From 58d512d37326b9e4eebf31b442c7b009a7cbbd24 Mon Sep 17 00:00:00 2001
From: Zai Shi <zaishi00@outlook.com>
Date: Sun, 4 Aug 2024 14:16:12 -0700
Subject: [PATCH 01/10] Team invitation (#171)

* team invitation wip

* implemented handler

* team invitation callback wip

* added team invitation frontend

* fixed listCurrentUserTeamPermissions

* added team invitation email template

* fixed bugs

* fixed verification code handler

* added more checks to team invitation verification

* fixed team invitation page

* restructured verification code handler

* fixed frontend

* fixed team invitation tests

* added more team invitation test

* fixed bug

* added migration file

* removed unused code
---
 .../migration.sql                             |   5 +
 apps/backend/prisma/schema.prisma             |   2 +
 .../accept/check-code/route.tsx               |   3 +
 .../team-invitations/accept/details/route.tsx |   3 +
 .../api/v1/team-invitations/accept/route.tsx  |   3 +
 .../accept/verification-code-handler.tsx      |  99 +++++++++++++
 .../v1/team-invitations/send-code/route.tsx   |  60 ++++++++
 .../verification-code-handler.tsx             | 110 +++++++++------
 apps/dashboard/prisma/schema.prisma           |   2 +
 apps/e2e/tests/backend/backend-helpers.ts     |  40 ++++++
 .../endpoints/api/v1/team-invitations.test.ts |  80 +++++++++++
 .../api/v1/team-member-profiles.test.ts       |   4 +-
 examples/demo/src/app/teams/[teamId]/page.tsx |   2 +
 .../app/teams/[teamId]/team-invitation.tsx    |  35 +++++
 .../src/templates/team-invitation.tsx         | 131 ++++++++++++++++++
 packages/stack-emails/src/utils.tsx           |  13 ++
 .../src/interface/clientInterface.ts          |  61 ++++++++
 .../crud-deprecated/email-templates.ts        |   2 +-
 .../src/interface/crud/email-templates.ts     |   2 +-
 .../interface/crud/team-invitation-details.ts |  22 +++
 .../src/interface/serverInterface.ts          |  18 +--
 packages/stack-shared/src/schema-fields.ts    |   2 +
 .../src/components-page/forgot-password.tsx   |  57 +++++++-
 .../src/components-page/password-reset.tsx    | 121 ++++++++++++++--
 .../src/components-page/stack-handler.tsx     |  20 +--
 .../src/components-page/team-invitation.tsx   | 124 +++++++++++++++++
 .../src/components/forgot-password-form.tsx   |  55 --------
 .../src/components/password-reset-form.tsx    | 111 ---------------
 packages/stack/src/lib/stack-app.ts           |  71 +++++++++-
 29 files changed, 1011 insertions(+), 247 deletions(-)
 create mode 100644 apps/backend/prisma/migrations/20240804210316_team_invitation/migration.sql
 create mode 100644 apps/backend/src/app/api/v1/team-invitations/accept/check-code/route.tsx
 create mode 100644 apps/backend/src/app/api/v1/team-invitations/accept/details/route.tsx
 create mode 100644 apps/backend/src/app/api/v1/team-invitations/accept/route.tsx
 create mode 100644 apps/backend/src/app/api/v1/team-invitations/accept/verification-code-handler.tsx
 create mode 100644 apps/backend/src/app/api/v1/team-invitations/send-code/route.tsx
 create mode 100644 apps/e2e/tests/backend/endpoints/api/v1/team-invitations.test.ts
 create mode 100644 examples/demo/src/app/teams/[teamId]/team-invitation.tsx
 create mode 100644 packages/stack-emails/src/templates/team-invitation.tsx
 create mode 100644 packages/stack-shared/src/interface/crud/team-invitation-details.ts
 create mode 100644 packages/stack/src/components-page/team-invitation.tsx
 delete mode 100644 packages/stack/src/components/forgot-password-form.tsx
 delete mode 100644 packages/stack/src/components/password-reset-form.tsx

diff --git a/apps/backend/prisma/migrations/20240804210316_team_invitation/migration.sql b/apps/backend/prisma/migrations/20240804210316_team_invitation/migration.sql
new file mode 100644
index 0000000000..c2b503bf63
--- /dev/null
+++ b/apps/backend/prisma/migrations/20240804210316_team_invitation/migration.sql
@@ -0,0 +1,5 @@
+-- AlterEnum
+ALTER TYPE "EmailTemplateType" ADD VALUE 'TEAM_INVITATION';
+
+-- AlterEnum
+ALTER TYPE "VerificationCodeType" ADD VALUE 'TEAM_INVITATION';
diff --git a/apps/backend/prisma/schema.prisma b/apps/backend/prisma/schema.prisma
index 7e66f2fb1b..0be678afd0 100644
--- a/apps/backend/prisma/schema.prisma
+++ b/apps/backend/prisma/schema.prisma
@@ -370,6 +370,7 @@ enum VerificationCodeType {
   ONE_TIME_PASSWORD
   PASSWORD_RESET
   CONTACT_CHANNEL_VERIFICATION
+  TEAM_INVITATION
 }
 
 // @deprecated
@@ -463,6 +464,7 @@ enum EmailTemplateType {
   EMAIL_VERIFICATION
   PASSWORD_RESET
   MAGIC_LINK
+  TEAM_INVITATION
 }
 
 model EmailTemplate {
diff --git a/apps/backend/src/app/api/v1/team-invitations/accept/check-code/route.tsx b/apps/backend/src/app/api/v1/team-invitations/accept/check-code/route.tsx
new file mode 100644
index 0000000000..54f90fa985
--- /dev/null
+++ b/apps/backend/src/app/api/v1/team-invitations/accept/check-code/route.tsx
@@ -0,0 +1,3 @@
+import { teamInvitationCodeHandler } from "../verification-code-handler";
+
+export const POST = teamInvitationCodeHandler.checkHandler;
diff --git a/apps/backend/src/app/api/v1/team-invitations/accept/details/route.tsx b/apps/backend/src/app/api/v1/team-invitations/accept/details/route.tsx
new file mode 100644
index 0000000000..2262707919
--- /dev/null
+++ b/apps/backend/src/app/api/v1/team-invitations/accept/details/route.tsx
@@ -0,0 +1,3 @@
+import { teamInvitationCodeHandler } from "../verification-code-handler";
+
+export const POST = teamInvitationCodeHandler.detailsHandler;
diff --git a/apps/backend/src/app/api/v1/team-invitations/accept/route.tsx b/apps/backend/src/app/api/v1/team-invitations/accept/route.tsx
new file mode 100644
index 0000000000..aa305d0179
--- /dev/null
+++ b/apps/backend/src/app/api/v1/team-invitations/accept/route.tsx
@@ -0,0 +1,3 @@
+import { teamInvitationCodeHandler } from "./verification-code-handler";
+
+export const POST = teamInvitationCodeHandler.postHandler;
diff --git a/apps/backend/src/app/api/v1/team-invitations/accept/verification-code-handler.tsx b/apps/backend/src/app/api/v1/team-invitations/accept/verification-code-handler.tsx
new file mode 100644
index 0000000000..b888adff2c
--- /dev/null
+++ b/apps/backend/src/app/api/v1/team-invitations/accept/verification-code-handler.tsx
@@ -0,0 +1,99 @@
+import { teamMembershipsCrudHandlers } from "@/app/api/v1/team-memberships/crud";
+import { sendEmailFromTemplate } from "@/lib/emails";
+import { prismaClient } from "@/prisma-client";
+import { createVerificationCodeHandler } from "@/route-handlers/verification-code-handler";
+import { VerificationCodeType } from "@prisma/client";
+import { UsersCrud } from "@stackframe/stack-shared/dist/interface/crud/users";
+import { yupNumber, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
+import { teamsCrudHandlers } from "../../teams/crud";
+
+export const teamInvitationCodeHandler = createVerificationCodeHandler({
+  metadata: {
+    post: {
+      summary: "Invite a user to a team",
+      description: "Send an email to a user to invite them to a team",
+      tags: ["Teams"],
+    },
+    check: {
+      summary: "Check if a team invitation code is valid",
+      description: "Check if a team invitation code is valid without using it",
+      tags: ["Teams"],
+    },
+  },
+  userRequired: true,
+  type: VerificationCodeType.TEAM_INVITATION,
+  data: yupObject({
+    team_id: yupString().required(),
+  }).required(),
+  response: yupObject({
+    statusCode: yupNumber().oneOf([200]).required(),
+    bodyType: yupString().oneOf(["json"]).required(),
+    body: yupObject({}).required(),
+  }),
+  detailsResponse: yupObject({
+    statusCode: yupNumber().oneOf([200]).required(),
+    bodyType: yupString().oneOf(["json"]).required(),
+    body: yupObject({
+      team_id: yupString().required(),
+      team_display_name: yupString().required(),
+    }).required(),
+  }),
+  async send(codeObj, createOptions, sendOptions: { user: UsersCrud["Admin"]["Read"] }) {
+    const team = await teamsCrudHandlers.adminRead({
+      project: createOptions.project,
+      team_id: createOptions.data.team_id,
+    });
+
+    await sendEmailFromTemplate({
+      project: createOptions.project,
+      user: sendOptions.user,
+      email: createOptions.method.email,
+      templateType: "team_invitation",
+      extraVariables: {
+        teamInvitationLink: codeObj.link.toString(),
+        teamDisplayName: team.display_name,
+      },
+    });
+  },
+  async handler(project, {}, data, body, user) {
+    const oldMembership = await prismaClient.teamMember.findUnique({
+      where: {
+        projectId_projectUserId_teamId: {
+          projectId: project.id,
+          projectUserId: user.id,
+          teamId: data.team_id,
+        },
+      },
+    });
+
+    if (!oldMembership) {
+      await teamMembershipsCrudHandlers.adminCreate({
+        project,
+        team_id: data.team_id,
+        user_id: user.id,
+        data: {},
+      });
+    }
+
+    return {
+      statusCode: 200,
+      bodyType: "json",
+      body: {}
+    };
+  },
+  async details(project, {}, data, body, user) {
+    const team = await teamsCrudHandlers.adminRead({
+      project,
+      team_id: data.team_id,
+    });
+
+    return {
+      statusCode: 200,
+      bodyType: "json",
+      body: {
+        team_id: team.id,
+        team_display_name: team.display_name,
+      },
+    };
+  }
+});
diff --git a/apps/backend/src/app/api/v1/team-invitations/send-code/route.tsx b/apps/backend/src/app/api/v1/team-invitations/send-code/route.tsx
new file mode 100644
index 0000000000..b5a3d2f8df
--- /dev/null
+++ b/apps/backend/src/app/api/v1/team-invitations/send-code/route.tsx
@@ -0,0 +1,60 @@
+import { ensureUserHasTeamPermission } from "@/lib/request-checks";
+import { prismaClient } from "@/prisma-client";
+import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
+import { adaptSchema, clientOrHigherAuthTypeSchema, teamIdSchema, teamInvitationCallbackUrlSchema, teamInvitationEmailSchema, yupNumber, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
+import { teamInvitationCodeHandler } from "../accept/verification-code-handler";
+import { listUserTeamPermissions } from "@/lib/permissions";
+
+export const POST = createSmartRouteHandler({
+  metadata: {
+    summary: "Send an email to invite a user to a team",
+    description: "The user receiving this email can join the team by clicking on the link in the email. If the user does not have an account yet, they will be prompted to create one.",
+    tags: ["Emails"],
+  },
+  request: yupObject({
+    auth: yupObject({
+      type: clientOrHigherAuthTypeSchema,
+      project: adaptSchema.required(),
+      user: adaptSchema.required(),
+    }).required(),
+    body: yupObject({
+      team_id: teamIdSchema.required(),
+      email: teamInvitationEmailSchema.required(),
+      callback_url: teamInvitationCallbackUrlSchema.required(),
+    }).required(),
+  }),
+  response: yupObject({
+    statusCode: yupNumber().oneOf([200]).required(),
+    bodyType: yupString().oneOf(["success"]).required(),
+  }),
+  async handler({ auth, body }) {
+    await prismaClient.$transaction(async (tx) => {
+      if (auth.type === "client") {
+        await ensureUserHasTeamPermission(tx, {
+          project: auth.project,
+          userId: auth.user.id,
+          teamId: body.team_id,
+          permissionId: "$invite_members"
+        });
+      }
+    });
+
+    await teamInvitationCodeHandler.sendCode({
+      project: auth.project,
+      data: {
+        team_id: body.team_id,
+      },
+      method: {
+        email: body.email,
+      },
+      callbackUrl: body.callback_url,
+    }, {
+      user: auth.user,
+    });
+
+    return {
+      statusCode: 200,
+      bodyType: "success",
+    };
+  },
+});
diff --git a/apps/backend/src/route-handlers/verification-code-handler.tsx b/apps/backend/src/route-handlers/verification-code-handler.tsx
index 0c1c4dec80..1bda01d73c 100644
--- a/apps/backend/src/route-handlers/verification-code-handler.tsx
+++ b/apps/backend/src/route-handlers/verification-code-handler.tsx
@@ -3,7 +3,7 @@ import { SmartRouteHandler, SmartRouteHandlerOverloadMetadata, createSmartRouteH
 import { SmartResponse } from "./smart-response";
 import { KnownErrors } from "@stackframe/stack-shared";
 import { prismaClient } from "@/prisma-client";
-import { StackAssertionError } from "@stackframe/stack-shared/dist/utils/errors";
+import { StackAssertionError, throwErr } from "@stackframe/stack-shared/dist/utils/errors";
 import { validateRedirectUrl } from "@/lib/redirect-urls";
 import { generateSecureRandomString } from "@stackframe/stack-shared/dist/utils/crypto";
 import { adaptSchema, yupBoolean, yupNumber, yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
@@ -11,6 +11,7 @@ import { VerificationCodeType } from "@prisma/client";
 import { SmartRequest } from "./smart-request";
 import { DeepPartial } from "@stackframe/stack-shared/dist/utils/objects";
 import { ProjectsCrud } from "@stackframe/stack-shared/dist/interface/crud/projects";
+import { UsersCrud } from "@stackframe/stack-shared/dist/interface/crud/users";
 
 type Method = {
   email: string,
@@ -30,11 +31,12 @@ type CodeObject = {
   expiresAt: Date,
 };
 
-type VerificationCodeHandler<Data, SendCodeExtraOptions extends {}> = {
+type VerificationCodeHandler<Data, SendCodeExtraOptions extends {}, HasDetails extends boolean> = {
   createCode<CallbackUrl extends string | URL>(options: CreateCodeOptions<Data, CallbackUrl>): Promise<CodeObject>,
   sendCode(options: CreateCodeOptions<Data>, sendOptions: SendCodeExtraOptions): Promise<void>,
   postHandler: SmartRouteHandler<any, any, any>,
   checkHandler: SmartRouteHandler<any, any, any>,
+  detailsHandler: HasDetails extends true ? SmartRouteHandler<any, any, any> : undefined,
 };
 
 /**
@@ -44,42 +46,65 @@ export function createVerificationCodeHandler<
   Data,
   RequestBody extends {} & DeepPartial<SmartRequest["body"]>,
   Response extends SmartResponse,
+  DetailsResponse extends SmartResponse | undefined,
+  UserRequired extends boolean,
   SendCodeExtraOptions extends {},
 >(options: {
   metadata?: {
     post?: SmartRouteHandlerOverloadMetadata,
     check?: SmartRouteHandlerOverloadMetadata,
+    details?: SmartRouteHandlerOverloadMetadata,
   },
   type: VerificationCodeType,
   data: yup.Schema<Data>,
   requestBody?: yup.ObjectSchema<RequestBody>,
+  userRequired?: UserRequired,
+  detailsResponse?: yup.Schema<DetailsResponse>,
   response: yup.Schema<Response>,
-  send: (
+  send(
     codeObject: CodeObject,
     createOptions: CreateCodeOptions<Data>,
     sendOptions: SendCodeExtraOptions,
-  ) => Promise<void>,
-  handler(project: ProjectsCrud["Admin"]["Read"], method: Method, data: Data, body: RequestBody): Promise<Response>,
-}): VerificationCodeHandler<Data, SendCodeExtraOptions> {
-  const createHandler = (verifyOnly: boolean) => createSmartRouteHandler({
-    metadata: verifyOnly ? options.metadata?.check : options.metadata?.post,
+  ): Promise<void>,
+  handler(
+    project: ProjectsCrud["Admin"]["Read"],
+    method: Method,
+    data: Data,
+    body: RequestBody,
+    user: UserRequired extends true ? UsersCrud["Admin"]["Read"] : undefined
+  ): Promise<Response>,
+  details?: DetailsResponse extends SmartResponse ? ((
+    project: ProjectsCrud["Admin"]["Read"],
+    method: Method,
+    data: Data,
+    body: RequestBody,
+    user: UserRequired extends true ? UsersCrud["Admin"]["Read"] : undefined
+  ) => Promise<DetailsResponse>) : undefined,
+}): VerificationCodeHandler<Data, SendCodeExtraOptions, DetailsResponse extends SmartResponse ? true : false> {
+  const createHandler = (type: 'post' | 'check' | 'details') => createSmartRouteHandler({
+    metadata: options.metadata?.[type],
     request: yupObject({
       auth: yupObject({
         project: adaptSchema.required(),
+        user: options.userRequired ? adaptSchema.required() : adaptSchema,
       }).required(),
       body: yupObject({
         code: yupString().required(),
       // we cast to undefined as a typehack because the types are a bit icky
       // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
-      }).concat((verifyOnly ? undefined : options.requestBody) as undefined ?? yupObject({})).required(),
+      }).concat((type === 'post' ? options.requestBody : undefined) as undefined ?? yupObject({})).required(),
     }),
-    response: verifyOnly ? yupObject({
-      statusCode: yupNumber().oneOf([200]).required(),
-      bodyType: yupString().oneOf(["json"]).required(),
-      body: yupObject({
-        "is_code_valid": yupBoolean().oneOf([true]).required(),
-      }).required(),
-    }).required() as yup.ObjectSchema<any> : options.response,
+    response: type === 'check' ?
+      yupObject({
+        statusCode: yupNumber().oneOf([200]).required(),
+        bodyType: yupString().oneOf(["json"]).required(),
+        body: yupObject({
+          "is_code_valid": yupBoolean().oneOf([true]).required(),
+        }).required(),
+      }).required() as yup.ObjectSchema<any> :
+      type === 'details' ?
+        options.detailsResponse || throwErr('detailsResponse is required') :
+        options.response,
     async handler({ body: { code, ...requestBody }, auth }) {
       const verificationCode = await prismaClient.verificationCode.findUnique({
         where: {
@@ -98,28 +123,34 @@ export function createVerificationCodeHandler<
         strict: true,
       });
 
-      if (verifyOnly) {
-        return {
-          statusCode: 200,
-          bodyType: "json",
-          body: {
-            is_code_valid: true,
-          },
-        };
-      } else {
-        await prismaClient.verificationCode.update({
-          where: {
-            projectId_code: {
-              projectId: auth.project.id,
-              code,
+      switch (type) {
+        case 'post': {
+          await prismaClient.verificationCode.update({
+            where: {
+              projectId_code: {
+                projectId: auth.project.id,
+                code,
+              },
             },
-          },
-          data: {
-            usedAt: new Date(),
-          },
-        });
+            data: {
+              usedAt: new Date(),
+            },
+          });
 
-        return await options.handler(auth.project, { email: verificationCode.email }, validatedData as any, requestBody as any);
+          return await options.handler(auth.project, { email: verificationCode.email }, validatedData as any, requestBody as any, auth.user as any);
+        }
+        case 'check': {
+          return {
+            statusCode: 200,
+            bodyType: "json",
+            body: {
+              is_code_valid: true,
+            },
+          };
+        }
+        case 'details': {
+          return await options.details?.(auth.project, { email: verificationCode.email }, validatedData as any, requestBody as any, auth.user as any) as any;
+        }
       }
     },
   });
@@ -166,7 +197,8 @@ export function createVerificationCodeHandler<
       const codeObj = await this.createCode(createOptions);
       await options.send(codeObj, createOptions, sendOptions);
     },
-    postHandler: createHandler(false),
-    checkHandler: createHandler(true),
+    postHandler: createHandler('post'),
+    checkHandler: createHandler('check'),
+    detailsHandler: (options.detailsResponse ? createHandler('details') : undefined) as any,
   };
-}
+}
\ No newline at end of file
diff --git a/apps/dashboard/prisma/schema.prisma b/apps/dashboard/prisma/schema.prisma
index 7e66f2fb1b..0be678afd0 100644
--- a/apps/dashboard/prisma/schema.prisma
+++ b/apps/dashboard/prisma/schema.prisma
@@ -370,6 +370,7 @@ enum VerificationCodeType {
   ONE_TIME_PASSWORD
   PASSWORD_RESET
   CONTACT_CHANNEL_VERIFICATION
+  TEAM_INVITATION
 }
 
 // @deprecated
@@ -463,6 +464,7 @@ enum EmailTemplateType {
   EMAIL_VERIFICATION
   PASSWORD_RESET
   MAGIC_LINK
+  TEAM_INVITATION
 }
 
 model EmailTemplate {
diff --git a/apps/e2e/tests/backend/backend-helpers.ts b/apps/e2e/tests/backend/backend-helpers.ts
index d58946a824..776abb2bc1 100644
--- a/apps/e2e/tests/backend/backend-helpers.ts
+++ b/apps/e2e/tests/backend/backend-helpers.ts
@@ -607,4 +607,44 @@ export namespace Team {
       teamId: response.body.id,
     };
   }
+
+  export async function sendInvitation(receiveMailbox: Mailbox, teamId: string) {
+    const response = await niceBackendFetch("/api/v1/team-invitations/send-code", {
+      method: "POST",
+      accessType: "client",
+      body: {
+        email: receiveMailbox.emailAddress,
+        team_id: teamId,
+        callback_url: "http://localhost:12345/some-callback-url",
+      },
+    });
+
+    return {
+      sendTeamInvitationResponse: response,
+    };
+  }
+
+  export async function acceptInvitation() {
+    const mailbox = backendContext.value.mailbox;
+    const messages = await mailbox.fetchMessages();
+    const message = messages.findLast((message) => message.subject.includes("join")) ?? throwErr("Team invitation message not found");
+    const code = message.body?.text.match(/http:\/\/localhost:12345\/some-callback-url\?code=([a-zA-Z0-9]+)/)?.[1] ?? throwErr("Team invitation code not found");
+    const response = await niceBackendFetch("/api/v1/team-invitations/accept", {
+      method: "POST",
+      accessType: "client",
+      body: {
+        code,
+      },
+    });
+    expect(response).toMatchInlineSnapshot(`
+      NiceResponse {
+        "status": 200,
+        "body": {},
+        "headers": Headers { <some fields may have been hidden> },
+      }
+    `);
+    return {
+      acceptTeamInvitationResponse: response,
+    };
+  }
 }
diff --git a/apps/e2e/tests/backend/endpoints/api/v1/team-invitations.test.ts b/apps/e2e/tests/backend/endpoints/api/v1/team-invitations.test.ts
new file mode 100644
index 0000000000..2ef4547ca0
--- /dev/null
+++ b/apps/e2e/tests/backend/endpoints/api/v1/team-invitations.test.ts
@@ -0,0 +1,80 @@
+import { createMailbox, it } from "../../../../helpers";
+import { Auth, Team, backendContext, niceBackendFetch } from "../../../backend-helpers";
+
+it("is not allowed to send invitation without permission", async ({ expect }) => {
+  const { userId: userId1 } = await Auth.Otp.signIn();
+  const { teamId } = await Team.create();
+
+  const receiveMailbox = createMailbox();
+  const { sendTeamInvitationResponse } = await Team.sendInvitation(receiveMailbox, teamId);
+
+  expect(sendTeamInvitationResponse).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 401,
+      "body": {
+        "code": "TEAM_PERMISSION_REQUIRED",
+        "details": {
+          "permission_id": "$invite_members",
+          "team_id": "<stripped UUID>",
+          "user_id": "<stripped UUID>",
+        },
+        "error": "User <stripped UUID> does not have permission $invite_members in team <stripped UUID>.",
+      },
+      "headers": Headers {
+        "x-stack-known-error": "TEAM_PERMISSION_REQUIRED",
+        <some fields may have been hidden>,
+      },
+    }
+  `);
+});
+
+it("invites a user to a team", async ({ expect }) => {
+  const { userId: userId1 } = await Auth.Otp.signIn();
+  const { teamId } = await Team.create();
+
+  const receiveMailbox = createMailbox();
+
+  await niceBackendFetch(`/api/v1/team-permissions/${teamId}/${userId1}/$invite_members`, {
+    accessType: "server",
+    method: "POST",
+    body: {},
+  });
+
+
+  const { sendTeamInvitationResponse } = await Team.sendInvitation(receiveMailbox, teamId);
+
+  expect(sendTeamInvitationResponse).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 200,
+      "body": { "success": true },
+      "headers": Headers { <some fields may have been hidden> },
+    }
+  `);
+
+  backendContext.set({ mailbox: receiveMailbox });
+  await Auth.Otp.signIn();
+
+  await Team.acceptInvitation();
+
+  const response = await niceBackendFetch(`/api/v1/teams?user_id=me`, {
+    accessType: "server",
+    method: "GET",
+  });
+  expect(response).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 200,
+      "body": {
+        "is_paginated": false,
+        "items": [
+          {
+            "created_at_millis": <stripped field 'created_at_millis'>,
+            "display_name": "New Team",
+            "id": "<stripped UUID>",
+            "profile_image_url": null,
+          },
+        ],
+      },
+      "headers": Headers { <some fields may have been hidden> },
+    }
+  `);
+});
\ No newline at end of file
diff --git a/apps/e2e/tests/backend/endpoints/api/v1/team-member-profiles.test.ts b/apps/e2e/tests/backend/endpoints/api/v1/team-member-profiles.test.ts
index 3d136a6981..f5bfad9984 100644
--- a/apps/e2e/tests/backend/endpoints/api/v1/team-member-profiles.test.ts
+++ b/apps/e2e/tests/backend/endpoints/api/v1/team-member-profiles.test.ts
@@ -3,11 +3,11 @@ import { Auth, Team, backendContext, niceBackendFetch } from "../../../backend-h
 
 async function signInAndCreateTeam() {
   const { userId: userId1 } = await Auth.Otp.signIn();
-  backendContext.set({ mailbox: createMailbox() });
 
-  const { userId: userId2 } = await Auth.Otp.signIn();
   backendContext.set({ mailbox: createMailbox() });
+  const { userId: userId2 } = await Auth.Otp.signIn();
 
+  backendContext.set({ mailbox: createMailbox() });
   const { userId: userId3 } = await Auth.Otp.signIn();
 
   // update names of users
diff --git a/examples/demo/src/app/teams/[teamId]/page.tsx b/examples/demo/src/app/teams/[teamId]/page.tsx
index 8004f3381a..21b2ad2c5e 100644
--- a/examples/demo/src/app/teams/[teamId]/page.tsx
+++ b/examples/demo/src/app/teams/[teamId]/page.tsx
@@ -3,6 +3,7 @@ import Image from 'next/image';
 import { stackServerApp } from "src/stack";
 import TeamActions from "./team-actions";
 import { ProfileImageUpload } from "./profile-image-upload";
+import TeamInvitation from "./team-invitation";
 
 export default async function Page({ params }: { params: { teamId: string } }) {
   const team = await stackServerApp.getTeam(params.teamId);
@@ -56,5 +57,6 @@ export default async function Page({ params }: { params: { teamId: string } }) {
     <div className="mb-10"></div>
 
     <TeamActions teamId={team.id} />
+    <TeamInvitation teamId={team.id} />
   </div>;
 }
diff --git a/examples/demo/src/app/teams/[teamId]/team-invitation.tsx b/examples/demo/src/app/teams/[teamId]/team-invitation.tsx
new file mode 100644
index 0000000000..cd8741c9d6
--- /dev/null
+++ b/examples/demo/src/app/teams/[teamId]/team-invitation.tsx
@@ -0,0 +1,35 @@
+'use client';
+
+import { useStackApp, useUser } from "@stackframe/stack";
+import { Button, Input } from "@stackframe/stack-ui";
+import React from 'react';
+
+export default function TeamInvitation(props: { teamId: string }) {
+  const app = useStackApp();
+  const user = useUser({ or: 'redirect' });
+  const team = user.useTeam(props.teamId);
+  const [email, setEmail] = React.useState('');
+
+  if (!team) {
+    return null;
+  }
+
+  const permission = user.usePermission(team, '$invite_members');
+
+  if (!permission) {
+    return "You don't have permission to invite members";
+  }
+
+  return (
+    <div>
+      <Input value={email} onChange={e => setEmail(e.target.value)} />
+      <Button
+        onClick={async () => {
+          await team.inviteUser({ email });
+        }}
+      >
+        {'Invite'}
+      </Button>
+    </div>
+  );
+}
\ No newline at end of file
diff --git a/packages/stack-emails/src/templates/team-invitation.tsx b/packages/stack-emails/src/templates/team-invitation.tsx
new file mode 100644
index 0000000000..c8b374a030
--- /dev/null
+++ b/packages/stack-emails/src/templates/team-invitation.tsx
@@ -0,0 +1,131 @@
+import { TEditorConfiguration } from "@stackframe/stack-emails/dist/editor/documents/editor/core";
+
+export const teamInvitationTemplate: TEditorConfiguration = {
+  "root": {
+    "data": {
+      "textColor": "#242424",
+      "fontFamily": "MODERN_SANS",
+      "canvasColor": "#FFFFFF",
+      "childrenIds": [
+        "block_BjpQ7DGTtvaEuYRMd7VE7w",
+        "block_xyg4GWmgGbJJEDRQc76bC",
+        "block_76VptLCZ47t3EkAarUufEJ",
+        "block_Gtk3kDYwsJqEmQf2XGWPRc",
+        "block_LACDCzUS2bsvEbmnq1KHuW"
+      ],
+      "backdropColor": "#F2F5F7"
+    },
+    "type": "EmailLayout"
+  },
+  "block_xyg4GWmgGbJJEDRQc76bC": {
+    "type": "Text",
+    "data": {
+      "style": {
+        "color": "#474849",
+        "backgroundColor": null,
+        "fontSize": 14,
+        "fontFamily": null,
+        "fontWeight": "normal",
+        "textAlign": "left",
+        "padding": {
+          "top": 8,
+          "bottom": 16,
+          "right": 24,
+          "left": 24
+        }
+      },
+      "props": {
+        "text": "Hi{{#if userDisplayName}}, {{ userDisplayName }}{{/if}}! Please click on the following button to join the team {{ teamDisplayName }}\n"
+      }
+    }
+  },
+  "block_76VptLCZ47t3EkAarUufEJ": {
+    "type": "Button",
+    "data": {
+      "style": {
+        "backgroundColor": null,
+        "fontSize": 14,
+        "fontFamily": null,
+        "fontWeight": "bold",
+        "textAlign": "left",
+        "padding": {
+          "top": 12,
+          "bottom": 12,
+          "right": 24,
+          "left": 24
+        }
+      },
+      "props": {
+        "buttonBackgroundColor": "#000000",
+        "buttonStyle": "rounded",
+        "buttonTextColor": "#FFFFFF",
+        "fullWidth": false,
+        "size": "medium",
+        "text": "Join team",
+        "url": "{{ teamInvitationLink }}"
+      }
+    }
+  },
+  "block_BjpQ7DGTtvaEuYRMd7VE7w": {
+    "type": "Heading",
+    "data": {
+      "props": {
+        "text": "You are invited to {{ teamDisplayName }}",
+        "level": "h3"
+      },
+      "style": {
+        "color": "#000000",
+        "backgroundColor": null,
+        "fontFamily": null,
+        "fontWeight": "bold",
+        "textAlign": "left",
+        "padding": {
+          "top": 32,
+          "bottom": 0,
+          "right": 24,
+          "left": 24
+        }
+      }
+    }
+  },
+  "block_Gtk3kDYwsJqEmQf2XGWPRc": {
+    "data": {
+      "props": {
+        "lineColor": "#EEEEEE",
+        "lineHeight": 1
+      },
+      "style": {
+        "padding": {
+          "top": 16,
+          "left": 24,
+          "right": 24,
+          "bottom": 16
+        },
+        "backgroundColor": null
+      }
+    },
+    "type": "Divider"
+  },
+  "block_LACDCzUS2bsvEbmnq1KHuW": {
+    "data": {
+      "props": {
+        "text": "If you were not expecting this email, you can safely ignore it."
+      },
+      "style": {
+        "color": "#474849",
+        "padding": {
+          "top": 4,
+          "left": 24,
+          "right": 24,
+          "bottom": 24
+        },
+        "fontSize": 12,
+        "textAlign": "left",
+        "fontFamily": null,
+        "fontWeight": "normal",
+        "backgroundColor": null
+      }
+    },
+    "type": "Text"
+  }
+};
\ No newline at end of file
diff --git a/packages/stack-emails/src/utils.tsx b/packages/stack-emails/src/utils.tsx
index f2efb09c4d..677c1ec341 100644
--- a/packages/stack-emails/src/utils.tsx
+++ b/packages/stack-emails/src/utils.tsx
@@ -10,6 +10,7 @@ import * as Handlebars from 'handlebars/dist/handlebars.js';
 import _ from 'lodash';
 import { type ClassValue, clsx } from "clsx";
 import { twMerge } from "tailwind-merge";
+import { teamInvitationTemplate } from "./templates/team-invitation";
 
 
 // TODO remove this one
@@ -76,6 +77,18 @@ export const EMAIL_TEMPLATES_METADATA = {
       { name: 'magicLink', label: 'Magic Link', defined: true, example: '<magic link>' },
     ],
   } satisfies EmailTemplateMetadata,
+  'team_invitation': {
+    label: "Team Invitation",
+    description: "Will be sent to the user when they are invited to a team",
+    defaultContent: teamInvitationTemplate,
+    defaultSubject: "You have been invited to join {{ teamDisplayName }}",
+    variables: [
+      ...userVars,
+      ...projectVars,
+      { name: 'teamDisplayName', label: 'Team Display Name', defined: true, example: 'My Team' },
+      { name: 'teamInvitationLink', label: 'Team Invitation Link', defined: true, example: '<team invitation link>' },
+    ],
+  } satisfies EmailTemplateMetadata,
 } as const;
 
 export function validateEmailTemplateContent(content: any): content is TEditorConfiguration {
diff --git a/packages/stack-shared/src/interface/clientInterface.ts b/packages/stack-shared/src/interface/clientInterface.ts
index 3af0da00d7..5c1f4c78b8 100644
--- a/packages/stack-shared/src/interface/clientInterface.ts
+++ b/packages/stack-shared/src/interface/clientInterface.ts
@@ -535,6 +535,67 @@ export class StackClientInterface {
     }
   }
 
+  async sendTeamInvitation(options: {
+    email: string,
+    teamId: string,
+    callbackUrl: string,
+    session: InternalSession | null,
+  }): Promise<Result<undefined, KnownErrors["TeamPermissionRequired"]>> {
+    const res = await this.sendClientRequestAndCatchKnownError(
+      "/team-invitations/send-code",
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({
+          email: options.email,
+          team_id: options.teamId,
+          callback_url: options.callbackUrl,
+        }),
+      },
+      options.session,
+      [KnownErrors.TeamPermissionRequired]
+    );
+
+    if (res.status === "error") {
+      return Result.error(res.error);
+    } else {
+      return Result.ok(undefined);
+    }
+  }
+
+  async acceptTeamInvitation<T extends 'use' | 'details' | 'check'>(options: {
+    code: string,
+    session: InternalSession,
+    type: T,
+  }): Promise<Result<T extends 'details' ? { team_display_name: string } : undefined, KnownErrors["VerificationCodeError"]>> {
+    const res = await this.sendClientRequestAndCatchKnownError(
+      options.type === 'check' ?
+        "/team-invitations/accept/check-code" :
+        options.type === 'details' ?
+          "/team-invitations/accept/details" :
+          "/team-invitations/accept",
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({
+          code: options.code,
+        }),
+      },
+      options.session,
+      [KnownErrors.VerificationCodeError]
+    );
+
+    if (res.status === "error") {
+      return Result.error(res.error);
+    } else {
+      return Result.ok(await res.data.json());
+    }
+  }
+
   async signInWithCredential(
     email: string,
     password: string,
diff --git a/packages/stack-shared/src/interface/crud-deprecated/email-templates.ts b/packages/stack-shared/src/interface/crud-deprecated/email-templates.ts
index 3ab344a5bb..9cbe983b61 100644
--- a/packages/stack-shared/src/interface/crud-deprecated/email-templates.ts
+++ b/packages/stack-shared/src/interface/crud-deprecated/email-templates.ts
@@ -2,7 +2,7 @@ import { CrudTypeOf, createCrud } from "../../crud";
 import { jsonSchema, yupMixed, yupObject, yupString } from "../../schema-fields";
 
 export type EmailTemplateType = typeof emailTemplateTypes[number];
-export const emailTemplateTypes = ['EMAIL_VERIFICATION', 'PASSWORD_RESET', 'MAGIC_LINK'] as const;
+export const emailTemplateTypes = ['EMAIL_VERIFICATION', 'PASSWORD_RESET', 'MAGIC_LINK', 'TEAM_INVITATION'] as const;
 
 export const emailTemplateServerReadSchema = yupObject({
   type: yupString().oneOf(emailTemplateTypes).required(),
diff --git a/packages/stack-shared/src/interface/crud/email-templates.ts b/packages/stack-shared/src/interface/crud/email-templates.ts
index cff718dc11..d8d070486c 100644
--- a/packages/stack-shared/src/interface/crud/email-templates.ts
+++ b/packages/stack-shared/src/interface/crud/email-templates.ts
@@ -2,7 +2,7 @@ import { CrudTypeOf, createCrud } from "../../crud";
 import { jsonSchema, yupBoolean, yupMixed, yupObject, yupString } from "../../schema-fields";
 
 export type EmailTemplateType = typeof emailTemplateTypes[number];
-export const emailTemplateTypes = ['email_verification', 'password_reset', 'magic_link'] as const;
+export const emailTemplateTypes = ['email_verification', 'password_reset', 'magic_link', 'team_invitation'] as const;
 
 export const emailTemplateAdminReadSchema = yupObject({
   type: yupString().oneOf(emailTemplateTypes).required(),
diff --git a/packages/stack-shared/src/interface/crud/team-invitation-details.ts b/packages/stack-shared/src/interface/crud/team-invitation-details.ts
new file mode 100644
index 0000000000..a7e384ea0e
--- /dev/null
+++ b/packages/stack-shared/src/interface/crud/team-invitation-details.ts
@@ -0,0 +1,22 @@
+import { CrudTypeOf, createCrud } from "../../crud";
+import * as schemaFields from "../../schema-fields";
+import { yupObject } from "../../schema-fields";
+
+
+export const teamInvitationDetailsClientReadSchema = yupObject({
+  team_id: schemaFields.teamIdSchema.required(),
+  team_display_name: schemaFields.teamDisplayNameSchema.required(),
+}).required();
+
+export const teamInvitationDetailsCrud = createCrud({
+  clientReadSchema: teamInvitationDetailsClientReadSchema,
+  docs: {
+    clientRead: {
+      summary: "Get the team details with invitation code",
+      description: "",
+      tags: ["Teams"],
+    },
+  },
+});
+
+export type TeamInvitationDetailsCrud = CrudTypeOf<typeof teamInvitationDetailsCrud>;
\ No newline at end of file
diff --git a/packages/stack-shared/src/interface/serverInterface.ts b/packages/stack-shared/src/interface/serverInterface.ts
index b41ac717d1..5fd86eb499 100644
--- a/packages/stack-shared/src/interface/serverInterface.ts
+++ b/packages/stack-shared/src/interface/serverInterface.ts
@@ -109,7 +109,7 @@ export class StackServerInterface extends StackClientInterface {
       teamId?: string,
       recursive: boolean,
     },
-    session: InternalSession
+    session: InternalSession | null,
   ): Promise<TeamPermissionsCrud['Server']['Read'][]> {
     const response = await this.sendServerRequest(
       "/team-permissions?" + new URLSearchParams(filterUndefined({
@@ -280,22 +280,6 @@ export class StackServerInterface extends StackClientInterface {
     };
   }
 
-  async listServerTeamMemberPermissions(
-    options: {
-      teamId: string,
-      userId: string,
-      recursive: boolean,
-    }
-  ): Promise<TeamPermissionsCrud['Server']['Read'][]> {
-    const response = await this.sendServerRequest(
-      `/team-permissions?team_id=${options.teamId}&user_id=${options.userId}&recursive=${options.recursive}`,
-      {},
-      null
-    );
-    const result = await response.json() as TeamPermissionsCrud['Server']['List'];
-    return result.items;
-  }
-
   async grantServerTeamUserPermission(teamId: string, userId: string, permissionId: string) {
     await this.sendServerRequest(
       `/team-permissions/${teamId}/${userId}/${permissionId}`,
diff --git a/packages/stack-shared/src/schema-fields.ts b/packages/stack-shared/src/schema-fields.ts
index 56c05cc1fb..1523f3ba99 100644
--- a/packages/stack-shared/src/schema-fields.ts
+++ b/packages/stack-shared/src/schema-fields.ts
@@ -239,6 +239,8 @@ export const teamProfileImageUrlSchema = yupString().meta({ openapiField: { desc
 export const teamClientMetadataSchema = jsonSchema.meta({ openapiField: { description: _clientMetaDataDescription('team'), exampleValue: { key: 'value' } } });
 export const teamServerMetadataSchema = jsonSchema.meta({ openapiField: { description: _serverMetaDataDescription('team'), exampleValue: { key: 'value' } } });
 export const teamCreatedAtMillisSchema = yupNumber().meta({ openapiField: { description: _createdAtMillisDescription('team'), exampleValue: 1630000000000 } });
+export const teamInvitationEmailSchema = emailSchema.meta({ openapiField: { description: 'The email to sign in with.', exampleValue: 'johndoe@example.com' } });
+export const teamInvitationCallbackUrlSchema = urlSchema.meta({ openapiField: { description: 'The base callback URL to construct a verification link for the verification e-mail. A query argument `code` with the verification code will be appended to it. The page should then make a request to the `/contact-channels/verify` endpoint.', exampleValue: 'https://example.com/handler/email-verification' } });
 
 // Team member profiles
 export const teamMemberDisplayNameSchema = yupString().meta({ openapiField: { description: _displayNameDescription('team member') + ' Note that this is separate from the display_name of the user.', exampleValue: 'John Doe' } });
diff --git a/packages/stack/src/components-page/forgot-password.tsx b/packages/stack/src/components-page/forgot-password.tsx
index 4368c5dece..2e41d993ab 100644
--- a/packages/stack/src/components-page/forgot-password.tsx
+++ b/packages/stack/src/components-page/forgot-password.tsx
@@ -1,11 +1,60 @@
 'use client';
 
-import { ForgotPasswordForm } from "../components/forgot-password-form";
+import { yupResolver } from "@hookform/resolvers/yup";
+import { yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
+import { runAsynchronouslyWithAlert } from "@stackframe/stack-shared/dist/utils/promises";
+import { Button, Input, Label, StyledLink, Typography } from "@stackframe/stack-ui";
+import { useState } from "react";
+import { useForm } from "react-hook-form";
+import * as yup from "yup";
+import { useStackApp, useUser } from "..";
+import { FormWarningText } from "../components/elements/form-warning";
 import { MaybeFullPage } from "../components/elements/maybe-full-page";
-import { useUser, useStackApp } from "..";
 import { PredefinedMessageCard } from "../components/message-cards/predefined-message-card";
-import { useState } from "react";
-import { StyledLink, Typography } from "@stackframe/stack-ui";
+
+const schema = yupObject({
+  email: yupString().email('Please enter a valid email').required('Please enter your email')
+});
+
+export function ForgotPasswordForm({ onSent }: { onSent?: () => void }) {
+  const { register, handleSubmit, formState: { errors }, clearErrors } = useForm({
+    resolver: yupResolver(schema)
+  });
+  const stackApp = useStackApp();
+  const [loading, setLoading] = useState(false);
+
+  const onSubmit = async (data: yup.InferType<typeof schema>) => {
+    setLoading(true);
+    try {
+      const { email } = data;
+      await stackApp.sendForgotPasswordEmail(email);
+    onSent?.();
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  return (
+    <form
+      className="flex flex-col items-stretch stack-scope"
+      onSubmit={e => runAsynchronouslyWithAlert(handleSubmit(onSubmit)(e))}
+      noValidate
+    >
+      <Label htmlFor="email" className="mb-1">Your Email</Label>
+      <Input
+        id="email"
+        type="email"
+        {...register('email')}
+        onChange={() => clearErrors('email')}
+      />
+      <FormWarningText text={errors.email?.message?.toString()} />
+
+      <Button type="submit" className="mt-6" loading={loading}>
+        Send Email
+      </Button>
+    </form>
+  );
+}
 
 
 export function ForgotPassword({ fullPage=false }: { fullPage?: boolean }) {
diff --git a/packages/stack/src/components-page/password-reset.tsx b/packages/stack/src/components-page/password-reset.tsx
index 512233bec9..a2f3260663 100644
--- a/packages/stack/src/components-page/password-reset.tsx
+++ b/packages/stack/src/components-page/password-reset.tsx
@@ -1,12 +1,117 @@
 'use client';
 
-import { MessageCard } from "../components/message-cards/message-card";
-import { StackClientApp, useStackApp } from "..";
-import React from "react";
-import PasswordResetForm from "../components/password-reset-form";
-import { cacheFunction } from "@stackframe/stack-shared/dist/utils/caches";
+import { yupResolver } from "@hookform/resolvers/yup";
 import { KnownErrors } from "@stackframe/stack-shared";
-import { Typography } from "@stackframe/stack-ui";
+import { getPasswordError } from "@stackframe/stack-shared/dist/helpers/password";
+import { yupObject, yupString } from "@stackframe/stack-shared/dist/schema-fields";
+import { cacheFunction } from "@stackframe/stack-shared/dist/utils/caches";
+import { runAsynchronouslyWithAlert } from "@stackframe/stack-shared/dist/utils/promises";
+import { Button, Label, PasswordInput, Typography } from "@stackframe/stack-ui";
+import React, { useState } from "react";
+import { useForm } from "react-hook-form";
+import * as yup from "yup";
+import { StackClientApp, useStackApp } from "..";
+import { FormWarningText } from "../components/elements/form-warning";
+import { MaybeFullPage } from "../components/elements/maybe-full-page";
+import { MessageCard } from "../components/message-cards/message-card";
+import { PredefinedMessageCard } from "../components/message-cards/predefined-message-card";
+
+const schema = yupObject({
+  password: yupString().required('Please enter your password').test({
+    name: 'is-valid-password',
+    test: (value, ctx) => {
+      const error = getPasswordError(value);
+      if (error) {
+        return ctx.createError({ message: error.message });
+      } else {
+        return true;
+      }
+    }
+  }),
+  passwordRepeat: yupString().nullable().oneOf([yup.ref('password'), null], 'Passwords do not match').required('Please repeat your password')
+});
+
+export default function PasswordResetForm(
+  { code, fullPage = false }:
+  { code: string, fullPage?: boolean }
+) {
+  const { register, handleSubmit, formState: { errors }, clearErrors } = useForm({
+    resolver: yupResolver(schema)
+  });
+  const stackApp = useStackApp();
+  const [finished, setFinished] = useState(false);
+  const [resetError, setResetError] = useState(false);
+  const [loading, setLoading] = useState(false);
+
+  const onSubmit = async (data: yup.InferType<typeof schema>) => {
+    setLoading(true);
+    try {
+      const { password } = data;
+      const errorCode = await stackApp.resetPassword({ password, code });
+      if (errorCode) {
+        setResetError(true);
+        return;
+      }
+
+      setFinished(true);
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  if (finished) {
+    return <PredefinedMessageCard type='passwordReset' fullPage={fullPage} />;
+  }
+
+  if (resetError) {
+    return (
+      <MessageCard title="Failed to reset password" fullPage={fullPage}>
+        Failed to reset password. Please request a new password reset link
+      </MessageCard>
+    );
+  }
+
+  return (
+    <MaybeFullPage fullPage={fullPage}>
+      <div className="text-center mb-6">
+        <Typography type='h2'>Reset Your Password</Typography>
+      </div>
+
+      <form
+        style={{ display: 'flex', flexDirection: 'column', alignItems: 'stretch' }}
+        onSubmit={e => runAsynchronouslyWithAlert(handleSubmit(onSubmit)(e))}
+        noValidate
+      >
+        <Label htmlFor="password" className="mb-1">New Password</Label>
+        <PasswordInput
+          id="password"
+          {...register('password')}
+          onChange={() => {
+            clearErrors('password');
+            clearErrors('passwordRepeat');
+          }}
+        />
+        <FormWarningText text={errors.password?.message?.toString()} />
+
+        <Label htmlFor="repeat-password" className="mt-4 mb-1">Repeat New Password</Label>
+        <PasswordInput
+          id="repeat-password"
+          {...register('passwordRepeat')}
+          onChange={() => {
+            clearErrors('password');
+            clearErrors('passwordRepeat');
+          }}
+        />
+        <FormWarningText text={errors.passwordRepeat?.message?.toString()} />
+
+        <Button type="submit" className="mt-6" loading={loading}>
+          Reset Password
+        </Button>
+      </form>
+    </MaybeFullPage>
+  );
+}
+
 
 const cachedVerifyPasswordResetCode = cacheFunction(async (stackApp: StackClientApp<true>, code: string) => {
   return await stackApp.verifyPasswordResetCode(code);
@@ -16,7 +121,7 @@ export function PasswordReset({
   searchParams,
   fullPage = false,
 }: {
-  searchParams?: Record<string, string>,
+  searchParams: Record<string, string>,
   fullPage?: boolean,
 }) {
   const stackApp = useStackApp();
@@ -39,7 +144,7 @@ export function PasswordReset({
     </MessageCard>
   );
 
-  const code = searchParams?.code;
+  const code = searchParams.code;
   if (!code) {
     return invalidJsx;
   }
diff --git a/packages/stack/src/components-page/stack-handler.tsx b/packages/stack/src/components-page/stack-handler.tsx
index d57c67509d..f9788895c3 100644
--- a/packages/stack/src/components-page/stack-handler.tsx
+++ b/packages/stack/src/components-page/stack-handler.tsx
@@ -1,18 +1,17 @@
-import { SignUp } from "./sign-up";
-import { SignIn } from "./sign-in";
+import { getRelativePart } from "@stackframe/stack-shared/dist/utils/urls";
 import { RedirectType, notFound, redirect } from 'next/navigation';
-import { EmailVerification } from "./email-verification";
 import { AuthPage, StackServerApp } from "..";
 import { MessageCard } from "../components/message-cards/message-card";
 import { HandlerUrls } from "../lib/stack-app";
-import { SignOut } from "./sign-out";
-import { ForgotPassword } from "./forgot-password";
-import { OAuthCallback } from "./oauth-callback";
 import { AccountSettings } from "./account-settings";
-import { MagicLinkCallback } from "./magic-link-callback";
+import { EmailVerification } from "./email-verification";
 import { ErrorPage } from "./error-page";
+import { ForgotPassword } from "./forgot-password";
+import { MagicLinkCallback } from "./magic-link-callback";
+import { OAuthCallback } from "./oauth-callback";
 import { PasswordReset } from "./password-reset";
-import { getRelativePart } from "@stackframe/stack-shared/dist/utils/urls";
+import { SignOut } from "./sign-out";
+import { TeamInvitation } from "./team-invitation";
 
 export default async function StackHandler<HasTokenStore extends boolean>({
   app,
@@ -60,6 +59,7 @@ export default async function StackHandler<HasTokenStore extends boolean>({
     oauthCallback: 'oauth-callback',
     accountSettings: 'account-settings',
     magicLinkCallback: 'magic-link-callback',
+    teamInvitation: 'team-invitation',
     error: 'error',
   };
 
@@ -101,6 +101,10 @@ export default async function StackHandler<HasTokenStore extends boolean>({
       redirectIfNotHandler('magicLinkCallback');
       return <MagicLinkCallback searchParams={searchParams} fullPage={fullPage} />;
     }
+    case availablePaths.teamInvitation: {
+      redirectIfNotHandler('teamInvitation');
+      return <TeamInvitation searchParams={searchParams} fullPage={fullPage} />;
+    }
     case availablePaths.error: {
       return <ErrorPage searchParams={searchParams} fullPage={fullPage} />;
     }
diff --git a/packages/stack/src/components-page/team-invitation.tsx b/packages/stack/src/components-page/team-invitation.tsx
new file mode 100644
index 0000000000..7ffa222c2c
--- /dev/null
+++ b/packages/stack/src/components-page/team-invitation.tsx
@@ -0,0 +1,124 @@
+'use client';
+
+import { KnownErrors } from "@stackframe/stack-shared";
+import { cacheFunction } from "@stackframe/stack-shared/dist/utils/caches";
+import { runAsynchronouslyWithAlert } from "@stackframe/stack-shared/dist/utils/promises";
+import { Typography } from "@stackframe/stack-ui";
+import React from "react";
+import { MessageCard, StackClientApp, useStackApp, useUser } from "..";
+import { PredefinedMessageCard } from "../components/message-cards/predefined-message-card";
+
+const cachedVerifyInvitation = cacheFunction(async (stackApp: StackClientApp<true>, code: string) => {
+  return await stackApp.verifyTeamInvitationCode(code);
+});
+
+const cachedGetInvitationDetails = cacheFunction(async (stackApp: StackClientApp<true>, code: string) => {
+  return await stackApp.getTeamInvitationDetails(code);
+});
+
+function TeamInvitationInner(props: { fullPage?: boolean, searchParams: Record<string, string> }) {
+  const stackApp = useStackApp();
+  const [success, setSuccess] = React.useState(false);
+  const [errorMessage, setErrorMessage] = React.useState<string | null>(null);
+  const details = React.use(cachedGetInvitationDetails(stackApp, props.searchParams.code || ''));
+
+  if (errorMessage || details.status === 'error') {
+    return (
+      <PredefinedMessageCard type="unknownError" fullPage={props.fullPage} />
+    );
+  }
+
+  if (success) {
+    return (
+      <MessageCard
+        title="Team invitation"
+        fullPage={props.fullPage}
+        primaryButtonText="Go to home"
+        primaryAction={() => stackApp.redirectToHome()}
+      >
+        <Typography>You have successfully joined {details.data.teamDisplayName}</Typography>
+      </MessageCard>
+    );
+  }
+
+
+  return (
+    <MessageCard
+      title="Team invitation"
+      fullPage={props.fullPage}
+      primaryButtonText="Join"
+      primaryAction={() => runAsynchronouslyWithAlert(async () => {
+        const result = await stackApp.acceptTeamInvitation(props.searchParams.code || '');
+        if (result.status === 'error') {
+        setErrorMessage(result.error.message);
+        } else {
+        setSuccess(true);
+        }
+      })}
+      secondaryButtonText="Ignore"
+      secondaryAction={() => stackApp.redirectToHome()}
+    >
+      <Typography>You are invited to join {details.data.teamDisplayName}</Typography>
+    </MessageCard>
+  );
+}
+
+export function TeamInvitation({ fullPage=false, searchParams }: { fullPage?: boolean, searchParams: Record<string, string> }) {
+  const user = useUser();
+  const stackApp = useStackApp();
+
+  const invalidJsx = (
+    <MessageCard title="Invalid Team Invitation Link" fullPage={fullPage}>
+      <Typography>Please double check if you have the correct team invitation link.</Typography>
+    </MessageCard>
+  );
+
+  const expiredJsx = (
+    <MessageCard title="Expired Team Invitation Link" fullPage={fullPage}>
+      <Typography>Your team invitation link has expired. Please request a new team invitation link </Typography>
+    </MessageCard>
+  );
+
+  const usedJsx = (
+    <MessageCard title="Used Team Invitation Link" fullPage={fullPage}>
+      <Typography>This team invitation link has already been used.</Typography>
+    </MessageCard>
+  );
+
+  const code = searchParams.code;
+  if (!code) {
+    return invalidJsx;
+  }
+
+  if (!user) {
+    return (
+      <MessageCard
+        title="Team invitation"
+        fullPage={fullPage}
+        primaryButtonText="Go to sign in"
+        primaryAction={() => stackApp.redirectToSignIn()}
+        secondaryButtonText="Cancel"
+        secondaryAction={() => stackApp.redirectToHome()}
+      >
+        <Typography>Sign in or create an account to join the team.</Typography>
+      </MessageCard>
+    );
+  }
+
+  const verificationResult = React.use(cachedVerifyInvitation(stackApp, searchParams.code || ''));
+
+  if (verificationResult.status === 'error') {
+    const error = verificationResult.error;
+    if (error instanceof KnownErrors.VerificationCodeNotFound) {
+      return invalidJsx;
+    } else if (error instanceof KnownErrors.VerificationCodeExpired) {
+      return expiredJsx;
+    } else if (error instanceof KnownErrors.VerificationCodeAlreadyUsed) {
+      return usedJsx;
+    } else {
+      throw error;
+    }
+  }
+
+  return <TeamInvitationInner fullPage={fullPage} searchParams={searchParams} />;
+};
diff --git a/packages/stack/src/components/forgot-password-form.tsx b/packages/stack/src/components/forgot-password-form.tsx
deleted file mode 100644
index f2fa4cc15c..0000000000
--- a/packages/stack/src/components/forgot-password-form.tsx
+++ /dev/null
@@ -1,55 +0,0 @@
-'use client';
-
-import { useForm } from "react-hook-form";
-import { yupResolver } from "@hookform/resolvers/yup";
-import * as yup from "yup";
-import { FormWarningText } from "./elements/form-warning";
-import { useStackApp } from "..";
-import { runAsynchronouslyWithAlert } from "@stackframe/stack-shared/dist/utils/promises";
-import { Button, Input, Label } from "@stackframe/stack-ui";
-import { useState } from "react";
-import { yupObject, yupString, yupNumber, yupBoolean, yupArray, yupMixed } from "@stackframe/stack-shared/dist/schema-fields";
-
-const schema = yupObject({
-  email: yupString().email('Please enter a valid email').required('Please enter your email')
-});
-
-export function ForgotPasswordForm({ onSent }: { onSent?: () => void }) {
-  const { register, handleSubmit, formState: { errors }, clearErrors } = useForm({
-    resolver: yupResolver(schema)
-  });
-  const stackApp = useStackApp();
-  const [loading, setLoading] = useState(false);
-
-  const onSubmit = async (data: yup.InferType<typeof schema>) => {
-    setLoading(true);
-    try {
-      const { email } = data;
-      await stackApp.sendForgotPasswordEmail(email);
-    onSent?.();
-    } finally {
-      setLoading(false);
-    }
-  };
-
-  return (
-    <form
-      className="flex flex-col items-stretch stack-scope"
-      onSubmit={e => runAsynchronouslyWithAlert(handleSubmit(onSubmit)(e))}
-      noValidate
-    >
-      <Label htmlFor="email" className="mb-1">Your Email</Label>
-      <Input
-        id="email"
-        type="email"
-        {...register('email')}
-        onChange={() => clearErrors('email')}
-      />
-      <FormWarningText text={errors.email?.message?.toString()} />
-
-      <Button type="submit" className="mt-6" loading={loading}>
-        Send Email
-      </Button>
-    </form>
-  );
-}
diff --git a/packages/stack/src/components/password-reset-form.tsx b/packages/stack/src/components/password-reset-form.tsx
deleted file mode 100644
index 5defdb89cf..0000000000
--- a/packages/stack/src/components/password-reset-form.tsx
+++ /dev/null
@@ -1,111 +0,0 @@
-'use client';
-
-import { useState } from "react";
-import { useForm } from "react-hook-form";
-import { yupResolver } from "@hookform/resolvers/yup";
-import * as yup from "yup";
-import { getPasswordError } from "@stackframe/stack-shared/dist/helpers/password";
-import { useStackApp } from "..";
-import { FormWarningText } from "./elements/form-warning";
-import { PredefinedMessageCard } from "./message-cards/predefined-message-card";
-import { MessageCard } from "./message-cards/message-card";
-import { MaybeFullPage } from "./elements/maybe-full-page";
-import { runAsynchronouslyWithAlert } from "@stackframe/stack-shared/dist/utils/promises";
-import { Button, Label, PasswordInput, Typography } from "@stackframe/stack-ui";
-import { yupObject, yupString, yupNumber, yupBoolean, yupArray, yupMixed } from "@stackframe/stack-shared/dist/schema-fields";
-
-const schema = yupObject({
-  password: yupString().required('Please enter your password').test({
-    name: 'is-valid-password',
-    test: (value, ctx) => {
-      const error = getPasswordError(value);
-      if (error) {
-        return ctx.createError({ message: error.message });
-      } else {
-        return true;
-      }
-    }
-  }),
-  passwordRepeat: yupString().nullable().oneOf([yup.ref('password'), null], 'Passwords do not match').required('Please repeat your password')
-});
-
-export default function PasswordResetForm(
-  { code, fullPage = false }:
-  { code: string, fullPage?: boolean }
-) {
-  const { register, handleSubmit, formState: { errors }, clearErrors } = useForm({
-    resolver: yupResolver(schema)
-  });
-  const stackApp = useStackApp();
-  const [finished, setFinished] = useState(false);
-  const [resetError, setResetError] = useState(false);
-  const [loading, setLoading] = useState(false);
-
-  const onSubmit = async (data: yup.InferType<typeof schema>) => {
-    setLoading(true);
-    try {
-      const { password } = data;
-      const errorCode = await stackApp.resetPassword({ password, code });
-      if (errorCode) {
-        setResetError(true);
-        return;
-      }
-
-      setFinished(true);
-    } finally {
-      setLoading(false);
-    }
-  };
-
-  if (finished) {
-    return <PredefinedMessageCard type='passwordReset' fullPage={fullPage} />;
-  }
-
-  if (resetError) {
-    return (
-      <MessageCard title="Failed to reset password" fullPage={fullPage}>
-        Failed to reset password. Please request a new password reset link
-      </MessageCard>
-    );
-  }
-
-  return (
-    <MaybeFullPage fullPage={fullPage}>
-      <div className="text-center mb-6">
-        <Typography type='h2'>Reset Your Password</Typography>
-      </div>
-
-      <form
-        style={{ display: 'flex', flexDirection: 'column', alignItems: 'stretch' }}
-        onSubmit={e => runAsynchronouslyWithAlert(handleSubmit(onSubmit)(e))}
-        noValidate
-      >
-        <Label htmlFor="password" className="mb-1">New Password</Label>
-        <PasswordInput
-          id="password"
-          {...register('password')}
-          onChange={() => {
-            clearErrors('password');
-            clearErrors('passwordRepeat');
-          }}
-        />
-        <FormWarningText text={errors.password?.message?.toString()} />
-
-        <Label htmlFor="repeat-password" className="mt-4 mb-1">Repeat New Password</Label>
-        <PasswordInput
-          id="repeat-password"
-          {...register('passwordRepeat')}
-          onChange={() => {
-            clearErrors('password');
-            clearErrors('passwordRepeat');
-          }}
-        />
-        <FormWarningText text={errors.passwordRepeat?.message?.toString()} />
-
-        <Button type="submit" className="mt-6" loading={loading}>
-          Reset Password
-        </Button>
-      </form>
-    </MaybeFullPage>
-  );
-}
diff --git a/packages/stack/src/lib/stack-app.ts b/packages/stack/src/lib/stack-app.ts
index 8f97753838..aa71f6cae3 100644
--- a/packages/stack/src/lib/stack-app.ts
+++ b/packages/stack/src/lib/stack-app.ts
@@ -69,6 +69,7 @@ export type HandlerUrls = {
   oauthCallback: string,
   magicLinkCallback: string,
   accountSettings: string,
+  teamInvitation: string,
   error: string,
 }
 
@@ -100,6 +101,7 @@ function getUrls(partial: Partial<HandlerUrls>): HandlerUrls {
     home: home,
     accountSettings: `${handler}/account-settings`,
     error: `${handler}/error`,
+    teamInvitation: `${handler}/team-invitation`,
     ...filterUndefined(partial),
   };
 }
@@ -689,10 +691,20 @@ class _StackClientAppImpl<HasTokenStore extends boolean, ProjectId extends strin
   }
 
   protected _clientTeamFromCrud(crud: TeamsCrud['Client']['Read']): Team {
+    const app = this;
     return {
       id: crud.id,
       displayName: crud.display_name,
       profileImageUrl: crud.profile_image_url,
+
+      async inviteUser(options: { email: string }) {
+        return await app._interface.sendTeamInvitation({
+          teamId: crud.id,
+          email: options.email,
+          session: app._getSession(),
+          callbackUrl: constructRedirectUrl(app.urls.teamInvitation),
+        });
+      }
     };
   }
 
@@ -944,6 +956,7 @@ class _StackClientAppImpl<HasTokenStore extends boolean, ProjectId extends strin
   async redirectToAfterSignOut(options?: RedirectToOptions) { return await this._redirectToHandler("afterSignOut", options); }
   async redirectToAccountSettings(options?: RedirectToOptions) { return await this._redirectToHandler("accountSettings", options); }
   async redirectToError(options?: RedirectToOptions) { return await this._redirectToHandler("error", options); }
+  async redirectToTeamInvitation(options?: RedirectToOptions) { return await this._redirectToHandler("teamInvitation", options); }
 
   async sendForgotPasswordEmail(email: string): Promise<KnownErrors["UserNotFound"] | void> {
     const redirectUrl = constructRedirectUrl(this.urls.passwordReset);
@@ -966,6 +979,48 @@ class _StackClientAppImpl<HasTokenStore extends boolean, ProjectId extends strin
     return await this._interface.verifyPasswordResetCode(code);
   }
 
+  async verifyTeamInvitationCode(code: string): Promise<Result<undefined, KnownErrors["VerificationCodeError"]>> {
+    const result = await this._interface.acceptTeamInvitation({
+      type: 'check',
+      code,
+      session: this._getSession(),
+    });
+
+    if (result.status === 'ok') {
+      return Result.ok(undefined);
+    } else {
+      return Result.error(result.error);
+    }
+  }
+
+  async acceptTeamInvitation(code: string): Promise<Result<undefined, KnownErrors["VerificationCodeError"]>> {
+    const result = await this._interface.acceptTeamInvitation({
+      type: 'use',
+      code,
+      session: this._getSession(),
+    });
+
+    if (result.status === 'ok') {
+      return Result.ok(undefined);
+    } else {
+      return Result.error(result.error);
+    }
+  }
+
+  async getTeamInvitationDetails(code: string): Promise<Result<{ teamDisplayName: string }, KnownErrors["VerificationCodeError"]>> {
+    const result = await this._interface.acceptTeamInvitation({
+      type: 'details',
+      code,
+      session: this._getSession(),
+    });
+
+    if (result.status === 'ok') {
+      return Result.ok({ teamDisplayName: result.data.team_display_name });
+    } else {
+      return Result.error(result.error);
+    }
+  }
+
   async verifyEmail(code: string): Promise<KnownErrors["VerificationCodeError"] | void> {
     return await this._interface.verifyEmail(code);
   }
@@ -1273,7 +1328,7 @@ class _StackServerAppImpl<HasTokenStore extends boolean, ProjectId extends strin
     [string, string, boolean],
     TeamPermissionsCrud['Server']['Read'][]
   >(async ([teamId, userId, recursive]) => {
-    return await this._interface.listServerTeamMemberPermissions({ teamId, userId, recursive });
+    return await this._interface.listServerTeamPermissions({ teamId, userId, recursive }, null);
   });
   private readonly _serverUserOAuthConnectionAccessTokensCache = createCache<[string, string, string], { accessToken: string } | null>(
     async ([userId, providerId, scope]) => {
@@ -1502,6 +1557,14 @@ class _StackServerAppImpl<HasTokenStore extends boolean, ProjectId extends strin
         });
         await app._serverTeamUsersCache.refresh([crud.id]);
       },
+      async inviteUser(options: { email: string }) {
+        return await app._interface.sendTeamInvitation({
+          teamId: crud.id,
+          email: options.email,
+          session: null,
+          callbackUrl: constructRedirectUrl(app.urls.teamInvitation),
+        });
+      },
     };
   }
 
@@ -2387,6 +2450,8 @@ export type Team = {
   id: string,
   displayName: string,
   profileImageUrl: string | null,
+
+  inviteUser(options: { email: string }): Promise<Result<undefined, KnownErrors["TeamPermissionRequired"]>>,
 };
 
 export type TeamCreateOptions = {
@@ -2410,6 +2475,7 @@ export type ServerTeam = {
   update(update: ServerTeamUpdateOptions): Promise<void>,
   delete(): Promise<void>,
   addUser(userId: string): Promise<void>,
+  inviteUser(options: { email: string }): Promise<Result<undefined, KnownErrors["TeamPermissionRequired"]>>,
   removeUser(userId: string): Promise<void>,
 } & Team;
 
@@ -2504,6 +2570,9 @@ export type StackClientApp<HasTokenStore extends boolean = boolean, ProjectId ex
     sendMagicLinkEmail(email: string): Promise<KnownErrors["RedirectUrlNotWhitelisted"] | void>,
     resetPassword(options: { code: string, password: string }): Promise<KnownErrors["VerificationCodeError"] | void>,
     verifyPasswordResetCode(code: string): Promise<KnownErrors["VerificationCodeError"] | void>,
+    verifyTeamInvitationCode(code: string): Promise<Result<undefined, KnownErrors["VerificationCodeError"]>>,
+    acceptTeamInvitation(code: string): Promise<Result<undefined, KnownErrors["VerificationCodeError"]>>,
+    getTeamInvitationDetails(code: string): Promise<Result<{ teamDisplayName: string }, KnownErrors["VerificationCodeError"]>>,
     verifyEmail(code: string): Promise<KnownErrors["VerificationCodeError"] | void>,
     signInWithMagicLink(code: string): Promise<KnownErrors["VerificationCodeError"] | void>,
 

From b766e4e23c944c044317bf6a957a22f3a2ebf456 Mon Sep 17 00:00:00 2001
From: Stan Wohlwend <n2d4xc@gmail.com>
Date: Sun, 4 Aug 2024 15:19:31 -0700
Subject: [PATCH 02/10] Allow Next.js version `latest` in package.json

---
 packages/init-stack/index.mjs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/packages/init-stack/index.mjs b/packages/init-stack/index.mjs
index 17725aa3cb..84d7ceb3d6 100644
--- a/packages/init-stack/index.mjs
+++ b/packages/init-stack/index.mjs
@@ -81,7 +81,8 @@ async function main() {
       `The project at ${projectPath} does not appear to be a Next.js project, or does not have 'next' installed as a dependency. Only Next.js projects are currently supported.`
     );
   }
-  if (!packageJson.dependencies["next"].includes("14")) {
+  const nextPackageJsonVersion = packageJson.dependencies["next"];
+  if (!nextPackageJsonVersion.includes("14") && nextPackageJsonVersion !== "latest") {
     throw new UserError(
       `The project at ${projectPath} is using an unsupported version of Next.js (found ${packageJson.dependencies["next"]}).\n\nOnly Next.js 14 projects are currently supported. See Next's upgrade guide: https://nextjs.org/docs/app/building-your-application/upgrading/version-14`
     );

From 60115655745802f387215f6a930285ba3eaf332f Mon Sep 17 00:00:00 2001
From: Stan Wohlwend <n2d4xc@gmail.com>
Date: Sun, 4 Aug 2024 16:50:25 -0700
Subject: [PATCH 03/10] Fix typo

---
 docs/fern/docs/pages/getting-started/setup.mdx | 1 -
 1 file changed, 1 deletion(-)

diff --git a/docs/fern/docs/pages/getting-started/setup.mdx b/docs/fern/docs/pages/getting-started/setup.mdx
index 3426db807d..1854d87615 100644
--- a/docs/fern/docs/pages/getting-started/setup.mdx
+++ b/docs/fern/docs/pages/getting-started/setup.mdx
@@ -70,7 +70,6 @@ We recommend using our **setup wizard**, which will automatically detect your pr
 
       export const stackServerApp = new StackServerApp({
         tokenStore: "nextjs-cookie", // storing auth tokens in cookies
-        //there is other parameter named "urls" which is covered later in the docs
       });
       ```
     

From 52d489b710b5bdf43db753506195d87860b930bd Mon Sep 17 00:00:00 2001
From: Stan Wohlwend <n2d4xc@gmail.com>
Date: Sun, 4 Aug 2024 17:21:32 -0700
Subject: [PATCH 04/10] Update error message

---
 packages/stack/src/lib/auth.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/stack/src/lib/auth.ts b/packages/stack/src/lib/auth.ts
index 9b9ad9410b..ddbbd2ba01 100644
--- a/packages/stack/src/lib/auth.ts
+++ b/packages/stack/src/lib/auth.ts
@@ -72,7 +72,7 @@ function consumeOAuthCallbackQueryParams(expectedState: string): null | URL {
   if (expectedState !== originalUrl.searchParams.get("state")) {
     // If the state doesn't match, then the callback wasn't meant for us.
     // Maybe the website uses another OAuth library?
-    captureError("consumeOAuthCallbackQueryParams", new Error(`Invalid OAuth callback state: Was this meant for someone else, or did cookies fail?`));
+    captureError("consumeOAuthCallbackQueryParams", new Error(`Invalid OAuth callback state: Are you using another OAuth authentication with the same callback URL as Stack, or did your cookies reset?`));
     return null;
   }
 

From 1dbf2b717c584b7611f3bd769b4457e472f09060 Mon Sep 17 00:00:00 2001
From: Stan Wohlwend <n2d4xc@gmail.com>
Date: Sun, 4 Aug 2024 19:30:37 -0700
Subject: [PATCH 05/10] Remove unnecessary console.warn

---
 packages/stack-shared/src/interface/clientInterface.ts | 1 -
 1 file changed, 1 deletion(-)

diff --git a/packages/stack-shared/src/interface/clientInterface.ts b/packages/stack-shared/src/interface/clientInterface.ts
index 5c1f4c78b8..36313f306c 100644
--- a/packages/stack-shared/src/interface/clientInterface.ts
+++ b/packages/stack-shared/src/interface/clientInterface.ts
@@ -299,7 +299,6 @@ export class StackClientInterface {
     } catch (e) {
       if (e instanceof TypeError) {
         // Network error, retry
-        console.warn(`Stack detected a network error while fetching ${url}, retrying.`, e, { url });
         return Result.error(e);
       }
       throw e;

From f0a5c32d380dc251692db3b1c830fc87e925a2ac Mon Sep 17 00:00:00 2001
From: Stan Wohlwend <n2d4xc@gmail.com>
Date: Mon, 5 Aug 2024 09:21:06 -0700
Subject: [PATCH 06/10] Updated "edit this page" button

---
 docs/fern/docs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/fern/docs.yml b/docs/fern/docs.yml
index ab8e2f63c9..9ddc081568 100644
--- a/docs/fern/docs.yml
+++ b/docs/fern/docs.yml
@@ -5,7 +5,7 @@ instances:
       github:
         owner: stack-auth
         repo: stack
-        branch: dev
+        branch: dev/docs
 title: Stack Auth Documentation
 
 tabs:

From e8221ca00662a4bdabc67e01f21a858556f9f2c5 Mon Sep 17 00:00:00 2001
From: Stan Wohlwend <n2d4xc@gmail.com>
Date: Tue, 6 Aug 2024 15:30:29 -0700
Subject: [PATCH 07/10] Hide unsupported properties from docs

---
 packages/stack-shared/src/interface/crud/users.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/packages/stack-shared/src/interface/crud/users.ts b/packages/stack-shared/src/interface/crud/users.ts
index 0555387faf..3772ad84f2 100644
--- a/packages/stack-shared/src/interface/crud/users.ts
+++ b/packages/stack-shared/src/interface/crud/users.ts
@@ -53,13 +53,13 @@ export const usersCrudServerReadSchema = fieldSchema.yupObject({
       type: fieldSchema.yupString().oneOf(['oauth']).required(),
       provider: fieldSchema.userOAuthProviderSchema.required(),
     }).required(),
-  )).required().meta({ openapiField: { description: 'A list of authentication methods available for this user to sign in with', exampleValue: [ { "contact_channel": { "email": "john.doe@gmail.com", "type": "email", }, "type": "otp", } ] } }),
+  )).required().meta({ openapiField: { hidden: true, description: 'A list of authentication methods available for this user to sign in with', exampleValue: [ { "contact_channel": { "email": "john.doe@gmail.com", "type": "email", }, "type": "otp", } ] } }),
   connected_accounts: fieldSchema.yupArray(fieldSchema.yupUnion(
     fieldSchema.yupObject({
       type: fieldSchema.yupString().oneOf(['oauth']).required(),
       provider: fieldSchema.userOAuthProviderSchema.required(),
     }).required(),
-  )).required().meta({ openapiField: { description: 'A list of connected accounts to this user', exampleValue: [ { "provider": { "provider_user_id": "12345", "type": "google", }, "type": "oauth", } ] } }),
+  )).required().meta({ openapiField: { hidden: true, description: 'A list of connected accounts to this user', exampleValue: [ { "provider": { "provider_user_id": "12345", "type": "google", }, "type": "oauth", } ] } }),
   client_metadata: fieldSchema.userClientMetadataSchema,
   server_metadata: fieldSchema.userServerMetadataSchema,
 }).required();

From ee139bf346124628e7ae8fd87fafda8e2561047a Mon Sep 17 00:00:00 2001
From: Stan Wohlwend <n2d4xc@gmail.com>
Date: Tue, 6 Aug 2024 17:00:20 -0700
Subject: [PATCH 08/10] OAuth token tests

---
 apps/backend/src/oauth/model.tsx              | 12 ++-
 apps/e2e/tests/backend/backend-helpers.ts     | 55 +++++++++++++-
 .../endpoints/api/v1/auth/oauth/token.test.ts | 76 +++++++++++++++++++
 .../src/interface/clientInterface.ts          |  6 +-
 4 files changed, 144 insertions(+), 5 deletions(-)
 create mode 100644 apps/e2e/tests/backend/endpoints/api/v1/auth/oauth/token.test.ts

diff --git a/apps/backend/src/oauth/model.tsx b/apps/backend/src/oauth/model.tsx
index 5af08b3189..61b374c87d 100644
--- a/apps/backend/src/oauth/model.tsx
+++ b/apps/backend/src/oauth/model.tsx
@@ -104,9 +104,19 @@ export class OAuthModel implements AuthorizationCodeModel {
     token.client = client;
     token.user = user;
     return {
-      ...token,
+      accessToken: token.accessToken,
+      accessTokenExpiresAt: token.accessTokenExpiresAt,
+      refreshToken: token.refreshToken,
+      refreshTokenExpiresAt: token.refreshTokenExpiresAt,
+      scope: token.scope,
+      client: token.client,
+      user: token.user,
+
+      // TODO remove deprecated camelCase properties
       newUser: user.newUser,
+      is_new_user: user.newUser,
       afterCallbackRedirectUrl: user.afterCallbackRedirectUrl,
+      after_callback_redirect_url: user.afterCallbackRedirectUrl,
     };
   }
 
diff --git a/apps/e2e/tests/backend/backend-helpers.ts b/apps/e2e/tests/backend/backend-helpers.ts
index 776abb2bc1..9920d9f1ef 100644
--- a/apps/e2e/tests/backend/backend-helpers.ts
+++ b/apps/e2e/tests/backend/backend-helpers.ts
@@ -1,6 +1,7 @@
 import { generateSecureRandomString } from "@stackframe/stack-shared/dist/utils/crypto";
 import { StackAssertionError, throwErr } from "@stackframe/stack-shared/dist/utils/errors";
 import { filterUndefined } from "@stackframe/stack-shared/dist/utils/objects";
+import { camelCaseToSnakeCase } from "@stackframe/stack-shared/dist/utils/strings";
 import { expect } from "vitest";
 import { Context, Mailbox, NiceRequestInit, NiceResponse, STACK_BACKEND_BASE_URL, STACK_INTERNAL_PROJECT_ADMIN_KEY, STACK_INTERNAL_PROJECT_CLIENT_KEY, STACK_INTERNAL_PROJECT_ID, STACK_INTERNAL_PROJECT_SERVER_KEY, createMailbox, localRedirectUrl, niceFetch, updateCookiesFromResponse } from "../helpers";
 
@@ -52,7 +53,7 @@ function expectSnakeCase(obj: unknown, path: string): void {
     }
   } else {
     for (const [key, value] of Object.entries(obj)) {
-      if (key.match(/[a-z0-9][A-Z][a-z0-9]+/) && !key.includes("_")) {
+      if (key.match(/[a-z0-9][A-Z][a-z0-9]+/) && !key.includes("_") && !["newUser", "afterCallbackRedirectUrl"].includes(key)) {
         throw new StackAssertionError(`Object has camelCase key (expected snake case): ${path}.${key}`);
       }
       expectSnakeCase(value, `${path}.${key}`);
@@ -438,6 +439,58 @@ export namespace Auth {
         authorizationCode: outerCallbackUrl.searchParams.get("code")!,
       };
     }
+
+    export async function signIn() {
+      const getAuthorizationCodeResult = await Auth.OAuth.getAuthorizationCode();
+
+      const projectKeys = backendContext.value.projectKeys;
+      if (projectKeys === "no-project") throw new Error("No project keys found in the backend context");
+
+      const tokenResponse = await niceBackendFetch("/api/v1/auth/oauth/token", {
+        method: "POST",
+        accessType: "client",
+        body: {
+          client_id: projectKeys.projectId,
+          client_secret: projectKeys.publishableClientKey ?? throwErr("No publishable client key found in the backend context"),
+          code: getAuthorizationCodeResult.authorizationCode,
+          redirect_uri: localRedirectUrl,
+          code_verifier: "some-code-challenge",
+          grant_type: "authorization_code",
+        },
+      });
+      expect(tokenResponse).toMatchInlineSnapshot(`
+        NiceResponse {
+          "status": 200,
+          "body": {
+            "access_token": <stripped field 'access_token'>,
+            "afterCallbackRedirectUrl": null,
+            "after_callback_redirect_url": null,
+            "expires_in": 3599,
+            "is_new_user": true,
+            "newUser": true,
+            "refresh_token": <stripped field 'refresh_token'>,
+            "scope": "legacy",
+            "token_type": "Bearer",
+          },
+          "headers": Headers {
+            "pragma": "no-cache",
+            <some fields may have been hidden>,
+          },
+        }
+      `);
+
+      backendContext.set({
+        userAuth: {
+          accessToken: tokenResponse.body.access_token,
+          refreshToken: tokenResponse.body.refresh_token,
+        },
+      });
+
+      return {
+        ...getAuthorizationCodeResult,
+        tokenResponse,
+      };
+    }
   }
 }
 
diff --git a/apps/e2e/tests/backend/endpoints/api/v1/auth/oauth/token.test.ts b/apps/e2e/tests/backend/endpoints/api/v1/auth/oauth/token.test.ts
new file mode 100644
index 0000000000..2df910b517
--- /dev/null
+++ b/apps/e2e/tests/backend/endpoints/api/v1/auth/oauth/token.test.ts
@@ -0,0 +1,76 @@
+
+import { describe } from "vitest";
+import { it } from "../../../../../../helpers";
+import { Auth, niceBackendFetch } from "../../../../../backend-helpers";
+
+describe("with grant_type === 'authorization_code'", async () => {
+  it("should sign in a user when called as part of the OAuth flow", async ({ expect }) => {
+    const response = await Auth.OAuth.signIn();
+    expect(response.tokenResponse).toMatchInlineSnapshot(`
+      NiceResponse {
+        "status": 200,
+        "body": {
+          "access_token": <stripped field 'access_token'>,
+          "afterCallbackRedirectUrl": null,
+          "after_callback_redirect_url": null,
+          "expires_in": 3599,
+          "is_new_user": true,
+          "newUser": true,
+          "refresh_token": <stripped field 'refresh_token'>,
+          "scope": "legacy",
+          "token_type": "Bearer",
+        },
+        "headers": Headers {
+          "pragma": "no-cache",
+          <some fields may have been hidden>,
+        },
+      }
+    `);
+    await Auth.expectToBeSignedIn();
+    const meResponse = await niceBackendFetch("/api/v1/users/me", { accessType: "client" });
+    expect(meResponse).toMatchInlineSnapshot(`
+      NiceResponse {
+        "status": 200,
+        "body": {
+          "auth_methods": [
+            {
+              "provider": {
+                "provider_user_id": "<stripped UUID>@stack-generated.example.com",
+                "type": "facebook",
+              },
+              "type": "oauth",
+            },
+          ],
+          "auth_with_email": false,
+          "client_metadata": null,
+          "connected_accounts": [
+            {
+              "provider": {
+                "provider_user_id": "<stripped UUID>@stack-generated.example.com",
+                "type": "facebook",
+              },
+              "type": "oauth",
+            },
+          ],
+          "display_name": null,
+          "has_password": false,
+          "id": "<stripped UUID>",
+          "oauth_providers": [
+            {
+              "account_id": "<stripped UUID>@stack-generated.example.com",
+              "email": "<stripped UUID>@stack-generated.example.com",
+              "id": "facebook",
+            },
+          ],
+          "primary_email": "<stripped UUID>@stack-generated.example.com",
+          "primary_email_verified": false,
+          "profile_image_url": null,
+          "selected_team": null,
+          "selected_team_id": null,
+          "signed_up_at_millis": <stripped field 'signed_up_at_millis'>,
+        },
+        "headers": Headers { <some fields may have been hidden> },
+      }
+    `);
+  });
+});
diff --git a/packages/stack-shared/src/interface/clientInterface.ts b/packages/stack-shared/src/interface/clientInterface.ts
index 36313f306c..92e661b4b8 100644
--- a/packages/stack-shared/src/interface/clientInterface.ts
+++ b/packages/stack-shared/src/interface/clientInterface.ts
@@ -685,7 +685,7 @@ export class StackClientInterface {
     return {
       accessToken: result.access_token,
       refreshToken: result.refresh_token,
-      newUser: result.new_user,
+      newUser: result.is_new_user,
     };
   }
 
@@ -782,8 +782,8 @@ export class StackClientInterface {
       throw new StackAssertionError("Outer OAuth error during authorization code response", { result });
     }
     return {
-      newUser: result.newUser as boolean,
-      afterCallbackRedirectUrl: result.afterCallbackRedirectUrl as string | undefined,
+      newUser: result.is_new_user as boolean,
+      afterCallbackRedirectUrl: result.after_callback_redirect_url as string | undefined,
       accessToken: result.access_token,
       refreshToken: result.refresh_token ?? throwErr("Refresh token not found in outer OAuth response"),
     };

From 0739bca0846442caf443e2b66f23a4989d3bdaaa Mon Sep 17 00:00:00 2001
From: Stan Wohlwend <n2d4xc@gmail.com>
Date: Wed, 7 Aug 2024 11:42:39 -0700
Subject: [PATCH 09/10] Fix typo

---
 packages/init-stack/index.mjs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/init-stack/index.mjs b/packages/init-stack/index.mjs
index 84d7ceb3d6..e9c0331d4b 100644
--- a/packages/init-stack/index.mjs
+++ b/packages/init-stack/index.mjs
@@ -196,7 +196,7 @@ async function main() {
     {
       type: "confirm",
       name: "ready",
-      message: `Found a Next.js project at ${projectPath}. Ready to install Stack?`,
+      message: `Found a Next.js project at ${projectPath} — ready to install Stack?`,
       default: true,
     },
   ]);

From a45e7a94557d529a08ae03cc15da53e6c24a0113 Mon Sep 17 00:00:00 2001
From: Zai Shi <zaishi00@outlook.com>
Date: Thu, 8 Aug 2024 13:50:38 -0700
Subject: [PATCH 10/10] added create user button (#173)

---
 .../[projectId]/users/page-client.tsx         | 48 ++++++++++++++++++-
 .../src/interface/serverInterface.ts          | 15 ++++++
 packages/stack/src/lib/stack-app.ts           | 25 ++++++++++
 3 files changed, 86 insertions(+), 2 deletions(-)

diff --git a/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/users/page-client.tsx b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/users/page-client.tsx
index 0ea31b814e..c2f46cb409 100644
--- a/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/users/page-client.tsx
+++ b/apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/users/page-client.tsx
@@ -1,18 +1,62 @@
 "use client";
 
 import { UserTable } from "@/components/data-table/user-table";
+import { FormDialog } from "@/components/form-dialog";
+import { InputField, SwitchField } from "@/components/form-fields";
 import { StyledLink } from "@/components/link";
-import { Alert } from "@stackframe/stack-ui";
+import { Alert, Button } from "@stackframe/stack-ui";
+import * as yup from "yup";
 import { PageLayout } from "../page-layout";
 import { useAdminApp } from "../use-admin-app";
 
+function CreateDialog(props: {
+  open?: boolean,
+  onOpenChange?: (open: boolean) => void,
+  trigger?: React.ReactNode,
+}) {
+  const adminApp = useAdminApp();
+  const formSchema = yup.object({
+    displayName: yup.string().optional(),
+    primaryEmail: yup.string().email().required(),
+    primaryEmailVerified: yup.boolean().optional(),
+    password: yup.string().required(),
+  });
+
+  return <FormDialog
+    trigger={props.trigger}
+    title={"Create User"}
+    formSchema={formSchema}
+    okButton={{ label: "Create" }}
+    onSubmit={async (values) => {
+      await adminApp.createUser(values);
+    }}
+    cancelButton
+    render={(form) => (
+      <>
+        <InputField control={form.control} label="Display Name" name="displayName" />
+
+        <div className="flex gap-4 items-end">
+          <div className="flex-1">
+            <InputField control={form.control} label="Primary Email" name="primaryEmail" required />
+          </div>
+          <div className="mb-2">
+            <SwitchField control={form.control} label="Verified" name="primaryEmailVerified" />
+          </div>
+        </div>
+
+        <InputField control={form.control} label="Password" name="password" type="password" required />
+      </>
+    )}
+  />;
+}
+
 
 export default function PageClient() {
   const stackAdminApp = useAdminApp();
   const allUsers = stackAdminApp.useUsers();
 
   return (
-    <PageLayout title="Users">
+    <PageLayout title="Users" actions={<CreateDialog trigger={<Button>Create User</Button>} />}>
       {allUsers.length > 0 ? null : (
         <Alert variant='success'>
           Congratulations on starting your project! Check the <StyledLink href="https://docs.stack-auth.com">documentation</StyledLink> to add your first users.
diff --git a/packages/stack-shared/src/interface/serverInterface.ts b/packages/stack-shared/src/interface/serverInterface.ts
index 5fd86eb499..f20379d659 100644
--- a/packages/stack-shared/src/interface/serverInterface.ts
+++ b/packages/stack-shared/src/interface/serverInterface.ts
@@ -72,6 +72,21 @@ export class StackServerInterface extends StackClientInterface {
     }
   }
 
+  async createServerUser(data: UsersCrud['Server']['Create']): Promise<UsersCrud['Server']['Read']> {
+    const response = await this.sendServerRequest(
+      "/users",
+      {
+        method: "POST",
+        headers: {
+          "content-type": "application/json",
+        },
+        body: JSON.stringify(data),
+      },
+      null,
+    );
+    return await response.json();
+  }
+
   async getServerUserByToken(session: InternalSession): Promise<CurrentUserCrud['Server']['Read'] | null> {
     const responseOrError = await this.sendServerRequestAndCatchKnownError(
       "/users/me",
diff --git a/packages/stack/src/lib/stack-app.ts b/packages/stack/src/lib/stack-app.ts
index aa71f6cae3..65bf9f5e4b 100644
--- a/packages/stack/src/lib/stack-app.ts
+++ b/packages/stack/src/lib/stack-app.ts
@@ -1568,6 +1568,12 @@ class _StackServerAppImpl<HasTokenStore extends boolean, ProjectId extends strin
     };
   }
 
+  async createUser(options: ServerUserCreateOptions): Promise<ServerUser> {
+    const crud = await this._interface.createServerUser(serverUserCreateOptionsToCrud(options));
+    await this._refreshUsers();
+    return this._serverUserFromCrud(crud);
+  }
+
 
   async getUser(options: GetUserOptions<HasTokenStore> & { or: 'redirect' }): Promise<ProjectCurrentServerUser<ProjectId>>;
   async getUser(options: GetUserOptions<HasTokenStore> & { or: 'throw' }): Promise<ProjectCurrentServerUser<ProjectId>>;
@@ -2236,6 +2242,23 @@ function serverUserUpdateOptionsToCrud(options: ServerUserUpdateOptions): Curren
 }
 
 
+type ServerUserCreateOptions = {
+  primaryEmail: string,
+  password: string,
+  displayName?: string,
+  primaryEmailVerified?: boolean,
+}
+function serverUserCreateOptionsToCrud(options: ServerUserCreateOptions): UsersCrud["Server"]["Create"] {
+  return {
+    primary_email: options.primaryEmail,
+    password: options.password,
+    primary_email_auth_enabled: true,
+    display_name: options.displayName,
+    primary_email_verified: options.primaryEmailVerified,
+  };
+}
+
+
 type _______________PROJECT_______________ = never;  // this is a marker for VSCode's outline view
 
 export type Project = {
@@ -2616,6 +2639,8 @@ export type StackServerApp<HasTokenStore extends boolean = boolean, ProjectId ex
      */
     getServerUser(): Promise<ProjectCurrentServerUser<ProjectId> | null>,
 
+    createUser(options: ServerUserCreateOptions): Promise<ServerUser>,
+
     useUser(options: GetUserOptions<HasTokenStore> & { or: 'redirect' }): ProjectCurrentServerUser<ProjectId>,
     useUser(options: GetUserOptions<HasTokenStore> & { or: 'throw' }): ProjectCurrentServerUser<ProjectId>,
     useUser(options?: GetUserOptions<HasTokenStore>): ProjectCurrentServerUser<ProjectId> | null,