MOPC/MOPC-Portal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(auth): admin access link doubles as magic-login for users with passwords
All checks were successful
Build and Push Docker Image / build (push) Successful in 9m7s
Details

Browse Source 
The original generateAccessLink branched on user state and minted either
an invite URL (forces password setup) or a reset URL (forces password
change). Both required the user to set/change a password — fine for new
users, painful for tech-illiterate sponsor jurors who already have a
working password and just need a fresh login because their JWT went
stale or their email is bouncing.

This adapts the existing invite-token flow to behave as a magic-login
when the user already has a password:

  - auth.ts credentials.authorize: only set mustSetPassword=true if the
    user has no passwordHash. Users who already set one keep it, the
    invite token is consumed, JWT is issued with their current role,
    they're signed in.
  - accept-invite/page.tsx: redirect to / after accept (was hardcoded
    to /set-password). The middleware already enforces the
    /set-password detour when mustSetPassword is true, so users who
    need it still land there; everyone else routes by role.
  - generateAccessLink: drop the reset-password branch. Always emits an
    /accept-invite URL. The flow naturally adapts: setup for new users,
    magic-login for active ones. Audit log records which behavior fired
    (kind: 'setup' | 'magic_login').
  - dialog copy: clearer description for each kind.

Net behavior: Didier (active, has password, stale JWT after role
migration) clicks his link → instant login on /jury, password preserved.
Magali (no password yet) clicks hers → /set-password → onboarding.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt
2026-05-07 17:35:22 +02:00
parent 44c7accf62
commit 47746d79dd
4 changed files with 43 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/app/(auth)/accept-invite/page.tsx
View File

@@ -160,8 +160,12 @@ function AcceptInviteContent() {
setState('error')
setErrorType('AUTH_FAILED')
} else if (result?.ok) {
// Redirect to set-password (middleware will enforce this since mustSetPassword=true)
window.location.href = '/set-password'
// Let app/page.tsx route by role. Middleware will detour to
// /set-password if the user still needs to set one (first-time
// setup); for users who already had a password (admin-issued
// access link, magic-login style) it'll go straight to their
// dashboard.
window.location.href = '/'
}
} catch {
setState('error')