ФУНКЦИИ - NODEDC LAUNCHER: регистрация по инвайту

2026-05-05 16:58:37 +03:00 · 2026-05-05 16:58:37 +03:00 · d15e90b9b5
parent 745f0f928d
commit d15e90b9b5
5 changed files with 348 additions and 18 deletions
--- a/server/control-plane-store.mjs
+++ b/server/control-plane-store.mjs
@ -461,6 +461,21 @@ export function createControlPlaneStore({ projectRoot }) {
    };
  }

+  function prepareInviteRegistration(token, payload = {}) {
+    const data = readData();
+    const result = applyInviteRegistration(data, token, payload, { commit: false });
+
+    return result;
+  }
+
+  async function commitInviteRegistration(token, payload = {}, provisioning) {
+    const data = readData();
+    const result = applyInviteRegistration(data, token, payload, { commit: true, provisioning });
+
+    await writeData(data);
+    return result;
+  }
+
  async function acceptInvite(token, identity) {
    const data = readData();
    const invite = findInviteByToken(data, token);
@ -997,8 +1012,10 @@ export function createControlPlaneStore({ projectRoot }) {
    deleteMembership,
    deleteService,
    acceptInvite,
+    commitInviteRegistration,
    getInviteByToken,
    getSnapshot,
+    prepareInviteRegistration,
    readData,
    replaceData,
    reorderServices,
@ -1169,6 +1186,94 @@ function toPublicClient(client) {
  };
 }

+function applyInviteRegistration(data, token, payload, { commit, provisioning = null } = {}) {
+  const invite = findInviteByToken(data, token);
+  const client = findById(data.clients, invite.clientId, "client");
+  const now = isoNow();
+  const email = invite.email.toLowerCase();
+  const name = optionalString(payload?.name, email.split("@")[0]);
+
+  validateInviteCanBeRegistered(invite);
+
+  let user = data.users.find((item) => item.email.toLowerCase() === email);
+
+  if (user?.authentikUserId && !provisioning) {
+    throw new Error("Аккаунт уже существует. Войдите под почтой инвайта.");
+  }
+
+  if (user) {
+    user.name = name;
+    user.globalStatus = "active";
+    user.authentikUserId = provisioning?.authentikUserId ?? user.authentikUserId ?? null;
+    user.updatedAt = now;
+  } else {
+    user = {
+      id: uniqueId(data.users, "user", email),
+      authentikUserId: provisioning?.authentikUserId ?? null,
+      name,
+      email,
+      phone: null,
+      position: null,
+      notes: `Создан через публичную регистрацию по инвайту клиента ${client.name}.`,
+      avatarUrl: null,
+      globalStatus: "active",
+      createdAt: now,
+      updatedAt: now,
+    };
+    data.users.push(user);
+  }
+
+  let membership = data.memberships.find((item) => item.clientId === invite.clientId && item.userId === user.id);
+
+  if (membership) {
+    membership.role = invite.role;
+    membership.status = "active";
+    membership.updatedAt = now;
+  } else {
+    membership = {
+      id: uniqueId(data.memberships, "mem", `${invite.clientId}-${email}`),
+      clientId: invite.clientId,
+      userId: user.id,
+      role: invite.role,
+      status: "active",
+      createdAt: now,
+      updatedAt: now,
+    };
+    data.memberships.push(membership);
+  }
+
+  invite.status = "accepted";
+  invite.updatedAt = now;
+  markPendingSync(data, user, "user", email);
+
+  if (commit) {
+    addAuditEvent(data, { id: user.id, name: user.name, email: user.email, source: "invite" }, {
+      action: "Регистрация по инвайту",
+      objectType: "invite",
+      objectName: invite.email,
+      clientId: client.id,
+      result: "success",
+      details: `Role: ${invite.role}`,
+    });
+  }
+
+  return { invite, client, user, membership, data };
+}
+
+function validateInviteCanBeRegistered(invite) {
+  if (invite.status === "accepted") {
+    throw new Error("Инвайт уже принят");
+  }
+
+  if (invite.status === "revoked") {
+    throw new Error("Инвайт отозван");
+  }
+
+  if (invite.status === "expired" || isInviteExpired(invite)) {
+    throw new Error("Срок действия инвайта истёк");
+  }
+}
+
 function findById(items, id, label) {
  const item = items.find((candidate) => candidate.id === id);

--- a/server/dev-server.mjs
+++ b/server/dev-server.mjs
@ -361,6 +361,52 @@ app.get("/api/invites/:token", (req, res) => {
  }
 });

+app.post("/api/invites/:token/register", asyncRoute(async (req, res) => {
+  let payload;
+
+  try {
+    payload = sanitizeInviteRegistrationPayload(req.body);
+  } catch (error) {
+    sendInviteApiError(res, error);
+    return;
+  }
+
+  if (!authentikSyncClient.isConfigured()) {
+    res.status(503).json({ error: "Регистрация временно недоступна: Authentik API не настроен" });
+    return;
+  }
+
+  let draft;
+
+  try {
+    draft = controlPlaneStore.prepareInviteRegistration(req.params.token, payload);
+  } catch (error) {
+    sendInviteApiError(res, error);
+    return;
+  }
+
+  const provisionedUser = await authentikSyncClient.provisionUser({
+    data: draft.data,
+    userId: draft.user.id,
+    password: payload.password,
+  });
+  const result = await controlPlaneStore.commitInviteRegistration(req.params.token, payload, provisionedUser);
+  const storeResult = await controlPlaneStore.markUserAuthentikProvisioned(result.user.id, provisionedUser, {
+    sub: provisionedUser.authentikUserId,
+    email: result.user.email,
+    name: result.user.name,
+  });
+
+  publishControlPlaneEvent("invite.registered", [result.user.id]);
+  res.json({
+    ...result,
+    user: storeResult.user,
+    data: storeResult.data,
+    provisioning: toProvisioningResponse(provisionedUser),
+    loginUrl: buildLoginRedirectUrl("/", { forceLogin: true }),
+  });
+}));
+
 app.post("/api/invites/:token/accept", requireSession, asyncRoute(async (req, res) => {
  let result;

@ -783,6 +829,15 @@ function sanitizeNewPassword(value) {
  return value;
 }

+function sanitizeInviteRegistrationPayload(payload) {
+  const name = typeof payload?.name === "string" ? payload.name.trim() : "";
+
+  return {
+    name: name.slice(0, 120),
+    password: sanitizeNewPassword(payload?.password),
+  };
+}
+
 function sendInviteApiError(res, error) {
  const message = error instanceof Error ? error.message : "Инвайт недоступен";
  const status =
--- a/src/app/LauncherApp.tsx
+++ b/src/app/LauncherApp.tsx
@ -45,7 +45,7 @@ import {
  type LauncherAuthApp,
 } from "../shared/api/authApi";
 import { updateOwnPassword, updateOwnProfile } from "../shared/api/profileApi";
-import { acceptInvite, fetchPublicInvite, type PublicInviteResponse } from "../shared/api/inviteApi";
+import { acceptInvite, fetchPublicInvite, registerInvite, type PublicInviteResponse, type RegisterInviteCommand } from "../shared/api/inviteApi";
 import { subscribeToNodeDCLogoutEvents } from "../shared/session/sessionSync";
 import { loadPersistedLauncherData } from "../shared/api/storageApi";
 import {
@ -66,6 +66,8 @@ type InviteFlowState =
  | { status: "ready"; payload: PublicInviteResponse }
  | { status: "accepting"; payload: PublicInviteResponse }
  | { status: "accepted"; payload: PublicInviteResponse }
+  | { status: "registering"; payload: PublicInviteResponse }
+  | { status: "registered"; payload: PublicInviteResponse; loginUrl: string }
  | { status: "error"; message: string; payload?: PublicInviteResponse };

 export function LauncherApp() {
@ -202,12 +204,13 @@ export function LauncherApp() {

  useEffect(() => {
    if (!authSession || authSession.authenticated) return;
+    if (inviteToken) return;

    redirectToLogin(authSession.loginUrl);
-  }, [authSession]);
+  }, [authSession, inviteToken]);

  useEffect(() => {
-    if (!inviteToken || !authSession?.authenticated) return;
+    if (!inviteToken) return;

    let isMounted = true;
    setInviteFlow({ status: "loading" });
@ -225,7 +228,7 @@ export function LauncherApp() {
    return () => {
      isMounted = false;
    };
-  }, [authSession, inviteToken]);
+  }, [inviteToken]);

  useEffect(() => {
    let isRedirecting = false;
@ -460,6 +463,25 @@ export function LauncherApp() {
    }
  }

+  async function handleRegisterInvite(command: RegisterInviteCommand) {
+    if (!inviteToken || inviteFlow?.status !== "ready") return;
+
+    setInviteFlow({ status: "registering", payload: inviteFlow.payload });
+
+    try {
+      const result = await registerInvite(inviteToken, command);
+
+      setData(syncLauncherServiceLinks(result.data));
+      setInviteFlow({ status: "registered", payload: inviteFlow.payload, loginUrl: result.loginUrl });
+    } catch (error) {
+      setInviteFlow({
+        status: "error",
+        message: error instanceof Error ? error.message : "Не удалось зарегистрироваться по инвайту",
+        payload: inviteFlow.payload,
+      });
+    }
+  }
+
  function handleUpdateInvite(inviteId: string, patch: Partial<Invite>) {
    applyControlPlaneMutation(updateAdminInvite(inviteId, patch));
  }
@ -573,20 +595,15 @@ export function LauncherApp() {
    setSelectedServiceId((current) => (current === serviceId ? undefined : current));
  }

-  if (!authSession) {
-    return null;
-  }
-
-  if (!authSession.authenticated) {
-    return null;
-  }
-
  if (inviteToken) {
    return (
      <InviteFlowScreen
        state={inviteFlow ?? { status: "loading" }}
-        currentEmail={authSession.user.email}
+        currentEmail={authSession?.authenticated ? authSession.user.email : null}
+        isAuthenticated={Boolean(authSession?.authenticated)}
        onAccept={() => void handleAcceptInvite()}
+        onRegister={(command) => void handleRegisterInvite(command)}
+        onLogin={() => redirectToLogin(authSession?.authenticated ? "/auth/login?prompt=login" : authSession?.loginUrl)}
        onSwitchAccount={() => {
          const returnTo = `${window.location.pathname}${window.location.search}${window.location.hash}`;
          window.location.replace(`/auth/logout?global=1&returnTo=${encodeURIComponent(returnTo)}`);
@ -599,6 +616,14 @@ export function LauncherApp() {
    );
  }

+  if (!authSession) {
+    return null;
+  }
+
+  if (!authSession.authenticated) {
+    return null;
+  }
+
  const handleLogout = () => {
    window.location.replace(authSession.logoutUrl);
  };
@ -743,28 +768,49 @@ function resolveDefaultClientId(data: LauncherData, userId: string, requestedCli
 function InviteFlowScreen({
  state,
  currentEmail,
+  isAuthenticated,
  onAccept,
+  onRegister,
+  onLogin,
  onSwitchAccount,
  onGoHome,
 }: {
  state: InviteFlowState;
-  currentEmail: string;
+  currentEmail: string | null;
+  isAuthenticated: boolean;
  onAccept: () => void;
+  onRegister: (command: RegisterInviteCommand) => void;
+  onLogin: () => void;
  onSwitchAccount: () => void;
  onGoHome: () => void;
 }) {
+  const [name, setName] = useState("");
+  const [password, setPassword] = useState("");
+  const [passwordConfirm, setPasswordConfirm] = useState("");
  const payload = "payload" in state ? state.payload : undefined;
-  const emailMismatch = payload && payload.invite.email.toLowerCase() !== currentEmail.toLowerCase();
+  const defaultInviteName = payload ? payload.invite.email.split("@")[0] : "";
+  const emailMismatch = payload && currentEmail ? payload.invite.email.toLowerCase() !== currentEmail.toLowerCase() : false;
  const inviteStatus = payload?.invite.status;
  const isAccepting = state.status === "accepting";
+  const isRegistering = state.status === "registering";
  const canAccept = Boolean(
    state.status === "ready" &&
+      isAuthenticated &&
      !emailMismatch &&
      inviteStatus !== "accepted" &&
      inviteStatus !== "expired" &&
      inviteStatus !== "revoked"
  );
  const isTerminalInvite = inviteStatus === "accepted" || inviteStatus === "expired" || inviteStatus === "revoked";
+  const passwordMismatch = Boolean(passwordConfirm && password !== passwordConfirm);
+  const canRegister = Boolean(
+    payload &&
+      state.status === "ready" &&
+      !isAuthenticated &&
+      !isTerminalInvite &&
+      password.length >= 8 &&
+      password === passwordConfirm
+  );
  const details = payload
    ? [
        `Рабочая область: ${payload.client.name}`,
@ -772,7 +818,13 @@ function InviteFlowScreen({
        `Почта инвайта: ${payload.invite.email}`,
      ]
    : ["Проверяем приглашение и платформенную сессию"];
-  const statusMessage = resolveInviteStatusMessage(state, Boolean(emailMismatch), inviteStatus);
+  const statusMessage = resolveInviteStatusMessage(state, Boolean(emailMismatch), isAuthenticated, inviteStatus);
+
+  useEffect(() => {
+    if (!defaultInviteName || name) return;
+
+    setName(defaultInviteName);
+  }, [defaultInviteName, name]);

  return (
    <div className="launcher-app nodedc-auth-page">
@ -792,11 +844,56 @@ function InviteFlowScreen({

          {statusMessage ? <p className="nodedc-auth-card__status">{statusMessage}</p> : null}
          {state.status === "error" ? <p className="nodedc-auth-card__status">{state.message}</p> : null}
+          {passwordMismatch ? <p className="nodedc-auth-card__status">Пароли не совпадают.</p> : null}

-          {emailMismatch ? (
+          {payload && !isAuthenticated && (state.status === "ready" || state.status === "registering") && !isTerminalInvite ? (
+            <form
+              className="nodedc-auth-card__form"
+              onSubmit={(event) => {
+                event.preventDefault();
+                if (!canRegister) return;
+                onRegister({ name: name.trim() || defaultInviteName, password });
+              }}
+            >
+              <label className="nodedc-auth-card__field">
+                <span>Имя</span>
+                <input value={name} placeholder="Ваше имя" autoComplete="name" onChange={(event) => setName(event.target.value)} />
+              </label>
+              <label className="nodedc-auth-card__field">
+                <span>Пароль</span>
+                <input
+                  value={password}
+                  type="password"
+                  placeholder="Минимум 8 символов"
+                  autoComplete="new-password"
+                  onChange={(event) => setPassword(event.target.value)}
+                />
+              </label>
+              <label className="nodedc-auth-card__field">
+                <span>Повторите пароль</span>
+                <input
+                  value={passwordConfirm}
+                  type="password"
+                  placeholder="Повторите пароль"
+                  autoComplete="new-password"
+                  onChange={(event) => setPasswordConfirm(event.target.value)}
+                />
+              </label>
+              <button className="button button--primary" type="submit" disabled={!canRegister || isRegistering}>
+                {isRegistering ? "Создаём аккаунт" : "Создать аккаунт"}
+              </button>
+              <button className="button button--secondary" type="button" onClick={onLogin}>
+                Уже есть аккаунт
+              </button>
+            </form>
+          ) : emailMismatch ? (
            <button className="button button--primary" type="button" onClick={onSwitchAccount}>
              Сменить аккаунт
            </button>
+          ) : state.status === "registered" ? (
+            <button className="button button--primary" type="button" onClick={() => redirectToLogin(state.loginUrl)}>
+              Войти в NODE.DC
+            </button>
          ) : state.status === "error" || state.status === "accepted" || isTerminalInvite ? (
            <button className="button button--primary" type="button" onClick={onGoHome}>
              Перейти в витрину
@ -822,13 +919,16 @@ function NodeDcAuthBrandHeader() {
  );
 }

-function resolveInviteStatusMessage(state: InviteFlowState, emailMismatch: boolean, inviteStatus?: Invite["status"]) {
+function resolveInviteStatusMessage(state: InviteFlowState, emailMismatch: boolean, isAuthenticated: boolean, inviteStatus?: Invite["status"]) {
  if (state.status === "loading") return "Проверяем приглашение.";
  if (state.status === "accepting") return "Подключаем доступ к рабочей области.";
+  if (state.status === "registering") return "Создаём аккаунт и подключаем доступ.";
+  if (state.status === "registered") return "Аккаунт создан. Теперь войдите в NODE.DC.";
  if (state.status === "accepted" || inviteStatus === "accepted") return "Доступ уже подключён.";
  if (inviteStatus === "expired") return "Срок действия приглашения истёк.";
  if (inviteStatus === "revoked") return "Приглашение отозвано.";
  if (emailMismatch) return "Нужно войти под почтой, на которую выписан инвайт.";
+  if (!isAuthenticated) return "Создайте аккаунт для почты, на которую выписан инвайт.";
  return null;
 }

--- a/src/shared/api/inviteApi.ts
+++ b/src/shared/api/inviteApi.ts
@ -16,10 +16,26 @@ export interface AcceptInviteResponse {
  data: LauncherData;
 }

+export interface RegisterInviteCommand {
+  name: string;
+  password: string;
+}
+
+export interface RegisterInviteResponse extends AcceptInviteResponse {
+  loginUrl: string;
+}
+
 export async function fetchPublicInvite(token: string): Promise<PublicInviteResponse> {
  return requestJson<PublicInviteResponse>(`/api/invites/${encodeURIComponent(token)}`);
 }

+export async function registerInvite(token: string, command: RegisterInviteCommand): Promise<RegisterInviteResponse> {
+  return requestJson<RegisterInviteResponse>(`/api/invites/${encodeURIComponent(token)}/register`, {
+    method: "POST",
+    body: JSON.stringify(command),
+  });
+}
+
 export async function acceptInvite(token: string): Promise<AcceptInviteResponse> {
  return requestJson<AcceptInviteResponse>(`/api/invites/${encodeURIComponent(token)}/accept`, {
    method: "POST",
--- a/src/styles/globals.css
+++ b/src/styles/globals.css
@ -219,6 +219,47 @@ code {
  line-height: 1rem;
 }

+.nodedc-auth-card__form {
+  display: grid;
+  gap: 1.05rem;
+}
+
+.nodedc-auth-card__field {
+  display: grid;
+  gap: 0.42rem;
+  color: var(--nodedc-auth-text-placeholder);
+  font-size: 0.75rem;
+  line-height: 1rem;
+}
+
+.nodedc-auth-card__field input {
+  width: 100%;
+  min-height: 3rem;
+  padding: 0 1rem;
+  border: 0;
+  border-radius: 1.15rem;
+  outline: none;
+  background:
+    linear-gradient(180deg, rgba(255, 255, 255, 0.028) 0%, rgba(255, 255, 255, 0.012) 100%),
+    rgba(255, 255, 255, 0.03);
+  color: var(--nodedc-auth-text-primary);
+  font-size: 0.875rem;
+  font-weight: 400;
+  caret-color: var(--nodedc-auth-primary);
+}
+
+.nodedc-auth-card__field input::placeholder {
+  color: var(--nodedc-auth-text-placeholder);
+  opacity: 1;
+}
+
+.nodedc-auth-card__field input:focus {
+  background:
+    linear-gradient(180deg, rgba(255, 255, 255, 0.028) 0%, rgba(255, 255, 255, 0.012) 100%),
+    rgba(255, 255, 255, 0.03);
+  box-shadow: none;
+}
+
 .nodedc-auth-card .button {
  width: 100%;
  min-height: 3.25rem;
@ -237,6 +278,19 @@ code {
  color: var(--nodedc-auth-on-primary);
 }

+.nodedc-auth-card .button.button--secondary {
+  min-height: 2.25rem;
+  margin-top: -0.25rem;
+  background: transparent;
+  color: var(--nodedc-auth-primary);
+}
+
+.nodedc-auth-card .button.button--secondary:hover:not(:disabled),
+.nodedc-auth-card .button.button--secondary:focus-visible:not(:disabled) {
+  background: transparent;
+  color: var(--nodedc-auth-primary-hover);
+}
+
 .nodedc-auth-card .button:disabled {
  opacity: 0.58;
 }