implement handling ephemeral registration token

williamstein · williamstein · commit 1750e91821a2 · 2025-11-14T13:49:59.000-08:00
diff --git a/src/packages/next/pages/api/v2/auth/ephemeral.ts b/src/packages/next/pages/api/v2/auth/ephemeral.ts
@@ -0,0 +1,58 @@
+/*
+ *  This file is part of CoCalc: Copyright © 2024 Sagemath, Inc.
+ *  License: MS-RSL – see LICENSE.md for details
+ */
+
+import { v4 } from "uuid";
+
+import createAccount from "@cocalc/server/accounts/create-account";
+import redeemRegistrationToken from "@cocalc/server/auth/tokens/redeem";
+import { signUserIn } from "./sign-in";
+import getParams from "lib/api/get-params";
+
+export default async function createEphemeralAccount(req, res) {
+  let { registrationToken } = getParams(req);
+  registrationToken = (registrationToken ?? "").trim();
+  if (!registrationToken) {
+    res.json({ error: "Registration token required." });
+    return;
+  }
+  let tokenInfo;
+  try {
+    tokenInfo = await redeemRegistrationToken(registrationToken);
+  } catch (err) {
+    res.json({
+      error: `Issue with registration token -- ${err.message}`,
+    });
+    return;
+  }
+  if (!tokenInfo?.ephemeral || tokenInfo.ephemeral <= 0) {
+    res.json({
+      error:
+        "This registration token is not configured for ephemeral accounts.",
+    });
+    return;
+  }
+
+  const account_id = v4();
+  const suffix = account_id.slice(0, 6);
+  try {
+    await createAccount({
+      email: undefined,
+      password: undefined,
+      firstName: "Ephemeral",
+      lastName: `User-${suffix}`,
+      account_id,
+      tags: ["ephemeral"],
+      signupReason: "ephemeral",
+      ephemeral: tokenInfo.ephemeral,
+    });
+  } catch (err) {
+    res.json({
+      error: `Problem creating ephemeral account -- ${err.message}`,
+    });
+    return;
+  }
+
+  await signUserIn(req, res, account_id, { maxAge: tokenInfo.ephemeral });
+}
diff --git a/src/packages/next/pages/api/v2/auth/sign-in.ts b/src/packages/next/pages/api/v2/auth/sign-in.ts
@@ -81,12 +81,18 @@ export async function getAccount(
   return account_id;
 }
 
-export async function signUserIn(req, res, account_id: string): Promise<void> {
+export async function signUserIn(
+  req,
+  res,
+  account_id: string,
+  opts?: { maxAge?: number },
+): Promise<void> {
   try {
     await setSignInCookies({
       req,
       res,
       account_id,
+      maxAge: opts?.maxAge,
     });
   } catch (err) {
     res.json({ error: `Problem setting auth cookies -- ${err}` });
diff --git a/src/packages/next/pages/ephemeral.tsx b/src/packages/next/pages/ephemeral.tsx
@@ -9,42 +9,55 @@ import Footer from "components/landing/footer";
 import Header from "components/landing/header";
 import Head from "components/landing/head";
 import { Icon } from "@cocalc/frontend/components/icon";
+import apiPost from "lib/api/post";
 import { Customize } from "lib/customize";
 import withCustomize from "lib/with-customize";
+import { useRouter } from "next/router";
 
 const { Paragraph, Text, Title } = Typography;
 
-type Status = "idle" | "verifying";
+type Status = "idle" | "verifying" | "redirecting";
 
 interface Props {
   customize;
   token?: string;
 }
 
 export default function EphemeralPage({ customize, token }: Props) {
+  const router = useRouter();
   const [registrationToken, setRegistrationToken] = useState<string>(
     token ?? "",
   );
   const [status, setStatus] = useState<Status>("idle");
   const [info, setInfo] = useState<string>("");
+  const [error, setError] = useState<string>("");
 
   useEffect(() => {
     if (token) {
       setRegistrationToken(token);
     }
   }, [token]);
 
-  const disabled = registrationToken.trim().length === 0 || status !== "idle";
+  const trimmedToken = registrationToken.trim();
+  const working = status !== "idle";
+  const disabled = trimmedToken.length === 0 || working;
 
-  function handleConfirm(): void {
+  async function handleConfirm(): Promise<void> {
+    if (disabled) return;
     setStatus("verifying");
-    // Placeholder wiring – actual validation happens in the next task.
-    setTimeout(() => {
+    setInfo("");
+    setError("");
+    try {
+      await apiPost("/auth/ephemeral", {
+        registrationToken: trimmedToken,
+      });
+      setStatus("redirecting");
+      setInfo("Success! Redirecting you to your workspace…");
+      await router.push("/app");
+    } catch (err) {
+      setError(err?.message ?? `${err}`);
       setStatus("idle");
-      setInfo(
-        "Token validation isn't wired up yet. Once implemented, this button will create an ephemeral account.",
-      );
-    }, 250);
+    }
   }
 
   return (
@@ -94,11 +107,23 @@ export default function EphemeralPage({ customize, token }: Props) {
                     onChange={(e) => {
                       setRegistrationToken(e.target.value);
                       if (info) setInfo("");
+                      if (error) setError("");
                     }}
                     onPressEnter={disabled ? undefined : handleConfirm}
                   />
                 </div>
 
+                {error && (
+                  <Alert
+                    type="error"
+                    message="Unable to create account"
+                    description={error}
+                    showIcon
+                    closable
+                    onClose={() => setError("")}
+                  />
+                )}
+
                 {info && (
                   <Alert
                     type="info"
@@ -113,11 +138,11 @@ export default function EphemeralPage({ customize, token }: Props) {
                   type="primary"
                   size="large"
                   disabled={disabled}
-                  loading={status === "verifying"}
+                  loading={working}
                   onClick={handleConfirm}
                   block
                 >
-                  Continue
+                  {status === "redirecting" ? "Redirecting…" : "Continue"}
                 </Button>
 
                 <Alert
@@ -127,9 +152,10 @@ export default function EphemeralPage({ customize, token }: Props) {
                   description={
                     <Paragraph style={{ marginBottom: 0 }}>
                       Ephemeral accounts automatically expire after the duration
-                      configured with their registration token. You will be
-                      signed in automatically and redirected to your workspace
-                      as soon as token verification is implemented.
+                      configured with their registration token. When the token
+                      is valid you'll be signed in automatically and redirected
+                      to your workspace with a cookie that expires at the same
+                      time.
                     </Paragraph>
                   }
                 />
diff --git a/src/packages/server/accounts/create-account.ts b/src/packages/server/accounts/create-account.ts
@@ -15,8 +15,8 @@ import { getServerSettings } from "@cocalc/database/settings/server-settings";
 const log = getLogger("server:accounts:create");
 
 interface Params {
-  email: string;
-  password: string;
+  email?: string;
+  password?: string;
   firstName: string;
   lastName: string;
   account_id: string;
@@ -27,6 +27,7 @@ interface Params {
   // I added this to avoid leaks with unit testing, but it may be useful in other contexts, e.g.,
   // avoiding confusion with self-hosted installs.
   noFirstProject?: boolean;
+  ephemeral?: number;
 }
 
 export default async function createAccount({
@@ -39,6 +40,7 @@ export default async function createAccount({
   signupReason,
   owner_id,
   noFirstProject,
+  ephemeral,
 }: Params): Promise<void> {
   try {
     log.debug(
@@ -52,7 +54,7 @@ export default async function createAccount({
     );
     const pool = getPool();
     await pool.query(
-      "INSERT INTO accounts (email_address, password_hash, first_name, last_name, account_id, created, tags, sign_up_usage_intent, owner_id) VALUES($1::TEXT, $2::TEXT, $3::TEXT, $4::TEXT, $5::UUID, NOW(), $6::TEXT[], $7::TEXT, $8::UUID)",
+      "INSERT INTO accounts (email_address, password_hash, first_name, last_name, account_id, created, tags, sign_up_usage_intent, owner_id, ephemeral) VALUES($1::TEXT, $2::TEXT, $3::TEXT, $4::TEXT, $5::UUID, NOW(), $6::TEXT[], $7::TEXT, $8::UUID, $9::BIGINT)",
       [
         email ? email : undefined, // can't insert "" more than once!
         password ? passwordHash(password) : undefined, // definitely don't set password_hash to hash of empty string, e.g., anonymous accounts can then NEVER switch to email/password.  This was a bug in production for a while.
@@ -62,6 +64,7 @@ export default async function createAccount({
         tags,
         signupReason,
         owner_id,
+        ephemeral ?? null,
       ],
     );
     const { insecure_test_mode } = await getServerSettings();
@@ -85,4 +88,3 @@ export default async function createAccount({
     throw error; // re-throw to bubble up to higher layers if needed
   }
 }
-
diff --git a/src/packages/server/auth/tokens/redeem.ts b/src/packages/server/auth/tokens/redeem.ts
@@ -9,7 +9,14 @@ then returns no matter what the input is.
 import getRequiresTokens from "./get-requires-token";
 import { getTransactionClient } from "@cocalc/database/pool";
 
-export default async function redeem(token: string): Promise<void> {
+export interface RegistrationTokenInfo {
+  token: string;
+  ephemeral?: number;
+}
+
+export default async function redeem(
+  token: string,
+): Promise<RegistrationTokenInfo | undefined> {
   const required = await getRequiresTokens();
   if (!required) {
     // no token required, so nothing to do.
@@ -29,7 +36,7 @@ export default async function redeem(token: string): Promise<void> {
     // → if counter, check counter vs. limit
     //   → true: increase the counter → ok
     //   → false: ok
-    const q_match = `SELECT "expires", "counter", "limit", "disabled"
+    const q_match = `SELECT "expires", "counter", "limit", "disabled", "ephemeral"
                      FROM registration_tokens
                      WHERE token = $1::TEXT
                      FOR UPDATE`;
@@ -44,6 +51,7 @@ export default async function redeem(token: string): Promise<void> {
       counter: counter_raw,
       limit,
       disabled: disabled_raw,
+      ephemeral,
     } = match.rows[0];
     const counter = counter_raw ?? 0;
     const disabled = disabled_raw ?? false;
@@ -68,6 +76,10 @@ export default async function redeem(token: string): Promise<void> {
 
     // all good, let's commit
     await client.query("COMMIT");
+    return {
+      token,
+      ephemeral: typeof ephemeral === "number" ? ephemeral : undefined,
+    };
   } catch (err) {
     await client.query("ROLLBACK");
     throw err;
