Improve account invitation process

Author: alexiri

astra_app/core/account_invitation_reconcile.py

@@ -37,14 +37,17 @@ def reconcile_account_invitation_for_username(
     username: str,
     now: datetime,
 ) -> None:
-    normalized_username = str(username or "").strip()
+    normalized_username = str(username or "").strip().lower()
     if not normalized_username:
         return
 
     update_fields = ["freeipa_matched_usernames", "freeipa_last_checked_at"]
     if invitation.organization_id is None:
         invitation.accepted_at = invitation.accepted_at or now
         update_fields.insert(0, "accepted_at")
+        if not invitation.accepted_username:
+            invitation.accepted_username = normalized_username
+            update_fields.insert(1, "accepted_username")
 
     usernames = set(invitation.freeipa_matched_usernames)
     usernames.add(normalized_username)

astra_app/core/migrations/0081_account_invitation_accepted_username.py

@@ -0,0 +1,50 @@
+# Generated by Django 6.0.1 on 2026-02-24 10:10
+
+from __future__ import annotations
+
+from django.db import migrations, models
+
+
+def _backfill_org_claim_accepted_usernames(apps, schema_editor) -> None:
+    AccountInvitation = apps.get_model("core", "AccountInvitation")
+
+    invitations = (
+        AccountInvitation.objects.filter(
+            organization_id__isnull=False,
+            accepted_at__isnull=False,
+            accepted_username="",
+        )
+        .exclude(organization__representative="")
+        .select_related("organization")
+    )
+
+    for invitation in invitations.iterator():
+        if invitation.organization is None:
+            continue
+
+        accepted_username = str(invitation.organization.representative or "").strip().lower()
+        if not accepted_username:
+            continue
+
+        AccountInvitation.objects.filter(pk=invitation.pk, accepted_username="").update(
+            accepted_username=accepted_username,
+        )
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("core", "0080_organizationcsvimportlink_and_more"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="accountinvitation",
+            name="accepted_username",
+            field=models.CharField(blank=True, default="", max_length=255),
+        ),
+        migrations.RunPython(
+            code=_backfill_org_claim_accepted_usernames,
+            reverse_code=migrations.RunPython.noop,
+        ),
+    ]

astra_app/core/models.py

@@ -472,6 +472,7 @@ class AccountInvitation(models.Model):
     dismissed_at = models.DateTimeField(blank=True, null=True)
     dismissed_by_username = models.CharField(max_length=255, blank=True, default="")
     accepted_at = models.DateTimeField(blank=True, null=True)
+    accepted_username = models.CharField(max_length=255, blank=True, default="")
     freeipa_matched_usernames = models.JSONField(blank=True, default=list)
     freeipa_last_checked_at = models.DateTimeField(blank=True, null=True)
 
@@ -490,6 +491,7 @@ def save(self, *args, **kwargs) -> None:
         self.invited_by_username = str(self.invited_by_username or "").strip()
         self.email_template_name = str(self.email_template_name or "").strip()
         self.dismissed_by_username = str(self.dismissed_by_username or "").strip()
+        self.accepted_username = str(self.accepted_username or "").strip().lower()
         if not isinstance(self.freeipa_matched_usernames, list):
             self.freeipa_matched_usernames = []
         else:

astra_app/core/password_reset.py

@@ -33,15 +33,25 @@ def password_reset_login_url(*, request: HttpRequest) -> str:
     return request.build_absolute_uri(reverse("login"))
 
 
-def send_password_reset_email(*, request: HttpRequest, username: str, email: str, last_password_change: str) -> None:
-    token = make_signed_token(
-        {
-            "p": PASSWORD_RESET_TOKEN_PURPOSE,
-            "u": username,
-            "e": email,
-            "lpc": last_password_change,
-        }
-    )
+def send_password_reset_email(
+    *,
+    request: HttpRequest,
+    username: str,
+    email: str,
+    last_password_change: str,
+    invitation_token: str | None = None,
+) -> None:
+    token_payload: dict[str, str] = {
+        "p": PASSWORD_RESET_TOKEN_PURPOSE,
+        "u": username,
+        "e": email,
+        "lpc": last_password_change,
+    }
+    normalized_invitation_token = _normalize_str(invitation_token)
+    if normalized_invitation_token:
+        token_payload["i"] = normalized_invitation_token
+
+    token = make_signed_token(token_payload)
     reset_url = password_reset_confirm_url(request=request, token=token)
 
     ttl_seconds = settings.PASSWORD_RESET_TOKEN_TTL_SECONDS

astra_app/core/templates/core/account_invitations.html

@@ -89,8 +89,14 @@ <h1 class="m-0">Account Invitations</h1>
                       <a href="{% url 'user-profile' username %}">{{ username }}</a>{% if not forloop.last %}, {% endif %}
                     {% endfor %}
                   </div>
+                  {% if invitation.accepted_username %}
+                    <div class="text-muted small">as <a href="{% url 'user-profile' invitation.accepted_username %}">{{ invitation.accepted_username }}</a></div>
+                  {% endif %}
                 {% else %}
                   Accepted
+                  {% if invitation.accepted_username %}
+                    <div class="text-muted small">as <a href="{% url 'user-profile' invitation.accepted_username %}">{{ invitation.accepted_username }}</a></div>
+                  {% endif %}
                 {% endif %}
               </td>
               <td>{{ invitation.accepted_at }}</td>

astra_app/core/templates/core/login.html

@@ -13,10 +13,10 @@
       <div class="card-header p-0 pt-1">
         <ul class="nav nav-tabs" role="tablist">
           <li class="nav-item">
-            <a class="nav-link active" href="{% url 'login' %}">Login</a>
+            <a class="nav-link active" href="{% url 'login' %}{% if request.GET.invite %}?invite={{ request.GET.invite|urlencode:'' }}{% endif %}">Login</a>
           </li>
           <li class="nav-item">
-            <a class="nav-link" href="{% url 'register' %}">Register</a>
+            <a class="nav-link" href="{% url 'register' %}{% if request.GET.invite %}?invite={{ request.GET.invite|urlencode:'' }}{% endif %}">Register</a>
           </li>
         </ul>
       </div>

astra_app/core/templates/core/register.html

@@ -13,10 +13,10 @@
       <div class="card-header p-0 pt-1">
         <ul class="nav nav-tabs" role="tablist">
           <li class="nav-item">
-            <a class="nav-link" href="{% url 'login' %}">Login</a>
+            <a class="nav-link" href="{% url 'login' %}{% if request.GET.invite %}?invite={{ request.GET.invite|urlencode:'' }}{% endif %}">Login</a>
           </li>
           <li class="nav-item">
-            <a class="nav-link active" href="{% url 'register' %}">Register</a>
+            <a class="nav-link active" href="{% url 'register' %}{% if request.GET.invite %}?invite={{ request.GET.invite|urlencode:'' }}{% endif %}">Register</a>
           </li>
         </ul>
       </div>

astra_app/core/tests/test_account_invitation_reconcile.py

@@ -1,4 +1,5 @@
 import datetime
+from types import SimpleNamespace
 from unittest.mock import patch
 
 from django.test import TestCase
@@ -56,9 +57,46 @@ def test_reconcile_account_invitation_for_username_is_idempotent_for_non_org(sel
 
         invitation.refresh_from_db()
         self.assertEqual(invitation.accepted_at, first_now)
+        self.assertEqual(invitation.accepted_username, "alice")
         self.assertEqual(invitation.freeipa_last_checked_at, second_now)
         self.assertEqual(invitation.freeipa_matched_usernames, ["alice", "zara"])
 
+    def test_reconcile_account_invitation_for_username_does_not_overwrite_existing_accepted_username(self) -> None:
+        invitation = AccountInvitation.objects.create(
+            email="invitee@example.com",
+            full_name="Invitee",
+            invited_by_username="committee",
+            accepted_username="zara",
+        )
+        now = timezone.make_aware(datetime.datetime(2026, 2, 15, 10, 0, 0), datetime.UTC)
+
+        reconcile_account_invitation_for_username(invitation=invitation, username="alice", now=now)
+
+        invitation.refresh_from_db()
+        self.assertEqual(invitation.accepted_username, "zara")
+        self.assertEqual(invitation.accepted_at, now)
+        self.assertEqual(invitation.freeipa_matched_usernames, ["alice"])
+
+    def test_reconcile_account_invitation_for_username_normalizes_username_to_lowercase(self) -> None:
+        now = timezone.make_aware(datetime.datetime(2026, 2, 15, 10, 0, 0), datetime.UTC)
+        invitation = SimpleNamespace(
+            organization_id=None,
+            accepted_at=None,
+            accepted_username="",
+            freeipa_matched_usernames=[],
+            freeipa_last_checked_at=None,
+        )
+
+        def _save(*, update_fields: list[str]) -> None:
+            _ = update_fields
+
+        invitation.save = _save
+
+        reconcile_account_invitation_for_username(invitation=invitation, username="Alice", now=now)
+
+        self.assertEqual(invitation.accepted_username, "alice")
+        self.assertIn("alice", invitation.freeipa_matched_usernames)
+
     def test_reconcile_account_invitation_for_username_keeps_org_invitation_pending(self) -> None:
         organization = Organization.objects.create(
             name="Pending Claim Org",
@@ -76,5 +114,6 @@ def test_reconcile_account_invitation_for_username_keeps_org_invitation_pending(
 
         invitation.refresh_from_db()
         self.assertIsNone(invitation.accepted_at)
+        self.assertEqual(invitation.accepted_username, "")
         self.assertEqual(invitation.freeipa_last_checked_at, now)
         self.assertEqual(invitation.freeipa_matched_usernames, ["alice"])

astra_app/core/tests/test_account_invitations.py

@@ -777,6 +777,71 @@ def test_account_invitations_list_shows_linked_organization_name_for_org_invites
         self.assertContains(response, "Visibility Org")
         self.assertContains(response, reverse("organization-detail", args=[organization.pk]))
 
+    def test_account_invitations_list_shows_accepted_username_link_for_accepted_invitation(self) -> None:
+        self._login_as_freeipa_user("committee")
+
+        invitation = AccountInvitation.objects.create(
+            email="accepted@example.com",
+            full_name="Accepted User",
+            note="",
+            invited_by_username="committee",
+            accepted_at=timezone.now(),
+            accepted_username="accepteduser",
+            freeipa_matched_usernames=["accepteduser"],
+        )
+
+        with (
+            patch("core.backends.FreeIPAUser.get", return_value=self._committee_user()),
+            patch(
+                "core.views_account_invitations.confirm_existing_usernames",
+                return_value=(invitation.freeipa_matched_usernames, True),
+            ),
+        ):
+            response = self.client.get(reverse("account-invitations"))
+
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, "Accepted")
+        accepted_user_url = reverse("user-profile", kwargs={"username": "accepteduser"})
+        self.assertContains(
+            response,
+            f'<div class="text-muted small">as <a href="{accepted_user_url}">accepteduser</a></div>',
+            html=True,
+        )
+
+    def test_account_invitations_list_shows_accepted_username_link_for_multiple_matches(self) -> None:
+        self._login_as_freeipa_user("committee")
+
+        invitation = AccountInvitation.objects.create(
+            email="multi@example.com",
+            full_name="Matched User",
+            note="",
+            invited_by_username="committee",
+            accepted_at=timezone.now(),
+            accepted_username="accepteduser",
+            freeipa_matched_usernames=["alphauser", "accepteduser"],
+        )
+
+        with (
+            patch("core.backends.FreeIPAUser.get", return_value=self._committee_user()),
+            patch(
+                "core.views_account_invitations.confirm_existing_usernames",
+                return_value=(invitation.freeipa_matched_usernames, True),
+            ),
+        ):
+            response = self.client.get(reverse("account-invitations"))
+
+        self.assertEqual(response.status_code, 200)
+        self.assertContains(response, "Accepted (multiple matches)")
+        self.assertContains(response, "alphauser")
+        self.assertContains(response, "accepteduser")
+        self.assertContains(response, reverse("user-profile", kwargs={"username": "alphauser"}))
+        accepted_user_url = reverse("user-profile", kwargs={"username": "accepteduser"})
+        self.assertContains(
+            response,
+            f'<div class="text-muted small">as <a href="{accepted_user_url}">accepteduser</a></div>',
+            html=True,
+        )
+
     @override_settings(PUBLIC_BASE_URL="")
     def test_build_invitation_email_context_raises_when_public_base_url_missing(self) -> None:
         invitation = AccountInvitation.objects.create(

astra_app/core/tests/test_organization_user_views.py

@@ -917,7 +917,7 @@ def test_organization_claim_marks_linked_invitation_accepted(self) -> None:
         token = make_organization_claim_token(organization)
 
         claimant = FreeIPAUser("claimant", {"uid": ["claimant"], "memberof_group": [], "c": ["US"]})
-        self._login_as_freeipa_user("claimant")
+        self._login_as_freeipa_user("ClaImAnt")
 
         with (
             patch("core.backends.FreeIPAUser.get", return_value=claimant),
@@ -929,6 +929,7 @@ def test_organization_claim_marks_linked_invitation_accepted(self) -> None:
         self.assertEqual(response.status_code, 302)
         invitation.refresh_from_db()
         self.assertIsNotNone(invitation.accepted_at)
+        self.assertEqual(invitation.accepted_username, "claimant")
 
     def test_active_org_detail_hides_send_claim_invitation_link(self) -> None:
         from core.models import Organization