($member_emails->contains($this->email)) {
return handleError(livewire: $this, customErrorMessage: "$this->email is already a member of ".currentTeam()->name.'.');
}
$uuid = (string) new Cuid2(32);
$link = url('/').config('constants.invitation.link.base_url').$uuid;
$user = User::whereEmail($this->email)->first();
if (is_null($user)) {
$password = Str::password();
$user = User::create([
'name' => str($this->email)->before('@'),
'email' => $this->email,
'password' => Hash::make($password),
'force_password_reset' => true,
]);
$token = Crypt::encryptString("{$user->email}@@@{$uuid}@@@{$password}");
$link = route('auth.link', ['token' => $token]);
}
$invitation = TeamInvitation::whereEmail($this->email)->first();
if (! is_null($invitation)) {
$invitationValid = $invitation->isValid();
if ($invitationValid) {
return handleError(livewire: $this, customErrorMessage: "Pending invitation already exists for $this->email.");
} else {
$invitation->delete();
}
}
$invitation = TeamInvitation::firstOrCreate([
'team_id' => currentTeam()->id,
'uuid' => $uuid,
'email' => $this->email,
'role' => $this->role,
'link' => $link,
'via' => $sendEmail ? 'email' : 'link',
]);
if ($sendEmail) {
$mail = new MailMessage;
$mail->view('emails.invitation-link', [
'team' => currentTeam()->name,
'invitation_link' => $link,
]);
$mail->subject('You have been invited to '.currentTeam()->name.' on '.config('app.name').'.');
send_user_an_email($mail, $this->email);
$this->dispatch('success', 'Invitation sent via email.');
$this->dispatch('refreshInvitations');
return;
} else {
$this->dispatch('success', 'Invitation link generated.');
$this->dispatch('refreshInvitations');
}
} catch (\Throwable $e) {
$error_message = $e->getMessage();
if ($e->getCode() === '23505') {
$error_message = 'Invitation already sent.';
}
return handleError(error: $e, livewire: $this, customErrorMessage: $error_message);
}
}
}
Reference in New Issue View Git Blame Copy Permalink