letsbe
/
MOPC-App
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Fix S3/SMTP connectivity and add one-click invite flow
Build and Push Docker Image / build (push) Failing after 2m29s Details 

- Fix MinIO port parsing bug: use protocol-appropriate defaults (443/80)
  instead of hardcoded 9000 fallback, enabling public URL endpoint
- Remove unused SMTP server config from NextAuth EmailProvider to prevent
  connection errors (sendVerificationRequest is fully overridden)
- Replace extra_hosts with DNS config (8.8.8.8) so container resolves
  mail.monaco-opc.com to public IP instead of host loopback
- Add invite token auth: single-click accept-invite flow replacing broken
  two-email invitation process
- Auto-send invitation emails on bulk user creation
- Update email template expiry text from 24 hours to 7 days

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Matt 2026-01-31 14:13:16 +01:00
parent 5aedade41d
commit 81db15333f
9 changed files with 387 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
docker/.env.production
View File

@ -21,12 +21,13 @@ NEXTAUTH_SECRET=CHANGE_ME_use_openssl_rand
# ============================================================================= # =============================================================================
# FILE STORAGE (MinIO - external stack) # FILE STORAGE (MinIO - external stack)
# ============================================================================= # =============================================================================
# Internal endpoint (server-to-server, within Docker host) # Use the public URL — nginx proxies to MinIO internally.
MINIO_ENDPOINT=http://localhost:9000 # The port parsing handles standard ports (443 for HTTPS, 80 for HTTP) automatically.
MINIO_ENDPOINT=https://s3.monaco-opc.com
# Public endpoint for browser-accessible pre-signed URLs # MINIO_PUBLIC_ENDPOINT is only needed if the internal endpoint differs from the public one.
# Set this when MinIO is behind a reverse proxy # When using the public URL as MINIO_ENDPOINT, leave this empty or omit it.
# MINIO_PUBLIC_ENDPOINT=https://storage.monaco-opc.com # MINIO_PUBLIC_ENDPOINT=
MINIO_ACCESS_KEY=CHANGE_ME MINIO_ACCESS_KEY=CHANGE_ME
MINIO_SECRET_KEY=CHANGE_ME MINIO_SECRET_KEY=CHANGE_ME

5
docker/docker-compose.yml
View File

@ -13,8 +13,9 @@ services:
image: ${REGISTRY_URL}/mopc-app:latest image: ${REGISTRY_URL}/mopc-app:latest
container_name: mopc-app container_name: mopc-app
restart: unless-stopped restart: unless-stopped
extra_hosts: dns:
- "host.docker.internal:host-gateway" - 8.8.8.8
- 8.8.4.4
ports: ports:
- "127.0.0.1:7600:7600" - "127.0.0.1:7600:7600"
env_file: env_file:

4
prisma/schema.prisma
View File

@ -236,6 +236,10 @@ model User {
passwordSetAt DateTime? // When password was set passwordSetAt DateTime? // When password was set
mustSetPassword Boolean @default(true) // Force setup on first login mustSetPassword Boolean @default(true) // Force setup on first login
// Invitation token for one-click invite acceptance
inviteToken String? @unique
inviteTokenExpiresAt DateTime?
createdAt DateTime @default(now()) createdAt DateTime @default(now())
updatedAt DateTime @updatedAt updatedAt DateTime @updatedAt
lastLoginAt DateTime? lastLoginAt DateTime?

216
src/app/(auth)/accept-invite/page.tsx Normal file
View File

@ -0,0 +1,216 @@
'use client'
import { useState, useEffect } from 'react'
import { useSearchParams, useRouter } from 'next/navigation'
import { signIn } from 'next-auth/react'
import { Button } from '@/components/ui/button'
import {
Card,
CardContent,
CardDescription,
CardHeader,
CardTitle,
} from '@/components/ui/card'
import { Loader2, CheckCircle2, AlertCircle, XCircle, Clock } from 'lucide-react'
import { trpc } from '@/lib/trpc/client'
type InviteState = 'loading' | 'valid' | 'accepting' | 'error'
export default function AcceptInvitePage() {
const [state, setState] = useState<InviteState>('loading')
const [errorType, setErrorType] = useState<string | null>(null)
const searchParams = useSearchParams()
const router = useRouter()
const token = searchParams.get('token') || ''
const { data, isLoading, error } = trpc.user.validateInviteToken.useQuery(
{ token },
{ enabled: !!token, retry: false }
)
useEffect(() => {
if (!token) {
setState('error')
setErrorType('MISSING_TOKEN')
return
}
if (isLoading) {
setState('loading')
return
}
if (error) {
setState('error')
setErrorType('NETWORK_ERROR')
return
}
if (data) {
if (data.valid) {
setState('valid')
} else {
setState('error')
setErrorType(data.error || 'UNKNOWN')
}
}
}, [token, data, isLoading, error])
const handleAccept = async () => {
setState('accepting')
try {
const result = await signIn('credentials', {
inviteToken: token,
redirect: false,
})
if (result?.error) {
setState('error')
setErrorType('AUTH_FAILED')
} else if (result?.ok) {
// Redirect to set-password (middleware will enforce this since mustSetPassword=true)
window.location.href = '/set-password'
}
} catch {
setState('error')
setErrorType('AUTH_FAILED')
}
}
const getRoleLabel = (role: string): string => {
switch (role) {
case 'JURY_MEMBER': return 'Jury Member'
case 'PROGRAM_ADMIN': return 'Program Admin'
case 'MENTOR': return 'Mentor'
case 'OBSERVER': return 'Observer'
default: return role
}
}
const getErrorContent = () => {
switch (errorType) {
case 'MISSING_TOKEN':
return {
icon: <XCircle className="h-6 w-6 text-red-600" />,
title: 'Invalid Link',
description: 'This invitation link is incomplete. Please check your email for the correct link.',
}
case 'INVALID_TOKEN':
return {
icon: <XCircle className="h-6 w-6 text-red-600" />,
title: 'Invalid Invitation',
description: 'This invitation link is not valid. It may have already been used or the link is incorrect.',
}
case 'EXPIRED_TOKEN':
return {
icon: <Clock className="h-6 w-6 text-amber-600" />,
title: 'Invitation Expired',
description: 'This invitation has expired. Please contact your administrator to receive a new invitation.',
}
case 'ALREADY_ACCEPTED':
return {
icon: <CheckCircle2 className="h-6 w-6 text-blue-600" />,
title: 'Already Accepted',
description: 'This invitation has already been accepted. You can sign in with your credentials.',
}
case 'AUTH_FAILED':
return {
icon: <AlertCircle className="h-6 w-6 text-red-600" />,
title: 'Something Went Wrong',
description: 'We couldn\'t complete your account setup. The invitation may have expired. Please try again or contact your administrator.',
}
default:
return {
icon: <AlertCircle className="h-6 w-6 text-red-600" />,
title: 'Something Went Wrong',
description: 'An unexpected error occurred. Please try again or contact your administrator.',
}
}
}
// Loading state
if (state === 'loading') {
return (
<Card className="w-full max-w-md">
<CardContent className="flex flex-col items-center justify-center py-12">
<Loader2 className="h-8 w-8 animate-spin text-muted-foreground" />
<p className="mt-4 text-sm text-muted-foreground">Verifying your invitation...</p>
</CardContent>
</Card>
)
}
// Error state
if (state === 'error') {
const errorContent = getErrorContent()
return (
<Card className="w-full max-w-md">
<CardHeader className="text-center">
<div className="mx-auto mb-4 flex h-12 w-12 items-center justify-center rounded-full bg-gray-100">
{errorContent.icon}
</div>
<CardTitle className="text-xl">{errorContent.title}</CardTitle>
<CardDescription className="text-base">
{errorContent.description}
</CardDescription>
</CardHeader>
<CardContent>
<Button
variant="outline"
className="w-full"
onClick={() => router.push('/login')}
>
Go to Login
</Button>
</CardContent>
</Card>
)
}
// Valid invitation - show welcome
const user = data?.user
return (
<Card className="w-full max-w-md">
<CardHeader className="text-center">
<div className="mx-auto mb-4 flex h-12 w-12 items-center justify-center rounded-full bg-green-100">
<CheckCircle2 className="h-6 w-6 text-green-600" />
</div>
<CardTitle className="text-xl">
{user?.name ? `Welcome, ${user.name}!` : 'Welcome!'}
</CardTitle>
<CardDescription className="text-base">
You&apos;ve been invited to join the Monaco Ocean Protection Challenge platform
{user?.role ? ` as a ${getRoleLabel(user.role)}.` : '.'}
</CardDescription>
</CardHeader>
<CardContent className="space-y-4">
{user?.email && (
<div className="rounded-md bg-muted/50 p-3 text-center">
<p className="text-sm text-muted-foreground">Signing in as</p>
<p className="font-medium">{user.email}</p>
</div>
)}
<Button
className="w-full"
size="lg"
onClick={handleAccept}
disabled={state === 'accepting'}
>
{state === 'accepting' ? (
<>
<Loader2 className="mr-2 h-4 w-4 animate-spin" />
Setting up your account...
</>
) : (
'Get Started'
)}
</Button>
<p className="text-xs text-center text-muted-foreground">
You&apos;ll be asked to set a password after accepting.
</p>
</CardContent>
</Card>
)
}

1
src/lib/auth.config.ts
View File

@ -41,6 +41,7 @@ export const authConfig: NextAuthConfig = {
'/login', '/login',
'/verify-email', '/verify-email',
'/auth-error', '/auth-error',
'/accept-invite',
'/api/auth', '/api/auth',
] ]

55
src/lib/auth.ts
View File

@ -19,28 +19,65 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
providers: [ providers: [
// Email provider for magic links (used for first login and password reset) // Email provider for magic links (used for first login and password reset)
EmailProvider({ EmailProvider({
server: {
host: process.env.SMTP_HOST,
port: Number(process.env.SMTP_PORT || 587),
auth: {
user: process.env.SMTP_USER,
pass: process.env.SMTP_PASS,
},
},
from: process.env.EMAIL_FROM || 'MOPC Platform <noreply@monaco-opc.com>', from: process.env.EMAIL_FROM || 'MOPC Platform <noreply@monaco-opc.com>',
maxAge: parseInt(process.env.MAGIC_LINK_EXPIRY || '900'), // 15 minutes maxAge: parseInt(process.env.MAGIC_LINK_EXPIRY || '900'), // 15 minutes
sendVerificationRequest: async ({ identifier: email, url }) => { sendVerificationRequest: async ({ identifier: email, url }) => {
await sendMagicLinkEmail(email, url) await sendMagicLinkEmail(email, url)
}, },
}), }),
// Credentials provider for email/password login // Credentials provider for email/password login and invite token auth
CredentialsProvider({ CredentialsProvider({
name: 'credentials', name: 'credentials',
credentials: { credentials: {
email: { label: 'Email', type: 'email' }, email: { label: 'Email', type: 'email' },
password: { label: 'Password', type: 'password' }, password: { label: 'Password', type: 'password' },
inviteToken: { label: 'Invite Token', type: 'text' },
}, },
async authorize(credentials) { async authorize(credentials) {
// Handle invite token authentication
if (credentials?.inviteToken) {
const token = credentials.inviteToken as string
const user = await prisma.user.findUnique({
where: { inviteToken: token },
select: {
id: true,
email: true,
name: true,
role: true,
status: true,
inviteTokenExpiresAt: true,
},
})
if (!user || user.status !== 'INVITED') {
return null
}
if (user.inviteTokenExpiresAt && user.inviteTokenExpiresAt < new Date()) {
return null
}
// Clear token, activate user, mark as needing password
await prisma.user.update({
where: { id: user.id },
data: {
inviteToken: null,
inviteTokenExpiresAt: null,
status: 'ACTIVE',
mustSetPassword: true,
lastLoginAt: new Date(),
},
})
return {
id: user.id,
email: user.email,
name: user.name,
role: user.role,
mustSetPassword: true,
}
}
if (!credentials?.email || !credentials?.password) { if (!credentials?.email || !credentials?.password) {
return null return null
} }

4
src/lib/email.ts
View File

@ -294,7 +294,7 @@ function getGenericInvitationTemplate(
${paragraph(`You've been invited to join the Monaco Ocean Protection Challenge platform as a <strong>${roleLabel}</strong>.`)} ${paragraph(`You've been invited to join the Monaco Ocean Protection Challenge platform as a <strong>${roleLabel}</strong>.`)}
${paragraph('Click the button below to set up your account and get started.')} ${paragraph('Click the button below to set up your account and get started.')}
${ctaButton(url, 'Accept Invitation')} ${ctaButton(url, 'Accept Invitation')}
${infoBox('This link will expire in 24 hours.', 'info')} ${infoBox('This link will expire in 7 days.', 'info')}
` `
return { return {
@ -309,7 +309,7 @@ Click the link below to set up your account and get started:
${url} ${url}
This link will expire in 24 hours. This link will expire in 7 days.
--- ---
Monaco Ocean Protection Challenge Monaco Ocean Protection Challenge

2
src/lib/minio.ts
View File

@ -17,7 +17,7 @@ function createMinioClient(): Minio.Client {
return new Minio.Client({ return new Minio.Client({
endPoint: url.hostname, endPoint: url.hostname,
port: parseInt(url.port) || 9000, port: url.port ? parseInt(url.port) : (url.protocol === 'https:' ? 443 : 80),
useSSL: url.protocol === 'https:', useSSL: url.protocol === 'https:',
accessKey: process.env.MINIO_ACCESS_KEY || 'minioadmin', accessKey: process.env.MINIO_ACCESS_KEY || 'minioadmin',
secretKey: process.env.MINIO_SECRET_KEY || 'minioadmin', secretKey: process.env.MINIO_SECRET_KEY || 'minioadmin',

112
src/server/routers/user.ts
View File

@ -1,3 +1,4 @@
import crypto from 'crypto'
import { z } from 'zod' import { z } from 'zod'
import { TRPCError } from '@trpc/server' import { TRPCError } from '@trpc/server'
import type { Prisma } from '@prisma/client' import type { Prisma } from '@prisma/client'
@ -5,6 +6,12 @@ import { router, protectedProcedure, adminProcedure, superAdminProcedure, public
import { sendInvitationEmail, sendMagicLinkEmail } from '@/lib/email' import { sendInvitationEmail, sendMagicLinkEmail } from '@/lib/email'
import { hashPassword, validatePassword } from '@/lib/password' import { hashPassword, validatePassword } from '@/lib/password'
const INVITE_TOKEN_EXPIRY_MS = 7 * 24 * 60 * 60 * 1000 // 7 days
function generateInviteToken(): string {
return crypto.randomBytes(32).toString('hex')
}
export const userRouter = router({ export const userRouter = router({
/** /**
* Get current user profile * Get current user profile
@ -29,6 +36,35 @@ export const userRouter = router({
}) })
}), }),
/**
* Validate an invitation token (public, no auth required)
*/
validateInviteToken: publicProcedure
.input(z.object({ token: z.string().min(1) }))
.query(async ({ ctx, input }) => {
const user = await ctx.prisma.user.findUnique({
where: { inviteToken: input.token },
select: { id: true, name: true, email: true, role: true, status: true, inviteTokenExpiresAt: true },
})
if (!user) {
return { valid: false, error: 'INVALID_TOKEN' as const }
}
if (user.status !== 'INVITED') {
return { valid: false, error: 'ALREADY_ACCEPTED' as const }
}
if (user.inviteTokenExpiresAt && user.inviteTokenExpiresAt < new Date()) {
return { valid: false, error: 'EXPIRED_TOKEN' as const }
}
return {
valid: true,
user: { name: user.name, email: user.email, role: user.role },
}
}),
/** /**
* Update current user profile * Update current user profile
*/ */
@ -415,7 +451,56 @@ export const userRouter = router({
}, },
}) })
return { created: created.count, skipped } // Auto-send invitation emails to newly created users
const baseUrl = process.env.NEXTAUTH_URL || 'http://localhost:3000'
const createdUsers = await ctx.prisma.user.findMany({
where: { email: { in: newUsers.map((u) => u.email.toLowerCase()) } },
select: { id: true, email: true, name: true, role: true },
})
let emailsSent = 0
const emailErrors: string[] = []
for (const user of createdUsers) {
try {
const token = generateInviteToken()
await ctx.prisma.user.update({
where: { id: user.id },
data: {
inviteToken: token,
inviteTokenExpiresAt: new Date(Date.now() + INVITE_TOKEN_EXPIRY_MS),
},
})
const inviteUrl = `${baseUrl}/accept-invite?token=${token}`
await sendInvitationEmail(user.email, user.name, inviteUrl, user.role)
await ctx.prisma.notificationLog.create({
data: {
userId: user.id,
channel: 'EMAIL',
provider: 'SMTP',
type: 'JURY_INVITATION',
status: 'SENT',
},
})
emailsSent++
} catch (e) {
emailErrors.push(user.email)
await ctx.prisma.notificationLog.create({
data: {
userId: user.id,
channel: 'EMAIL',
provider: 'SMTP',
type: 'JURY_INVITATION',
status: 'FAILED',
errorMsg: e instanceof Error ? e.message : 'Unknown error',
},
})
}
}
return { created: created.count, skipped, emailsSent, emailErrors }
}), }),
/** /**
@ -487,9 +572,18 @@ export const userRouter = router({
}) })
} }
// Generate magic link URL // Generate invite token and store on user
const token = generateInviteToken()
await ctx.prisma.user.update({
where: { id: user.id },
data: {
inviteToken: token,
inviteTokenExpiresAt: new Date(Date.now() + INVITE_TOKEN_EXPIRY_MS),
},
})
const baseUrl = process.env.NEXTAUTH_URL || 'http://localhost:3000' const baseUrl = process.env.NEXTAUTH_URL || 'http://localhost:3000'
const inviteUrl = `${baseUrl}/api/auth/signin?email=${encodeURIComponent(user.email)}` const inviteUrl = `${baseUrl}/accept-invite?token=${token}`
// Send invitation email // Send invitation email
await sendInvitationEmail(user.email, user.name, inviteUrl, user.role) await sendInvitationEmail(user.email, user.name, inviteUrl, user.role)
@ -544,7 +638,17 @@ export const userRouter = router({
for (const user of users) { for (const user of users) {
try { try {
const inviteUrl = `${baseUrl}/api/auth/signin?email=${encodeURIComponent(user.email)}` // Generate invite token for each user
const token = generateInviteToken()
await ctx.prisma.user.update({
where: { id: user.id },
data: {
inviteToken: token,
inviteTokenExpiresAt: new Date(Date.now() + INVITE_TOKEN_EXPIRY_MS),
},
})
const inviteUrl = `${baseUrl}/accept-invite?token=${token}`
await sendInvitationEmail(user.email, user.name, inviteUrl, user.role) await sendInvitationEmail(user.email, user.name, inviteUrl, user.role)
await ctx.prisma.notificationLog.create({ await ctx.prisma.notificationLog.create({