make sure old invites get the proper message

we were accidentally covering up the expiry message with a more generic one
2026-04-30 22:21:16 -04:00 · 2017-11-02 13:49:24 +00:00
parent 5e175954d2
commit 04adb15e85
3 changed files with 35 additions and 6 deletions
--- a/app/config.py
+++ b/app/config.py
@@ -42,6 +42,7 @@ class Config(object):
        'nhs': 25000,
    }
    EMAIL_EXPIRY_SECONDS = 3600  # 1 hour
+    INVITATION_EXPIRY_SECONDS = 3600 * 24 * 2  # 2 days - also set on api
    HEADER_COLOUR = '#FFBF47'  # $yellow
    HTTP_PROTOCOL = 'http'
    MAX_FAILED_LOGIN_COUNT = 10
--- a/app/main/views/invites.py
+++ b/app/main/views/invites.py
@@ -7,6 +7,7 @@ from flask import (
    abort,
    current_app
 )
+from itsdangerous import SignatureExpired
 from markupsafe import Markup
 from notifications_utils.url_safe_token import check_token
 from flask_login import current_user
@@ -21,12 +22,20 @@ from app import (

@main.route("/invitation/<token>")
 def accept_invite(token):
-    check_token(
-        token,
-        current_app.config['SECRET_KEY'],
-        current_app.config['DANGEROUS_SALT'],
-        current_app.config['EMAIL_EXPIRY_SECONDS']
-    )
+    try:
+        check_token(
+            token,
+            current_app.config['SECRET_KEY'],
+            current_app.config['DANGEROUS_SALT'],
+            current_app.config['INVITATION_EXPIRY_SECONDS']
+        )
+    except SignatureExpired:
+        errors = [
+            'Your invitation to GOV.UK Notify has expired. '
+            'Please ask the person that invited you to send you another one'
+        ]
+        return render_template("error/400.html", message=errors), 400
+
    invited_user = invite_api_client.check_token(token)

    if not current_user.is_anonymous and current_user.email_address != invited_user.email_address:
--- a/tests/app/main/views/test_accept_invite.py
+++ b/tests/app/main/views/test_accept_invite.py
@@ -1,6 +1,7 @@
 from flask import url_for
 from bs4 import BeautifulSoup
 from unittest.mock import ANY
+from itsdangerous import SignatureExpired

 import app

@@ -368,3 +369,21 @@ def test_new_invited_user_verifies_and_added_to_service(
    raw_html = response.data.decode('utf-8')
    page = BeautifulSoup(raw_html, 'html.parser')
    assert page.find('h1').text == 'Dashboard'
+
+
+def test_gives_message_if_token_has_expired(
+    app_,
+    client,
+    mock_check_invite_token,
+    mocker,
+):
+    check_token = mocker.patch('app.main.views.invites.check_token', side_effect=SignatureExpired('this is too old'))
+
+    response = client.get(url_for('main.accept_invite', token='a really old token'))
+    raw_html = response.data.decode('utf-8')
+    page = BeautifulSoup(raw_html, 'html.parser')
+
+    check_token.assert_called_once_with(ANY, ANY, ANY, 3600 * 24 * 2)
+    assert response.status_code == 400
+    assert 'Your invitation to GOV.UK Notify has expired' in page.find('h1').text
+    assert not mock_check_invite_token.called