Fix OAuth redirection handling in invite flow #516

Merged: ThaminduDilshan merged 2 commits into asgardeo:main from ThaminduDilshan:thamindu-ct on May 13, 2026

ThaminduDilshan (Contributor) commented May 13, 2026

Purpose

This pull request introduces a conditional OAuth redirection flow in the BaseAcceptInvite component. Now, if the server response indicates a redirection type, the component will automatically initiate an OAuth redirect using the provided URL.

Related Issues

Related PRs

  • N/A

Checklist

  • Followed the CONTRIBUTING guidelines.
  • Manual test round performed and verified.
  • Documentation provided. (Add links if there are any)
  • Unit tests provided. (Add links if there are any)

Security checks

Summary by CodeRabbit

  • Bug Fixes
    • Enhanced the invite acceptance process to streamline OAuth redirects, providing faster authentication when required during invite validation.

coderabbitai Bot commented May 13, 2026

Warning

Rate limit exceeded

@ThaminduDilshan has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 49 minutes and 46 seconds before requesting another review.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 30b46250-1632-41bb-918a-1b3382137540

📥 Commits

Reviewing files that changed from the base of the PR and between e8ed449 and ad7a9f1.

📒 Files selected for processing (1)
  • .changeset/three-flowers-sneeze.md
📝 Walkthrough

The BaseAcceptInvite component now detects a REDIRECTION response type during the initial invite-token validation step and immediately initiates an OAuth redirect, exiting early. This prevents the validation logic from proceeding to token error handling or form rendering when a redirect is detected.

Changes

Invite Validation Redirect Handling

Layer / File(s): REDIRECTION detection and OAuth redirect initiation (packages/react/src/components/presentation/auth/AcceptInvite/v2/BaseAcceptInvite.tsx)
Summary: During the initial invite validation, an early branch for response.type === 'REDIRECTION' is added that reads redirectURL, calls initiateOAuthRedirect(redirectURL) when available in browser, and returns to prevent subsequent token validation and form rendering.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

  • asgardeo/javascript#510: Both PRs modify BaseAcceptInvite.tsx's invite-token/OAuth control flow to handle redirect-related states earlier—main PR on REDIRECTION during initial validation, retrieved PR by skipping validation when an OAuth code is present.
  • asgardeo/javascript#512: Both PRs update invite-token handling logic in BaseAcceptInvite.tsx, with the main PR adding an early REDIRECTION branch during validation and the retrieved PR adjusting onError behavior based on flowStatus.

Suggested reviewers

  • Malith-19
  • brionmario

Poem

🐰 A redirect flows through the invite stream,
No need to wait—it's OAuth's dream!
Early exit, swift and clean,
REDIRECTION caught, early-scene. 🚀

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title clearly summarizes the main change: fixing OAuth redirection handling in the invite flow, which matches the PR's purpose of adding conditional OAuth redirect logic to BaseAcceptInvite.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Description check | ✅ Passed | The pull request description follows the required template with Purpose, Related Issues, Related PRs, Checklist, and Security checks sections present.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@packages/react/src/components/presentation/auth/AcceptInvite/v2/BaseAcceptInvite.tsx`:
- Around line 637-644: The REDIRECTION branch in BaseAcceptInvite.tsx currently
falls through when response.type === 'REDIRECTION' but redirectURL is missing;
update the handler for response.type === 'REDIRECTION' to treat a missing/empty
redirectURL as an error: detect redirectURL (from response.data?.redirectURL ||
(response as any)?.redirectURL), and if falsy, log or set an error state and
return early instead of continuing, otherwise call
initiateOAuthRedirect(redirectURL) as before; ensure you reference the same
symbols (response.type, redirectURL, initiateOAuthRedirect) and exit the
function after handling the error case to avoid leaving the UI in a dead-end
state.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5ec60faa-0082-425d-9ec0-782737953e2d

📥 Commits

Reviewing files that changed from the base of the PR and between a63b732 and e8ed449.

📒 Files selected for processing (1)
  • packages/react/src/components/presentation/auth/AcceptInvite/v2/BaseAcceptInvite.tsx

Comment on lines +637 to +644
if (response.type === 'REDIRECTION') {
const redirectURL: any = response.data?.redirectURL || (response as any)?.redirectURL;

if (redirectURL && typeof window !== 'undefined') {
initiateOAuthRedirect(redirectURL);
return;
}
}
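
Review bot: `redirectURL` is declared as `any` on the `const redirectURL: any = ...` line and reaches `initiateOAuthRedirect(redirectURL)` after only a truthiness check, so a non-string or non-URL value in the response would be passed to the redirect call. Suggest typing it as `string | undefined` and confirming it parses as an absolute `https:` URL for an expected origin before redirecting, unless `initiateOAuthRedirect` already validates its argument. The `(response as any)?.redirectURL` fallback also hides which response shape is expected; adding the field to the response type would let the compiler check both reads.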

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fail fast when REDIRECTION is returned without a usable URL.

At Line 637, if response.type is REDIRECTION but redirectURL is missing/empty, execution falls through and may lead to a dead-end UI. Treat this as an error and return early.

Suggested patch
         if (response.type === 'REDIRECTION') {
           const redirectURL: any = response.data?.redirectURL || (response as any)?.redirectURL;

           if (redirectURL && typeof window !== 'undefined') {
             initiateOAuthRedirect(redirectURL);
             return;
           }
+
+          setIsTokenInvalid(true);
+          handleError(new Error('Invalid redirection response: missing redirect URL.'));
+          return;
         }
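
Review bot: The added `setIsTokenInvalid(true)` and `handleError(...)` lines run on every fall-through of the inner `if`, which includes the case where `redirectURL` is present but `typeof window !== 'undefined'` is false; that case would be reported as 'missing redirect URL' and would mark the token invalid. Suggest testing `!redirectURL` explicitly for the error path and handling the non-browser case on its own. Marking the invite token invalid for a malformed server response may also mislead the user, so a separate error state would be clearer if the component has one.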

@asgardeo-github-bot

🦋 Changeset detected

The changes in this PR will be included in the next version bump.

@ThaminduDilshan ThaminduDilshan merged commit cc5e50f into asgardeo:main May 13, 2026
7 of 9 checks passed
@ThaminduDilshan ThaminduDilshan deleted the thamindu-ct branch May 13, 2026 11:24
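
The fail-fast handling of a REDIRECTION response discussed in the review above, written as a pure decision function so that every outcome is explicit (an added example, not code from this PR or the asgardeo SDK). `InviteResponse`, `RedirectDecision`, `decideRedirect`, the `https:` requirement and the origin allowlist are assumptions made for illustration, and the sample URL is constructed.

```typescript
// Added example; every name here is hypothetical, not part of the SDK.
type InviteResponse = {
  type?: string;
  redirectURL?: unknown;
  data?: { redirectURL?: unknown };
};

type RedirectDecision =
  | { action: 'continue' }               // not a REDIRECTION response
  | { action: 'redirect'; url: string }  // safe to pass to the redirect helper
  | { action: 'defer' }                  // usable URL, but not running in a browser
  | { action: 'error'; reason: string }; // REDIRECTION without a usable URL

function decideRedirect(
  response: InviteResponse,
  inBrowser: boolean,
  allowedOrigins: string[], // assumption: origins of the expected identity providers
): RedirectDecision {
  if (response.type !== 'REDIRECTION') return { action: 'continue' };

  // Same lookup order as the PR: data.redirectURL first, then the top-level field.
  const raw: unknown = response.data?.redirectURL || response.redirectURL;
  if (typeof raw !== 'string' || raw.trim() === '') {
    return { action: 'error', reason: 'missing redirect URL' };
  }

  let parsed: URL;
  try {
    parsed = new URL(raw); // only absolute URLs parse without a base
  } catch {
    return { action: 'error', reason: 'malformed redirect URL' };
  }
  if (parsed.protocol !== 'https:') {
    return { action: 'error', reason: 'non-https redirect URL' };
  }
  if (allowedOrigins.indexOf(parsed.origin) === -1) {
    return { action: 'error', reason: 'unexpected redirect origin' };
  }

  // Never fall through: every REDIRECTION response ends in an explicit outcome.
  return inBrowser ? { action: 'redirect', url: parsed.href } : { action: 'defer' };
}

// Constructed sample input.
const ALLOWED = ['https://idp.example.com'];
const sample = { type: 'REDIRECTION', data: { redirectURL: 'https://idp.example.com/authorize?state=xyz' } };
console.log(decideRedirect(sample, true, ALLOWED));
```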