☂️ Python Coverage

current status: ✅

Overall Coverage

New Files

No new covered files...

Modified Files

updated for commit: e2ece6b by action🐍

Test Results (postgresql)

945 tests  ±0   944 ✅ ±0   2m 16s ⏱️ -3s
  1 suites ±0     1 💤 ±0 
  1 files   ±0     0 ❌ ±0 

Results for commit e2ece6b. ± Comparison against base commit 4d54673.

Test Results (mariadb)

945 tests  ±0   944 ✅ ±0   2m 16s ⏱️ -12s
  1 suites ±0     1 💤 ±0 
  1 files   ±0     0 ❌ ±0 

Results for commit e2ece6b. ± Comparison against base commit 4d54673.

Greptile Summary

This PR makes invite token expiration configurable, replacing a hardcoded 10-minute timeout with an INVITE_TOKEN_EXPIRY_SECONDS environment variable (default 600 s) and an optional expiration query parameter on POST /users/invite-link. The frontend dialog gains an "Expires in" dropdown with seven presets (1 h → 30 days), defaulting to 1 day.

Key changes:

• backend/config/__init__.py — new INVITE_TOKEN_EXPIRY_SECONDS config constant via safe_int
• backend/handler/auth/base_handler.py — generate_invite_link_token() now accepts expiration (seconds); JWT exp and Redis TTL are both derived from the same value
• backend/endpoints/user.py — create_invite_link accepts expiration: int | None; validates it is positive when provided
• frontend/src/services/api/user.ts — createInviteLink() conditionally appends expiration to query params
• frontend/.../InviteLink.vue — expiration v-select dropdown added alongside the role toggle

Issues found:

1. The expiration query-param name is inconsistent with the INVITE_TOKEN_EXPIRY_SECONDS env-var name (and with the expiration_seconds example shown in the PR description). Renaming the param to expiration_seconds would improve discoverability for API consumers.
2. Dialog state (selectedRole, selectedExpiration, fullInviteLink) is not reset when the dialog is closed, so a stale link from a previous session remains visible when the dialog is reopened.
3. INVITE_TOKEN_EXPIRY_SECONDS is read with safe_int but never validated to be positive. Setting it to 0 or a negative value would cause Redis SETEX to raise a ResponseError and break all invite-link creation. The same > 0 guard applied to the query param should be applied to the env var at startup.

Confidence Score: 2/5

• Not safe to merge: missing critical positivity validation on env var can cause production crashes if misconfigured.
• The core feature logic is sound (base_handler.py correctly manages JWT expiry and Redis TTL), but the env var validation is incomplete. A zero or negative INVITE_TOKEN_EXPIRY_SECONDS will silently accept the invalid value and crash all invite-link creation at runtime when Redis SETEX rejects the non-positive TTL. This is a critical production issue. Additionally, there are two secondary concerns: API parameter naming is inconsistent with the env var (confusing for API consumers), and the invite dialog state is not reset on close (UX confusion). These should all be fixed before merge.
• backend/config/init.py (critical: add positivity validation for INVITE_TOKEN_EXPIRY_SECONDS), backend/endpoints/user.py (rename expiration param to expiration_seconds for consistency), frontend/src/components/Settings/Administration/Users/Dialog/InviteLink.vue (reset dialog state on close)

Important Files Changed

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Admin opens Invite dialog] --> B[Select role and expiration]
    B --> C[Click Generate]
    C --> D{expiration provided?}
    D -- Yes --> E[Use provided expiration seconds]
    D -- No --> F[Use INVITE_TOKEN_EXPIRY_SECONDS env var]
    E --> G{expiration > 0?}
    F --> H[Build JWT payload with exp = now + expires_in]
    G -- No --> I[HTTP 400 Bad Request]
    G -- Yes --> H
    H --> J[Sign JWT]
    J --> K[Store in Redis with matching TTL]
    K --> L[Return InviteLinkSchema to frontend]
    L --> M[Display full invite URL]

_{Last reviewed commit: e2ece6b}