From 04ffa430088790812c56aba18f8b10e5a9c0dbe1 Mon Sep 17 00:00:00 2001
From: Mauricio Siu
Date: Sun, 5 Apr 2026 12:39:43 -0600
Subject: [PATCH] fix: validate invitation expiry and status on signup

Also checks that the invitation is not expired and has not already been used before allowing account creation.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 packages/server/src/lib/auth.ts | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/packages/server/src/lib/auth.ts b/packages/server/src/lib/auth.ts
index 051e11797..88ccfe231 100644
--- a/packages/server/src/lib/auth.ts
+++ b/packages/server/src/lib/auth.ts
@@ -154,6 +154,16 @@ const { handler, api } = betterAuth({
 message: "User not found",
 });
 }
+ if (invitation.isExpired) {
+ throw new APIError("BAD_REQUEST", {
+ message: "Invitation has expired",
+ });
+ }
+ if (invitation.status !== "pending") {
+ throw new APIError("BAD_REQUEST", {
+ message: "Invitation has already been used",
+ });
+ }
 if (_user.email !== invitation.email) {
 throw new APIError("BAD_REQUEST", {
 message: "Email does not match invitation",
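Review bot: The `invitation.status !== "pending"` branch reports "Invitation has already been used" for every non-pending state, so an invitation that was revoked or declined (if the status field can hold such values, which is not visible here) would be described as used. A neutral `message: "Invitation is no longer valid",` covers every case and tells an unauthenticated caller less about the state of a token. The two new checks are also only as strong as what feeds them: `isExpired` needs to be derived from the stored expiry when the invitation is loaded rather than read from a persisted flag, and the status has to move away from "pending" as part of a successful signup, otherwise the same token stays replayable. Both of those happen outside this hunk, as do the start and end of the enclosing hook, so they are worth confirming before relying on this guard.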