Laravel Teams
This episode is for members only

Sign up to access "Laravel Teams" right now.

Get started
Already a member? Sign in to continue
Playing
26. Accepting an invitation

Episodes

0%
Your progress
  • Total: 4h 36m
  • Played: 0m
  • Remaining: 4h 36m
Join or sign in to track your progress
01. Introduction and demo
4m 49s
0%
02. Setup with Pest
4m 2s
0%
03. Building the user teams relations
6m 5s
0%
04. Creating a personal team when registering
6m 3s
0%
05. Leaving all teams when an account is deleted
3m 55s
0%
06. Tracking the current team
4m 50s
0%
07. Showing team details in the UI
2m 55s
0%
08. Switching to another team
7m 24s
0%
09. Authorising team switching
6m 53s
0%
10. Updating a team name
10m 48s
0%
11. Basic roles and permissions setup
5m 26s
0%
12. Team roles and permissions middleware
9m 18s
0%
13. Authorising current team updates
3m 43s
0%
14. Testing team permissions through HTTP requests
3m 58s
0%
15. Leaving a team
10m 50s
0%
16. Displaying team members
8m 42s
0%
17. Making team members look better
5m 3s
0%
18. Removing a team member
15m 18s
0%
19. Preventing self removal from a team
4m 7s
0%
20. Storing invitations
13m 31s
0%
21. Validating invitations
6m 38s
0%
22. Authorising team invitation creation
6m 22s
0%
23. Displaying invitations
3m 16s
0%
24. Revoking invitations
12m 46s
0%
25. Sending an invitation email
13m 6s
0%
26. Accepting an invitation
12m 22s
0%
27. Displaying a modal to change a member’s role
10m 31s
0%
28. Updating a member’s role
9m 5s
0%
29. More authorisation and checks for role changing
10m 14s
0%
30. Fixing up the email sending test details
49s
0%
31. Fixing and validating email addresses for invites
1m 32s
0%
32. Tidying up @can directive checks
3m 25s
0%
33. Detaching roles when removing users
5m
0%
34. Adding an extra layer of protection to the team middleware
6m 35s
0%
35. Getting related models through teams
5m 37s
0%
36. Building a helper to access the current team
10m 47s
0%
37. Getting all related models through all teams
7m 15s
0%
38. Creating new teams
13m 7s
0%

Transcript

00:00
By the end of this episode we'll be able to go through the entire flow of inviting a user and then going ahead and clicking the link either signing up or already being logged in and being
00:10
added to that team. Let's start out with a test and remember when we set the middleware here for signed which made sure that this was a signed route and verified everything. Let's write a test to make sure that the exception fails if the route isn't assigned. So let's go ahead and say it fails to accept invite if route is not signed and let's go ahead and start to build this invite up.
00:38
So team invite factory and let's go ahead and say that this is for any team so let's use a factory to create out any team here it doesn't really matter which one it is and let's go ahead and create that so all we're really interested in is if this fails when we go ahead and accept this as a user. So we have to be authenticated to accept an invite so the user will be forwarded over to
01:04
login or register before they hit this url so we do need an accepting user someone who is going to accept this so let's go ahead and create that user out just in here and then let's act as that user who is going to accept that invite and go ahead and get this url so with this we don't want to build the route up so we just want to manually pass this in so team invite accept and we'll pass
01:29
in the token here and that is going to be the token directly from the invite and we basically just want to assert forbidden so because we're trying to access a url which doesn't have any signature doesn't have any expiry it should be forbidden automatically so let's go ahead and run either on this or let's just do our entire controller and have a look great that passed so
01:56
it will not accept this if the route is not assigned okay now let's go ahead and write out the test for the best case which is it can accept an invite so with this we either need to build up assigned url manually or we just need to exclude the validate signature middleware let's go ahead and just start this through so let's copy what we've got here because it's going to be pretty
02:19
much exactly the same along with the accepting user as well so we can pull all of that in let's pull that in so we've got the invite in here we've got the user who's going to accept this let's go ahead and acting as that accepting user let's make a request to the url that we've just created so again we can use the root helper to build this up so let's pull in team invite and
02:46
accept again we don't have any query string associated with this actually it's probably just a bit easier to manually pull this in rather than tack it onto the end so let's say accept and token is going to be the token from the invite and we want to assert that we're redirected over to our dashboard for example once this invite has been successfully accepted now this isn't
03:15
going to work so if we just run our test here obviously we get a failed because we get a 403 forbidden so what we want to do is just for this test we want to exclude the validate signature middleware so we can actually get through to this route without requiring the signed url we've already got a test to make sure that we have to have a signed url so it doesn't matter if we
03:36
exclude it for this other test okay there we go so we've run our tests and we get that die dumped which we saw in the browser earlier let's go ahead and think about some of the other things that we want to happen here so the first thing is we want to assert that we are missing this invite in the database we basically want to get rid of it from the team invites table you might want to mark it
03:58
as accepted it's entirely up to you but in our case we can just go ahead and safely delete this invite so let's say invite team id and just match up some of the other details in here just to make sure this is deleted token and we'll do the same for the email as well we may as well so say invite and email and let's go ahead and run this and of course we should get a failure if we just get rid
04:25
of the die dump in here because that's getting in the way of our test okay so yeah that failed so this data is still in the database and that's not great so let's do that first we're kind of going backwards here but let's try this out anyway so when we accept the invite we want to delete the invite but we need to fetch the invite first of all so let's fetch that out and that's obviously
04:48
going to be important to be able to accept this anyway let's say where token and let's just make sure we have this pulled in yeah so where the token matches the request token now you can either do where token or you can do where token separated by both arguments it's entirely up to you and really importantly we're going to do first or fail so even if we do get through to this route
05:15
and the invite's being revoked or it doesn't even exist in the first place we're just going to fail this request with the 404 so after we found the invite let's go ahead and delete that invite out and then let's redirect the user to their dashboard like so and that should be enough to make this pass let's just test this out yeah so it has been deleted from the database successfully so what's
05:41
the next thing or the other thing that we want to do directly within this test well we want to make sure that the user who has just accepted this is now part of that team so that's pretty straightforward to do we would can just say expect the accepting user teams to contain the team from the invite and we're going to make sure that that is true now if we run this test again of course it's going to
06:14
fail because that user is not part of that team that's our job inside of this controller so just before we delete this invitation what do we need to do well we need to go ahead and take the currently authenticated user who is authenticated and has accepted this invitation and we want to attach them to the team that the invite relates to okay let's go ahead and run that test again and
06:40
yeah that's all good so we know that they've been added to that team now now let's just think before we touch the ui what's going to happen if they're added to a team and then redirected to their dashboard well they're not going to be switched over to that team to start with and also they're not going to have a role as part of that team because they will have signed up and been assigned
07:03
a team admin as part of their personal team but they won't be switched over to this so we don't necessarily need to switch them to that team we can do that by setting their current team id so we can do that as well but really importantly we need to make sure that they have the correct role so let's go ahead and test for that as well so on the end of this expectation let's also say
07:25
and we want the accepting user to have a role of team member and we're going to say we want that to be true let's go ahead and run our tests and yeah sure enough that fails so let's go back over to our team invite controller and let's set this up now cast your mind back to the start of the course over in our user observer where when we created a user and attached them to their own
07:52
personal team we needed to assign the role but in the context of the team that they were in so we pretty much want to do this but assign them a team member as part of that team so we can just copy and paste this directly over let's make sure that we set this up to be the invite team id and we want to assign the request users roles team member as part of that team let's run our tests and yeah that
08:20
passes so we now know that for that team they are now a team member okay so you could also switch them over to that team if you wanted to so over in the test let's go ahead and update this as well so let's say and accepting user current team or we could just use the relationship direct directly here id and we're going to expect that to be the invite team id okay let's try this out
08:53
and yeah of course it fails because we've not manually switched them over they are still associated with their personal team so back over here we could also set up and switch their current team over so we could do something like request user current team associate with the invite team switch them over to that and then go ahead and save them out let's try this out again and there
09:19
we go we get green okay so that's pretty much our invite done of course you can do anything in here you want you can send an email you can configure this however you want the whole process is pretty much the same but what we want to do now is just do this in the browser to see how it feels so we want to make sure that we've got our emails open and ready to go and let's try this out so let's
09:41
try it with a pre-existing user so we know that Mabel is a user in the database I'm going to remove her from the team so we can sort of start fresh so let's go ahead and invite Mabel to this team click invite of course that's now a pending invitation let's go over to our mail client and you can see that we have got this email of course it's been sent to Mabel and we can click accept
10:03
invite now what I'm going to do is just copy the link because if I open this it's going to open up in my browser session and of course that's not going to work properly so we'll go ahead and create our new incognito window here and go ahead and paste this in so what we can do is either log in or register so let's go ahead and say Mabel at Cocos.com password and let's go over and check
10:24
this out okay so yeah we've actually got an issue here with the middleware so our tests wouldn't have caught that redirect let's just see what's happened here I think it's because we manually created this user in the database and this would have been null so this should never be null so let's just go and set this to Mabel's personal team which I don't think we even have okay so
10:49
we're sort of going about this the wrong way what we're going to do is get rid of this user sign up as a normal user and that will trigger our user observer to create their own personal team we can fix this a little bit later but it's unlikely that a user is ever not going to have a current team id because we set it throughout the entire process so let's get rid of this invite
11:11
let's just make sure everything's good here and let's just go through the process of registering an account as normal so let's go back over and register let's register as Mabel and set the password here and there we go so we're in we now have a current team id so that's always going to be the case let's go back over to our other browser window here and we'll just pull
11:34
this one across so we can access both of these and let's go ahead and invite Mabel again and see the process so invite let's open up our mail client this is the new email let's copy the link back over to the browser we're going to now either click that in our mail client we don't necessarily have to be logged in but if Mabel is logged in and she accepts this invitation that's been accepted
12:00
the team's been switched we're now inside of that team and of course that team invite from here has been deleted and now we now have Mabel as a team member so the whole flow works it didn't work initially because we just manually created that user in the database and they weren't part of any team when they were signed in but that is pretty much the whole flow now working

Episode summary

In this episode, we walk through the entire process of accepting a team invitation, both from a testing and a user experience perspective. First, we start by writing tests to make sure our invitation flow is secure and works as expected. We cover checking that unsigned invite acceptance attempts are blocked, and then move on to the successful flow where invites can be accepted if everything's valid.

You'll see how we validate that an invite token works, that the invite gets deleted after it's accepted, and that the user is properly attached to the team with the right role. We also make sure that the user's current team is set to the one they just got invited to, so everything's smooth for them once they accept.

After covering all that logic with tests, we hop into the browser to try it all out for real. We do a manual end-to-end test using the UI, inviting a user, grabbing the email link, and going through the login/acceptance process. Along the way, we run into a minor issue caused by manually adding users to the database (without setting their current team), and we show how to fix that edge case.

By the end of the episode, you've got a robust invite acceptance flow that deletes used invites, adds users to teams, gives them the correct role, and even switches their current team automatically. Plus, you've seen how to catch and fix some sneaky bugs that might come up in testing vs. real life!

Episode discussion

No comments, yet. Be the first!