fix(ui): improve invitation error messages #11376

Merged
Alan-TheGentleman merged 4 commits into master from fix/invitation-error-messages
May 28, 2026
@Alan-TheGentleman Alan-TheGentleman commented May 27, 2026

Context

Jira: PROWLER-1770

Invitation links currently show generic or status-only error messages. The API already returns distinct HTTP statuses and JSON:API error codes/details for expired, invalid, and missing invitation tokens.

Description

This PR updates the UI invitation flows to display specific invitation-link errors based on API response status, code, and detail instead of relying on an invitation state field.

  • Adds a shared invitation error mapper for accept and sign-up flows
  • Updates invitation accept to use the shared mapper instead of status-only local mapping
  • Preserves sign-up response status so invitation-token errors can be mapped correctly
  • Handles both /data and /data/attributes/invitation_token JSON:API pointers for sign-up invitation errors
  • Adds unit coverage for mapper behavior and sign-up status preservation

Steps to review

  1. Review the mapper in ui/lib/invitation-errors.ts.
  2. Confirm these API responses map to the expected messages:
    • 410 + token_expired → expired invitation
    • 400 + invalid + This invitation is no longer valid. → no longer valid invitation
    • 404 + not_found → invitation not valid
    • sign-up 400 + invalid invitation-token error → invitation not valid
    • unexpected invalid → generic invalid fallback
  3. Run:
cd ui && pnpm test:unit lib/invitation-errors.test.ts actions/auth/auth.test.ts
cd ui && pnpm run typecheck
cd ui && pnpm run lint:check

Checklist

Community Checklist
  • This feature/issue is listed in Jira as PROWLER-1770
  • Is it assigned to me, if not, request it via the issue/feature in Jira or Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? No
    • If so, do we need to update permissions for the provider? Not applicable.

UI

  • All issue/task requirements work as expected on the UI
  • If this PR adds or updates npm dependencies, include package-health evidence (maintenance, popularity, known vulnerabilities, license, release age) and explain why existing/native alternatives are insufficient. Not applicable; no dependency changes.
  • Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
  • Screenshots/Video of the functionality flow (if applicable) - Tablet (640px > X < 1024px)
  • Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
  • Ensure new entries are added to CHANGELOG.md, if applicable.

API

  • All issue/task requirements work as expected on the API. Not applicable; no API changes.
  • Endpoint response output (if applicable). Not applicable.
  • EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable). Not applicable.
  • Performance test results (if applicable). Not applicable.
  • Any other relevant evidence of the implementation (if applicable). Not applicable.
  • Verify if API specs need to be regenerated. Not applicable.
  • Check if version updates are required (e.g., specs, uv, etc.). Not applicable.
  • Ensure new entries are added to CHANGELOG.md, if applicable. Not applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

- Map invitation API errors with status, code, and detail
- Preserve sign-up response status for invitation handling
- Add regression coverage for invitation error mapping
@Alan-TheGentleman Alan-TheGentleman requested a review from a team as a code owner May 27, 2026 12:39
github-actions Bot commented May 27, 2026

✅ All necessary CHANGELOG.md files have been updated.

github-actions Bot commented May 27, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

github-actions Bot commented May 27, 2026

🔒 Container Security Scan

Image: prowler-ui:a725ba2
Last scan: 2026-05-27 14:32:59 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 2
Total 2

2 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable

- Document invitation error message fix
- Replace invitation flow literals with shared constants
- Reuse a form error type constant in signup errors

@alejandrobailo alejandrobailo left a comment

A few things I'd like to address:

  1. needsSignOut: true is now unreachable, but the UI still renders the path.

  2. The Retry button loops forever for malformed tokens.

  3. invitation-errors.ts is domain-specific, it should live under the feature.

Other nits (non-blocking):

  • isInvitationTokenError matches the bare /data pointer, which JSON:API uses for any non-field serializer error at /users POST. Today the API ordering prevents misfires, but tightening to only /data/attributes/invitation_token would be more future-proof.

  • Inside invitation-errors.ts, INVITATION_ERROR_DETAIL/_POINTER/_CODE/_FLOW use UPPER_SNAKE keys but INVITATION_ERROR_MESSAGES uses camelCase, small consistency thing.

Thanks!

- Move invitation error mapping under the invitation feature
- Remove unreachable sign-out handling from accept errors
- Tighten retry and invitation-token error detection
@Alan-TheGentleman
Contributor Author

Thanks for the review, addressed in d97f698f07.

Changes made:

  • Removed the unreachable needsSignOut / different-account path from the accept UI.
  • Added explicit malformed-token handling so the Retry button is not shown for client-side invalid tokens.
  • Moved invitation-errors under the invitation feature folder.
  • Tightened isInvitationTokenError to only match /data/attributes/invitation_token, and removed the bare /data fallback from the signup form.
  • Normalized INVITATION_ERROR_MESSAGES keys to the same uppercase style as the other const maps.

Validation passed locally and in pre-commit:

cd ui && pnpm test:unit 'app/(auth)/invitation/_lib/invitation-errors.test.ts' actions/auth/auth.test.ts
cd ui && pnpm run typecheck
cd ui && pnpm run lint:check
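
The mapping discussed in this thread (HTTP status plus JSON:API code and detail, with sign-up token errors matched only on the `/data/attributes/invitation_token` pointer), as an added TypeScript example that is not the PR's code. The type names, message keys and sample payloads are hypothetical, and it assumes 410 and 404 responses map the same way in both flows.

```typescript
// Added example: type names, keys and sample payloads are hypothetical.
type Flow = "accept" | "sign-up";
interface JsonApiError { code?: string; detail?: string; source?: { pointer?: string } }
interface ApiFailure { status: number; errors: JsonApiError[] }
type InvitationErrorKey = "EXPIRED" | "NO_LONGER_VALID" | "NOT_VALID" | "GENERIC_INVALID";

const TOKEN_POINTER = "/data/attributes/invitation_token";
const NO_LONGER_VALID_DETAIL = "This invitation is no longer valid.";

// Only the field-level pointer identifies a token error. A bare "/data"
// pointer can come from any non-field serializer error on sign-up.
function isTokenError(e: JsonApiError): boolean {
  return e.source !== undefined && e.source.pointer === TOKEN_POINTER;
}

const hasCode = (res: ApiFailure, code: string): boolean =>
  res.errors.some((e) => e.code === code);

// Returns a fixed message key, or null when the failure is not an invitation
// error and belongs to the caller's normal error path. The API's `detail`
// string is only compared, never passed through to the rendered page.
function mapInvitationError(flow: Flow, res: ApiFailure): InvitationErrorKey | null {
  // Assumption: 410 and 404 map the same way in the accept and sign-up flows.
  if (res.status === 410 && hasCode(res, "token_expired")) return "EXPIRED";
  if (res.status === 404 && hasCode(res, "not_found")) return "NOT_VALID";
  if (flow === "sign-up") {
    const tokenInvalid = res.errors.some((e) => e.code === "invalid" && isTokenError(e));
    return res.status === 400 && tokenInvalid ? "NOT_VALID" : null;
  }
  if (!hasCode(res, "invalid")) return null;
  const knownDetail = res.errors.some(
    (e) => e.code === "invalid" && e.detail === NO_LONGER_VALID_DETAIL,
  );
  return res.status === 400 && knownDetail ? "NO_LONGER_VALID" : "GENERIC_INVALID";
}

// Constructed sample responses (not captured from a real API).
const SAMPLES: Array<[Flow, ApiFailure]> = [
  ["accept", { status: 410, errors: [{ code: "token_expired" }] }],
  ["accept", { status: 400, errors: [{ code: "invalid", detail: NO_LONGER_VALID_DETAIL }] }],
  ["accept", { status: 404, errors: [{ code: "not_found" }] }],
  ["sign-up", { status: 400, errors: [{ code: "invalid", source: { pointer: TOKEN_POINTER } }] }],
  ["sign-up", { status: 400, errors: [{ code: "invalid", source: { pointer: "/data" } }] }],
  ["accept", { status: 400, errors: [{ code: "invalid", detail: "unexpected" }] }],
];
function mapSamples(): Array<InvitationErrorKey | null> {
  return SAMPLES.map(([flow, res]) => mapInvitationError(flow, res));
}
```

The fifth sample is the case the review raised: a sign-up error carrying only the bare `/data` pointer is not treated as an invitation-token error.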

@Alan-TheGentleman Alan-TheGentleman merged commit d98933c into master May 28, 2026
27 checks passed
@Alan-TheGentleman Alan-TheGentleman deleted the fix/invitation-error-messages branch May 28, 2026 07:37