
Group and Project Invitation Links should Expire if not Accepted during a Sufficient Time Window

Summary

Unlike password-reset links, namespace (group/project) invitation links do not expire. If a given user doesn't accept an invitation right away, the invitation remains valid for an unlimited amount of time. This behavior leads to a build-up of unaccepted group/project invitations over time. Furthermore, maintainers/owners/administrators may fail to remove access once the member/employee has been off-boarded, because e-mail invitations for a not-yet-existing user are not listed under memberships in the admin interface.

Introduction

Let's consider a group or project N, a project owner O and a user U with e-mail user@domain.com without an account on a given GitLab instance. When O invites user@domain.com to join N by e-mail as shown below:

(screenshot)

user@domain.com will receive an invitation that does not seem to expire:

https://gitlab.com/-/invites/<token>

(screenshot)

Once user@domain.com creates their account, they'll be able to accept the invitation:

(screenshot)

Once accepted, the invitation will cease to exist:

(screenshot)

Bug Behavior

However, if the user doesn't accept the invitation right away, it will remain valid for an unlimited amount of time. This behavior can lead to a build-up of unaccepted group/project invitations over time as shown below:

(screenshot)

For companies, or teams within companies, this is problematic: off-boarded members retain access to the respective projects by virtue of their invitations remaining in a pending state.

Owners, maintainers and admins may fail to review pending invitations during off-boarding of said employees, which effectively leaves their access to projects in place.

Moreover, a malicious member could try to trick O by requesting to be invited via several similar-looking e-mail addresses:

(screenshot)

They could then accept one invitation, which is consumed and becomes unusable, and keep the other one(s) in order to regain access at a later point in time, even after they have been off-boarded.

Steps to reproduce

As described above

What is the current bug behavior?

Group and project invitation links do not expire automatically if not accepted after a certain amount of time.

What is the expected correct behavior?

Group and project invitation links should expire automatically if not accepted after a certain amount of time (7 days?)

Relevant logs and/or screenshots

See above

Output of checks

This bug happens on GitLab.com

Possible fixes

Just as memberships can expire, which is regularly enforced by going over the project memberships table, stale invitations should be purged as well.
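Until such purging exists, an owner can at least audit pending invitations. The following Ruby script is an added example, not GitLab's own code: it takes the JSON returned by the Invitations API (GET /projects/:id/invitations, whose field names it assumes) and flags invitations older than the 7-day window proposed above, plus pairs of look-alike addresses of the kind described in the Bug Behavior section. The sample response and the edit-distance threshold are constructed for illustration.

```ruby
require 'json'
require 'time'
# Constructed sample of a GET /projects/:id/invitations response:
# field names follow the GitLab Invitations API, values are made up.
SAMPLE_INVITATIONS_JSON = <<~JSON
  [
    {"invite_email": "jdoe@example.com",  "created_at": "2021-03-01T10:00:00.000Z", "access_level": 30},
    {"invite_email": "j.doe@example.com", "created_at": "2021-03-01T10:05:00.000Z", "access_level": 30},
    {"invite_email": "bob@example.com",   "created_at": "2021-03-28T09:00:00.000Z", "access_level": 40}
  ]
JSON

MAX_PENDING_DAYS = 7 # the expiry window proposed in this issue

# Pending invitations created more than max_age_days before `now`.
def stale_invitations(invitations, now:, max_age_days: MAX_PENDING_DAYS)
  cutoff = now - max_age_days * 24 * 60 * 60
  invitations.select { |inv| Time.iso8601(inv['created_at']) < cutoff }
end

# Levenshtein edit distance between two strings (dynamic programming).
def edit_distance(a, b)
  prev = (0..b.length).to_a
  a.each_char.with_index(1) do |ca, i|
    cur = [i]
    b.each_char.with_index(1) do |cb, j|
      cur << [prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca == cb ? 0 : 1)].min
    end
    prev = cur
  end
  prev.last
end

# Pairs of pending addresses on the same domain whose local parts differ
# by at most max_distance edits, i.e. candidates for the look-alike trick.
def lookalike_pairs(invitations, max_distance: 2)
  emails = invitations.map { |inv| inv['invite_email'].downcase }
  emails.combination(2).select do |a, b|
    la, da = a.split('@', 2)
    lb, db = b.split('@', 2)
    da == db && edit_distance(la, lb) <= max_distance
  end
end

# Audit one invitations response; returns what an owner should review.
def audit_invitations(json, now: Time.now)
  invitations = JSON.parse(json)
  { stale: stale_invitations(invitations, now: now).map { |i| i['invite_email'] },
    lookalikes: lookalike_pairs(invitations) }
end
```

Calling audit_invitations(SAMPLE_INVITATIONS_JSON, now: Time.iso8601('2021-03-30T00:00:00Z')) reports the two @example.com invitations from 1 March as stale and flags jdoe/j.doe as a look-alike pair.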

cc @jeremymatos @ifarkas for visibility

Edited by Jayson Salazar Rodriguez