Conversation

@myftija myftija commented Sep 25, 2025

We currently use CUIDs for invite tokens, which are generated using
a pattern and are not cryptographically secure. This PR switches to
a higher entropy string generated with nanoid.

Will remove the default value in the prisma schema in a separate PR.


changeset-bot bot commented Sep 25, 2025

⚠️ No Changeset found

Latest commit: 0d11391

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

coderabbitai bot commented Sep 25, 2025

Walkthrough

Replaces inline invite construction in apps/webapp/app/models/member.server.ts with a pre-built invites array that includes a generated token per invite. Adds a module-level token length and token generator using nanoid, and imports Prisma types. Uses Prisma's createMany to insert the invites (removing the previous skipDuplicates option). Keeps the subsequent query flow to return the created invites.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)
  • Description Check (⚠️ Warning): The PR description does not follow the repository’s required template, as it is missing the issue-closure line, checklist, testing steps, changelog, and any screenshots sections outlined in the description template. Resolution: please update the description to use the provided template by adding “Closes #”, completing the checklist, detailing testing steps, providing a changelog entry, and including screenshots if applicable.
  • Docstring Coverage (⚠️ Warning): Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: you can run @coderabbitai generate docstrings to improve docstring coverage.
✅ Passed checks (1 passed)
  • Title Check (✅ Passed): The title “fix: use higher entropy invite tokens” directly summarizes the primary change of replacing CUIDs with nanoid-generated tokens and is concise, specific, and clear about the main update.
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
apps/webapp/app/models/member.server.ts (1)

102-111: Hash tokens at rest; uniqueness is already enforced
Prisma schema defines token String @unique @default(cuid()). To avoid plaintext exposure in DB/backups, store only a hash (e.g., SHA-256) and match incoming tokens by hash. Ensure tokens aren’t serialized to clients or logs.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a3bdd3c and a3a3549.

📒 Files selected for processing (1)
  • apps/webapp/app/models/member.server.ts (2 hunks)
🧰 Additional context used
📓 Path-based instructions (5)
**/*.{ts,tsx}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

**/*.{ts,tsx}: Always prefer using isomorphic code like fetch, ReadableStream, etc. instead of Node.js specific code
For TypeScript, we usually use types over interfaces
Avoid enums
No default exports, use function declarations

Files:

  • apps/webapp/app/models/member.server.ts
{packages/core,apps/webapp}/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

We use zod a lot in packages/core and in the webapp

Files:

  • apps/webapp/app/models/member.server.ts
apps/webapp/**/*.{ts,tsx}

📄 CodeRabbit inference engine (.cursor/rules/webapp.mdc)

When importing from @trigger.dev/core in the webapp, never import the root package path; always use one of the documented subpath exports from @trigger.dev/core’s package.json

Files:

  • apps/webapp/app/models/member.server.ts
{apps/webapp/app/**/*.server.{ts,tsx},apps/webapp/app/routes/**/*.ts}

📄 CodeRabbit inference engine (.cursor/rules/webapp.mdc)

Access environment variables only via the env export from app/env.server.ts; do not reference process.env directly

Files:

  • apps/webapp/app/models/member.server.ts
apps/webapp/app/**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/webapp.mdc)

Modules intended for test consumption under apps/webapp/app/**/*.ts must not read environment variables; accept configuration via options instead

Files:

  • apps/webapp/app/models/member.server.ts
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (22)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (2, 8)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (7, 8)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (8, 8)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (5, 8)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (4, 8)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (6, 8)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (1, 8)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (7, 8)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (3, 8)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (3, 8)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (5, 8)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (4, 8)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (6, 8)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (2, 8)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (1, 8)
  • GitHub Check: units / packages / 🧪 Unit Tests: Packages (1, 1)
  • GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - pnpm)
  • GitHub Check: e2e / 🧪 CLI v3 tests (ubuntu-latest - pnpm)
  • GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - npm)
  • GitHub Check: typecheck / typecheck
  • GitHub Check: e2e / 🧪 CLI v3 tests (ubuntu-latest - npm)
  • GitHub Check: Analyze (javascript-typescript)
🔇 Additional comments (1)
apps/webapp/app/models/member.server.ts (1)

1-1: Good: typed Prisma import used for satisfies

Importing type Prisma avoids runtime bloat and keeps checks at compile-time. LGTM.
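The "hash tokens at rest" nitpick above, as an added example; this is not code from the PR or from trigger.dev. It stands in for the PR's nanoid generator with Node's `crypto.randomBytes` (30 bytes, base64url-encoded, which yields the same 40-character length the later review mentions), hashes the token with SHA-256 before it is stored, and resolves an incoming token by hashing it and looking the hash up. `InviteStore`, `generateInviteToken`, `hashInviteToken` and `StoredInvite` are hypothetical names; the store is an in-memory stand-in for the `orgMemberInvite` table, not Prisma.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Added example, not the trigger.dev code. Stand-in for the PR's nanoid
// generator: 30 bytes from the OS CSPRNG, base64url-encoded, gives a
// 40-character token carrying 240 bits of entropy.
export const INVITE_TOKEN_LENGTH = 40;

export function generateInviteToken(): string {
  return randomBytes(30).toString("base64url");
}

// Only this digest is persisted; a leaked DB dump or backup then exposes no
// usable invite token. SHA-256 is sufficient here because the input is a
// high-entropy random string, not a user-chosen password.
export function hashInviteToken(token: string): string {
  return createHash("sha256").update(token, "utf8").digest("hex");
}

// Hypothetical row shape: note there is no plaintext token column.
type StoredInvite = { email: string; tokenHash: string; organizationId: string };

// Hypothetical in-memory stand-in for the orgMemberInvite table, keyed by
// tokenHash (the column a @unique index would cover).
export class InviteStore {
  private byHash = new Map<string, StoredInvite>();

  // The plaintext token is returned exactly once, to go into the invite
  // email; the store itself keeps only the hash.
  create(email: string, organizationId: string): { token: string; invite: StoredInvite } {
    const token = generateInviteToken();
    const invite: StoredInvite = { email, tokenHash: hashInviteToken(token), organizationId };
    this.byHash.set(invite.tokenHash, invite);
    return { token, invite };
  }

  // Equivalent of getInviteFromToken: hash the presented token, then look up
  // the hash. Equality on the hash is what the DB index would do.
  findByToken(token: string): StoredInvite | undefined {
    return this.byHash.get(hashInviteToken(token));
  }

  // Exposes stored rows so a test can confirm no plaintext token is kept.
  rows(): StoredInvite[] {
    return [...this.byHash.values()];
  }
}
```

Because the hash, not the token, is the lookup key, the token also never needs to be logged or serialized to a client after the invite email has been sent, which is the other half of the nitpick.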

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
apps/webapp/app/models/member.server.ts (1)

102-111: Normalize and dedupe emails (trim; optional case-insensitive) before creating invites

Prevent surprises from whitespace in inputs and reduce duplicate rows from variant spellings. Minimal change is to trim before Set-deduping.

Apply within this hunk:

-  const invites = [...new Set(emails)].map(
+  const normalizedEmails = [...new Set(emails.map((e) => e.trim()))];
+  const invites = normalizedEmails.map(
     (email) =>
       ({
         email,
         token: tokenGenerator(),
         organizationId: org.id,
         inviterId: userId,
         role: "MEMBER",
       } satisfies Prisma.OrgMemberInviteCreateManyInput)
   );
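Review bot: `e.trim()` can leave empty strings behind (an input entry that was whitespace only), and `new Set` keeps `""` as a value, so the `map` would then emit an invite row with an empty email. Filter after trimming, e.g. `emails.map((e) => e.trim()).filter((e) => e.length > 0)`, before building `normalizedEmails`. The Set also still treats differently cased spellings of the same address as distinct, which the case-insensitive option mentioned below would cover.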

If you want case-insensitive dedupe, build a Map keyed by email.toLowerCase() and store the first occurrence.

Also update the subsequent query to use normalizedEmails for consistency (outside this hunk).

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a3a3549 and 0d11391.

📒 Files selected for processing (1)
  • apps/webapp/app/models/member.server.ts (2 hunks)
🧬 Code graph analysis (1)
apps/webapp/app/models/member.server.ts (1)
apps/webapp/app/db.server.ts (1)
  • Prisma (99-99)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (23)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (8, 8)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (6, 8)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (7, 8)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (4, 8)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (5, 8)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (2, 8)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (2, 8)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (1, 8)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (8, 8)
  • GitHub Check: units / internal / 🧪 Unit Tests: Internal (3, 8)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (6, 8)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (7, 8)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (5, 8)
  • GitHub Check: units / packages / 🧪 Unit Tests: Packages (1, 1)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (3, 8)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (4, 8)
  • GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (1, 8)
  • GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - pnpm)
  • GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - npm)
  • GitHub Check: e2e / 🧪 CLI v3 tests (ubuntu-latest - npm)
  • GitHub Check: e2e / 🧪 CLI v3 tests (ubuntu-latest - pnpm)
  • GitHub Check: typecheck / typecheck
  • GitHub Check: Analyze (javascript-typescript)
🔇 Additional comments (3)
apps/webapp/app/models/member.server.ts (3)

1-1: Type-only Prisma import looks good

Using import type Prisma keeps runtime clean while enabling the satisfies check below.


113-115: Idempotency across requests: consider re-enabling skipDuplicates with a composite unique

As previously noted, deduping the input array avoids intra-request dupes, but repeated requests can still create multiple invites for the same (organizationId, email) unless the DB enforces a composite unique. After adding @@unique([organizationId, email]), re-enable skipDuplicates:

   await prisma.orgMemberInvite.createMany({
-    data: invites,
+    data: invites,
+    skipDuplicates: true, // requires @@unique([organizationId, email]) in the Prisma model
   });
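Review bot: the `-    data: invites,` / `+    data: invites,` pair is a no-op that only adds noise to the hunk; the diff needs only the added `skipDuplicates: true` line. More importantly, `skipDuplicates` has no effect until the `@@unique([organizationId, email])` constraint named in the comment exists, so this change must land with or after that schema migration; before it, a retried request still inserts a second row. Once a row is skipped, the freshly generated token for that email is discarded and the earlier invite's token remains the valid one, so the subsequent query that returns the created invites should be expected to return the existing row rather than a new one.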

This makes the batch write safe to retry.


3-6: Secure, high-entropy token: ensure DB uniqueness and prefer findUnique for lookups

Good switch to nanoid with a fixed integer length. Please ensure OrgMemberInvite.token has a DB unique index; otherwise, getInviteFromToken’s findFirst can be ambiguous if a duplicate ever occurs (however unlikely), and it weakens guarantees around token-based access.

Follow-ups:

  • Add a unique constraint on token in Prisma (and ensure the column length supports 40 chars).
  • After that, change getInviteFromToken to use findUnique({ where: { token } }).

Example (outside this diff):

  • Prisma schema:
    model OrgMemberInvite { token String @unique ... }
  • Lookup:
    export async function getInviteFromToken({ token }: { token: string }) {
      return prisma.orgMemberInvite.findUnique({
        where: { token },
        include: { organization: true, inviter: true },
      });
    }

Note: The nanoid version audit across the repo was called out in a previous review; not repeating details here.
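The email normalisation this review asks for (trim, drop empty entries, case-insensitive dedupe that keeps the first spelling seen) together with the invite-row construction from the suggested hunk, as an added example that is not the project's code. `InviteRow`, `normalizeEmails` and `buildInvites` are hypothetical names; `tokenGenerator` mirrors the one the PR adds but uses Node's `crypto.randomBytes` in place of nanoid so the block runs without that dependency.

```typescript
import { randomBytes } from "node:crypto";

// Hypothetical row shape standing in for Prisma.OrgMemberInviteCreateManyInput.
type InviteRow = {
  email: string;
  token: string;
  organizationId: string;
  inviterId: string;
  role: "MEMBER";
};

// Stand-in for the PR's nanoid generator: 30 CSPRNG bytes, 40 base64url chars.
function tokenGenerator(): string {
  return randomBytes(30).toString("base64url");
}

// Trim every entry, drop entries that are empty after trimming, and keep the
// first occurrence for each address compared case-insensitively. The first
// spelling is preserved so the invite email goes to the address as typed.
export function normalizeEmails(emails: string[]): string[] {
  const firstSeen = new Map<string, string>();
  for (const raw of emails) {
    const email = raw.trim();
    if (email === "") continue;
    const key = email.toLowerCase();
    if (!firstSeen.has(key)) firstSeen.set(key, email);
  }
  return [...firstSeen.values()];
}

// Builds the createMany payload: one row per normalized address, each with
// its own freshly generated token.
export function buildInvites(
  emails: string[],
  organizationId: string,
  inviterId: string
): InviteRow[] {
  return normalizeEmails(emails).map(
    (email): InviteRow => ({
      email,
      token: tokenGenerator(),
      organizationId,
      inviterId,
      role: "MEMBER",
    })
  );
}
```

Deduping inside one request this way removes intra-request duplicates only; as the review notes, two separate requests for the same address still need the database-level composite unique to be rejected or skipped.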

@myftija myftija merged commit 7bf579f into main Sep 25, 2025
31 checks passed
@myftija myftija deleted the fix-invite-tokens branch September 25, 2025 17:43