Confirm user before accepting invitation?

phsphs
Community Member
edited May 26 in CLI

I'm writing some scripts to automate on-boarding of new employees. During testing, I noticed it appears to be possible to confirm a new account before the user has accepted the invitation. After running op user provision --name "Testy McTestface" --email [email protected] the "state" of that account is "TRANSFER_PENDING", however I can immediately run op user confirm [email protected] and the "state" of the account changes to "TRANSFER_STARTED". Trying to confirm the account again gives an error.

Is this by design, or is there a bug/I'm doing something wrong? If this is by design, then that would greatly simplify our automation :)


1Password Version: 1Password CLI 2.0
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • Justin.Yoon_1PJustin.Yoon_1P

    Team Member

    Hey @phs

    I've reached out to some folks that are more familiar with our user provisioning flow and will get back to you when I hear back.

  • Justin.Yoon_1PJustin.Yoon_1P

    Team Member

    Hey there @phs

    I've heard back from our provisioning team's developers and have received word that no you should not be able to confirm users until the invited user accepts the invitation.

    Myself and a few other developers tested your case and are not able to reproduce the bug, as I am seeing the following:

    1. op user provision --name "Wendy Appleseed" --email "[email protected]" and the returned user's state isTRANSFER_PENDING`
    2. op user ls prints Wendy's state as: TRANSFER_STARTED which is different from what you're seeing of TRANSFER_PENDING right after running the provisioning command. Note that the user's state will remain in TRANSFER_PENDING until their invitation e-mail is sent out.
    3. op user confirm "[email protected]" returns an error: this user cannot be confirmed
    4. Accept invitation as Wendy
    5. op user ls prints Wendy's state as TRANSFER_ACCEPTED
    6. `op user confirm "[email protected]" succeeds

    I've investigated our CLI client code, and it does an explicit check that the user's state must be TRANSFER_ACCEPTED before they are able to be confirmed - could you confirm their status immediately before calling op user confirm and see if that is the case?

    Also regarding your following comment:

    If this is by design, then that would greatly simplify our automation :)

    Haha! I know people have asked for this for this exact use case, but unfortunately not.. for the sake of security.

    Thanks for reporting this, and hope to hear back from you soon.

  • phsphs
    Community Member

    Ah damn, thanks for clarifying, especially the meaning of TRANSFER_PENDING vs TRANSFER_STARTED. I'll code it to handle that flow.

  • Justin.Yoon_1PJustin.Yoon_1P

    Team Member

    @phs My pleasure! It was something I new that learned as well :)

    Please let us know if there's anything else we can help with.

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file