Confirm user before accepting invitation?

phs
phs
Community Member
edited May 2022 in CLI

I'm writing some scripts to automate on-boarding of new employees. During testing, I noticed it appears to be possible to confirm a new account before the user has accepted the invitation. After running op user provision --name "Testy McTestface" --email test@example.com the "state" of that account is "TRANSFER_PENDING", however I can immediately run op user confirm test@example.com and the "state" of the account changes to "TRANSFER_STARTED". Trying to confirm the account again gives an error.

Is this by design, or is there a bug/I'm doing something wrong? If this is by design, then that would greatly simplify our automation :)


1Password Version: 1Password CLI 2.0
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • Hey @phs

    I've reached out to some folks that are more familiar with our user provisioning flow and will get back to you when I hear back.

  • Hey there @phs

    I've heard back from our provisioning team's developers and have received word that no you should not be able to confirm users until the invited user accepts the invitation.

    Myself and a few other developers tested your case and are not able to reproduce the bug, as I am seeing the following:

    1. op user provision --name "Wendy Appleseed" --email "wendy@acme.org" and the returned user's state isTRANSFER_PENDING`
    2. op user ls prints Wendy's state as: TRANSFER_STARTED which is different from what you're seeing of TRANSFER_PENDING right after running the provisioning command. Note that the user's state will remain in TRANSFER_PENDING until their invitation e-mail is sent out.
    3. op user confirm "wendy@acme.org" returns an error: this user cannot be confirmed
    4. Accept invitation as Wendy
    5. op user ls prints Wendy's state as TRANSFER_ACCEPTED
    6. `op user confirm "wendy@acme.org" succeeds

    I've investigated our CLI client code, and it does an explicit check that the user's state must be TRANSFER_ACCEPTED before they are able to be confirmed - could you confirm their status immediately before calling op user confirm and see if that is the case?

    Also regarding your following comment:

    If this is by design, then that would greatly simplify our automation :)

    Haha! I know people have asked for this for this exact use case, but unfortunately not.. for the sake of security.

    Thanks for reporting this, and hope to hear back from you soon.

  • phs
    phs
    Community Member

    Ah damn, thanks for clarifying, especially the meaning of TRANSFER_PENDING vs TRANSFER_STARTED. I'll code it to handle that flow.

  • @phs My pleasure! It was something I new that learned as well :)

    Please let us know if there's anything else we can help with.

This discussion has been closed.