simstudioai
diff --git a/‎apps/sim/app/api/workspaces/invitations/batch/route.ts‎
Lines changed: 132 additions & 0 deletions b/‎apps/sim/app/api/workspaces/invitations/batch/route.ts‎
Lines changed: 132 additions & 0 deletions
diff --git a/‎apps/sim/app/api/workspaces/invitations/route.test.ts‎
Lines changed: 59 additions & 19 deletions b/‎apps/sim/app/api/workspaces/invitations/route.test.ts‎
Lines changed: 59 additions & 19 deletions
@@ -0,0 +1,132 @@
+import { createLogger } from '@sim/logger'
+import { type NextRequest, NextResponse } from 'next/server'
+import { getSession } from '@/lib/auth'
+import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
+import { normalizeEmail } from '@/lib/invitations/core'
+import {
+  createWorkspaceInvitation,
+  prepareWorkspaceInvitationContext,
+  WorkspaceInvitationError,
+  type WorkspaceInvitationResult,
+} from '@/lib/invitations/workspace-invitations'
+import { InvitationsNotAllowedError } from '@/ee/access-control/utils/permission-check'
+
+export const dynamic = 'force-dynamic'
+
+const logger = createLogger('WorkspaceInvitationBatchAPI')
+
+interface BatchInvitationFailure {
+  email: string
+  error: string
+}
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === 'object' && value !== null
+}
+
+function batchErrorResponse(error: unknown) {
+  if (error instanceof WorkspaceInvitationError) {
+    return NextResponse.json(
+      {
+        error: error.message,
+        ...(error.email ? { email: error.email } : {}),
+        ...(error.upgradeRequired !== undefined ? { upgradeRequired: error.upgradeRequired } : {}),
+      },
+      { status: error.status }
+    )
+  }
+
+  if (error instanceof InvitationsNotAllowedError) {
+    return NextResponse.json({ error: error.message }, { status: 403 })
+  }
+
+  logger.error('Error creating workspace invitation batch:', error)
+  return NextResponse.json({ error: 'Failed to create invitation batch' }, { status: 500 })
+}
+
+export const POST = withRouteHandler(async (req: NextRequest) => {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  try {
+    const body = (await req.json()) as { workspaceId?: unknown; invitations?: unknown }
+    if (typeof body.workspaceId !== 'string' || body.workspaceId.length === 0) {
+      return NextResponse.json({ error: 'Workspace ID is required' }, { status: 400 })
+    }
+
+    if (!Array.isArray(body.invitations) || body.invitations.length === 0) {
+      return NextResponse.json({ error: 'At least one invitation is required' }, { status: 400 })
+    }
+
+    const context = await prepareWorkspaceInvitationContext({
+      workspaceId: body.workspaceId,
+      inviterId: session.user.id,
+      inviterName: session.user.name || session.user.email || 'A user',
+      inviterEmail: session.user.email,
+    })
+
+    const successful: string[] = []
+    const failed: BatchInvitationFailure[] = []
+    const invitations: WorkspaceInvitationResult[] = []
+    const seenEmails = new Set<string>()
+
+    for (const item of body.invitations) {
+      if (!isRecord(item) || typeof item.email !== 'string') {
+        return NextResponse.json(
+          { error: 'Each invitation must include an email' },
+          { status: 400 }
+        )
+      }
+
+      if (item.permission !== undefined && typeof item.permission !== 'string') {
+        return NextResponse.json(
+          { error: 'Invitation permission must be a string when provided' },
+          { status: 400 }
+        )
+      }
+
+      const normalizedEmail = normalizeEmail(item.email)
+      if (seenEmails.has(normalizedEmail)) {
+        failed.push({
+          email: normalizedEmail,
+          error: `${normalizedEmail} appears more than once in this invitation batch`,
+        })
+        continue
+      }
+      seenEmails.add(normalizedEmail)
+
+      try {
+        const invitation = await createWorkspaceInvitation({
+          context,
+          email: item.email,
+          permission: item.permission,
+          request: req,
+        })
+        successful.push(invitation.email)
+        invitations.push(invitation)
+      } catch (error) {
+        if (error instanceof WorkspaceInvitationError) {
+          failed.push({ email: error.email ?? normalizedEmail, error: error.message })
+          continue
+        }
+
+        logger.error('Unexpected workspace invitation batch item failure:', {
+          email: normalizedEmail,
+          error,
+        })
+        throw error
+      }
+    }
+
+    return NextResponse.json({
+      success: failed.length === 0,
+      successful,
+      failed,
+      invitations,
+    })
+  } catch (error) {
+    return batchErrorResponse(error)
+  }
+})
@@ -108,9 +108,9 @@ const mockGetSession = authMockFns.mockGetSession
 const mockGetWorkspaceWithOwner = permissionsMockFns.mockGetWorkspaceWithOwner
 
 import { UPGRADE_TO_INVITE_REASON } from '@/lib/workspaces/policy-constants'
-import { POST } from '@/app/api/workspaces/invitations/route'
+import { POST } from '@/app/api/workspaces/invitations/batch/route'
 
-describe('POST /api/workspaces/invitations', () => {
+describe('POST /api/workspaces/invitations/batch', () => {
   beforeEach(() => {
     vi.clearAllMocks()
     mockDbResults.value = []
@@ -169,8 +169,7 @@ describe('POST /api/workspaces/invitations', () => {
 
     const request = createMockRequest('POST', {
       workspaceId: 'workspace-1',
-      email: 'new@example.com',
-      permission: 'read',
+      invitations: [{ email: 'new@example.com', permission: 'read' }],
     })
 
     const response = await POST(request)
@@ -201,8 +200,7 @@ describe('POST /api/workspaces/invitations', () => {
 
     const request = createMockRequest('POST', {
       workspaceId: 'workspace-1',
-      email: 'new@example.com',
-      permission: 'read',
+      invitations: [{ email: 'new@example.com', permission: 'read' }],
     })
 
     const response = await POST(request)
@@ -213,7 +211,7 @@ describe('POST /api/workspaces/invitations', () => {
     expect(mockCreatePendingInvitation).not.toHaveBeenCalled()
   })
 
-  it('rejects org-owned invites when the organization has no available seats', async () => {
+  it('reports org-owned invites as failed when the organization has no available seats', async () => {
     mockGetWorkspaceWithOwner.mockResolvedValueOnce({
       id: 'workspace-1',
       name: 'Org Workspace',
@@ -240,15 +238,20 @@ describe('POST /api/workspaces/invitations', () => {
 
     const request = createMockRequest('POST', {
       workspaceId: 'workspace-1',
-      email: 'new@example.com',
-      permission: 'read',
+      invitations: [{ email: 'new@example.com', permission: 'read' }],
     })
 
     const response = await POST(request)
     const data = await response.json()
 
-    expect(response.status).toBe(400)
-    expect(data.error).toContain('No available seats')
+    expect(response.status).toBe(200)
+    expect(data.success).toBe(false)
+    expect(data.failed).toEqual([
+      {
+        email: 'new@example.com',
+        error: 'No available seats. Currently using 5 of 5 seats.',
+      },
+    ])
     expect(mockValidateSeatAvailability).toHaveBeenCalledWith('org-1', 1)
     expect(mockCreatePendingInvitation).not.toHaveBeenCalled()
   })
@@ -281,16 +284,15 @@ describe('POST /api/workspaces/invitations', () => {
 
     const request = createMockRequest('POST', {
       workspaceId: 'workspace-1',
-      email: 'new@example.com',
-      permission: 'read',
+      invitations: [{ email: 'new@example.com', permission: 'read' }],
     })
 
     const response = await POST(request)
     const data = await response.json()
 
     expect(response.status).toBe(200)
     expect(data.success).toBe(true)
-    expect(data.invitation.membershipIntent).toBe('external')
+    expect(data.invitations[0].membershipIntent).toBe('external')
     expect(mockValidateSeatAvailability).not.toHaveBeenCalled()
     expect(mockCreatePendingInvitation).toHaveBeenCalledWith(
       expect.objectContaining({
@@ -316,8 +318,7 @@ describe('POST /api/workspaces/invitations', () => {
 
     const request = createMockRequest('POST', {
       workspaceId: 'workspace-1',
-      email: 'new@example.com',
-      permission: 'write',
+      invitations: [{ email: 'new@example.com', permission: 'write' }],
     })
 
     const response = await POST(request)
@@ -337,6 +338,40 @@ describe('POST /api/workspaces/invitations', () => {
     expect(mockValidateSeatAvailability).not.toHaveBeenCalled()
   })
 
+  it('creates multiple workspace invitations in one batch request', async () => {
+    mockDbResults.value = [[{ permissionType: 'admin' }], [], []]
+    mockCreatePendingInvitation
+      .mockResolvedValueOnce({
+        invitationId: 'inv-1',
+        token: 'tok-1',
+        expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000),
+      })
+      .mockResolvedValueOnce({
+        invitationId: 'inv-2',
+        token: 'tok-2',
+        expiresAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000),
+      })
+
+    const request = createMockRequest('POST', {
+      workspaceId: 'workspace-1',
+      invitations: [
+        { email: 'first@example.com', permission: 'read' },
+        { email: 'second@example.com', permission: 'write' },
+      ],
+    })
+
+    const response = await POST(request)
+    const data = await response.json()
+
+    expect(response.status).toBe(200)
+    expect(data.success).toBe(true)
+    expect(data.successful).toEqual(['first@example.com', 'second@example.com'])
+    expect(data.failed).toEqual([])
+    expect(data.invitations).toHaveLength(2)
+    expect(mockCreatePendingInvitation).toHaveBeenCalledTimes(2)
+    expect(mockSendInvitationEmail).toHaveBeenCalledTimes(2)
+  })
+
   it('rolls back the unified invitation when email delivery fails', async () => {
     mockGetWorkspaceWithOwner.mockResolvedValueOnce({
       id: 'workspace-1',
@@ -354,13 +389,18 @@ describe('POST /api/workspaces/invitations', () => {
 
     const request = createMockRequest('POST', {
       workspaceId: 'workspace-1',
-      email: 'new@example.com',
-      permission: 'read',
+      invitations: [{ email: 'new@example.com', permission: 'read' }],
     })
 
     const response = await POST(request)
 
-    expect(response.status).toBe(502)
+    expect(response.status).toBe(200)
+    await expect(response.json()).resolves.toEqual(
+      expect.objectContaining({
+        success: false,
+        failed: [{ email: 'new@example.com', error: 'mailer unavailable' }],
+      })
+    )
     expect(mockCancelPendingInvitation).toHaveBeenCalledWith('inv-1')
   })
 })