fix(invitations): preserve tokens after error in invitation flow

[waleedlatif1]

Summary

• preserve tokens after error in invitation flow
• previously, we fallback to the intiation id as the token and it complicated the flow when they changed accounts
• added tests

Type of Change

• Bug fix

Testing

Tested manually, added tests

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Review	Updated (UTC)
docs	Skipped		Jan 14, 2026 4:03am

[greptile-apps]

Greptile Summary

This PR fixes a critical bug in the workspace invitation flow where tokens were lost during error scenarios. Previously, when users encountered errors (expired invitation, email mismatch, etc.), the token was not preserved in the redirect URL, causing the frontend to fall back to using the invitation ID as the token. This complicated the flow significantly when users needed to switch accounts.

The fix ensures that:

• All error redirects in the API route now preserve the token as a query parameter with proper URL encoding
• The frontend retrieves tokens from sessionStorage when not present in URL params, maintaining state across auth flows
• Users can successfully retry invitation acceptance after switching to the correct account

The implementation includes comprehensive test coverage for all error paths, URL encoding edge cases, and end-to-end flow validation.

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• The changes are well-scoped, thoroughly tested, and fix a clear bug without introducing new complexity. All error paths include token preservation with proper URL encoding. Test coverage includes edge cases like special characters and the full retry flow.
• No files require special attention

Important Files Changed

Filename	Overview
apps/sim/app/api/workspaces/invitations/[invitationId]/route.ts	Added token preservation to all error redirect paths in the invitation acceptance flow. Token is properly URL-encoded when appended to error redirects.
apps/sim/app/api/workspaces/invitations/[invitationId]/route.test.ts	Added comprehensive test coverage for token preservation in error scenarios. Includes tests for URL encoding and end-to-end flow with account switching.
apps/sim/app/invite/[id]/invite.tsx	Updated token retrieval logic to check sessionStorage when token not in query params. Token is now retrieved from sessionStorage in getCallbackUrl to ensure it persists through auth flows.

Sequence Diagram

sequenceDiagram
    participant User
    participant Browser
    participant InvitePage as /invite/[id]
    participant API as /api/invitations/[id]
    participant SessionStorage
    
    Note over User,SessionStorage: Scenario: Email Mismatch with Token Preservation
    
    User->>Browser: Click invitation link with token param
    Browser->>InvitePage: Load page with token in query
    InvitePage->>SessionStorage: Store invitation token
    InvitePage->>API: GET with token param
    
    Note over API: User logged in with wrongEmail
    Note over API: Invitation sent to correctEmail
    
    API->>API: Detect email mismatch
    API->>Browser: Redirect with error and token preserved
    
    Browser->>InvitePage: Load error page with token
    InvitePage->>SessionStorage: Token already stored
    InvitePage->>User: Show "Wrong Account" error
    
    User->>InvitePage: Click "Sign in with different account"
    InvitePage->>SessionStorage: Read stored token
    InvitePage->>Browser: Redirect to login with callback
    
    Note over User,Browser: User signs in with correctEmail
    
    Browser->>InvitePage: Return with token in URL
    InvitePage->>SessionStorage: Token persists
    InvitePage->>API: GET with token param
    
    Note over API: User now logged in with correctEmail
    
    API->>API: Email matches successfully
    API->>API: Accept invitation
    API->>Browser: Redirect to workspace

Loading