Add user invite link feature for embedded IdP

management/server/account/manager.go

@@ -30,6 +30,12 @@ type Manager interface {
 		autoGroups []string, usageLimit int, userID string, ephemeral bool, allowExtraDNSLabels bool) (*types.SetupKey, error)
 	SaveSetupKey(ctx context.Context, accountID string, key *types.SetupKey, userID string) (*types.SetupKey, error)
 	CreateUser(ctx context.Context, accountID, initiatorUserID string, key *types.UserInfo) (*types.UserInfo, error)
+	CreateUserInvite(ctx context.Context, accountID, initiatorUserID string, invite *types.UserInfo, expiresIn int) (*types.UserInvite, error)
+	AcceptUserInvite(ctx context.Context, token, password string) error
+	RegenerateUserInvite(ctx context.Context, accountID, initiatorUserID, inviteID string, expiresIn int) (*types.UserInvite, error)
+	GetUserInviteInfo(ctx context.Context, token string) (*types.UserInviteInfo, error)
+	ListUserInvites(ctx context.Context, accountID, initiatorUserID string) ([]*types.UserInvite, error)
+	DeleteUserInvite(ctx context.Context, accountID, initiatorUserID, inviteID string) error
 	DeleteUser(ctx context.Context, accountID, initiatorUserID string, targetUserID string) error
 	DeleteRegularUsers(ctx context.Context, accountID, initiatorUserID string, targetUserIDs []string, userInfos map[string]*types.UserInfo) error
 	UpdateUserPassword(ctx context.Context, accountID, currentUserID, targetUserID string, oldPassword, newPassword string) error

management/server/activity/codes.go

@@ -199,6 +199,11 @@ const (
 
 	UserPasswordChanged Activity = 103
 
+	UserInviteLinkCreated     Activity = 104
+	UserInviteLinkAccepted    Activity = 105
+	UserInviteLinkRegenerated Activity = 106
+	UserInviteLinkDeleted     Activity = 107
+
 	AccountDeleted Activity = 99999
 )
 
@@ -327,6 +332,11 @@ var activityMap = map[Activity]Code{
 	JobCreatedByUser: {"Create Job for peer", "peer.job.create"},
 
 	UserPasswordChanged: {"User password changed", "user.password.change"},
+
+	UserInviteLinkCreated:     {"User invite link created", "user.invite.link.create"},
+	UserInviteLinkAccepted:    {"User invite link accepted", "user.invite.link.accept"},
+	UserInviteLinkRegenerated: {"User invite link regenerated", "user.invite.link.regenerate"},
+	UserInviteLinkDeleted:     {"User invite link deleted", "user.invite.link.delete"},
 }
 
 // StringCode returns a string code of the activity

management/server/http/handler.go

@@ -68,6 +68,13 @@ func NewAPIHandler(ctx context.Context, accountManager account.Manager, networks
 	if err := bypass.AddBypassPath("/api/setup"); err != nil {
 		return nil, fmt.Errorf("failed to add bypass path: %w", err)
 	}
+	// Public invite endpoints (tokens start with nbi_)
+	if err := bypass.AddBypassPath("/api/users/invites/nbi_*"); err != nil {
+		return nil, fmt.Errorf("failed to add bypass path: %w", err)
+	}
+	if err := bypass.AddBypassPath("/api/users/invites/nbi_*/accept"); err != nil {
+		return nil, fmt.Errorf("failed to add bypass path: %w", err)
+	}
 
 	var rateLimitingConfig *middleware.RateLimiterConfig
 	if os.Getenv(rateLimitingEnabledKey) == "true" {
@@ -132,6 +139,8 @@ func NewAPIHandler(ctx context.Context, accountManager account.Manager, networks
 	accounts.AddEndpoints(accountManager, settingsManager, embeddedIdpEnabled, router)
 	peers.AddEndpoints(accountManager, router, networkMapController)
 	users.AddEndpoints(accountManager, router)
+	users.AddInvitesEndpoints(accountManager, router)
+	users.AddPublicInvitesEndpoints(accountManager, router)
 	setup_keys.AddEndpoints(accountManager, router)
 	policies.AddEndpoints(accountManager, LocationManager, router)
 	policies.AddPostureCheckEndpoints(accountManager, LocationManager, router)
@@ -145,6 +154,7 @@ func NewAPIHandler(ctx context.Context, accountManager account.Manager, networks
 	recordsManager.RegisterEndpoints(router, rManager)
 	idp.AddEndpoints(accountManager, router)
 	instance.AddEndpoints(instanceManager, router)
+	instance.AddVersionEndpoint(instanceManager, router)
 
 	// Mount embedded IdP handler at /oauth2 path if configured
 	if embeddedIdpEnabled {

management/server/http/handlers/instance/instance_handler.go

@@ -28,6 +28,15 @@ func AddEndpoints(instanceManager nbinstance.Manager, router *mux.Router) {
 	router.HandleFunc("/setup", h.setup).Methods("POST", "OPTIONS")
 }
 
+// AddVersionEndpoint registers the authenticated version endpoint.
+func AddVersionEndpoint(instanceManager nbinstance.Manager, router *mux.Router) {
+	h := &handler{
+		instanceManager: instanceManager,
+	}
+
+	router.HandleFunc("/instance/version", h.getVersionInfo).Methods("GET", "OPTIONS")
+}
+
 // getInstanceStatus returns the instance status including whether setup is required.
 // This endpoint is unauthenticated.
 func (h *handler) getInstanceStatus(w http.ResponseWriter, r *http.Request) {
@@ -65,3 +74,29 @@ func (h *handler) setup(w http.ResponseWriter, r *http.Request) {
 		Email:  userData.Email,
 	})
 }
+
+// getVersionInfo returns version information for NetBird components.
+// This endpoint requires authentication.
+func (h *handler) getVersionInfo(w http.ResponseWriter, r *http.Request) {
+	versionInfo, err := h.instanceManager.GetVersionInfo(r.Context())
+	if err != nil {
+		log.WithContext(r.Context()).Errorf("failed to get version info: %v", err)
+		util.WriteErrorResponse("failed to get version info", http.StatusInternalServerError, w)
+		return
+	}
+
+	resp := api.InstanceVersionInfo{
+		ManagementCurrentVersion:  versionInfo.CurrentVersion,
+		ManagementUpdateAvailable: versionInfo.ManagementUpdateAvailable,
+	}
+
+	if versionInfo.DashboardVersion != "" {
+		resp.DashboardAvailableVersion = &versionInfo.DashboardVersion
+	}
+
+	if versionInfo.ManagementVersion != "" {
+		resp.ManagementAvailableVersion = &versionInfo.ManagementVersion
+	}
+
+	util.WriteJSONObject(r.Context(), w, resp)
+}

management/server/http/handlers/instance/instance_handler_test.go

@@ -25,6 +25,7 @@ type mockInstanceManager struct {
 	isSetupRequired   bool
 	isSetupRequiredFn func(ctx context.Context) (bool, error)
 	createOwnerUserFn func(ctx context.Context, email, password, name string) (*idp.UserData, error)
+	getVersionInfoFn  func(ctx context.Context) (*nbinstance.VersionInfo, error)
 }
 
 func (m *mockInstanceManager) IsSetupRequired(ctx context.Context) (bool, error) {
@@ -66,6 +67,18 @@ func (m *mockInstanceManager) CreateOwnerUser(ctx context.Context, email, passwo
 	}, nil
 }
 
+func (m *mockInstanceManager) GetVersionInfo(ctx context.Context) (*nbinstance.VersionInfo, error) {
+	if m.getVersionInfoFn != nil {
+		return m.getVersionInfoFn(ctx)
+	}
+	return &nbinstance.VersionInfo{
+		CurrentVersion:            "0.34.0",
+		DashboardVersion:          "2.0.0",
+		ManagementVersion:         "0.35.0",
+		ManagementUpdateAvailable: true,
+	}, nil
+}
+
 var _ nbinstance.Manager = (*mockInstanceManager)(nil)
 
 func setupTestRouter(manager nbinstance.Manager) *mux.Router {
@@ -279,3 +292,44 @@ func TestSetup_ManagerError(t *testing.T) {
 
 	assert.Equal(t, http.StatusInternalServerError, rec.Code)
 }
+
+func TestGetVersionInfo_Success(t *testing.T) {
+	manager := &mockInstanceManager{}
+	router := mux.NewRouter()
+	AddVersionEndpoint(manager, router)
+
+	req := httptest.NewRequest(http.MethodGet, "/instance/version", nil)
+	rec := httptest.NewRecorder()
+
+	router.ServeHTTP(rec, req)
+
+	assert.Equal(t, http.StatusOK, rec.Code)
+
+	var response api.InstanceVersionInfo
+	err := json.NewDecoder(rec.Body).Decode(&response)
+	require.NoError(t, err)
+
+	assert.Equal(t, "0.34.0", response.ManagementCurrentVersion)
+	assert.NotNil(t, response.DashboardAvailableVersion)
+	assert.Equal(t, "2.0.0", *response.DashboardAvailableVersion)
+	assert.NotNil(t, response.ManagementAvailableVersion)
+	assert.Equal(t, "0.35.0", *response.ManagementAvailableVersion)
+	assert.True(t, response.ManagementUpdateAvailable)
+}
+
+func TestGetVersionInfo_Error(t *testing.T) {
+	manager := &mockInstanceManager{
+		getVersionInfoFn: func(ctx context.Context) (*nbinstance.VersionInfo, error) {
+			return nil, errors.New("failed to fetch versions")
+		},
+	}
+	router := mux.NewRouter()
+	AddVersionEndpoint(manager, router)
+
+	req := httptest.NewRequest(http.MethodGet, "/instance/version", nil)
+	rec := httptest.NewRecorder()
+
+	router.ServeHTTP(rec, req)
+
+	assert.Equal(t, http.StatusInternalServerError, rec.Code)
+}