refactor(api,cli): migrate membership management to dedicated collection

- Migrate from embedded namespace.members to standalone
  membership_invitations collection
- Add environment-specific prefixes ([cloud] vs [community|enterprise])
  to member service tests
- Update AddNamespaceMember tests to use MembershipInvitationResolve for
  cloud environments
- Refactor addMember tests to validate MembershipInvitationCreate
  instead of direct membership
- Add cloud-specific UpdateNamespaceMember tests for invitation
  management
- Update RemoveNamespaceMember tests with invitation cancellation logic
  using MembershipInvitationStatusCancelled
- Fix mock.MatchedBy matchers to validate invitation status changes
- Add envMock.AssertExpectations to all refactored test functions
- Create audit trail for all membership operations across environments

Author: heiytor

api/services/auth.go

@@ -309,10 +309,8 @@ func (s *service) AuthLocalUser(ctx context.Context, req *requests.AuthLocalUser
 
 	tenantID := ""
 	role := ""
-	// Populate the tenant and role when the user is associated with a namespace. If the member status is pending, we
-	// ignore the namespace.
 	if ns, _ := s.store.NamespaceGetPreferred(ctx, user.ID); ns != nil && ns.TenantID != "" {
-		if m, _ := ns.FindMember(user.ID); m.Status != models.MemberStatusPending {
+		if m, _ := ns.FindMember(user.ID); m != nil {
 			tenantID = ns.TenantID
 			role = m.Role.String()
 		}
@@ -393,10 +391,8 @@ func (s *service) CreateUserToken(ctx context.Context, req *requests.CreateUserT
 			return nil, NewErrNamespaceMemberNotFound(user.ID, nil)
 		}
 
-		if member.Status != models.MemberStatusPending {
-			tenantID = namespace.TenantID
-			role = member.Role.String()
-		}
+		tenantID = namespace.TenantID
+		role = member.Role.String()
 	default:
 		namespace, err := s.store.NamespaceResolve(ctx, store.NamespaceTenantIDResolver, req.TenantID)
 		if err != nil {
@@ -408,10 +404,6 @@ func (s *service) CreateUserToken(ctx context.Context, req *requests.CreateUserT
 			return nil, NewErrNamespaceMemberNotFound(user.ID, nil)
 		}
 
-		if member.Status == models.MemberStatusPending {
-			return nil, NewErrNamespaceMemberNotFound(user.ID, nil)
-		}
-
 		tenantID = namespace.TenantID
 		role = member.Role.String()
 

api/services/auth_test.go

@@ -1890,134 +1890,6 @@ func TestService_AuthLocalUser(t *testing.T) {
 				err:      nil,
 			},
 		},
-		{
-			description: "succeeds to authenticate with a namespace (and member status 'pending')",
-			sourceIP:    "127.0.0.1",
-			req: &requests.AuthLocalUser{
-				Identifier: "john_doe",
-				Password:   "secret",
-			},
-			requiredMocks: func() {
-				user := &models.User{
-					ID:        "65fdd16b5f62f93184ec8a39",
-					Origin:    models.UserOriginLocal,
-					Status:    models.UserStatusConfirmed,
-					LastLogin: now,
-					MFA: models.UserMFA{
-						Enabled: false,
-					},
-					UserData: models.UserData{
-						Username: "john_doe",
-						Email:    "[email protected]",
-						Name:     "john doe",
-					},
-					Password: models.UserPassword{
-						Hash: "$2a$10$V/6N1wsjheBVvWosPfv02uf4WAOb9lmp8YWQCIa2UYuFV4OJby7Yi",
-					},
-					Preferences: models.UserPreferences{
-						PreferredNamespace: "00000000-0000-4000-0000-000000000000",
-						AuthMethods:        []models.UserAuthMethod{models.UserAuthMethodLocal},
-					},
-				}
-				updatedUser := &models.User{
-					ID:        "65fdd16b5f62f93184ec8a39",
-					Origin:    models.UserOriginLocal,
-					Status:    models.UserStatusConfirmed,
-					LastLogin: now,
-					MFA: models.UserMFA{
-						Enabled: false,
-					},
-					UserData: models.UserData{
-						Username: "john_doe",
-						Email:    "[email protected]",
-						Name:     "john doe",
-					},
-					Password: models.UserPassword{
-						Hash: "$2a$10$V/6N1wsjheBVvWosPfv02uf4WAOb9lmp8YWQCIa2UYuFV4OJby7Yi",
-					},
-					Preferences: models.UserPreferences{
-						PreferredNamespace: "",
-						AuthMethods:        []models.UserAuthMethod{models.UserAuthMethodLocal},
-					},
-				}
-
-				mock.
-					On("SystemGet", ctx).
-					Return(
-						&models.System{
-							Authentication: &models.SystemAuthentication{
-								Local: &models.SystemAuthenticationLocal{
-									Enabled: true,
-								},
-							},
-						},
-						nil,
-					).
-					Once()
-				mock.
-					On("UserResolve", ctx, store.UserUsernameResolver, "john_doe").
-					Return(user, nil).
-					Once()
-				cacheMock.
-					On("HasAccountLockout", ctx, "127.0.0.1", "65fdd16b5f62f93184ec8a39").
-					Return(int64(0), 0, nil).
-					Once()
-				hashMock.
-					On("CompareWith", "secret", "$2a$10$V/6N1wsjheBVvWosPfv02uf4WAOb9lmp8YWQCIa2UYuFV4OJby7Yi").
-					Return(true).
-					Once()
-				cacheMock.
-					On("ResetLoginAttempts", ctx, "127.0.0.1", "65fdd16b5f62f93184ec8a39").
-					Return(nil).
-					Once()
-
-				ns := &models.Namespace{
-					TenantID: "00000000-0000-4000-0000-000000000000",
-					Members: []models.Member{
-						{
-							ID:     "65fdd16b5f62f93184ec8a39",
-							Role:   "owner",
-							Status: models.MemberStatusPending,
-						},
-					},
-				}
-
-				mock.
-					On("NamespaceGetPreferred", ctx, "65fdd16b5f62f93184ec8a39").
-					Return(ns, nil).
-					Once()
-
-				clockMock := new(clockmock.Clock)
-				clock.DefaultBackend = clockMock
-				clockMock.On("Now").Return(now)
-
-				cacheMock.
-					On("Set", ctx, "token_65fdd16b5f62f93184ec8a39", testifymock.Anything, time.Hour*72).
-					Return(nil).
-					Once()
-
-				mock.
-					On("UserUpdate", ctx, updatedUser).
-					Return(nil).
-					Once()
-			},
-			expected: Expected{
-				res: &models.UserAuthResponse{
-					ID:          "65fdd16b5f62f93184ec8a39",
-					Origin:      models.UserOriginLocal.String(),
-					AuthMethods: []models.UserAuthMethod{models.UserAuthMethodLocal},
-					Name:        "john doe",
-					User:        "john_doe",
-					Email:       "[email protected]",
-					Tenant:      "",
-					Role:        "",
-					Token:       "must ignore",
-				},
-				lockout:  0,
-				mfaToken: "",
-				err:      nil,
-			},
-		},
 		{
 			description: "succeeds to authenticate with a namespace (and empty preferred namespace)",
 			sourceIP:    "127.0.0.1",
@@ -2391,57 +2263,6 @@ func TestCreateUserToken(t *testing.T) {
 				err: NewErrNamespaceMemberNotFound("000000000000000000000000", nil),
 			},
 		},
-		{
-			description: "[with-tenant] fails when user membership is pending",
-			req:         &requests.CreateUserToken{UserID: "000000000000000000000000", TenantID: "00000000-0000-4000-0000-000000000000"},
-			requiredMocks: func(ctx context.Context) {
-				storeMock.
-					On("UserResolve", ctx, store.UserIDResolver, "000000000000000000000000").
-					Return(
-						&models.User{
-							ID:        "000000000000000000000000",
-							Status:    models.UserStatusConfirmed,
-							LastLogin: now,
-							MFA: models.UserMFA{
-								Enabled: false,
-							},
-							UserData: models.UserData{
-								Username: "john_doe",
-								Email:    "[email protected]",
-								Name:     "john doe",
-							},
-							Password: models.UserPassword{
-								Hash: "$2a$10$V/6N1wsjheBVvWosPfv02uf4WAOb9lmp8YWQCIa2UYuFV4OJby7Yi",
-							},
-							Preferences: models.UserPreferences{
-								PreferredNamespace: "",
-							},
-						},
-						nil,
-					).
-					Once()
-				storeMock.
-					On("NamespaceResolve", ctx, store.NamespaceTenantIDResolver, "00000000-0000-4000-0000-000000000000").
-					Return(
-						&models.Namespace{
-							TenantID: "00000000-0000-4000-0000-000000000000",
-							Members: []models.Member{
-								{
-									ID:     "000000000000000000000000",
-									Role:   "administrator",
-									Status: models.MemberStatusPending,
-								},
-							},
-						},
-						nil,
-					).
-					Once()
-			},
-			expected: Expected{
-				res: nil,
-				err: NewErrNamespaceMemberNotFound("000000000000000000000000", nil),
-			},
-		},
 		{
 			description: "[with-tenant] succeeds",
 			req:         &requests.CreateUserToken{UserID: "000000000000000000000000", TenantID: "00000000-0000-4000-0000-000000000000"},
@@ -2496,9 +2317,8 @@ func TestCreateUserToken(t *testing.T) {
 							TenantID: "00000000-0000-4000-0000-000000000000",
 							Members: []models.Member{
 								{
-									ID:     "000000000000000000000000",
-									Role:   "owner",
-									Status: models.MemberStatusAccepted,
+									ID:   "000000000000000000000000",
+									Role: "owner",
 								},
 							},
 						},
@@ -2566,9 +2386,8 @@ func TestCreateUserToken(t *testing.T) {
 							TenantID: "00000000-0000-4000-0000-000000000000",
 							Members: []models.Member{
 								{
-									ID:     "000000000000000000000000",
-									Role:   "owner",
-									Status: models.MemberStatusAccepted,
+									ID:   "000000000000000000000000",
+									Role: "owner",
 								},
 							},
 						},