@accounter/server
Version:
Accounter GraphQL server
58 lines (57 loc) • 2.8 kB
TypeScript
import DataLoader from 'dataloader';
import { AdminContextProvider } from '../../admin-context/providers/admin-context.provider.js';
import { TenantAwareDBClient } from '../../app-providers/tenant-db-client.js';
import { AuditLogsProvider } from '../../common/providers/audit-logs.provider.js';
import { AuthContextProvider } from './auth-context.provider.js';
import { BusinessUsersProvider } from './business-users.provider.js';
/** Stored invitation as listed for management (never exposes the one-time token). */
export type BusinessInvitationRecord = {
id: string;
email: string;
roleId: string;
expiresAt: Date;
};
export declare class InvitationsProvider {
private db;
private adminContextProvider;
private businessUsersProvider;
private auditLogsProvider;
private authContextProvider;
constructor(db: TenantAwareDBClient, adminContextProvider: AdminContextProvider, businessUsersProvider: BusinessUsersProvider, auditLogsProvider: AuditLogsProvider, authContextProvider: AuthContextProvider);
private batchInvitationsByEmails;
getInvitationByEmailLoader: DataLoader<string, import("../types.js").IGetActiveInvitationsByEmailsResult[], string>;
private batchInvitationsByTokens;
getInvitationByTokensLoader: DataLoader<string, import("../types.js").IGetInvitationsByTokensResult[], string>;
insertInvitation({ email, roleId, auth0UserId, invitedByUserId, ownerId, }: {
email: string;
roleId: string;
auth0UserId: string;
invitedByUserId: string;
ownerId: string;
}): Promise<{
id: string;
email: string;
roleId: string;
expiresAt: Date;
token: string;
}>;
/**
* List the pending invitations for the current business.
* Restricted to business owners and strictly scoped to the caller's tenant.
* The one-time invitation token is never exposed.
*/
listInvitations(): Promise<BusinessInvitationRecord[]>;
/**
* Revoke (hard-delete) a pending invitation.
* Restricted to business owners and strictly scoped to the caller's tenant, so
* an invitation belonging to another business can never be revoked. Already
* accepted invitations are not revocable. The pending placeholder membership
* created alongside the invitation is removed too, so it does not linger as a
* ghost user. The Auth0 user is intentionally left untouched: the same blocked
* user may be shared by invitations across businesses (and is reused on
* re-invite), so deleting it here could break unrelated tenants.
* Returns false when no matching pending invitation exists in the current business.
*/
revokeInvitation(invitationId: string): Promise<boolean>;
private requireBusinessOwner;
}