Evaluate different approaches to implement the feature of automatically subscribing external users to a share.

On share form any user can invite watchers:

We will send email invite to users.
We create account if email is not in DB.


We need to track all invites.
Email with link that render share and automatically subscribes to ticket.
We track if user accepted invitation.

We only send 1 invite to email.
If there is no subscribe_auto record - we send invitation email.
We create subscribe_auto record with NO_DECISION.
If there is subscribe_auto record with NO_DECISION / REJECT - we do not send invitation email.


we do not send more invitations via email from atlassian_host.
We do not create more subscribe_invitation for that user.

This will ensure our service wont be used as spam tool.
If Jira instance has more than 50 un-accepted invitations in last 30 days, we do not send more invitations via email.
User can see on dashboard new tab with invitations. Accepted, rejected, without-decision.

If user rejects all watch invitation - he can get another invitations notifications.
We base our spam protection based on NO_DECISION.

What happens during the invite action:

• New record inserted to subscribe_auto (if no record)
  by default NO_DECISION

• New record inserted to subscribe_invitation,
  status NO_DECISION - if subscribe_auto is NO_DECISION or REJECTED
  status ACCEPTED - if subscribe_auto is ACCEPTED

Example invite email

Link:
https://jira.external-share.com/subscribe/{id}/{hash}

{id} - invitation id
{hash} - hash(invitation id + share.secret_key)

Action - the link is clicked, then:

we change the status in subscribe_auto to ACCEPTED

status in subscribe_invitation to ACCEPTED.

If the user has an unconfirmed account (i.e. registration status is initial or pending),

then we redirect to the registration completion page https://jira.external-share.com/activate.html?code={code} .

If user has confirmed account, redirect to share /issue/{share-uuid}

Dashboard - 2 new tabs/tables.
1. Subscribe invitations

In case Invited by is atlassian_sender_user_id then:
we retrieve the name asynchronously.
In the table we insert <div atlassian-acconut-id='12345'>12345</div>.
In html header:

<meta name="atlassian-acconut-id-fetch" content="{signed-url-to-fetch-all-account-ids}">

signed-url-to-fetch-all-account-ids= /atlassian-user/{jwt}
jwt → payload - list of atlassian-acconut-id - signed. Example - status change on share ticket.

2. Subscribe permissions -
A list of hosts from which we allow an external user to be added to the subscription automatically (without confirmation). With the ability to undo this.

If user is logged to account A and gets invite for account B, we should show error page with message like: “Subscription invitation is for another account”. Subscription invite should not be accepted.

Additional notes:

• Pagination should be done on Subscribe invitations and Subscribe permissions tabs.

• In Subscribe invitations and Subscribe permissions tables status should look like a status in subscriptions tab.

• Invitation date should be added to Subscribe invitations table.