my-fullstack-ai-platform/app/api/invite/accept/route.ts

import { createClient } from "@/lib/supabase/server";
import { NextResponse } from "next/server";
import { createClient as createAdminClient } from "@supabase/supabase-js";

export async function GET(request: Request) {
  const { searchParams } = new URL(request.url);
  const token = searchParams.get("token");

  if (!token) {
    return NextResponse.json({ error: "No token provided" }, { status: 400 });
  }

  const supabase = await createClient();

  const supabaseAdmin = createAdminClient(
    process.env.NEXT_PUBLIC_SUPABASE_URL!,
    process.env.SUPABASE_SERVICE_ROLE_KEY!
  );

  // Validate the token
  const { data: invite, error: inviteError } = await supabaseAdmin
    .from("invitations")
    .select("id, organization_id, status, expires_at, email")
    .eq("token", token)
    .single();

  if (inviteError || !invite) {
    return NextResponse.redirect(new URL("/?error=invalid_token", request.url));
  }

  if (invite.status !== "pending") {
    return NextResponse.redirect(new URL("/?error=already_accepted", request.url));
  }

  if (new Date(invite.expires_at) < new Date()) {
    return NextResponse.redirect(new URL("/?error=expired", request.url));
  }

  const { data: userData } = await supabase.auth.getUser();

  if (!userData?.user) {
    // Not logged in -> Store token in cookies and redirect to sign up
    const response = NextResponse.redirect(new URL(`/auth/sign-up?email=${encodeURIComponent(invite.email)}`, request.url));
    response.cookies.set("invite_token", token, {
      maxAge: 60 * 60 * 24, // 1 day
      path: "/",
      httpOnly: true,
      secure: process.env.NODE_ENV === "production",
      sameSite: "lax",
    });
    return response;
  }

  const userId = userData.user.id;

  await supabase
    .from("profiles")
    .update({ organization_id: invite.organization_id, role: "member" })
    .eq("id", userId);

  await supabaseAdmin
    .from("invitations")
    .update({ status: "accepted" })
    .eq("id", invite.id);

  return NextResponse.redirect(new URL("/dashboard", request.url));
}
Implement team invitations flow, RLS bypass, and E2E tests 2026-04-05 00:59:25 +00:00			`import { createClient } from "@/lib/supabase/server";`
			`import { NextResponse } from "next/server";`
			`import { createClient as createAdminClient } from "@supabase/supabase-js";`

			`export async function GET(request: Request) {`
			`const { searchParams } = new URL(request.url);`
			`const token = searchParams.get("token");`

			`if (!token) {`
			`return NextResponse.json({ error: "No token provided" }, { status: 400 });`
			`}`

			`const supabase = await createClient();`

			`const supabaseAdmin = createAdminClient(`
			`process.env.NEXT_PUBLIC_SUPABASE_URL!,`
			`process.env.SUPABASE_SERVICE_ROLE_KEY!`
			`);`

			`// Validate the token`
			`const { data: invite, error: inviteError } = await supabaseAdmin`
			`.from("invitations")`
			`.select("id, organization_id, status, expires_at, email")`
			`.eq("token", token)`
			`.single();`

			`if (inviteError \|\| !invite) {`
			`return NextResponse.redirect(new URL("/?error=invalid_token", request.url));`
			`}`

			`if (invite.status !== "pending") {`
			`return NextResponse.redirect(new URL("/?error=already_accepted", request.url));`
			`}`

			`if (new Date(invite.expires_at) < new Date()) {`
			`return NextResponse.redirect(new URL("/?error=expired", request.url));`
			`}`

			`const { data: userData } = await supabase.auth.getUser();`

			`if (!userData?.user) {`
			`// Not logged in -> Store token in cookies and redirect to sign up`
			const response = NextResponse.redirect(new URL(`/auth/sign-up?email=${encodeURIComponent(invite.email)}`, request.url));
			`response.cookies.set("invite_token", token, {`
			`maxAge: 60 * 60 * 24, // 1 day`
			`path: "/",`
			`httpOnly: true,`
			`secure: process.env.NODE_ENV === "production",`
			`sameSite: "lax",`
			`});`
			`return response;`
			`}`

			`const userId = userData.user.id;`

			`await supabase`
			`.from("profiles")`
			`.update({ organization_id: invite.organization_id, role: "member" })`
			`.eq("id", userId);`

			`await supabaseAdmin`
			`.from("invitations")`
			`.update({ status: "accepted" })`
			`.eq("id", invite.id);`

			`return NextResponse.redirect(new URL("/dashboard", request.url));`
			`}`