How do I track information about invitations that have been sent?
After a discussion on the community team the other day I’ve upped my logging from WARNING to INFO level, but I don’t see anything related to invitations going out being logged at all, and can’t find any documentation about how to see what’s going on with invitations in bulk, or individually.
Things I would really like to see:
when was an invitation email sent?
to what email address was it sent?
what team was the person invited to?
who sent the invitation?
was the token used?
if the token was used, was a user created? which user?
if not, what user used it?
We occasionally have trouble reports that are probably user error, but might indicate a problem, and it’s impossible to troubleshoot or figure out without more information about what the server has been asked to do and has done. It also seems like a pretty important security auditing need to be able to tell if someone’s been invited to a team they shouldn’t be in, and how that invite was sent.
What options are there? Do I need to dig into the database?
Thanks for raising this, Matthew! Currently, detailed tracking of invitation events like the ones you outlined isn’t fully exposed via logs, so digging into the database is unfortunately the main option for now; that said, you might find some relevant info in the Users, TeamMembers, and Audits tables. For general logging guidance, you can refer to our logging documentation here: Environment configuration settings - Mattermost documentation
It would probably be a good idea for Mattermost to expose at least some of that information somewhere. Not being able to see how users got on a restricted workspace/team feels like a pretty serious security issue.
So it looks like invitations aren’t tracked AT ALL.
I ran the following test:
I dumped the audits, teams, teammembers, and users tables to JSON files
sent an invite by email
dumped again
clicked the invite link to open the signup page
dumped again
completed the signup
dumped again
The only place any data was written to the database was on step 6.
There’s only one value in the invite link which could be a token (&t=...). It’s a 64 character hash that doesn’t match the team token directly. Presumably it is a checksum on the other data in the invite URL (team, invited email address), likely hashed using the team token.
So it looks like there is no auditing of the creation or use of email invites, and the best case for any security applied to them is that they are difficult to forge outright, but nothing stops someone from sharing an invite link to be used (or re-used).