feat: add user invitation

Author: smyllet

.env.example

@@ -17,4 +17,6 @@ SMTP_USERNAME=username
 SMTP_PASSWORD=password
 SMTP_SECURE=false
 SMTP_FROM_EMAIL=dev@example.fr
-SMTP_FROM_NAME="Dev Aquatracking"
+SMTP_FROM_NAME="Dev Aquatracking"
+INITIAL_ADMIN_EMAIL=admin@example.fr
+INITIAL_ADMIN_PASSWORD=password

app/controllers/admin/user_invitations_controller.ts

@@ -0,0 +1,50 @@
+import User from '#models/user'
+import UserInvitation from '#models/user_invitation'
+import { userInviteValidator } from '#validators/user_invite_validator'
+import type { HttpContext } from '@adonisjs/core/http'
+
+export default class AdminUsersInvitationController {
+  async store({ request, session, i18n, response }: HttpContext) {
+    const { email } = await request.validateUsing(userInviteValidator)
+
+    const existingUser = await User.query().where('email', email).first()
+    const existingInvitation = await UserInvitation.query().where('email', email).first()
+
+    if (existingUser) {
+      session.flashErrors({
+        E_EMAIL_ALREADY_USED: i18n.t('errors.E_EMAIL_ALREADY_USED'),
+      })
+    } else if (existingInvitation) {
+      await existingInvitation.delete()
+
+      const invitation = await UserInvitation.generateInvite(email, i18n.locale)
+
+      session.flash('notification', {
+        type: 'success',
+        message: i18n.t('notifications.invitationRenewed', { email: invitation.email }),
+      })
+    } else {
+      const invitation = await UserInvitation.generateInvite(email, i18n.locale)
+
+      session.flash('notification', {
+        type: 'success',
+        message: i18n.t('notifications.invitationSent', { email: invitation.email }),
+      })
+    }
+
+    return response.redirect().toRoute('admin.users.index')
+  }
+
+  async destroy({ params, session, i18n, response }: HttpContext) {
+    const invitation = await UserInvitation.findOrFail(params.id)
+
+    await invitation?.delete()
+
+    session.flash('notification', {
+      type: 'success',
+      message: i18n.t('notifications.invitationDeleted', { email: invitation.email }),
+    })
+
+    return response.redirect().toRoute('admin.users.index')
+  }
+}

app/controllers/admin/users_controller.ts

@@ -0,0 +1,15 @@
+import User from '#models/user'
+import UserInvitation from '#models/user_invitation'
+import type { HttpContext } from '@adonisjs/core/http'
+
+export default class AdminUsersController {
+  async index({ inertia }: HttpContext) {
+    const users = await User.query().orderBy('createdAt', 'desc').exec()
+    const invitations = await UserInvitation.query().orderBy('createdAt', 'desc').exec()
+
+    return inertia.render('admin/users/index', {
+      users: users.map((user) => user.serialize()),
+      invitations: invitations.map((invitation) => invitation.serialize()),
+    })
+  }
+}

app/controllers/auth/login_controller.ts

@@ -1,6 +1,7 @@
 import User from '#models/user'
 import UserToken from '#models/user_token'
 import MailService from '#services/mail_service'
+import env from '#start/env'
 import { loginValidator } from '#validators/login_validator'
 import { inject } from '@adonisjs/core'
 import type { HttpContext } from '@adonisjs/core/http'
@@ -13,7 +14,8 @@ export default class LoginController {
    * Display the login form
    */
   async index({ inertia }: HttpContext) {
-    return inertia.render('auth/login')
+    const requireInvitation = env.get('REQUIRE_INVITATION')
+    return inertia.render('auth/login', { requireInvitation: !!requireInvitation })
   }
 
   /**

app/controllers/auth/register_controller.ts

@@ -1,9 +1,12 @@
 import User from '#models/user'
+import UserInvitation from '#models/user_invitation'
 import UserToken from '#models/user_token'
 import MailService from '#services/mail_service'
+import env from '#start/env'
 import { createRegisterValidator } from '#validators/register_validator'
 import { inject } from '@adonisjs/core'
 import type { HttpContext } from '@adonisjs/core/http'
+import vine from '@vinejs/vine'
 
 @inject()
 export default class RegisterController {
@@ -12,18 +15,74 @@ export default class RegisterController {
   /**
    * Display the registration form
    */
-  async index({ inertia }: HttpContext) {
-    return inertia.render('auth/register')
+  async index({ inertia, request, session, i18n, response }: HttpContext) {
+    if (!env.get('REQUIRE_INVITATION')) {
+      return inertia.render('auth/register')
+    }
+
+    const { invitationToken } = await request.validateUsing(
+      vine.compile(
+        vine.object({
+          invitationToken: vine.string().optional(),
+        })
+      )
+    )
+
+    if (!invitationToken) {
+      session.flashErrors({
+        E_INVITATION_REQUIRED: i18n.t('errors.E_INVITATION_REQUIRED'),
+      })
+
+      return response.redirect().toPath('/auth/login')
+    }
+
+    const invitation = await UserInvitation.query().where('token', invitationToken).first()
+
+    if (!invitation || invitation.isExpired()) {
+      session.flashErrors({
+        E_INVITATION_INVALID: i18n.t('errors.E_INVITATION_INVALID'),
+      })
+      return response.redirect().toPath('/auth/login')
+    }
+
+    return inertia.render('auth/register', {
+      email: invitation.email,
+    })
   }
 
   /**
    * Handle form submission for the create action
    */
   async store({ request, response, session, i18n }: HttpContext) {
-    const { fullName, email, password } = await request.validateUsing(createRegisterValidator)
+    const { fullName, email, password, invitationToken } =
+      await request.validateUsing(createRegisterValidator)
+
+    if (env.get('REQUIRE_INVITATION')) {
+      if (!invitationToken) {
+        session.flashErrors({
+          E_INVITATION_REQUIRED: i18n.t('errors.E_INVITATION_REQUIRED'),
+        })
+
+        return response.redirect().toPath('/auth/login')
+      }
+
+      const invitation = await UserInvitation.query()
+        .where('email', email)
+        .where('token', invitationToken)
+        .first()
+
+      if (!invitation || invitation.isExpired()) {
+        session.flashErrors({
+          E_INVITATION_INVALID: i18n.t('errors.E_INVITATION_INVALID'),
+        })
+        return response.redirect().toPath('/auth/login')
+      }
+    }
 
     const user = await User.create({ fullName, email, password })
 
+    await UserInvitation.query().where('email', email).delete()
+
     const token = await UserToken.generateEmailVerificationToken(user)
     await this.mailService.sendEmailVerification(user, token, i18n.locale)
 

app/dto/user_dto.ts

@@ -8,6 +8,7 @@ const userDtoSchema = vine.object({
   verified: vine.boolean(),
   createdAt: vine.date(),
   updatedAt: vine.date(),
+  isAdmin: vine.boolean(),
 })
 
 export const userDtoValidator = vine.compile(userDtoSchema)

app/dto/user_invitation_dto.ts

@@ -0,0 +1,7 @@
+export type UserInvitationDto = {
+  id: string
+  email: string
+  createdAt: Date
+  updatedAt: Date
+  expiresAt: Date
+}

app/middleware/admin_middleware.ts

@@ -0,0 +1,14 @@
+import { HttpContext } from '@adonisjs/core/http'
+import { NextFn } from '@adonisjs/core/types/http'
+
+export default class AdminMiddleware {
+  async handle(ctx: HttpContext, next: NextFn) {
+    const user = ctx.auth.getUserOrFail()
+
+    if (!user.isAdmin) {
+      return ctx.response.status(403).send('Forbidden')
+    }
+
+    return next()
+  }
+}

app/models/user.ts

@@ -32,6 +32,9 @@ export default class User extends compose(BaseModel, AuthFinder) {
   @column()
   declare verified: boolean
 
+  @column()
+  declare isAdmin: boolean
+
   @column.dateTime({ autoCreate: true })
   declare createdAt: DateTime
 

app/models/user_invitation.ts

@@ -0,0 +1,55 @@
+import MailService from '#services/mail_service'
+import string from '@adonisjs/core/helpers/string'
+import app from '@adonisjs/core/services/app'
+import { BaseModel, beforeCreate, column } from '@adonisjs/lucid/orm'
+import { DateTime } from 'luxon'
+import { randomUUID } from 'node:crypto'
+
+const TOKEN_SIZE = 64
+
+export default class UserInvitation extends BaseModel {
+  static selfAssignPrimaryKey = true
+
+  @column({ isPrimary: true })
+  declare id: string
+
+  @column()
+  declare email: string
+
+  @column()
+  declare token: string
+
+  @column.dateTime()
+  declare expiresAt: DateTime
+
+  @column.dateTime({ autoCreate: true })
+  declare createdAt: DateTime
+
+  @column.dateTime({ autoCreate: true, autoUpdate: true })
+  declare updatedAt: DateTime
+
+  isExpired() {
+    return this.expiresAt < DateTime.now()
+  }
+
+  @beforeCreate()
+  static assignUuid(userInvitation: UserInvitation) {
+    userInvitation.id = randomUUID()
+  }
+
+  static async generateInvite(email: string, locale: string) {
+    const mailService = await app.container.make(MailService)
+
+    const token = string.generateRandom(TOKEN_SIZE)
+    const expiresAt = DateTime.now().plus({ days: 7 })
+
+    const invitation = await UserInvitation.create({
+      email,
+      token,
+      expiresAt,
+    })
+    await mailService.sendUserInvitation(email, token, locale)
+
+    return invitation
+  }
+}

app/services/mail_service.ts

@@ -48,4 +48,21 @@ export default class MailService {
         .text(i18n.t('email.passwordResetConfirmation.text', { fullName: user.fullName }))
     })
   }
+
+  async sendUserInvitation(email: string, token: string, locale: string = 'en') {
+    const i18n = i18nManager.locale(locale)
+
+    const invitationLink = Router.makeUrl('auth_register.index', undefined, {
+      qs: { invitationToken: token },
+      prefixUrl: env.get('BASE_URL').replace(/\/$/, ''),
+    })
+
+    await mail.sendLater((message) => {
+      message.to(email).subject(i18n.t('email.invitation.subject')).text(
+        i18n.t('email.invitation.text', {
+          invitationLink,
+        })
+      )
+    })
+  }
 }

app/validators/register_validator.ts

@@ -12,5 +12,6 @@ export const createRegisterValidator = vine.compile(
         return !user
       }),
     password: vine.string().minLength(8),
+    invitationToken: vine.string().optional(),
   })
 )

app/validators/user_invite_validator.ts

@@ -0,0 +1,7 @@
+import vine from '@vinejs/vine'
+
+export const userInviteValidator = vine.compile(
+  vine.object({
+    email: vine.string().email().normalizeEmail(),
+  })
+)

database/migrations/1741037017175_add_admin_column_to_users.ts

@@ -0,0 +1,17 @@
+import { BaseSchema } from '@adonisjs/lucid/schema'
+
+export default class extends BaseSchema {
+  protected tableName = 'users'
+
+  async up() {
+    this.schema.table(this.tableName, (table) => {
+      table.boolean('is_admin').defaultTo(false)
+    })
+  }
+
+  async down() {
+    this.schema.table(this.tableName, (table) => {
+      table.dropColumn('is_admin')
+    })
+  }
+}

database/migrations/1741037730061_add_default_admin_user.ts

@@ -0,0 +1,27 @@
+import env from '#start/env'
+import hash from '@adonisjs/core/services/hash'
+import { BaseSchema } from '@adonisjs/lucid/schema'
+import { randomUUID } from 'node:crypto'
+
+export default class extends BaseSchema {
+  async up() {
+    // Create an admin user if there are no users
+    const users = await this.db.from('users')
+    const adminEmail = env.get('INITIAL_ADMIN_EMAIL')
+    const adminPassword = env.get('INITIAL_ADMIN_PASSWORD')
+    if (users.length === 0 && adminEmail && adminPassword) {
+      await this.db.table('users').insert({
+        id: randomUUID(),
+        full_name: 'Admin',
+        verified: true,
+        email: adminEmail,
+        password: await hash.make(adminPassword),
+        is_admin: true,
+        created_at: this.now(),
+        updated_at: this.now(),
+      })
+    }
+  }
+
+  async down() {}
+}

database/migrations/1741378847062_create_user_invitations_table.ts

@@ -0,0 +1,21 @@
+import { BaseSchema } from '@adonisjs/lucid/schema'
+
+export default class extends BaseSchema {
+  protected tableName = 'user_invitations'
+
+  async up() {
+    this.schema.createTable(this.tableName, (table) => {
+      table.uuid('id').notNullable().primary()
+      table.string('email').notNullable()
+      table.string('token').notNullable()
+      table.timestamp('expires_at').notNullable()
+
+      table.timestamp('created_at')
+      table.timestamp('updated_at')
+    })
+  }
+
+  async down() {
+    this.schema.dropTable(this.tableName)
+  }
+}