Expiration of User Invitations #904

Closed
2001aspaceodyssey opened this issue Oct 1, 2020 · 5 comments

2001aspaceodyssey commented Oct 1, 2020

Expiration of User Invitations

Problem

FusionAuth doesn't have a built-in method for expiring invites. Currently the link sent in the invite expires, but the password can still be set using the reset password workflow.

There is no way to disambiguate the following errors returned from the forgot password API:

  • Forgot password flow expiration
  • Invite expiration

The workflow I would like to achieve in our application UI is the following (also outlined in the related forum post):

  • Invites expire after 7 days
  • In the list of users I can see which users have accepted the invite and which haven't
  • If a user's invite has expired, an admin can resend them the invite

Solution

  • Create a setting in FusionAuth that allows an invite to expire and determine a length of time for an invite to last
  • Create a way to disambiguate errors between reset password workflow and invite workflows. Possible solutions:
    • If a user tries to accept their invite by invoking the change-password API when expired, return a specific error code for an expired invite.
    • Create a new endpoint for accepting invites other than the change-password endpoint
  • When fetching a user or list of users, include a boolean for whether they've accepted their invite or not
  • Create a new API endpoint for resending an invite

Alternatives/workarounds

Custom code written by the customer, possibly as outlined here: https://fusionauth.io/community/forum/topic/330/is-it-possible-to-disable-two-factor-without-providing-the-two-factor-code

Additional context

This issue is discussed in a forum post: https://fusionauth.io/community/forum/topic/401/how-long-does-the-email-template-changepasswordid-id-last-before-it-expires-how-can-invitation-expiration-be-implemented

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

@robotdan
Member

robotdan commented Oct 1, 2020

It sounds like what you want is a new feature for "user invitations"? If so, perhaps we should rephrase the title of the issue.

If you're looking for expiration settings for existing workflows, those are found in the tenant settings.
https://fusionauth.io/docs/v1/tech/core-concepts/tenants#advanced

@2001aspaceodyssey 2001aspaceodyssey changed the title Expiration of Invites Expiration of User Invitations Oct 1, 2020
@2001aspaceodyssey
Author

Thanks @robotdan, I have updated the language of the title to include "user invitations."

Unfortunately I haven't found an existing workflow to expire the invitation. The closest workflow that I saw is for setting a time limit for the Setup Password. It looks like this will only invalidate the change password id that is sent in the email after the set period of time, but the user account will still be accessible by using the forgot password flow to reset the password.

If I am missing something, please let me know. Thanks for responding to this issue.

@robotdan
Member

robotdan commented Oct 2, 2020

Another possible option for you would be to use email verification. When this is enabled, you can configure users that have not yet verified their email address to be deleted automatically.

See Tenant > Email > Email verification > Delete unverified users.

@2001aspaceodyssey
Author

Thanks for the suggestion. This seems like it would work if we were having users do self sign up. In our case this probably wouldn't be optimal since we are having user admins invite their other users to our application.

@andrewpai

Closing this issue, as user invitations are not a feature of FusionAuth at this time.
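
The workflow requested in this thread, tracked on the application side, as an added example that is not code from the thread or from FusionAuth. `Invite`, `InviteLedger` and `allow_password_reset` are hypothetical names, no FusionAuth API is called, and the application is assumed to consult the ledger before relaying any forgot-password request for that email address.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

INVITE_TTL = timedelta(days=7)  # the 7-day window requested in the issue

class InviteState(Enum):
    PENDING = "pending"
    ACCEPTED = "accepted"
    EXPIRED = "expired"

@dataclass
class Invite:
    """Application-side record (hypothetical schema, not a FusionAuth object)."""
    email: str
    sent_at: datetime
    accepted_at: Optional[datetime] = None

    def state(self, now: datetime) -> InviteState:
        if self.accepted_at is not None:
            return InviteState.ACCEPTED
        return InviteState.EXPIRED if now - self.sent_at >= INVITE_TTL else InviteState.PENDING

class InviteLedger:
    def __init__(self):
        self._invites = {}  # normalized email -> Invite

    def send(self, email: str, now: datetime) -> Invite:
        """Record a first or re-sent invite; a resend restarts the 7-day window."""
        key = email.strip().lower()
        if key in self._invites and self._invites[key].accepted_at is not None:
            raise ValueError("invite already accepted")
        self._invites[key] = Invite(key, now)
        return self._invites[key]

    def accept(self, email: str, now: datetime) -> bool:
        """Mark the invite accepted only while it is still pending."""
        invite = self._invites.get(email.strip().lower())
        if invite is None or invite.state(now) is not InviteState.PENDING:
            return False
        invite.accepted_at = now
        return True

    def allow_password_reset(self, email: str, now: datetime) -> bool:
        """Gate for forgot-password: invitees who never accepted are refused."""
        invite = self._invites.get(email.strip().lower())
        return invite is None or invite.state(now) is InviteState.ACCEPTED

    def states(self, now: datetime) -> dict:
        return {e: i.state(now).value for e, i in self._invites.items()}
```

`states()` supplies the accepted/pending/expired column for the admin user list, and calling `send()` again on an expired entry is the resend action.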
