overview / requirement-sharing

Requirement Sharing Workflow

A high-level walkthrough of how an organization lets one of its customers β€” a person with no platform login β€” open a public link, review a deal's requirements, and approve or reject each one, with every decision landing authoritatively in the platform and propagating live to the internal Requirements tab.

At a glance

A handful of numbers capture the shape of the feature β€” what the customer needs, how the link is secured, and how little data it exposes:

0
logins the customer needs
256-bit
share-token entropy
5
requirement fields exposed publicly
30-day
default link expiry
2
new database tables
live
real-time sync to the org's tab

Overview

Requirement sharing replaces the old manual review loop β€” generate a document, email the customer, wait for a marked-up copy, email it back, and have an internal user re-key each decision by hand. Instead the customer opens a single public link, reviews the deal's requirements in a surface that mirrors the internal one, and approves or rejects each one; the decision is written directly into the platform. The characteristics below are grounded in the mechanisms documented in the rest of this file β€” they describe what the code actually does.

Public & login-less

The /share/requirements/[token] route lives outside the auth wall (the web middleware only guards /app and /auth). The customer needs no account, no Auth0 session β€” only the link.

Token-scoped & multi-tenant

The share token is the only credential. ShareTokenGuard derives the deal and organization scope from it; every read and write is scoped to those guard-derived values, never to a client argument.

Authoritative & event-sourced

A review flips the requirement's status and appends an immutable RequirementReviewEvent in one interactive transaction β€” the decision is real platform state, with a full audit trail beside it.

Minimal data exposure

The public surface exposes only five requirement fields plus the deal and customer name. No confidence scores, source filenames, approver identity, internal IDs, source type, or tags ever cross the boundary.

Rate-limited & non-enumerable

A per-(token, IP) request throttler and a per-IP cap on no-live-link resolutions bound abuse; every failure path returns an identical generic NotFound, giving an attacker no enumeration signal.

Real-time to the org

After each review commits, the existing dealRequirementChanged event publishes over Redis pub/sub, so the org's open Requirements tab refetches and shows "Approved/Rejected by {customer}" with no manual refresh.

The rest of this document walks the flow end to end, from minting the link through to the live update on the org's tab.

An organization admin starts on the deal's Requirements Capture tab and clicks "Share with customer", which calls a single GraphQL mutation:

  • Mutation: createRequirementShareLink(dealId, expiresInDays?) β€” gated by @RequireRole(OrganizationAdmin) plus a deal-access verification (verifyUserDealAccess).

The API generates a 32-byte (256-bit) random token (base64url) and stores only its SHA-256 hash in a new RequirementShareLink row. The raw token is returned exactly once and is unrecoverable afterward β€” only its hash lives in the database.

RequirementShareLink fieldPurpose
tokenHash (unique)SHA-256 of the raw token β€” the lookup key. The raw secret is never stored.
dealId / organizationIdThe token-derived scope every public operation is bound to.
createdByUserIdThe admin who minted the link β€” the accountable human proxy recorded against any resulting action-item completion.
expiresAtUtcAbsolute expiry (30-day default; caller may pass 1–90 days).
revokedAtUtc?Set when the link is revoked via revokeRequirementShareLink; a revoked link is no longer live.
lastAccessedAtUtc?Fire-and-forget touch on each successful guard pass (a failed touch never fails the request).

The org copies ${APP_BASE_URL}/share/requirements/{token} and sends it however they like β€” this is copy-link only; the platform sends no email.

2. The public route

The link opens /share/requirements/[token], a Next.js route that sits outside the auth wall. It mounts a token-less Apollo client that carries the token in an X-Requirement-Share-Token header β€” no Auth0 bearer, no websocket link. An identity gate collects the customer's name and email once (stored in sessionStorage, keyed by the token) and threads them into every review submission.

Public requirement-share request path Customer browser no login Β· token-less Apollo X-Requirement-Share-Token header /share/requirements/[token] Next.js route Β· outside auth wall header token ShareTokenGuard + throttler guard (runs first) token-scoped query Public resolver retrieve… / submitRequirementReview authoritative txn RequirementShareService scope from token, never the client Redis throttle + per-IP counters Postgres ShareLink Β· Requirement Β· DealReq Β· ReviewEvent hash β†’ lookup live link Redis pub/sub live events to the org publish dealRequirementChanged
The public request path. Blue = deterministic code, guards, and resolvers; grey = datastores and messaging. Scope always comes from the token, never a client argument.

3. Token guard & scope

The public resolvers are @Authentication(None) (the global AccessTokenGuard does not run) and protected per-route by @UseGuards(ShareTokenThrottlerGuard, ShareTokenGuard) β€” the throttler runs first so a flood is capped before the token is even looked up. ShareTokenGuard reads the header, SHA-256-hashes it, and looks up a live link (not revoked, not expired). On success it stashes { dealId, organizationId, shareLinkId } for a @ShareLinkContext() decorator; the resolver scopes every action to those guard-derived values. Scope is always token-derived, never a client argument.

ShareTokenGuard decision tree ShareTokenGuard hash header token, look up link missing / unknown / revoked / expired live link generic NotFound identical shape Β· no enumeration per-IP cap++ stash scope β†’ proceed { dealId, organizationId, shareLinkId } + fire-and-forget lastAccessed touch @ShareLinkContext() resolver, scoped to the token
Every failure path collapses to one indistinguishable NotFound; only a live link yields a scope, and that scope drives every downstream read and write.

4. Reading the requirements

retrievePublicSharedDealRequirements returns minimal deal context (deal name, customer name) plus a paginated requirements list. The list deliberately mirrors the internal one β€” the same container, a "Requirements" heading with a count badge (but no actions menu), search, and multi-select filters for Categories, Priority, and Status β€” with all filtering, sorting, and pagination applied server-side on top of the token-derived scope. One filter is intentionally absent: there is no Asset filter, because exposing asset IDs would leak the internal source documents.

The public surface exposes only five requirement fields:

id
requirement identifier
text
the requirement statement
category
requirement category
priority
requirement priority
status
approved / rejected / pending
βˆ…
no confidence, source, approver, or internal IDs

The dedicated PublicRequirement model is deliberately not the internal RequirementModel/DealRequirementModel, so the public surface cannot accidentally leak an authenticated requirement field β€” no confidence %, source filenames, approver identity, internal IDs, sourceType, or tags.

5. Submitting a review

A decision is submitted through submitRequirementReview(requirementId, action, reviewerName, reviewerEmail, reason?). A reject requires a reason; an approve takes an optional note in the same reason field β€” both enforced at the GraphQL input DTO via class-validator (a @ValidateIf on the action). Before any write, the client-supplied requirementId is re-verified against the token-derived dealId + organizationId (the IDOR guard); a requirement from another deal or tenant is indistinguishable from a missing one β€” same NotFound.

The write happens in one interactive Prisma transaction with two separate statements:

  1. Flip Requirement.status to Approved or Rejected (mirroring the internal approve/unapprove exactly β€” only the requirement's approval state is touched; approvedByUserId stays null because the customer is not a User).
  2. Append an immutable RequirementReviewEvent audit row carrying requirementId, dealRequirementId, dealId, organizationId, shareLinkId, reviewerName, reviewerEmail, the action enum, an optional reason, and createdAtUtc.

On approve, the same internal action-item completion logic as an in-app approval runs (completing the "map a requirement" action item); rejecting a previously-approved requirement re-evaluates and may un-complete it. After the transaction commits, the existing dealRequirementChanged Redis subscription is published.

The customer's name and email are self-asserted β€” they are attribution recorded on the review event, not verified identity. Anyone holding the link can type any name. A future confirm step (where the org confirms the customer's decision) is the real trust boundary; today's model treats the review as an attributed signal, not a proof of who acted.

The design is authoritative now, but event-sourced for "confirm-later". Because the status flip and the immutable review event are separate statements in one transaction, a future "customer signals, org confirms" mode is a purely additive change β€” nullable confirm columns plus a review-mode flag β€” with no data migration: the existing events stay valid, and the new mode simply withholds the flip until an org user confirms.

The two public operations contrast cleanly:

retrievePublicSharedDealRequirements β€” a query. Returns the deal/customer name and a server-filtered, server-sorted, server-paginated list of the five public requirement fields. No mutation, no actor recorded; the only side effect is the guard's fire-and-forget lastAccessedAtUtc touch.

6. Real-time propagation

The org's open Requirements tab is already subscribed to dealRequirementChanged, so no new subscription module was needed. When the customer's review commits and the event publishes, that tab refetches and updates live β€” showing "Approved by {customer}" or "Rejected by {customer}: {reason}" on each card. The attribution is surfaced through a new reviewEvents field on DealRequirement (a lazy resolve-field, capped per parent to bound the N+1 path). The decision a customer makes on the public link is visible to the internal team the moment it lands β€” closing the loop the old email cycle left open.

7. Security model

This is an internet-facing, unauthenticated surface fed customer-supplied input, so the controls are layered from the token through the wire to storage:

ControlWhat it does
256-bit token32 random bytes, base64url-encoded. Only the SHA-256 hash is persisted; the raw token is returned exactly once and is unrecoverable afterward.
Generic NotFoundEvery failure path β€” missing, unknown, revoked, or expired token β€” returns an identical parameter-less NotFound, giving no enumeration signal and no way to distinguish a rate-limited rejection from a plain invalid token.
Per-(token, IP) throttlerA self-contained request throttler on the public surface (re-hashes the header token itself), needed because the global throttler skips no-JWT requests. Fails open on a Redis outage.
Per-IP no-live-link capA defense-in-depth cap on requests that resolve to no live link (counted in the guard) β€” stops one IP firing unlimited distinct-token guesses; the 256-bit entropy is the real defense. Fails open on a Redis outage.
Expiry + revocationChecked on every request; resolved scope is never cached across requests, so a revoked or expired link stops working immediately.
IDOR guardThe client-supplied requirementId is re-verified against the token-derived deal + org before any write; a requirement outside the shared deal is treated as missing.
Data minimizationPublic models expose only id / text / category / priority / status plus the deal name and customer name β€” nothing more.
Length caps on free textAttacker-controlled strings are bounded to limit storage/DoS: reason ≀ 4000, reviewerName ≀ 200, reviewerEmail ≀ 320 characters.
CORS + CSRF allowanceThe anonymous cross-origin POST with the custom header is permitted by the API's CORS (it reflects the requested header) and Apollo's CSRF config (non-multipart application/json).
Org-side gatingMinting and revoking a link are gated by @RequireRole(OrganizationAdmin) plus a deal-access verification β€” only an admin who can see the deal can share or revoke it.

Summary

End-to-end the flow looks like:

End-to-end requirement-sharing flow Org UI Customer (public) API Postgres + Redis Mint + copy link createRequirementShareLink org sends URL out-of-band Open link enter name + email approve / reject submitRequirementReview X-Requirement-Share-Token ShareTokenGuard resolve token scope Interactive txn flip status write review event action item IDOR-verified first commit write Postgres write Requirement Β· ReviewEvent + publish over Redis dealRequirementChanged pub/sub event fan out to the org's tab Requirements tab refetches live "Approved/Rejected by {customer}"
From mint to live update: the org shares a link out-of-band, the customer reviews login-less, the API writes authoritatively under the token scope, and a Redis event closes the loop on the org's tab β€” no re-keying, no refresh.