Accept Invitation
POST /api/v1/auth/accept-invite
Accept a workspace invitation and optionally set password.
Security features (Issue #67):
- Uses Invitation model with hashed token storage
- Atomic transaction prevents race conditions on double-accept
- Token validated via SHA256 hash comparison
- Single-use enforcement (used_at timestamp)
- Sibling invites auto-revoked on acceptance
- Clears stale verification tokens on acceptance
Phase 77 WR-03 — strict email-match guard against authenticated session. If the request carries a valid JWT and the authenticated user's email does NOT match the invitation's email, reject with 409 + error_code INVITE_EMAIL_MISMATCH. Mirrors the guard in google_mobile_api.py and invite_sso_service.resolve_for_callback so the threat-model claim "Email-mismatch: must NOT add user to workspace" is enforced on the password path as well as the Google path. The mobile client now force-logs-out before reaching this endpoint (CR-01), so this is a defense-in-depth check for any other caller (web, raw API consumers).
Args:
- data.token: Invitation token (plaintext; hashed with SHA-256 for lookup)
- data.invite_id: Invitation ID (UUID)
- data.password: New password (optional for existing users who already have a password)
Returns:
- 200: Success with access/refresh tokens
- 400: Invalid state (already used, revoked, expired, invalid password)
- 404: Invalid token/invite_id combination
- 409: Authenticated session email does not match invitation email
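The following is an added example, not the project's own code, showing the accept-invite checks described above as one in-memory flow: only the SHA-256 hash of the token is stored, the lookup compares hashes in constant time, a single lock stands in for the database transaction so a double-accept cannot race, `used_at` enforces single use, sibling invites are revoked, and an authenticated session whose email differs from the invitee's email is rejected with 409 and `INVITE_EMAIL_MISMATCH`. Every name here (`Invitation`, `InviteStore`, `InviteError`, `try_accept`, the error codes other than `INVITE_EMAIL_MISMATCH`, and "sibling" meaning another open invite for the same email in the same workspace) is an assumption for illustration; the page does not show the real models.

```python
"""Illustrative accept-invite flow (added example; names are hypothetical)."""
import hashlib
import hmac
import secrets
import threading
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


class InviteError(Exception):
    """Hypothetical error carrying the HTTP status and error_code to return."""

    def __init__(self, status: int, error_code: str):
        super().__init__(f"{status} {error_code}")
        self.status = status
        self.error_code = error_code


@dataclass
class Invitation:
    id: str
    workspace_id: str
    email: str
    token_hash: str  # SHA-256 of the token; the plaintext is never persisted
    expires_at: datetime
    used_at: Optional[datetime] = None
    revoked_at: Optional[datetime] = None
    verification_token_hash: Optional[str] = None  # stale token cleared on accept


def hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class InviteStore:
    """In-memory stand-in for the DB; the lock stands in for the atomic transaction."""

    def __init__(self) -> None:
        self._by_id: dict = {}
        self._lock = threading.Lock()

    def create(self, workspace_id: str, email: str,
               ttl: timedelta = timedelta(days=7)) -> Tuple[str, str]:
        token = secrets.token_urlsafe(32)
        inv = Invitation(
            id=secrets.token_hex(16), workspace_id=workspace_id, email=email.lower(),
            token_hash=hash_token(token), expires_at=datetime.now(timezone.utc) + ttl,
            verification_token_hash=hash_token(secrets.token_urlsafe(16)),
        )
        self._by_id[inv.id] = inv
        return inv.id, token  # plaintext token is handed to the invitee once

    def accept(self, invite_id: str, token: str, session_email: Optional[str] = None,
               now: Optional[datetime] = None) -> Invitation:
        now = now or datetime.now(timezone.utc)
        with self._lock:  # check-and-mark happens as one unit: no double-accept race
            inv = self._by_id.get(invite_id)
            # Unknown id or wrong token both yield 404: don't reveal which part failed
            if inv is None or not hmac.compare_digest(inv.token_hash, hash_token(token)):
                raise InviteError(404, "INVITE_NOT_FOUND")
            if inv.used_at is not None:
                raise InviteError(400, "INVITE_ALREADY_USED")
            if inv.revoked_at is not None:
                raise InviteError(400, "INVITE_REVOKED")
            if inv.expires_at <= now:
                raise InviteError(400, "INVITE_EXPIRED")
            # WR-03 guard: an authenticated caller must be the invitee, case-insensitively
            if session_email is not None and session_email.lower() != inv.email:
                raise InviteError(409, "INVITE_EMAIL_MISMATCH")
            inv.used_at = now  # single-use enforcement
            inv.verification_token_hash = None  # clear stale verification token
            # Revoke sibling invites: same email, same workspace, still open
            for other in self._by_id.values():
                if (other is not inv and other.workspace_id == inv.workspace_id
                        and other.email == inv.email
                        and other.used_at is None and other.revoked_at is None):
                    other.revoked_at = now
            return inv


def try_accept(store: InviteStore, invite_id: str, token: str,
               session_email: Optional[str] = None) -> Tuple[int, Optional[str]]:
    """Return (status, error_code) the way the endpoint would surface them."""
    try:
        store.accept(invite_id, token, session_email=session_email)
        return 200, None
    except InviteError as e:
        return e.status, e.error_code


if __name__ == "__main__":
    store = InviteStore()
    invite_id, token = store.create("ws-1", "alice@example.com")  # constructed sample
    print(try_accept(store, invite_id, token, session_email="bob@example.com"))
    print(try_accept(store, invite_id, token, session_email="Alice@example.com"))
    print(try_accept(store, invite_id, token))
```

Because the email comparison runs only when a session is present, unauthenticated callers still go through the token-hash and state checks alone, which matches the docstring's description of the guard as defence in depth rather than a login requirement.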
Request
Responses
- 200 OK
- 400 Bad Request
- 401 Unauthorized
- 403 Forbidden
- 404 Not Found
- 409 Conflict
- 422 Validation Error
- 429 Too Many Requests