Security for the invitation endpoint in Invitation System

Hey folks!

I’m designing an Invitation System and want to hear your thoughts about security concerns and best practices.

From the email the user will land on the webapp endpoint:

GET /accept-invitations/:invitation_id?token=:secret_token

From this webapp page the guest’s client will call an API endpoint to fetch information about the invitation. By strictly following the json:api specification it might be:

GET /api/invitations/:invitation_id?include=team,inviter

Accepting/declining an invitation will require a secret token which will be present in the invitation email only, but bad people could brute-force the API endpoint to try to find working ids and get access to the private team & inviter resources. Isn’t it a security breach then?

Pinging @sled as author of the topic about modelling an invitation system.

It’s always a security tradeoff when exposing information to the wider internet in a way that allows semi-anonymous access.

You can mitigate the issue by adding rate limiting to the API. E.g. after a specific invitation ID has been called more than 5 times with an invalid secret, that invitation ID is locked for an hour.
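As an added example (not code from either poster), the two points above worked through together: the fetch endpoint from the original post only returns the invitation, team and inviter data when the secret token from the email is presented with the request, and the per-invitation lockout from this reply is applied on top. It assumes the token is passed along on the API call (here as a `token` query parameter); the in-memory store, the `now` parameter used for testing, and the uniform 404 for unknown id, wrong token and locked id are my own design choices.

```python
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Policy from the thread: lock an invitation id for an hour once it has
# been requested more than 5 times with an invalid secret.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 60 * 60

# One response for "unknown id", "wrong token" and "locked id", so a client
# probing ids cannot tell which of the three it hit (design choice).
NOT_FOUND = (404, {"errors": [{"status": "404", "title": "Not Found"}]})


@dataclass
class Invitation:
    invitation_id: str
    secret_token: str          # only ever delivered in the invitation email
    team_id: str
    team_name: str
    inviter_id: str
    inviter_name: str
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class InvitationStore:
    """In-memory stand-in for the invitation table (constructed for this example)."""

    def __init__(self) -> None:
        self._by_id: dict[str, Invitation] = {}

    def create(self, team_id: str, team_name: str, inviter_id: str, inviter_name: str):
        # The id appears in the URL, the token is the credential; both are random.
        invitation_id = secrets.token_urlsafe(12)
        token = secrets.token_urlsafe(32)
        self._by_id[invitation_id] = Invitation(
            invitation_id, token, team_id, team_name, inviter_id, inviter_name
        )
        return invitation_id, token

    def fetch(self, invitation_id: str, presented_token: str, now: Optional[float] = None):
        """Handle GET /api/invitations/:id?token=...&include=team,inviter.

        Returns (http_status, json_api_document).
        """
        now = time.time() if now is None else now
        inv = self._by_id.get(invitation_id)
        if inv is None:
            return NOT_FOUND
        if now < inv.locked_until:
            # Locked: skip the comparison entirely, so guesses made during the
            # lock window can neither succeed nor be counted.
            return NOT_FOUND
        # Constant-time comparison: a plain == would leak how many leading
        # bytes of the guess were right.
        if not hmac.compare_digest(inv.secret_token.encode(), presented_token.encode()):
            inv.failed_attempts += 1
            if inv.failed_attempts > MAX_FAILED_ATTEMPTS:
                inv.locked_until = now + LOCKOUT_SECONDS
                inv.failed_attempts = 0
            return NOT_FOUND
        inv.failed_attempts = 0
        # Private team & inviter resources are only rendered after the token check.
        return 200, {
            "data": {
                "type": "invitations",
                "id": inv.invitation_id,
                "attributes": {"status": "pending"},
                "relationships": {
                    "team": {"data": {"type": "teams", "id": inv.team_id}},
                    "inviter": {"data": {"type": "users", "id": inv.inviter_id}},
                },
            },
            "included": [
                {"type": "teams", "id": inv.team_id, "attributes": {"name": inv.team_name}},
                {"type": "users", "id": inv.inviter_id, "attributes": {"name": inv.inviter_name}},
            ],
        }
```

The counter lives on the invitation, not on the client IP, so spreading guesses across many source addresses does not help; the lock also suppresses the comparison itself rather than just the response, which keeps a locked id from being usable even with the correct token until the hour has passed.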

What is insecure if you have a secret token? (Here I’m assuming it is strong enough)

What is the JSON:API question here?

JSON:API question because it defines that access to every resource should have its ID in the address bar, but usually invitation systems don’t expose the ids of secret tokens.