validate token first

Author: lynnagara

src/sentry/web/frontend/accept_organization_invite_redirect.py

@@ -4,6 +4,7 @@
 from django.urls import reverse
 
 from sentry.api.endpoints.accept_organization_invite import get_invite_state
+from sentry.api.invite_helper import ApiInviteHelper
 from sentry.demo_mode.utils import is_demo_user
 from sentry.utils.http import query_string
 from sentry.web.frontend.react_page import GenericReactPageView
@@ -28,6 +29,10 @@ def handle(self, request: HttpRequest, member_id: int, token: str, **kwargs) ->
         if invite_context is None:
             return self.handle_react(request, **kwargs)
 
+        helper = ApiInviteHelper(request=request, token=token, invite_context=invite_context)
+        if not helper.valid_token:
+            return self.handle_react(request, **kwargs)
+
         redirect_url = reverse(
             "sentry-organization-accept-invite",
             kwargs={

tests/sentry/web/frontend/test_accept_organization_invite_redirect.py

@@ -27,6 +27,17 @@ def test_redirects_legacy_invite_to_org_scoped_route(self) -> None:
             + "?referrer=email"
         )
 
+    def test_invalid_token_does_not_leak_org_slug(self) -> None:
+        organization = self.create_organization()
+        member = self.create_member(organization=organization, email="newuser@example.com")
+
+        response = self.client.get(
+            reverse("sentry-accept-invite", args=[member.id, "invalidtoken"])
+        )
+
+        assert response.status_code == 200
+        self.assertTemplateUsed(response, "sentry/base-react.html")
+
     def test_unresolved_legacy_invite_falls_back_to_react_page(self) -> None:
         response = self.client.get(reverse("sentry-accept-invite", args=[123456, "invalidtoken"]))