feature: require invites

2025-10-08 14:42:01 -07:00 · 2025-10-08 14:42:01 -07:00 · a3302d2eff
commit a3302d2eff
parent 8b70172493
22 changed files with 385 additions and 482 deletions
--- a/public/api/users/:user_id/index.ts
+++ b/public/api/users/:user_id/index.ts
@ -143,6 +143,8 @@ export async function DELETE(_req: Request, meta: Record<string, any>): Promise<

 	await USERS.delete(user);

+	// TODO: delete any uploads?
+
 	return Response.json({
 		deleted: true
 	}, {
--- a/public/api/users/index.ts
+++ b/public/api/users/index.ts
@ -8,12 +8,13 @@ import { create_new_session, SESSION_RESULT } from '../auth/index.ts';
 import { get_session, get_user, PRECHECK_TABLE, require_user } from '../../../utils/prechecks.ts';
 import * as CANNED_RESPONSES from '../../../utils/canned_responses.ts';
 import * as bcrypt from '@da/bcrypt';
-import { WALK_ENTRY } from '@andyburke/fsdb';
 import { INVITE_CODE, INVITE_CODES } from '../../../models/invites.ts';

 // TODO: figure out a better solution for doling out permissions
 const DEFAULT_USER_PERMISSIONS: string[] = [
 	'files.write.own',
+	'invites.create',
+	'invites.read.own',
 	'self.read',
 	'self.write',
 	'topics.read',
@ -112,22 +113,52 @@ export async function POST(req: Request, meta: Record<string, any>): Promise<Res
 			});
 		}

-		const invite_code: INVITE_CODE | undefined = typeof submitted_invite_code === 'string' && submitted_invite_code.length
-			? (await INVITE_CODES.find({
-				code: submitted_invite_code
-			})).shift()?.load()
-			: undefined;
+		const at_least_one_existing_user = (await USERS.all({
+			limit: 1,
+			offset: 0
+		})).shift()?.load();

-		const is_expired = invite_code?.timestamps.expires ? now <= invite_code.timestamps.expires : true;
-		const is_limited = invite_code?.limit
-			? (await SIGNUPS.find({
-				referring_invite_code_id: invite_code.id
+		let root_invite_code_secret = undefined;
+		if (!at_least_one_existing_user) {
+			root_invite_code_secret = lurid();
+
+			const root_invite_code: INVITE_CODE = {
+				id: lurid(),
+				code: root_invite_code_secret,
+				creator_id: new_user_id,
+				timestamps: {
+					created: now
+				}
+			};
+
+			await INVITE_CODES.create(root_invite_code);
+		}
+
+		const secret_code = submitted_invite_code ?? root_invite_code_secret;
+		if (typeof secret_code !== 'string' || secret_code.length < 3) {
+			return Response.json({
+				error: {
+					cause: 'missing_invite_code',
+					message: 'You need to specify an invite code.'
+				}
 			}, {
-				limit: invite_code.limit
-			})).length >= invite_code.limit
-			: false;
+				status: 400
+			});
+		}

-		if (!invite_code || is_expired || is_limited) {
+		const invite_code: INVITE_CODE | undefined = (await INVITE_CODES.find({
+			code: secret_code
+		})).shift()?.load();
+
+		const is_expired = invite_code?.timestamps.expires ? now <= invite_code.timestamps.expires : false;
+		const is_used = (await SIGNUPS.find({
+			referring_invite_code_id: invite_code?.id
+		}, {
+			limit: 1
+		})).length > 0;
+		const is_cancelled = !!invite_code?.timestamps?.cancelled;
+
+		if (!invite_code || is_expired || is_used || is_cancelled) {
 			return Response.json({
 				error: {
 					cause: 'invalid_signup_code',
@ -135,7 +166,8 @@ export async function POST(req: Request, meta: Record<string, any>): Promise<Res
 					meta: {
 						exists: !!invite_code,
 						is_expired,
-						is_limited
+						is_used,
+						is_cancelled
 					}
 				}
 			}, {
@ -146,8 +178,8 @@ export async function POST(req: Request, meta: Record<string, any>): Promise<Res
 		const signup: SIGNUP = {
 			id: lurid(),
 			user_id: new_user_id,
-			invite_code_id: invite_code.id,
-			referring_user_id: invite_code.creator_id,
+			invite_code_id: invite_code?.id ?? 'able-able-able-able-able-able-able-able-able-able',
+			referring_user_id: invite_code?.creator_id ?? new_user_id,
 			timestamps: {
 				created: now
 			}