Staging

[earzalien]

Summary by cubic

Send trip invitation emails via resend with HTML-escaped messages, and improve the invitation UI with an optional link copy and better loading states.

• New Features

  • Uses resend to email invitation links with an optional message; validates RESEND_API_KEY at boot and escapes message HTML.
  • Adds a “Copy invitation link” checkbox; copies only when checked.
  • Updates button labels and toasts; disables inputs while sending and the send button until an email is entered.

• Migration

  • Add to .env: RESEND_API_KEY and RESEND_FROM (e.g., "Your Name name@domain.com").
  • Ensure the server runs on Node 20+.
  • Install new dependency resend.

^{Written for commit 5b614d3. Summary will update on new commits.}

[cubic-dev-ai]

2 issues found across 7 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="server/src/libs/resend.ts">

<violation number="1" location="server/src/libs/resend.ts:3">
P2: Validate `RESEND_API_KEY` before constructing the Resend client to avoid creating a misconfigured singleton.</violation>
</file>

<file name="server/src/modules/invitation/invitationActions.ts">

<violation number="1" location="server/src/modules/invitation/invitationActions.ts:122">
P1: User-provided `message` is interpolated into HTML without escaping, enabling HTML injection in invitation emails.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

2 issues found across 2 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="server/src/modules/invitation/invitationActions.ts">

<violation number="1" location="server/src/modules/invitation/invitationActions.ts:122">
P2: `message` is not type-validated before calling `escapeHtml`, so non-string payloads can trigger a runtime `.replace is not a function` error.</violation>

<violation number="2" location="server/src/modules/invitation/invitationActions.ts:140">
P1: Throwing on email send failure after creating the invitation causes write-success/request-failure inconsistency and can lead to duplicate invitations on client retries.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: message is not type-validated before calling escapeHtml, so non-string payloads can trigger a runtime .replace is not a function error.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At server/src/modules/invitation/invitationActions.ts, line 122:

<comment>`message` is not type-validated before calling `escapeHtml`, so non-string payloads can trigger a runtime `.replace is not a function` error.</comment>

<file context>
@@ -110,27 +110,34 @@ const add: RequestHandler = async (req, res, next) => {
+        .replace(/"/g, "&quot;")
+        .replace(/'/g, "&#039;");
+
+    const safeMessage = escapeHtml(message);
 
     const { data, error } = await resend.emails.send({
</file context>

Suggested change

	const safeMessage = escapeHtml(message);
	const safeMessage = escapeHtml(typeof message === "string" ? message : String(message ?? ""));