feat: Add copy invite link

[ShaneMaglangit]

What does this PR do?

• Adds an option to create a shared invite link. Limited to Member role for security.
• Automatically send team invite to the user who accesses the invite link.

Fixes #6581
/claim #6581

Code Creation: https://www.loom.com/share/98d349beeeac4e16bb4dbe4583cff874
Open Invite Link: https://www.loom.com/share/18e33d78ba73436f9ce17ff49df1ad74

Environment: Staging(main branch) / Production

Type of change

• New feature (non-breaking change which adds functionality)

How should this be tested?

• On an account with team, create an invite link.
• On another account, access the generated link.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
cal	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jun 6, 2023 11:30pm
ui	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jun 6, 2023 11:30pm

1 Ignored Deployment

Name	Status	Preview	Comments	Updated (UTC)
api	⬜️ Ignored (Inspect)			Jun 6, 2023 11:30pm

[vercel]

@ShaneMaglangit is attempting to deploy a commit to the cal Team on Vercel.

A member of the Team first needs to authorize it.

[github-actions]

📦 Next.js Bundle Analysis for @calcom/web

This analysis was generated by the Next.js Bundle Analysis action. 🤖

Forty-seven Pages Changed Size

The following pages changed size from the code in this PR compared to its base branch:

Page	Size (compressed)	First Load	% of Budget (350 KB)
/apps	277.53 KB	428.31 KB	122.37% (🟡 +0.23%)
/apps/[slug]	295.47 KB	446.25 KB	127.50% (🟡 +0.23%)
/apps/[slug]/[...pages]	458.15 KB	608.94 KB	173.98% (🟡 +0.23%)
/apps/categories	239.89 KB	390.67 KB	111.62% (🟡 +0.23%)
/apps/categories/[category]	260.72 KB	411.5 KB	117.57% (🟡 +0.23%)
/apps/installed/[category]	276.3 KB	427.08 KB	122.02% (🟡 +0.23%)
/availability	245.21 KB	396 KB	113.14% (🟡 +0.23%)
/availability/[schedule]	331.47 KB	482.25 KB	137.79% (🟡 +0.22%)
/availability/troubleshoot	240.63 KB	391.42 KB	111.83% (🟡 +0.23%)
/bookings/[status]	334.5 KB	485.28 KB	138.65% (🟡 +0.23%)
/event-types	426.11 KB	576.9 KB	164.83% (🟡 +0.22%)
/event-types/[type]	479.18 KB	629.96 KB	179.99% (🟡 +0.23%)
/insights	447.31 KB	598.09 KB	170.88% (🟡 +0.23%)
/more	239.52 KB	390.3 KB	111.51% (🟡 +0.23%)
/settings/admin	245.09 KB	395.87 KB	113.11% (🟡 +0.22%)
/settings/admin/apps	256.79 KB	407.57 KB	116.45% (🟡 +0.22%)
/settings/admin/apps/[category]	256.77 KB	407.56 KB	116.44% (🟡 +0.23%)
/settings/admin/flags	247.82 KB	398.6 KB	113.89% (🟡 +0.22%)
/settings/admin/impersonation	245.37 KB	396.15 KB	113.19% (🟡 +0.22%)
/settings/admin/users	246.51 KB	397.29 KB	113.51% (🟡 +0.23%)
/settings/admin/users/[id]/edit	332.86 KB	483.64 KB	138.18% (🟡 +0.23%)
/settings/admin/users/add	332.54 KB	483.32 KB	138.09% (🟡 +0.23%)
/settings/billing	245.23 KB	396.02 KB	113.15% (🟡 +0.22%)
/settings/developer/api-keys	273.84 KB	424.62 KB	121.32% (🟡 +0.23%)
/settings/developer/webhooks	248.24 KB	399.02 KB	114.01% (🟡 +0.22%)
/settings/developer/webhooks/[id]	249.92 KB	400.7 KB	114.49% (🟡 +0.22%)
/settings/developer/webhooks/new	249.78 KB	400.56 KB	114.45% (🟡 +0.22%)
/settings/my-account/appearance	267.98 KB	418.76 KB	119.65% (🟡 +0.22%)
/settings/my-account/calendars	250.87 KB	401.65 KB	114.76% (🟡 +0.22%)
/settings/my-account/conferencing	250.79 KB	401.57 KB	114.73% (🟡 +0.23%)
/settings/my-account/general	330.09 KB	480.87 KB	137.39% (🟡 +0.23%)
/settings/my-account/profile	373.19 KB	523.97 KB	149.71% (🟡 +0.22%)
/settings/security/impersonation	247.04 KB	397.83 KB	113.66% (🟡 +0.23%)
/settings/security/password	256.49 KB	407.27 KB	116.36% (🟡 +0.23%)
/settings/security/sso	254.53 KB	405.31 KB	115.80% (🟡 +0.23%)
/settings/security/two-factor-auth	249.51 KB	400.29 KB	114.37% (🟡 +0.22%)
/settings/teams	244.86 KB	395.64 KB	113.04% (🟡 +0.23%)
/settings/teams/[id]/appearance	259.39 KB	410.18 KB	117.19% (🟡 +0.23%)
/settings/teams/[id]/billing	245.09 KB	395.88 KB	113.11% (🟡 +0.22%)
/settings/teams/[id]/members	358.04 KB	508.83 KB	145.38% (🟡 +0.25%)
/settings/teams/[id]/onboard-members	162.54 KB	313.33 KB	89.52% (🟡 +0.26%)
/settings/teams/[id]/profile	368.11 KB	518.89 KB	148.25% (🟡 +0.23%)
/settings/teams/[id]/sso	254.63 KB	405.41 KB	115.83% (🟡 +0.23%)
/settings/teams/new	185.41 KB	336.19 KB	96.06% (🟡 +0.22%)
/teams	239.61 KB	390.39 KB	111.54% (🟡 +0.23%)
/workflows	252.45 KB	403.24 KB	115.21% (🟡 +0.23%)
/workflows/[workflow]	366.59 KB	517.38 KB	147.82% (🟡 +0.23%)

Details

Only the gzipped size is provided here based on an expert tip.

First Load is the size of the global bundle plus the bundle for the individual page. If a user were to show up to your website and land on a given page, the first load size represents the amount of javascript that user would need to download. If next/link is used, subsequent page loads would only need to download that page's bundle (the number in the "Size" column), since the global bundle has already been downloaded.

Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis

The "Budget %" column shows what percentage of your performance budget the First Load total takes up. For example, if your budget was 100kb, and a given page's first load size was 10kb, it would be 10% of your budget. You can also see how much this has increased or decreased compared to the base branch of your PR. If this percentage has increased by 20% or more, there will be a red status indicator applied, indicating that special attention should be given to this. If you see "+/- <0.01%" it means that there was a change in bundle size, but it is a trivial enough amount that it can be ignored.

[zomars]

Thank you for your contribution 🙏 I have some observations.

• The current code allows any logged in user to createInvite/setInviteExpiration/deactivateInvite/addMemberByLink for ANY team. That's a huge security concern.
• Can we reuse the inviteMember procedure as much as possible? We already ask the team admin if he wants to send the invite via email. We could add the option here to just get the link here.
• If we absolutely need to add a new Invite model to the DB then go for it (just rename it to TeamInvite). BUT I would like to reuse VerificationToken as much as possible which can be modified to serve the same purpose.

[ShaneMaglangit]

@zomars can you give me a bit more context on what is VerificationToken being used for? Been looking at /signup page and it seems like its only used for registration instead.

If we're going to reuse it, we would need to add a new metadata for the expiration (or modify it atleast). VerificationToken currently have expiresAt as a non-nullable field. Team invites must have a "never expire" option. We would have to make it nullable or add a new field (expireInDays). Wdyt?

[zomars]

@zomars can you give me a bit more context on what is VerificationToken being used for? Been looking at /signup page and it seems like it's only used for registration instead.

It is also used for team invites.

cal.com/packages/trpc/server/routers/viewer/teams.tsx

Lines 339 to 345 in d3f1f8b

	await ctx.prisma.verificationToken.create({
	data: {
	identifier: input.usernameOrEmail,
	token,
	expires: new Date(new Date().setHours(168)), // +1 week
	},
	});

If we're going to reuse it, we would need to add a new metadata for the expiration (or modify it atleast). VerificationToken currently have expiresAt as a non-nullable field. Team invites must have a "never expire" option. We would have to make it nullable or add a new field (expireInDays). Wdyt?

I'm ok with updating it to fit both cases.

[PeerRich]

should we rename "Deactivate" to "Delete"? basically you delete the link, no? we already have "delete" as a string, too

[PeerRich]

just to confirm: this also works if the person has no account already

[ShaneMaglangit]

just to confirm: this also works if the person has no account already

Yup, my fundamental assumption (which I tested prior), is that when accessing a protected route while unauthenticated. You will be redirected to the signup page with a corresponding callback link (invite link).

If we somehow lose the invite link with code because of some auth flow process, the user can always revisit the link.

That, I think, should sufficiently handle this case, no?

[PeerRich]

just to confirm: this also works if the person has no account already

Yup, my fundamental assumption (which I tested prior), is that when accessing a protected route while unauthenticated. You will be redirected to the signup page with a corresponding callback link (invite link).

If we somehow lose the invite link with code because of some auth flow process, the user can always revisit the link.

That, I think, should sufficiently handle this case, no?

awesome, yes!

[zomars]

Fixed faulty translations that broke e2e tests. But there's now another failure with App Store tests. Blocking to check.

[zomars]

Tested and seems like it's good to go! Thank you for your contribution 🙏