From 09db565bc2517a77a529340b199e4844a804b179 Mon Sep 17 00:00:00 2001
From: Juanfran
Date: Mon, 15 Jun 2026 13:13:04 +0200
Subject: [PATCH] :bug: Skip org membership lookup for anonymous invite recipients

When an organization invitation token is verified by a logged-out recipient (e.g. an unregistered invitee opening the emailed link), profile-id is nil. The team-invitation branch still evaluated get-org-membership eagerly, calling nitrate with that nil profile-id. That request fails and surfaces as a generic error, masking the clean :invalid-token response and dropping the user on the login screen instead of the dedicated "Invite invalid" page. Only query membership when a logged-in profile is present, so a canceled or otherwise invalid org invite reaches the :invalid-token path as intended.
---
 backend/src/app/rpc/commands/verify_token.clj | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/backend/src/app/rpc/commands/verify_token.clj b/backend/src/app/rpc/commands/verify_token.clj
index 30f57e9b39..e2433fec95 100644
--- a/backend/src/app/rpc/commands/verify_token.clj
+++ b/backend/src/app/rpc/commands/verify_token.clj
@@ -185,7 +185,10 @@
 registration-disabled? (not (contains? cf/flags :registration))
 org-invitation? (and (contains? cf/flags :nitrate) organization-id)
- membership (when org-invitation?
+ ;; Membership only makes sense for a logged-in profile; querying it for
+ ;; an anonymous recipient would call nitrate with a nil profile-id and
+ ;; mask the clean :invalid-token response with a generic error.
+ membership (when (and profile org-invitation?)
 (nitrate/call cfg :get-org-membership {:profile-id profile-id :organization-id organization-id}))]
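Review bot: The new guard tests `profile`, but the nitrate request is built from `profile-id`, and the hunk does not show how the two are bound. Either confirm they are always nil together or guard on the value actually sent: `membership (when (and profile-id org-invitation?)`. The `let` starts and continues outside this hunk, so the branches that read `membership` are not visible here. Since it is now nil for every anonymous recipient, check that they treat nil as "membership unknown" and that no later path lets a valid org invite proceed on it without a membership check. The diffstat shows only verify_token.clj changed, so a regression test for a logged-out recipient verifying a canceled org invite would pin the `:invalid-token` result. A failed `:get-org-membership` call for a logged-in profile would presumably still surface as the generic error the message describes, which may deserve its own handling.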