Version: v1.0.0(int)

W009: Look up invitation by token

Returns a redacted summary of an invitation so the public Accept Invite page can render context before the user signs in. The only L3 workflow callable without a tenant context; the L4 boundary skips app.org_id for this route.

Steps

  1. Load the invitation by token. Call Platform.getInvitationByToken.

  2. Reject consumed or expired tokens. If acceptedAt or revokedAt is set, or the expiry is in the past, raise InvalidTransitionError (the L4 route maps this to HTTP 410 Gone).

  3. Build a redacted summary. Return only the inviting org's name, the invited email, the role, and the expiry. Raw token, internal ids, inviter id, and any tenant-internal fields are omitted.

Returns

{ orgName, email, role, expiresAt }.

Business rules

  • Unauthenticated and tenant-free. This is the one workflow callable without a Firebase token or app.org_id. No platform user record is consulted.
  • Rate-limited. Public endpoint guarded by a per-IP limiter (20 requests per 15 minutes) to discourage token brute-forcing.
  • Output is intentionally minimal. Anything not needed by the Accept Invite page is stripped to avoid leaking org-internal data to anonymous callers.
  • Consumed tokens return 410, not 404. Distinguishes "you had a valid link but it's expired or already used" from "this link is not real," giving better client UX.

Errors

  • NotFoundError. The token is unknown.
  • InvalidTransitionError. The invitation has been accepted, revoked, or has expired.
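The three steps, the 404/410 distinction and the allow-list redaction above, as an added example that is not the project's own code. It assumes an in-memory stand-in for Platform.getInvitationByToken with constructed invitation records (ISO-8601 expiry strings, nullable acceptedAt/revokedAt) and locally defined error classes; `now` is injected so expiry can be checked deterministically.

```javascript
class NotFoundError extends Error {}
class InvalidTransitionError extends Error {}

// Constructed sample invitations standing in for the platform store (not real data).
const SAMPLE_INVITATIONS = new Map([
  ['tok-open',  { id: 'inv-1', orgId: 'org-1', orgName: 'Acme Ltd', inviterId: 'usr-7',
                  email: 'alice@example.com', role: 'editor',
                  expiresAt: '2030-01-01T00:00:00Z', acceptedAt: null, revokedAt: null }],
  ['tok-used',  { id: 'inv-2', orgId: 'org-1', orgName: 'Acme Ltd', inviterId: 'usr-7',
                  email: 'bob@example.com', role: 'viewer',
                  expiresAt: '2030-01-01T00:00:00Z', acceptedAt: '2024-05-01T00:00:00Z', revokedAt: null }],
  ['tok-stale', { id: 'inv-3', orgId: 'org-2', orgName: 'Globex', inviterId: 'usr-3',
                  email: 'carol@example.com', role: 'member',
                  expiresAt: '2024-01-01T00:00:00Z', acceptedAt: null, revokedAt: null }],
]);
// Hypothetical platform adapter mirroring Platform.getInvitationByToken (returns null when unknown).
const platform = { getInvitationByToken: (token) => SAMPLE_INVITATIONS.get(token) ?? null };

// W009 as a pure function: load, reject consumed/expired, redact.
function lookupInvitationByToken(platform, token, now = new Date()) {
  const inv = platform.getInvitationByToken(token);                 // step 1
  if (!inv) throw new NotFoundError('unknown invitation token');
  const expired = Date.parse(inv.expiresAt) < now.getTime();
  if (inv.acceptedAt || inv.revokedAt || expired) {                  // step 2
    throw new InvalidTransitionError('invitation accepted, revoked, or expired');
  }
  // Step 3: allow-list the four public fields; ids, inviter and tenant-internal
  // fields are never copied, so a new column on the record cannot leak by default.
  const { orgName, email, role, expiresAt } = inv;
  return { orgName, email, role, expiresAt };
}

// L4 boundary for this tenant-free route: only the error-to-status mapping,
// 404 for an unknown link and 410 for a link that was real but is no longer usable.
function handleLookup(platform, token, now = new Date()) {
  try {
    return { status: 200, body: lookupInvitationByToken(platform, token, now) };
  } catch (err) {
    if (err instanceof NotFoundError) return { status: 404, body: { error: 'not_found' } };
    if (err instanceof InvalidTransitionError) return { status: 410, body: { error: 'gone' } };
    throw err; // anything else is a server fault, not a client-visible state
  }
}
```

The per-IP rate limiter from the business rules sits in front of handleLookup and is not modelled here.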