# share-your-work
h
What's the best way to handle an invite workflow? We've got an app that lets users invite other users. Email and password only. When a user is invited we don't want the inviter to have to set a password for the invitee (the invitee should set it when they accept the invite). It's a Next.js app with an existing GraphQL API, so I'm hoping to use the SuperTokens Node.js SDK and just swap out the implementations for the existing mutations I've got (invitePerson, acceptInvite, resetPassword etc). Also, we've got our own email service (email templates as well as sending method), so just looking to generate tokens that we can use to construct our own links.
r
Hey!
- First you want to disable the sign up API to disallow anyone from creating users from the frontend. This can be done by setting the override.apis.signUp to undefined, in the EmailPassword.init on the backend config.
- Then you want to create an API which allows users to invite others. In this API, you want to call the signUp function (https://supertokens.com/docs/nodejs/modules/recipe_emailpassword.html#signUp-1) with a throw away password and the user's email. This function will return the new user's userId. You then want to call the createResetPasswordToken (https://supertokens.com/docs/nodejs/modules/recipe_emailpassword.html#createResetPasswordToken-1) function to generate a reset password token for them.
- You can create a link which has this reset password token in it. If you are using our pre built UI, then this link should look like {websiteDomain}/{websiteBasePath}/reset-password?token={token}&rid=emailpassword. Otherwise you can make the link however you like.
- If using your own UI, on the reset password page, you want to extract the token from the link and call the reset password API with the token and the new password (https://app.swaggerhub.com/apis/supertokens/FDI/1.14.0#/EmailPassword%20Recipe/passwordReset)
- Finally, you want to override the sign in and reset password APIs to disallow the use of the throwaway password like so:
import EmailPassword from "supertokens-node/recipe/emailpassword";

// Placeholder (assumed env var name): the same throwaway value passed to signUp
// when creating invited users. Keep it long, random and secret so it cannot be
// guessed and used to sign in before the invitee sets a real password.
const THROWAWAY_PASSWORD = process.env.INVITE_THROWAWAY_PASSWORD!;

EmailPassword.init({
    override: {
        apis: (oI) => {
            return {
                ...oI,
                signUpPOST: undefined, //  disabling the sign up API
                signInPOST: async function (input) {
                    // formFields is an array of { id, value }: compare the value, not the field object
                    let password = input.formFields.find(i => i.id === "password")?.value;
                    if (password === THROWAWAY_PASSWORD) {
                        // On our prebuilt UI, this will show a message on the frontend like "Incorrect credentials"
                        return {
                            status: "WRONG_CREDENTIALS_ERROR"
                        }
                    }
                    return oI.signInPOST!(input);
                },
                passwordResetPOST: async function (input) {
                    let password = input.formFields.find(i => i.id === "password")?.value;
                    if (password === THROWAWAY_PASSWORD) {
                        // The user is trying to change their password to the
                        // throw away password. Disallow that
                        return {
                            status: "GENERAL_ERROR",
                            message: "Please use another password"
                        }
                    }
                    return oI.passwordResetPOST!(input)
                }
            }
        }
    }
})
@haydn hope this helps 🙂
h
👍
r
@hhchift here