feat: Guest email authentication (#1088)

* feat: API endpoints for email signin

* fix: After testing

* Initial signin flow working

* move shared middleware

* feat: Add guest signin toggle, obey on endpoints

* feat: Basic email signin when enabled

* Improve guest signin email
Disable double signin with JWT

* fix: Simple rate limiting

* create placeholder users in db

* fix: Give invited users default avatar
add invited users to people settings

* test

* add transaction

* tmp: test CI

* derp

* md5

* urgh

* again

* test: pass

* test

* fix: Remove usage of data values

* guest signin page

* Visually separator 'Invited' from other people tabs

* fix: Edge case attempting SSO signin for guest email account

* fix: Correctly set email auth method to cookie

* Improve rate limit error display

* lint: cleanup / comments

* Improve invalid token error display

* style tweaks

* pass guest value to subdomain

* Restore copy link option

* feat: Allow invite revoke from people management

* fix: Incorrect users email schema does not allow for user deletion

* lint

* fix: avatarUrl for deleted user failure

* change default to off for guest invites

* fix: Changing security settings wipes subdomain

* fix: user delete permissioning

* test: Add user.invite specs

server/api/users.test.js

@@ -76,6 +76,26 @@ describe('#users.info', async () => {
   });
 });
 
+describe('#users.invite', async () => {
+  it('should return sent invites', async () => {
+    const user = await buildUser();
+    const res = await server.post('/api/users.invite', {
+      body: {
+        token: user.getJwtToken(),
+        invites: [{ email: 'test@example.com', name: 'Test', guest: false }],
+      },
+    });
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.data.sent.length).toEqual(1);
+  });
+
+  it('should require authentication', async () => {
+    const res = await server.post('/api/users.invite');
+    expect(res.status).toEqual(401);
+  });
+});
+
 describe('#users.delete', async () => {
   it('should not allow deleting without confirmation', async () => {
     const user = await buildUser();
@@ -111,6 +131,27 @@ describe('#users.delete', async () => {
     expect(res.status).toEqual(200);
   });
 
+  it('should allow deleting pending user account with admin', async () => {
+    const user = await buildUser({ isAdmin: true });
+    const pending = await buildUser({
+      teamId: user.teamId,
+      lastActiveAt: null,
+    });
+    const res = await server.post('/api/users.delete', {
+      body: { token: user.getJwtToken(), id: pending.id, confirmation: true },
+    });
+    expect(res.status).toEqual(200);
+  });
+
+  it('should not allow deleting another user account', async () => {
+    const user = await buildUser({ isAdmin: true });
+    const user2 = await buildUser({ teamId: user.teamId });
+    const res = await server.post('/api/users.delete', {
+      body: { token: user.getJwtToken(), id: user2.id, confirmation: true },
+    });
+    expect(res.status).toEqual(403);
+  });
+
   it('should require authentication', async () => {
     const res = await server.post('/api/users.delete');
     const body = await res.json();
@@ -183,7 +224,7 @@ describe('#users.demote', async () => {
     expect(body).toMatchSnapshot();
   });
 
-  it("shouldn't demote admins if only one available ", async () => {
+  it('should not demote admins if only one available', async () => {
     const admin = await buildUser({ isAdmin: true });
 
     const res = await server.post('/api/users.demote', {
@@ -226,7 +267,7 @@ describe('#users.suspend', async () => {
     expect(body).toMatchSnapshot();
   });
 
-  it("shouldn't allow suspending the user themselves", async () => {
+  it('should not allow suspending the user themselves', async () => {
     const admin = await buildUser({ isAdmin: true });
     const res = await server.post('/api/users.suspend', {
       body: {