@appconda/nextjs 1.0.87 → 1.0.88

package/dist/index.d.ts

@@ -40,3 +40,4 @@ export { getAppcondaClient } from './getAppcondaClient';
 export * from './modules';
 export type { SafeActionFn } from 'next-safe-action';
 export * from './actions';
+export * from './lib';

package/dist/index.js

@@ -37,3 +37,4 @@ export { getSDKForService } from './getSDKForService';
 export { getAppcondaClient } from './getAppcondaClient';
 export * from './modules';
 export * from './actions';
+export * from './lib';

package/dist/lib/crypto.d.ts

@@ -0,0 +1,23 @@
+/**
+ *
+ * @param text Value to be encrypted
+ * @param key Key used to encrypt value must be 32 bytes for AES256 encryption algorithm
+ *
+ * @returns Encrypted value using key
+ */
+export declare const symmetricEncrypt: (text: string, key: string) => string;
+/**
+ *
+ * @param text Value to decrypt
+ * @param key Key used to decrypt value must be 32 bytes for AES256 encryption algorithm
+ */
+export declare const symmetricDecrypt: (text: string, key: string) => string;
+export declare const getHash: (key: string) => string;
+export declare const encryptAES128: (encryptionKey: string, data: string) => string;
+export declare const decryptAES128: (encryptionKey: string, data: string) => string;
+export declare const generateLocalSignedUrl: (fileName: string, environmentId: string, fileType: string) => {
+    signature: string;
+    uuid: string;
+    timestamp: number;
+};
+export declare const validateLocalSignedUrl: (uuid: string, fileName: string, environmentId: string, fileType: string, timestamp: number, signature: string, secret: string) => boolean;

package/dist/lib/crypto.js

@@ -0,0 +1,76 @@
+import crypto from "crypto";
+import { createCipheriv, createDecipheriv, createHash, createHmac, randomBytes } from "crypto";
+import { getEnv } from "./env";
+const ALGORITHM = "aes256";
+const INPUT_ENCODING = "utf8";
+const OUTPUT_ENCODING = "hex";
+const BUFFER_ENCODING = getEnv().ENCRYPTION_KEY.length === 32 ? "latin1" : "hex";
+const IV_LENGTH = 16; // AES blocksize
+/**
+ *
+ * @param text Value to be encrypted
+ * @param key Key used to encrypt value must be 32 bytes for AES256 encryption algorithm
+ *
+ * @returns Encrypted value using key
+ */
+export const symmetricEncrypt = (text, key) => {
+    const _key = Buffer.from(key, BUFFER_ENCODING);
+    const iv = crypto.randomBytes(IV_LENGTH);
+    // @ts-ignore -- the package needs to be built
+    const cipher = crypto.createCipheriv(ALGORITHM, _key, iv);
+    let ciphered = cipher.update(text, INPUT_ENCODING, OUTPUT_ENCODING);
+    ciphered += cipher.final(OUTPUT_ENCODING);
+    const ciphertext = iv.toString(OUTPUT_ENCODING) + ":" + ciphered;
+    return ciphertext;
+};
+/**
+ *
+ * @param text Value to decrypt
+ * @param key Key used to decrypt value must be 32 bytes for AES256 encryption algorithm
+ */
+export const symmetricDecrypt = (text, key) => {
+    const _key = Buffer.from(key, BUFFER_ENCODING);
+    const components = text.split(":");
+    const iv_from_ciphertext = Buffer.from(components.shift() || "", OUTPUT_ENCODING);
+    // @ts-ignore -- the package needs to be built
+    const decipher = crypto.createDecipheriv(ALGORITHM, _key, iv_from_ciphertext);
+    let deciphered = decipher.update(components.join(":"), OUTPUT_ENCODING, INPUT_ENCODING);
+    deciphered += decipher.final(INPUT_ENCODING);
+    return deciphered;
+};
+export const getHash = (key) => createHash("sha256").update(key).digest("hex");
+// create an aes128 encryption function
+export const encryptAES128 = (encryptionKey, data) => {
+    // @ts-ignore -- the package needs to be built
+    const cipher = createCipheriv("aes-128-ecb", Buffer.from(encryptionKey, "base64"), "");
+    let encrypted = cipher.update(data, "utf-8", "hex");
+    encrypted += cipher.final("hex");
+    return encrypted;
+};
+// create an aes128 decryption function
+export const decryptAES128 = (encryptionKey, data) => {
+    // @ts-ignore -- the package needs to be built
+    const cipher = createDecipheriv("aes-128-ecb", Buffer.from(encryptionKey, "base64"), "");
+    let decrypted = cipher.update(data, "hex", "utf-8");
+    decrypted += cipher.final("utf-8");
+    return decrypted;
+};
+export const generateLocalSignedUrl = (fileName, environmentId, fileType) => {
+    const uuid = randomBytes(16).toString("hex");
+    const timestamp = Date.now();
+    const data = `${uuid}:${fileName}:${environmentId}:${fileType}:${timestamp}`;
+    const signature = createHmac("sha256", getEnv().ENCRYPTION_KEY).update(data).digest("hex");
+    return { signature, uuid, timestamp };
+};
+export const validateLocalSignedUrl = (uuid, fileName, environmentId, fileType, timestamp, signature, secret) => {
+    const data = `${uuid}:${fileName}:${environmentId}:${fileType}:${timestamp}`;
+    const expectedSignature = createHmac("sha256", secret).update(data).digest("hex");
+    if (expectedSignature !== signature) {
+        return false;
+    }
+    // valid for 5 minutes
+    if (Date.now() - timestamp > 1000 * 60 * 5) {
+        return false;
+    }
+    return true;
+};

package/dist/lib/env.js

@@ -14,6 +14,8 @@ export const getEnv = (() => {
                     APPCONDA_CLIENT_ENDPOINT: z.string(),
                     _SERVICE_TOKEN: z.string(),
                     ENTERPRISE_LICENSE_KEY: z.string(),
+                    NEXTAUTH_SECRET: z.string().min(1),
+                    ENCRYPTION_KEY: z.string().length(64).or(z.string().length(32)),
                     /* AI_AZURE_LLM_API_KEY: z.string().optional(),
                     AI_AZURE_EMBEDDINGS_DEPLOYMENT_ID: z.string().optional(),
                     AI_AZURE_LLM_DEPLOYMENT_ID: z.string().optional(),
@@ -33,7 +35,7 @@ export const getEnv = (() => {
                     E2E_TESTING: z.enum(["1", "0"]).optional(),
                     EMAIL_AUTH_DISABLED: z.enum(["1", "0"]).optional(),
                     EMAIL_VERIFICATION_DISABLED: z.enum(["1", "0"]).optional(),
-                    ENCRYPTION_KEY: z.string().length(64).or(z.string().length(32)),
+                   
                     ENTERPRISE_LICENSE_KEY: z.string().optional(),
                     FORMBRICKS_ENCRYPTION_KEY: z.string().length(24).or(z.string().length(0)).optional(),
                     GITHUB_ID: z.string().optional(),
@@ -55,7 +57,7 @@ export const getEnv = (() => {
                     INTERCOM_SECRET_KEY: z.string().optional(),
                     IS_FORMBRICKS_CLOUD: z.enum(["1", "0"]).optional(),
                     MAIL_FROM: z.string().email().optional(),
-                    NEXTAUTH_SECRET: z.string().min(1),
+                    
                     NOTION_OAUTH_CLIENT_ID: z.string().optional(),
                     NOTION_OAUTH_CLIENT_SECRET: z.string().optional(),
                     OIDC_CLIENT_ID: z.string().optional(),
@@ -119,6 +121,8 @@ export const getEnv = (() => {
                     APPCONDA_CLIENT_ENDPOINT: process.env.APPCONDA_CLIENT_ENDPOINT,
                     _SERVICE_TOKEN: process.env._SERVICE_TOKEN,
                     ENTERPRISE_LICENSE_KEY: process.env.ENTERPRISE_LICENSE_KEY,
+                    NEXTAUTH_SECRET: process.env.NEXTAUTH_SECRET,
+                    ENCRYPTION_KEY: process.env.ENCRYPTION_KEY,
                 },
             });
             console.log(env);

package/dist/lib/index.d.ts

@@ -0,0 +1 @@
+export * from "./jwt";

package/dist/lib/index.js

@@ -0,0 +1 @@
+export * from "./jwt";

package/dist/lib/jwt.d.ts

@@ -0,0 +1,12 @@
+import { JwtPayload } from "jsonwebtoken";
+export declare const createToken: (userId: string, userEmail: string, options?: {}) => string;
+export declare const createTokenForLinkSurvey: (surveyId: string, userEmail: string) => string;
+export declare const createEmailToken: (email: string) => string;
+export declare const getEmailFromEmailToken: (token: string) => string;
+export declare const createInviteToken: (inviteId: string, email: string, options?: {}) => string;
+export declare const verifyTokenForLinkSurvey: (token: string, surveyId: string) => string | null;
+export declare const verifyToken: (token: string) => Promise<JwtPayload>;
+export declare const verifyInviteToken: (token: string) => {
+    inviteId: string;
+    email: string;
+};

package/dist/lib/jwt.js

@@ -0,0 +1,102 @@
+import jwt from "jsonwebtoken";
+import { symmetricDecrypt, symmetricEncrypt } from "./crypto";
+import { getEnv } from "./env";
+export const createToken = (userId, userEmail, options = {}) => {
+    const encryptedUserId = symmetricEncrypt(userId, getEnv().ENCRYPTION_KEY);
+    return jwt.sign({ id: encryptedUserId }, getEnv().NEXTAUTH_SECRET + userEmail, options);
+};
+export const createTokenForLinkSurvey = (surveyId, userEmail) => {
+    const encryptedEmail = symmetricEncrypt(userEmail, getEnv().ENCRYPTION_KEY);
+    return jwt.sign({ email: encryptedEmail }, getEnv().NEXTAUTH_SECRET + surveyId);
+};
+export const createEmailToken = (email) => {
+    const encryptedEmail = symmetricEncrypt(email, getEnv().ENCRYPTION_KEY);
+    return jwt.sign({ email: encryptedEmail }, getEnv().NEXTAUTH_SECRET);
+};
+export const getEmailFromEmailToken = (token) => {
+    const payload = jwt.verify(token, getEnv().NEXTAUTH_SECRET);
+    try {
+        // Try to decrypt first (for newer tokens)
+        const decryptedEmail = symmetricDecrypt(payload.email, getEnv().ENCRYPTION_KEY);
+        return decryptedEmail;
+    }
+    catch {
+        // If decryption fails, return the original email (for older tokens)
+        return payload.email;
+    }
+};
+export const createInviteToken = (inviteId, email, options = {}) => {
+    const encryptedInviteId = symmetricEncrypt(inviteId, getEnv().ENCRYPTION_KEY);
+    const encryptedEmail = symmetricEncrypt(email, getEnv().ENCRYPTION_KEY);
+    return jwt.sign({ inviteId: encryptedInviteId, email: encryptedEmail }, getEnv().NEXTAUTH_SECRET, options);
+};
+export const verifyTokenForLinkSurvey = (token, surveyId) => {
+    try {
+        const { email } = jwt.verify(token, getEnv().NEXTAUTH_SECRET + surveyId);
+        try {
+            // Try to decrypt first (for newer tokens)
+            const decryptedEmail = symmetricDecrypt(email, getEnv().ENCRYPTION_KEY);
+            return decryptedEmail;
+        }
+        catch {
+            // If decryption fails, return the original email (for older tokens)
+            return email;
+        }
+    }
+    catch (err) {
+        return null;
+    }
+};
+export const verifyToken = async (token) => {
+    // First decode to get the ID
+    const decoded = jwt.decode(token);
+    const payload = decoded;
+    const { id } = payload;
+    if (!id) {
+        throw new Error("Token missing required field: id");
+    }
+    // Try to decrypt the ID (for newer tokens), if it fails use the ID as-is (for older tokens)
+    let decryptedId;
+    try {
+        decryptedId = symmetricDecrypt(id, getEnv().ENCRYPTION_KEY);
+    }
+    catch {
+        decryptedId = id;
+    }
+    // If no email provided, look up the user
+    const foundUser = null; /* await prisma.user.findUnique({
+      where: { id: decryptedId },
+    }); */
+    if (!foundUser) {
+        throw new Error("User not found");
+    }
+    const userEmail = foundUser.email;
+    return { id: decryptedId, email: userEmail };
+};
+export const verifyInviteToken = (token) => {
+    try {
+        const decoded = jwt.decode(token);
+        const payload = decoded;
+        const { inviteId, email } = payload;
+        let decryptedInviteId;
+        let decryptedEmail;
+        try {
+            // Try to decrypt first (for newer tokens)
+            decryptedInviteId = symmetricDecrypt(inviteId, getEnv().ENCRYPTION_KEY);
+            decryptedEmail = symmetricDecrypt(email, getEnv().ENCRYPTION_KEY);
+        }
+        catch {
+            // If decryption fails, use original values (for older tokens)
+            decryptedInviteId = inviteId;
+            decryptedEmail = email;
+        }
+        return {
+            inviteId: decryptedInviteId,
+            email: decryptedEmail,
+        };
+    }
+    catch (error) {
+        console.error(`Error verifying invite token: ${error}`);
+        throw new Error("Invalid or expired invite token");
+    }
+};

package/package.json

@@ -2,7 +2,7 @@
   "name": "@appconda/nextjs",
   "homepage": "https://appconda.io/support",
   "description": "Appconda is an open-source self-hosted backend server that abstract and simplify complex and repetitive development tasks behind a very simple REST API",
-  "version": "1.0.87",
+  "version": "1.0.88",
   "license": "BSD-3-Clause",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -24,6 +24,7 @@
   "jsdelivr": "dist/iife/sdk.js",
   "unpkg": "dist/iife/sdk.js",
   "dependencies": {
+    "jsonwebtoken": "^9.0.2",
     "next": "^15.2.3",
     "next-auth": "^4.24.11",
     "next-safe-action": "^7.10.4",

package/src/index.ts

@@ -40,3 +40,4 @@ export { getAppcondaClient } from './getAppcondaClient';
 export * from './modules';
 export type { SafeActionFn } from 'next-safe-action'; 
 export * from './actions';
+export * from './lib';

package/src/lib/crypto.ts

@@ -0,0 +1,103 @@
+import crypto from "crypto";
+import { createCipheriv, createDecipheriv, createHash, createHmac, randomBytes } from "crypto";
+import { getEnv } from "./env";
+
+
+const ALGORITHM = "aes256";
+const INPUT_ENCODING = "utf8";
+const OUTPUT_ENCODING = "hex";
+const BUFFER_ENCODING = getEnv().ENCRYPTION_KEY!.length === 32 ? "latin1" : "hex";
+const IV_LENGTH = 16; // AES blocksize
+
+/**
+ *
+ * @param text Value to be encrypted
+ * @param key Key used to encrypt value must be 32 bytes for AES256 encryption algorithm
+ *
+ * @returns Encrypted value using key
+ */
+export const symmetricEncrypt = (text: string, key: string) => {
+  const _key = Buffer.from(key, BUFFER_ENCODING);
+  const iv = crypto.randomBytes(IV_LENGTH);
+
+  // @ts-ignore -- the package needs to be built
+  const cipher = crypto.createCipheriv(ALGORITHM, _key, iv);
+  let ciphered = cipher.update(text, INPUT_ENCODING, OUTPUT_ENCODING);
+  ciphered += cipher.final(OUTPUT_ENCODING);
+  const ciphertext = iv.toString(OUTPUT_ENCODING) + ":" + ciphered;
+
+  return ciphertext;
+};
+
+/**
+ *
+ * @param text Value to decrypt
+ * @param key Key used to decrypt value must be 32 bytes for AES256 encryption algorithm
+ */
+export const symmetricDecrypt = (text: string, key: string) => {
+  const _key = Buffer.from(key, BUFFER_ENCODING);
+
+  const components = text.split(":");
+  const iv_from_ciphertext = Buffer.from(components.shift() || "", OUTPUT_ENCODING);
+  // @ts-ignore -- the package needs to be built
+  const decipher = crypto.createDecipheriv(ALGORITHM, _key, iv_from_ciphertext);
+  let deciphered = decipher.update(components.join(":"), OUTPUT_ENCODING, INPUT_ENCODING);
+  deciphered += decipher.final(INPUT_ENCODING);
+
+  return deciphered;
+};
+
+export const getHash = (key: string): string => createHash("sha256").update(key).digest("hex");
+
+// create an aes128 encryption function
+export const encryptAES128 = (encryptionKey: string, data: string): string => {
+  // @ts-ignore -- the package needs to be built
+  const cipher = createCipheriv("aes-128-ecb", Buffer.from(encryptionKey, "base64"), "");
+  let encrypted = cipher.update(data, "utf-8", "hex");
+  encrypted += cipher.final("hex");
+  return encrypted;
+};
+// create an aes128 decryption function
+export const decryptAES128 = (encryptionKey: string, data: string): string => {
+  // @ts-ignore -- the package needs to be built
+  const cipher = createDecipheriv("aes-128-ecb", Buffer.from(encryptionKey, "base64"), "");
+  let decrypted = cipher.update(data, "hex", "utf-8");
+  decrypted += cipher.final("utf-8");
+  return decrypted;
+};
+
+export const generateLocalSignedUrl = (
+  fileName: string,
+  environmentId: string,
+  fileType: string
+): { signature: string; uuid: string; timestamp: number } => {
+  const uuid = randomBytes(16).toString("hex");
+  const timestamp = Date.now();
+  const data = `${uuid}:${fileName}:${environmentId}:${fileType}:${timestamp}`;
+  const signature = createHmac("sha256", getEnv().ENCRYPTION_KEY!).update(data).digest("hex");
+  return { signature, uuid, timestamp };
+};
+
+export const validateLocalSignedUrl = (
+  uuid: string,
+  fileName: string,
+  environmentId: string,
+  fileType: string,
+  timestamp: number,
+  signature: string,
+  secret: string
+): boolean => {
+  const data = `${uuid}:${fileName}:${environmentId}:${fileType}:${timestamp}`;
+  const expectedSignature = createHmac("sha256", secret).update(data).digest("hex");
+
+  if (expectedSignature !== signature) {
+    return false;
+  }
+
+  // valid for 5 minutes
+  if (Date.now() - timestamp > 1000 * 60 * 5) {
+    return false;
+  }
+
+  return true;
+};

package/src/lib/env.ts

@@ -16,6 +16,8 @@ export const getEnv = (() => {
                     APPCONDA_CLIENT_ENDPOINT: z.string(),
                     _SERVICE_TOKEN: z.string(),
                     ENTERPRISE_LICENSE_KEY: z.string(),
+                    NEXTAUTH_SECRET: z.string().min(1),
+                    ENCRYPTION_KEY: z.string().length(64).or(z.string().length(32)),
                     /* AI_AZURE_LLM_API_KEY: z.string().optional(),
                     AI_AZURE_EMBEDDINGS_DEPLOYMENT_ID: z.string().optional(),
                     AI_AZURE_LLM_DEPLOYMENT_ID: z.string().optional(),
@@ -35,7 +37,7 @@ export const getEnv = (() => {
                     E2E_TESTING: z.enum(["1", "0"]).optional(),
                     EMAIL_AUTH_DISABLED: z.enum(["1", "0"]).optional(),
                     EMAIL_VERIFICATION_DISABLED: z.enum(["1", "0"]).optional(),
-                    ENCRYPTION_KEY: z.string().length(64).or(z.string().length(32)),
+                   
                     ENTERPRISE_LICENSE_KEY: z.string().optional(),
                     FORMBRICKS_ENCRYPTION_KEY: z.string().length(24).or(z.string().length(0)).optional(),
                     GITHUB_ID: z.string().optional(),
@@ -57,7 +59,7 @@ export const getEnv = (() => {
                     INTERCOM_SECRET_KEY: z.string().optional(),
                     IS_FORMBRICKS_CLOUD: z.enum(["1", "0"]).optional(),
                     MAIL_FROM: z.string().email().optional(),
-                    NEXTAUTH_SECRET: z.string().min(1),
+                    
                     NOTION_OAUTH_CLIENT_ID: z.string().optional(),
                     NOTION_OAUTH_CLIENT_SECRET: z.string().optional(),
                     OIDC_CLIENT_ID: z.string().optional(),
@@ -122,6 +124,8 @@ export const getEnv = (() => {
                     APPCONDA_CLIENT_ENDPOINT: process.env.APPCONDA_CLIENT_ENDPOINT,
                     _SERVICE_TOKEN: process.env._SERVICE_TOKEN,
                     ENTERPRISE_LICENSE_KEY: process.env.ENTERPRISE_LICENSE_KEY,
+                    NEXTAUTH_SECRET: process.env.NEXTAUTH_SECRET,
+                    ENCRYPTION_KEY: process.env.ENCRYPTION_KEY,
                 },
             });
             console.log(env);

package/src/lib/index.ts

@@ -0,0 +1 @@
+export * from "./jwt";

package/src/lib/jwt.ts

@@ -0,0 +1,113 @@
+import jwt, { JwtPayload } from "jsonwebtoken";
+import { symmetricDecrypt, symmetricEncrypt } from "./crypto";
+import { getEnv } from "./env";
+
+export const createToken = (userId: string, userEmail: string, options = {}): string => {
+  const encryptedUserId = symmetricEncrypt(userId, getEnv().ENCRYPTION_KEY);
+  return jwt.sign({ id: encryptedUserId }, getEnv().NEXTAUTH_SECRET + userEmail, options);
+};
+export const createTokenForLinkSurvey = (surveyId: string, userEmail: string): string => {
+  const encryptedEmail = symmetricEncrypt(userEmail, getEnv().ENCRYPTION_KEY);
+  return jwt.sign({ email: encryptedEmail }, getEnv().NEXTAUTH_SECRET + surveyId);
+};
+
+export const createEmailToken = (email: string): string => {
+  const encryptedEmail = symmetricEncrypt(email, getEnv().ENCRYPTION_KEY);
+  return jwt.sign({ email: encryptedEmail }, getEnv().NEXTAUTH_SECRET);
+};
+
+export const getEmailFromEmailToken = (token: string): string => {
+  const payload = jwt.verify(token, getEnv().NEXTAUTH_SECRET) as JwtPayload;
+  try {
+    // Try to decrypt first (for newer tokens)
+    const decryptedEmail = symmetricDecrypt(payload.email, getEnv().ENCRYPTION_KEY);
+    return decryptedEmail;
+  } catch {
+    // If decryption fails, return the original email (for older tokens)
+    return payload.email;
+  }
+};
+
+export const createInviteToken = (inviteId: string, email: string, options = {}): string => {
+  const encryptedInviteId = symmetricEncrypt(inviteId, getEnv().ENCRYPTION_KEY);
+  const encryptedEmail = symmetricEncrypt(email, getEnv().ENCRYPTION_KEY);
+  return jwt.sign({ inviteId: encryptedInviteId, email: encryptedEmail }, getEnv().NEXTAUTH_SECRET, options);
+};
+
+export const verifyTokenForLinkSurvey = (token: string, surveyId: string): string | null => {
+  try {
+    const { email } = jwt.verify(token, getEnv().NEXTAUTH_SECRET + surveyId) as JwtPayload;
+    try {
+      // Try to decrypt first (for newer tokens)
+      const decryptedEmail = symmetricDecrypt(email, getEnv().ENCRYPTION_KEY);
+      return decryptedEmail;
+    } catch {
+      // If decryption fails, return the original email (for older tokens)
+      return email;
+    }
+  } catch (err) {
+    return null;
+  }
+};
+
+export const verifyToken = async (token: string): Promise<JwtPayload> => {
+  // First decode to get the ID
+  const decoded = jwt.decode(token);
+  const payload: JwtPayload = decoded as JwtPayload;
+
+  const { id } = payload;
+  if (!id) {
+    throw new Error("Token missing required field: id");
+  }
+
+  // Try to decrypt the ID (for newer tokens), if it fails use the ID as-is (for older tokens)
+  let decryptedId: string;
+  try {
+    decryptedId = symmetricDecrypt(id, getEnv().ENCRYPTION_KEY);
+  } catch {
+    decryptedId = id;
+  }
+
+  // If no email provided, look up the user
+  const foundUser = null;/* await prisma.user.findUnique({
+    where: { id: decryptedId },
+  }); */
+
+  if (!foundUser) {
+    throw new Error("User not found");
+  }
+
+  const userEmail = foundUser.email;
+
+  return { id: decryptedId, email: userEmail };
+};
+
+export const verifyInviteToken = (token: string): { inviteId: string; email: string } => {
+  try {
+    const decoded = jwt.decode(token);
+    const payload: JwtPayload = decoded as JwtPayload;
+
+    const { inviteId, email } = payload;
+
+    let decryptedInviteId: string;
+    let decryptedEmail: string;
+
+    try {
+      // Try to decrypt first (for newer tokens)
+      decryptedInviteId = symmetricDecrypt(inviteId, getEnv().ENCRYPTION_KEY);
+      decryptedEmail = symmetricDecrypt(email, getEnv().ENCRYPTION_KEY);
+    } catch {
+      // If decryption fails, use original values (for older tokens)
+      decryptedInviteId = inviteId;
+      decryptedEmail = email;
+    }
+
+    return {
+      inviteId: decryptedInviteId,
+      email: decryptedEmail,
+    };
+  } catch (error) {
+    console.error(`Error verifying invite token: ${error}`);
+    throw new Error("Invalid or expired invite token");
+  }
+};