Support invitations for unregistered users

When inviting an email without an InvoiceShelf account, the email now links to a registration page (/register?invitation={token}) instead of login. After registering, the invitation is auto-accepted. Backend: - InvitationRegistrationController: public details() and register() endpoints. Registration validates token + email match, creates account, auto-accepts invitation, returns Sanctum token. - AuthController: login now accepts optional invitation_token param to auto-accept invitation for existing users clicking the email link. - CompanyInvitationMail: conditional URL based on user existence. - Web route for /invitations/{token}/decline (email decline link). Frontend: - RegisterWithInvitation.vue: fetches invitation details, shows company name + role, registration form with pre-filled email. - Router: /register route added. Tests: 3 new tests (invitation details, register + accept, email mismatch).
2026-04-15 17:24:10 +00:00 · 2026-04-03 23:26:58 +02:00
parent 6343b4a17f
commit c1994887ef
9 changed files with 425 additions and 3 deletions
--- a/app/Http/Controllers/Company/Auth/AuthController.php
+++ b/app/Http/Controllers/Company/Auth/AuthController.php
@@ -4,7 +4,9 @@ namespace App\Http\Controllers\Company\Auth;

 use App\Http\Controllers\Controller;
 use App\Http\Requests\LoginRequest;
+use App\Models\CompanyInvitation;
 use App\Models\User;
+use App\Services\InvitationService;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Hash;
@@ -22,6 +24,17 @@ class AuthController extends Controller
            ]);
        }

+        // Auto-accept invitation if token is provided
+        if ($request->has('invitation_token') && $request->invitation_token) {
+            $invitation = CompanyInvitation::where('token', $request->invitation_token)
+                ->pending()
+                ->first();
+
+            if ($invitation) {
+                app(InvitationService::class)->accept($invitation, $user);
+            }
+        }
+
        return response()->json([
            'type' => 'Bearer',
            'token' => $user->createToken($request->device_name)->plainTextToken,
--- a/app/Http/Controllers/Company/Auth/InvitationRegistrationController.php
+++ b/app/Http/Controllers/Company/Auth/InvitationRegistrationController.php
@@ -0,0 +1,83 @@
+<?php
+
+namespace App\Http\Controllers\Company\Auth;
+
+use App\Http\Controllers\Controller;
+use App\Models\CompanyInvitation;
+use App\Models\User;
+use App\Services\InvitationService;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Validation\ValidationException;
+
+class InvitationRegistrationController extends Controller
+{
+    public function __construct(
+        private readonly InvitationService $invitationService,
+    ) {}
+
+    /**
+     * Get invitation details by token (public endpoint for registration page).
+     */
+    public function details(string $token): JsonResponse
+    {
+        $invitation = CompanyInvitation::where('token', $token)
+            ->pending()
+            ->with(['company', 'role'])
+            ->first();
+
+        if (! $invitation) {
+            return response()->json([
+                'error' => 'Invitation not found or expired.',
+            ], 404);
+        }
+
+        return response()->json([
+            'email' => $invitation->email,
+            'company_name' => $invitation->company->name,
+            'role_name' => $invitation->role->title,
+        ]);
+    }
+
+    /**
+     * Register a new user and auto-accept the invitation.
+     */
+    public function register(Request $request): JsonResponse
+    {
+        $request->validate([
+            'name' => 'required|string|max:255',
+            'email' => 'required|string|email|max:255|unique:users',
+            'password' => 'required|string|min:8|confirmed',
+            'invitation_token' => 'required|string',
+        ]);
+
+        $invitation = CompanyInvitation::where('token', $request->invitation_token)
+            ->pending()
+            ->first();
+
+        if (! $invitation) {
+            throw ValidationException::withMessages([
+                'invitation_token' => ['Invitation not found or expired.'],
+            ]);
+        }
+
+        if ($invitation->email !== $request->email) {
+            throw ValidationException::withMessages([
+                'email' => ['Email does not match the invitation.'],
+            ]);
+        }
+
+        $user = User::create([
+            'name' => $request->name,
+            'email' => $request->email,
+            'password' => $request->password,
+        ]);
+
+        $this->invitationService->accept($invitation, $user);
+
+        return response()->json([
+            'type' => 'Bearer',
+            'token' => $user->createToken('web')->plainTextToken,
+        ]);
+    }
+}