fix(invite): reject invalidated invites in acceptInvite

Same invalidatedAt gap as getInviteInfo: a superseded invite (status still 'pending', invalidatedAt set) could still be used to create an account and join the household. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-10 22:22:54 +02:00
parent 0ab1ba0b1b
commit 73af11e84b
2 changed files with 17 additions and 1 deletions
--- a/backend/src/main/java/com/recipeapp/household/HouseholdService.java
+++ b/backend/src/main/java/com/recipeapp/household/HouseholdService.java
@@ -205,7 +205,9 @@ public class HouseholdService {
        HouseholdInvite invite = householdInviteRepository.findByInviteCode(code)
                .orElseThrow(() -> new ResourceNotFoundException("Invite not found or invalid"));

-        if ("used".equals(invite.getStatus()) || invite.getExpiresAt().isBefore(Instant.now())) {
+        if ("used".equals(invite.getStatus())
+                || invite.getInvalidatedAt() != null
+                || invite.getExpiresAt().isBefore(Instant.now())) {
            throw new ResourceNotFoundException("Invite not found or invalid");
        }