Invite flow: multi-member onboarding — single-use vs reusable link #60

New Issue

marcel · 2026-04-10T20:47:45+02:00

marcel commented

2026-04-10 20:47:45 +02:00

Problem

The current invite implementation has one active link per household, single-use (status set to "used" on accept). This creates a usability gap: a planner who wants to invite multiple people simultaneously either has to wait for each person to accept (or 48h to expire) before inviting the next, or regenerate the link (invalidating the previous one).

Questions to resolve

Should a household be able to have multiple active invite links at once (one per invitee), or a single link that is reusable until it expires or the planner regenerates it?
If single-use: how does the planner invite 3 people at once? Generate 3 links? Or generate one, wait, then generate the next?
If reusable: what's the maximum number of people who can join via one link? Unlimited until expiry? Capped?

Security note (from Sable)

Single-use is the least-privilege option — a leaked link can only be misused once. Reusable links expand the blast radius of a leak (anyone with the link can join until expiry or until the planner regenerates). If reusable links are chosen, rate limiting on the accept endpoint becomes more important.

Current state

HouseholdService.acceptInvite() marks status = "used" on accept → strictly single-use. The /members page allows the planner to regenerate the link, which invalidates the old one.

Out of scope here

Implementation — this issue is for product decision only. Came up during discussion of #21.

## Problem The current invite implementation has one active link per household, single-use (status set to `"used"` on accept). This creates a usability gap: a planner who wants to invite multiple people simultaneously either has to wait for each person to accept (or 48h to expire) before inviting the next, or regenerate the link (invalidating the previous one). ## Questions to resolve - Should a household be able to have **multiple active invite links** at once (one per invitee), or a single link that is **reusable** until it expires or the planner regenerates it? - If single-use: how does the planner invite 3 people at once? Generate 3 links? Or generate one, wait, then generate the next? - If reusable: what's the maximum number of people who can join via one link? Unlimited until expiry? Capped? ## Security note (from Sable) Single-use is the least-privilege option — a leaked link can only be misused once. Reusable links expand the blast radius of a leak (anyone with the link can join until expiry or until the planner regenerates). If reusable links are chosen, rate limiting on the accept endpoint becomes more important. ## Current state `HouseholdService.acceptInvite()` marks `status = "used"` on accept → strictly single-use. The `/members` page allows the planner to regenerate the link, which invalidates the old one. ## Out of scope here Implementation — this issue is for product decision only. Came up during discussion of #21.

marcel referenced this issue

2026-04-10 20:54:36 +02:00

Frontend: A4 — Join household (accept invite) #21

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: marcel/mealprep#60