fix: validate invitation expiry and status on signup

Also checks that the invitation is not expired and has not already been used before allowing account creation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-06-15 20:25:23 +02:00 · 2026-04-05 12:39:43 -06:00
parent 17393af717
commit 04ffa43008
1 changed files with 10 additions and 0 deletions
--- a/packages/server/src/lib/auth.ts
+++ b/packages/server/src/lib/auth.ts
@@ -154,6 +154,16 @@ const { handler, api } = betterAuth({
 									message: "User not found",
 								});
 							}
+							if (invitation.isExpired) {
+								throw new APIError("BAD_REQUEST", {
+									message: "Invitation has expired",
+								});
+							}
+							if (invitation.status !== "pending") {
+								throw new APIError("BAD_REQUEST", {
+									message: "Invitation has already been used",
+								});
+							}
 							if (_user.email !== invitation.email) {
 								throw new APIError("BAD_REQUEST", {
 									message: "Email does not match invitation",