2.23.0: Enforce Policies API for invitations and creating accounts; added WeakPassword handling; Fix dialog open/closed states (#439)

* chore: bump version to 2.22.1 and update dependencies - Updated application version from 2.22.0 to 2.22.1 in package.json. - Updated various dependencies including @marsidev/react-turnstile to 1.4.1, @stripe/react-stripe-js to 5.4.1, @stripe/stripe-js to 8.6.1, and react-hook-form to 7.70.0. - Adjusted lucide-react version to be referenced from the catalog across multiple package.json files. - Enhanced consistency in pnpm-lock.yaml and pnpm-workspace.yaml with updated package versions. * chore: bump version to 2.23.0 and update dependencies - Updated application version from 2.22.1 to 2.23.0 in package.json. - Upgraded turbo dependency from 2.7.1 to 2.7.3 in package.json and pnpm-lock.yaml. - Enhanced end-to-end testing documentation in AGENTS.md and CLAUDE.md with instructions for running tests. - Updated AuthPageObject to use a new secret for user creation in auth.po.ts. - Refactored team ownership transfer and member role update dialogs to close on success. - Improved error handling for weak passwords in AuthErrorAlert component. - Adjusted database schemas and tests to reflect changes in invitation policies and role management.
2026-01-07 17:00:11 +01:00
parent 5237d34e6f
commit d5dc6f2528
41 changed files with 2896 additions and 1922 deletions
--- a/apps/web/supabase/migrations/20260107093634_secure-invitations-function.sql
+++ b/apps/web/supabase/migrations/20260107093634_secure-invitations-function.sql
@@ -0,0 +1,64 @@
+-- Remove invitations INSERT policy
+-- Permission and role hierarchy checks are now enforced in the server action.
+-- Invitations are created through server actions using admin client.
+
+drop policy if exists invitations_create_self on public.invitations;
+
+-- Update invitations RPC to accept invited_by and restrict execution.
+
+drop function if exists public.add_invitations_to_account(text, public.invitation[]);
+
+create
+or replace function public.add_invitations_to_account (
+  account_slug text,
+  invitations public.invitation[],
+  invited_by uuid
+) returns public.invitations[]
+set
+  search_path = '' as $$
+declare
+    new_invitation public.invitations;
+    all_invitations public.invitations[] := array[]::public.invitations[];
+    invite_token text;
+    email text;
+    role varchar(50);
+begin
+    FOREACH email,
+    role in array invitations loop
+        invite_token := extensions.uuid_generate_v4();
+
+        insert into public.invitations(
+            email,
+            account_id,
+            invited_by,
+            role,
+            invite_token)
+        values (
+            email,
+(
+                select
+                    id
+                from
+                    public.accounts
+                where
+                    slug = account_slug),
+            invited_by,
+            role,
+            invite_token)
+    returning
+        * into new_invitation;
+
+        all_invitations := array_append(all_invitations, new_invitation);
+
+    end loop;
+
+    return all_invitations;
+
+end;
+
+$$ language plpgsql;
+
+revoke execute on function public.add_invitations_to_account (text, public.invitation[], uuid) from authenticated;
+
+grant
+execute on function public.add_invitations_to_account (text, public.invitation[], uuid) to service_role;