Fix: Add local: true and custom controller for invitation acceptance

Fixes the "Invitation token can't be blank" error that occurs when new
users accept email invitations and try to set their password.

Root cause: PR #6528 refactored form_for to form_with, but form_with
defaults to remote: true (AJAX submission) which can cause issues with
hidden field submission, particularly the invitation_token field.

Changes made:
1. Added local: true to form_with to use standard form submission
2. Removed readonly: true from invitation_token hidden field (unnecessary
   and potentially problematic with form_with)
3. Created custom Users::InvitationsController to:
   - Explicitly ensure invitation_token is set on resource in edit action
   - Explicitly permit invitation_token in strong parameters
   - Add logging to help debug token issues
4. Updated routes to use custom invitations controller

The custom controller provides better control over parameter handling
and includes debugging logs to identify any future token issues.

Related to PR #6528 (form helper refactor)

Author: compwron

app/controllers/users/invitations_controller.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+class Users::InvitationsController < Devise::InvitationsController
+  # GET /users/invitation/accept?invitation_token=abcdef123456
+  def edit
+    set_minimum_password_length
+    # Ensure the invitation_token is set on the resource from the URL parameter
+    resource.invitation_token = params[:invitation_token]
+
+    Rails.logger.info "Invitation Edit: Token from params: #{params[:invitation_token]}"
+    Rails.logger.info "Invitation Edit: Token set on resource: #{resource.invitation_token}"
+
+    render :edit
+  end
+
+  # PUT /users/invitation
+  def update
+    Rails.logger.info "Invitation Update: Params received: #{update_resource_params.inspect}"
+    Rails.logger.info "Invitation Update: invitation_token in params: #{update_resource_params[:invitation_token]}"
+
+    super
+  end
+
+  protected
+
+  # Permit the invitation_token parameter
+  def update_resource_params
+    params.require(resource_name).permit(:invitation_token, :password, :password_confirmation)
+  end
+end

app/views/devise/invitations/edit.html.erb

@@ -1,9 +1,9 @@
 <div class="password-box px-4 pb-3">
   <h2 class="my-3">Send invitation</h2>
 
-  <%= form_with(model: resource, as: resource_name, url: invitation_path(resource_name), html: {method: :put}) do |f| %>
+  <%= form_with(model: resource, as: resource_name, url: invitation_path(resource_name), local: true, html: {method: :put}) do |f| %>
     <%= render "/shared/error_messages", resource: resource %>
-    <%= f.hidden_field :invitation_token, readonly: true %>
+    <%= f.hidden_field :invitation_token %>
 
     <% if f.object.class.require_password_on_accepting %>
       <div class="input-style-1">

config/routes.rb

@@ -5,7 +5,7 @@
   mount Rswag::Api::Engine => "/api-docs"
 
   devise_for :all_casa_admins, path: "all_casa_admins", controllers: {sessions: "all_casa_admins/sessions"}
-  devise_for :users, controllers: {sessions: "users/sessions", passwords: "users/passwords"}
+  devise_for :users, controllers: {sessions: "users/sessions", passwords: "users/passwords", invitations: "users/invitations"}
   authenticate :all_casa_admins do
     mount PgHero::Engine, at: "pg_dashboard", constraints: lambda { |request|
       admin = request.env["warden"].user(:all_casa_admin)