Invitation expiry workflow is wonky

(Sam Saffron) #1

Out of the box invitations are good for 14 days, when this period expires the user clicking on the invite must be informed that the invitation expired.

If a user is ever invited again to the topic the day counter must be reset.

(this is all particularly problematic for sites such as parley where access is restricted)

(Jeff Atwood) #2

Seems like a fair point perhaps @neil can work on this when he is back.

(Neil Lalonde) #3

I’m back! Added this to my list.

(Sam Saffron) #4

I wonder what ever happened here :slight_smile:

(Neil Lalonde) #5

This keeps floating up and down my todo list, but never quite reaching the top. So… I’ll get to it?

(Jeff Atwood) #6

Aha, invitation expiration is implemented.

But: can an invitation be redeemed twice? I will test on try later.

(Phil Nelson) #7

Additional to this: The “send reset password” link on the user preferences page is a little confusing for the first-time user: why am I resetting a password I never set in the first place?

There should be some kind of context there for users who were 1) invited 2) haven’t set a password.

(Jeff Atwood) #8

Possibly, I see your point, @neil can you add that to your list. Feels like another if statement plus copy.

(Phil Nelson) #9

This would solve the problem thoroughly for me at least.

(Jeff Atwood) #10

OK, I tested on and trust level 2 “Invite Friends to Reply” invitation URLs are definitely not invalidated once clicked on.

{trust level 2+ user} invited you to the topic “{topicname}” at Try Discourse.

If you’re interested, click the link below to visit the discussion:

Visit {site name}

You were invited by a trusted user, so you’ll be able to post a reply immediately, without needing to log in.

I could come back in as that user in multiple anon/inprivate/incognito browser sessions by clicking the magic link sent via the “Invite Friends to Reply” button.

We should probably make it so the invitations are invalidated, but I wonder if immediately after the first click is too strong – like if someone did not come back for a while, or didn’t set a password. Shouldn’t be immediate.

Some ideas:

  1. Invalidate the invitation link after the user sets a password or logs in again without using the magic URL
  2. Invalidate after the invite is “redeemed”, we do track this if you check your user page under invitations
  3. Invalidate in 24-48 hours no matter what

(Jeff Atwood) #11

I think if you don’t have a password, and are at the login page and click ‘forgot password’ we should email them something like

We do have an account with this email address, but no password is set. You can, however, log in using any supported online service (Google, Facebook, etc) that is also associated with this validated email address.

(Phil Nelson) #12

I’d go a step further and give them the opportunity to create a password upon using the invite key. I understand part of the coolness is that you DON’T have to create a password right away, but it becomes necessary at some point, and it doesn’t seem like users are informed of that sufficiently.

(Phil Nelson) #13

Addition: Keep in mind that admin may have turned off Google, Facebook, etc, authentication. This is currently the case with our discourse installation (but won’t be forever).

(Jeff Atwood) #14

Well then you and I will have to agree to disagree about that. There are some other improvements stated above that will certainly help.

(Jeff Atwood) #15

@neil will be working on addressing some of this, this week.

(Neil Lalonde) #16

I think I addressed all these issues today.

  • We already had an expiry on invites with the invite_expiry_days site setting. The default time is 14 days. Should we lower the default? I think 24 hours is way too short. I’m not good at the 0 inbox thing, so some emails can sit for days before I act on them.
  • When an invite expires, invites were broken for the email associated with it. No future invites would work. So I fixed that. If someone sends another invite and an expired one exists, a new invite is created with a new token.
  • After an invite expires, the invite link can’t be used to log in anymore.
  • When you set a password for your account, or authenticate with a 3rd party provider, the invite link stops working as a way to log in.
  • If your account has no password (because you were invited or signed up with 3rd party auth), the reset password button says “Set Password”. Also, the email you get and the new password form make more sense.

Somebody asked to add a password to your account on Neil’s Discourse. Alternatively, you can log in using any supported online service (Google, Facebook, etc) that is associated with this validated email address.

If you did not make this request, you can safely ignore this email.

Click the following link to choose a password:
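The rules listed in post #16 (expiry after invite_expiry_days, a fresh token when someone is re-invited after expiry, the magic link stopping as a login once a password or third-party auth is set, and the “Set Password” label for accounts without a password) amount to a small token lifecycle. The following is an added example that models that lifecycle in plain Ruby; it is not Discourse’s own Invite model or code. `InviteStore`, `demo_lifecycle`, the `:logged_in`/`:expired`/`:invalidated`/`:unknown` results and the address `alice@example.invalid` are assumptions made up for the example, and the 4-day default is the value the thread settles on.

```ruby
require "securerandom"
require "time"

# Hypothetical, simplified model of the invite-link lifecycle discussed in
# this thread. Not Discourse's own code; names are made up for the example.
INVITE_EXPIRY_DAYS = 4 # the default the thread settles on (invite_expiry_days)

Invite = Struct.new(:email, :token, :created_at, :expires_at, :invalidated_at,
                    keyword_init: true)

class InviteStore
  def initialize(expiry_days: INVITE_EXPIRY_DAYS)
    @expiry_days = expiry_days
    @invites = {}  # token => Invite
    @accounts = {} # email => { password_set: true/false }
  end

  # Sending an invite always mints a fresh random token and restarts the
  # expiry clock, so a re-invite after expiry works and the day counter is
  # reset. Older tokens for the same address are invalidated so that only the
  # newest link is live.
  def create_invite(email, now: Time.now.utc)
    @invites.each_value { |i| i.invalidated_at ||= now if i.email == email }
    invite = Invite.new(
      email: email,
      token: SecureRandom.urlsafe_base64(24),
      created_at: now,
      expires_at: now + @expiry_days * 24 * 3600,
      invalidated_at: nil
    )
    @invites[invite.token] = invite
    invite
  end

  # Outcome of a user clicking the magic link carrying +token+:
  #   :unknown     - no such token (tampered or truncated link)
  #   :invalidated - password set, 3rd-party auth done, or superseded by a newer invite
  #   :expired     - past invite_expiry_days; the user must be told and re-invited
  #   :logged_in   - the link still works as a login
  # The invalidated check comes first so a superseded link never reports
  # "expired" and tempts the user to ask for yet another invite.
  def redeem(token, now: Time.now.utc)
    invite = @invites[token]
    return :unknown unless invite
    return :invalidated if invite.invalidated_at
    return :expired if now >= invite.expires_at

    @accounts[invite.email] ||= { password_set: false }
    :logged_in
  end

  # Choosing a password (or linking a 3rd-party login) stops every invite
  # link for that address from working as a login.
  def set_password(email, now: Time.now.utc)
    @accounts[email] = { password_set: true }
    @invites.each_value { |i| i.invalidated_at ||= now if i.email == email }
    true
  end

  # Label for the preferences-page button: an invited user who never chose a
  # password sees "Set Password" rather than "Reset Password".
  def password_button_label(email)
    account = @accounts[email]
    account && account[:password_set] ? "Reset Password" : "Set Password"
  end
end

# Walks one invite through expiry, re-invite and password setup using a
# fixed clock (constructed sample data) and returns the observed outcomes.
def demo_lifecycle
  store = InviteStore.new
  t0 = Time.utc(2014, 1, 1)
  day = 24 * 3600
  email = "alice@example.invalid"
  results = []

  first = store.create_invite(email, now: t0)
  results << store.redeem(first.token, now: t0 + 3600)        # :logged_in
  results << store.redeem(first.token, now: t0 + 5 * day)     # :expired

  second = store.create_invite(email, now: t0 + 5 * day)      # re-invite resets the clock
  results << store.redeem(first.token, now: t0 + 5 * day + 1) # :invalidated (superseded)
  results << store.redeem(second.token, now: t0 + 6 * day)    # :logged_in
  results << store.password_button_label(email)               # "Set Password"

  store.set_password(email, now: t0 + 6 * day)
  results << store.redeem(second.token, now: t0 + 6 * day + 1) # :invalidated
  results << store.password_button_label(email)                # "Reset Password"
  results
end

p demo_lifecycle if $PROGRAM_NAME == __FILE__
```

Two design points worth noting: the token is random and unguessable rather than derived from the e-mail, and re-inviting never “revives” the old token, so an expired link that leaked from an old inbox stays dead even after the user is invited again.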

(Jeff Atwood) #17

Maybe 4 days? We want safe defaults.

(Neil Lalonde) #18

All done! Set to 4 days.

(Jeff Atwood) #19