Add token-based crate ownership invitation acceptance

Adds an API endpoint, handler, and web route for token-based acceptance. Also updates crate ownership invitation email to contain a URL with a token for accepting an invitation.

Author: nkanderson

app/router.js

@@ -48,6 +48,7 @@ Router.map(function() {
   this.route('policies');
   this.route('data-access');
   this.route('confirm', { path: '/confirm/:email_token' });
+  this.route('accept-invite', { path: '/accept-invite/:token' });
 
   this.route('catch-all', { path: '*path' });
 });

app/routes/accept-invite.js

@@ -0,0 +1,28 @@
+import Route from '@ember/routing/route';
+// import { inject as service } from '@ember/service';
+import ajax from 'ember-fetch/ajax';
+
+export default Route.extend({
+  // session: service(),
+
+  async model(params) {
+    try {
+      await ajax(`/api/v1//me/crate_owner_invitations/accept/${params.token}`, { method: 'PUT', body: '{}' });
+
+      // TODO: determine if user model reload is necessary here
+      // The crate invitation acceptance draws heavily on prior art from the email confirmation, which
+      // included the following block as a way to reload the user model after updating. It doesn't seem
+      // to be necessary for this route, but it's unclear how best to verify that.
+      // if (this.get('session.isLoggedIn')) {
+      //   ajax('/api/v1/me').then(response => {
+      //     this.session.set('currentUser', this.store.push(this.store.normalize('user', response.user)));
+      //   });
+      // }
+      this.set('response', { accepted: true });
+      return { response: this.get('response') };
+    } catch (error) {
+      this.set('response', { accepted: false });
+      return { response: this.get('response') };
+    }
+  },
+});

app/templates/accept-invite.hbs

@@ -0,0 +1,7 @@
+{{#if model.response.accepted}}
+  <h1>You've been added as a crate owner!</h1>
+  <p>Visit your <a href="/dashboard">dashboard</a> to view all of your crates, or <a href="/me">account settings</a> to manage email notification preferences for all of your crates.</p>
+{{else}}
+  <h1>Error in accepting crate ownership.</h1>
+  <p>You may want to visit <a href="/me/pending-invites">crates.io/me/pending-invites</a> to try again.</p>
+{{/if}}

src/controllers/crate_owner_invitation.rs

@@ -41,23 +41,46 @@ pub fn handle_invite(req: &mut dyn Request) -> AppResult<Response> {
         serde_json::from_str(&body).map_err(|_| cargo_err("invalid json request"))?;
 
     let crate_invite = crate_invite.crate_owner_invite;
+    let user_id = req.user()?.id;
 
     if crate_invite.accepted {
-        accept_invite(req, conn, crate_invite)
+        accept_invite(req, conn, crate_invite, user_id)
     } else {
         decline_invite(req, conn, crate_invite)
     }
 }
 
+/// Handles the `PUT /me/crate_owner_invitations/accept/:token` route.
+pub fn handle_invite_with_token(req: &mut dyn Request) -> AppResult<Response> {
+    let conn = req.db_conn()?;
+    let req_token = &req.params()["token"];
+
+    let crate_owner_invite: CrateOwnerInvitation = crate_owner_invitations::table
+        .filter(crate_owner_invitations::token.eq(req_token))
+        .first::<CrateOwnerInvitation>(&*conn)?;
+
+    // TODO: Return 404 if no crate_owner_invite was found
+
+    let invite_reponse = InvitationResponse {
+        crate_id: crate_owner_invite.crate_id,
+        accepted: true,
+    };
+    accept_invite(
+        req,
+        &conn,
+        invite_reponse,
+        crate_owner_invite.invited_user_id,
+    )
+}
+
 fn accept_invite(
     req: &dyn Request,
     conn: &PgConnection,
     crate_invite: InvitationResponse,
+    user_id: i32,
 ) -> AppResult<Response> {
     use diesel::{delete, insert_into};
 
-    let user_id = req.user()?.id;
-
     conn.transaction(|| {
         let pending_crate_owner = crate_owner_invitations::table
             .find((user_id, crate_invite.crate_id))

src/email.rs

@@ -90,13 +90,13 @@ https://crates.io/confirm/{}",
 /// Whether or not the email is sent, the invitation entry will be created in
 /// the database and the user will see the invitation when they visit
 /// https://crates.io/me/pending-invites/.
-pub fn send_owner_invite_email(email: &str, user_name: &str, crate_name: &str) {
+pub fn send_owner_invite_email(email: &str, user_name: &str, crate_name: &str, token: &str) {
     let subject = "Crate ownership invitation";
     let body = format!(
         "{} has invited you to become an owner of the crate {}!\n
-Please visit https://crates.io/me/pending-invites to accept or reject
-this invitation.",
-        user_name, crate_name
+Visit https://crates.io/accept-invite/{} to accept this invitation,
+or go to https://crates.io/me/pending-invites to manage all of your crate ownership invitations.",
+        user_name, crate_name, token
     );
 
     let _ = send_email(email, subject, &body);

src/models/krate.rs

@@ -439,12 +439,13 @@ impl Crate {
                     .get_result::<CrateOwnerInvitation>(conn)
                     .optional()?;
 
-                if maybe_inserted.is_some() {
+                if let Some(ownership_invitation) = maybe_inserted {
                     if let Ok(Some(email)) = user.verified_email(&conn) {
                         email::send_owner_invite_email(
                             &email.as_str(),
                             &req_user.gh_login.as_str(),
                             &self.name.as_str(),
+                            &ownership_invitation.token.as_str(),
                         );
                     }
                 }

src/router.rs

@@ -89,6 +89,10 @@ pub fn build_router(app: &App) -> R404 {
         "/me/crate_owner_invitations/:crate_id",
         C(crate_owner_invitation::handle_invite),
     );
+    api_router.put(
+        "/me/crate_owner_invitations/accept/:token",
+        C(crate_owner_invitation::handle_invite_with_token),
+    );
     api_router.put(
         "/me/email_notifications",
         C(user::me::update_email_notifications),