docs: update API invitations documentation

Author: ruchiralak

docs/api/API_INVITATIONS.md

@@ -1,5 +1,355 @@
 # Invitations API Documentation
 
+## POST `/api/invitations`
+
+Create and send an invitation to a new user.
+
+**Request Body:**
+
+```json
+{
+  "email": "string",
+  "firstName": "string",
+  "lastName": "string",
+  "role": "student | mentor | superAdmin",
+  "projectId": "string (optional)"
+}
+```
+
+**Success Response (201):**
+
+```json
+{
+  "message": "Invitation sent successfully",
+  "invitation": {
+    "id": "string",
+    "email": "string",
+    "role": "string",
+    "token": "string",
+    "createdAt": "ISO 8601",
+    "expiresAt": "ISO 8601"
+  }
+}
+```
+
+**Authentication Required:** ✓ (superAdmin only)
+
+---
+
+## GET `/api/invitations`
+
+Two modes depending on query parameters.
+
+### List all invitations (no query params)
+
+Returns all invitations for the admin dashboard.
+
+**Success Response (200):**
+
+```json
+[
+  {
+    "id": "string",
+    "email": "string",
+    "role": "string",
+    "project": "string",
+    "status": "Pending | Accepted | Expired",
+    "createdAt": "ISO 8601",
+    "expiresAt": "ISO 8601"
+  }
+]
+```
+
+### Validate an invitation token
+
+**Query Parameters:**
+
+- `token` (required) — invitation token from the registration link
+
+**Success Response (200):**
+
+```json
+{
+  "valid": true,
+  "invitation": {
+    "id": "string",
+    "email": "string",
+    "role": "string",
+    "token": "string",
+    "createdAt": "ISO 8601",
+    "expiresAt": "ISO 8601",
+    "accepted": false
+  }
+}
+```
+
+---
+
+## PATCH `/api/invitations`
+
+Update the status of an invitation. Mutates the underlying `accepted` and `expiresAt` fields on the `Invitation` record to reflect the requested status.
+
+**Request Body:**
+
+```json
+{
+  "id": "string",
+  "status": "Accepted | Pending | Expired"
+}
+```
+
+**Status behaviour:**
+
+| `status`   | Effect                                                                                   |
+|------------|------------------------------------------------------------------------------------------|
+| `Accepted` | Sets `accepted: true`                                                                    |
+| `Pending`  | Sets `accepted: false`, resets `expiresAt` to 7 days from now                           |
+| `Expired`  | Sets `accepted: false`, sets `expiresAt: new Date(0)` — permanently invalidates the link |
+
+**Success Response (200):**
+
+```json
+{
+  "message": "Invitation status updated"
+}
+```
+
+**Error Responses:**
+
+| Status | Reason                        |
+|--------|-------------------------------|
+| 400    | Missing `id` in request body  |
+| 401    | Unauthenticated               |
+| 403    | Not a superAdmin              |
+| 500    | Internal server error         |
+
+---
+
+## DELETE `/api/invitations?id=<id>`
+
+Cascade-delete an invitation and permanently remove the associated user account along with all their data.
+
+**Query Parameters:**
+
+- `id` (required) — the invitation ID
+
+**Deletion order (transactional):**
+
+1. `MentorFeedback` records for the user's activities
+2. `Activity` records for the user
+3. `MentorFeedback` records given by the user as a mentor
+4. `MentorActivity` records for the user
+5. `Report` records
+6. `UserBadge` records
+7. `ProjectAllocation` records
+8. `ProjectMentor` records
+9. Null-out `invitedBy` on any invitations this user sent
+10. The `Invitation` record itself
+11. The `User` record
+
+If no associated user exists (invitation was never accepted), only the `Invitation` record is deleted.
+
+**Success Response (200):**
+
+```json
+{
+  "message": "Invitation deleted"
+}
+```
+
+**Error Responses:**
+
+| Status | Reason                    |
+|--------|---------------------------|
+| 400    | Missing `id` query param  |
+| 404    | Invitation not found      |
+| 500    | Internal server error     |
+
+---
+
+## Frontend Hook: `useInvitation`
+
+**Location:** `hooks/admin/useInvitation.ts`
+
+Sends a `POST /api/invitations` request to create a new invitation and trigger the onboarding email.
+
+**Parameters:**
+
+| Name        | Type     | Description                                        |
+|-------------|----------|----------------------------------------------------|
+| `email`     | `string` | Recipient email address                            |
+| `firstName` | `string` | Recipient first name                               |
+| `lastName`  | `string` | Recipient last name                                |
+| `role`      | `string` | `"student"`, `"mentor"`, or `"superAdmin"`         |
+| `projectId` | `string` | *(optional)* Project to assign the user to         |
+
+**Usage:**
+
+```typescript
+const { mutate: sendInvitation, isPending } = useInvitation();
+
+sendInvitation({
+  email: "user@example.com",
+  firstName: "John",
+  lastName: "Doe",
+  role: "student",
+});
+```
+
+On success, invalidates the `["invitations"]` query key and shows a success toast. On error, shows an error toast.
+
+---
+
+## Frontend Hook: `useRecentInvitations`
+
+**Location:** `hooks/admin/useInvitation.ts`
+
+Fetches the full list of invitations from `GET /api/invitations` (no token param). Each item includes `id`, `email`, `role`, `project`, `status`, `createdAt`, and `expiresAt`.
+
+**Returns:** `UseQueryResult` — array of invitation objects.
+
+**Usage:**
+
+```typescript
+const { data, isLoading, isError } = useRecentInvitations();
+
+if (isLoading) return <Spinner />;
+if (isError) return <p>Failed to load invitations.</p>;
+
+return data.map((inv) => <InvitationRow key={inv.id} {...inv} />);
+```
+
+**Notes:**
+
+- Auth is handled server-side via session cookies; no auth params are passed from the hook.
+- Throws `"Failed to fetch invitations"` on a non-OK response, surfaced via `error`.
+- Uses query key `["invitations"]`, which is invalidated by `useInvitation`, `useChangeInvitationStatus`, and `useDeleteInvitation` on success.
+
+---
+
+## Frontend Hook: `useExpireInvitation`
+
+**Location:** `hooks/admin/useInvitation.ts`
+
+Convenience wrapper around `useChangeInvitationStatus` that calls `PATCH /api/invitations` with `status: "Expired"`, permanently invalidating the invitation link without deleting the record.
+
+**Parameters:**
+
+| Name | Type     | Description                  |
+|------|----------|------------------------------|
+| `id` | `string` | The invitation ID to expire  |
+
+**Usage:**
+
+```typescript
+const { mutate: expireInvitation, isPending: isExpiring } = useExpireInvitation();
+
+expireInvitation({ id: "abc123" });
+```
+
+On success, invalidates `["invitations"]` and shows a success toast. On error, shows an error toast.
+
+---
+
+## Frontend Hook: `useChangeInvitationStatus`
+
+**Location:** `hooks/admin/useInvitation.ts`
+
+Calls `PATCH /api/invitations` to update the status of an invitation to `Accepted`, `Pending`, or `Expired`.
+
+**Parameters:**
+
+| Name     | Type     | Description                                          |
+|----------|----------|------------------------------------------------------|
+| `id`     | `string` | The invitation ID                                    |
+| `status` | `string` | Target status: `"Accepted"`, `"Pending"`, or `"Expired"` |
+
+**Usage:**
+
+```typescript
+const { mutate: changeStatus, isPending: isChangingStatus } = useChangeInvitationStatus();
+
+changeStatus({ id: "abc123", status: "Pending" });
+```
+
+On success, invalidates `["invitations"]` and shows a success toast. On error, shows an error toast.
+
+---
+
+## Frontend Hook: `useDeleteInvitation`
+
+**Location:** `hooks/admin/useInvitation.ts`
+
+Calls `DELETE /api/invitations?id=<id>` to cascade-delete the invitation and all associated user data.
+
+**Parameters:**
+
+| Name | Type     | Description                 |
+|------|----------|-----------------------------|
+| `id` | `string` | The invitation ID to delete |
+
+**Usage:**
+
+```typescript
+const { mutate: deleteInvitation, isPending: isDeleting } = useDeleteInvitation();
+
+deleteInvitation({ id: "abc123" });
+```
+
+On success, invalidates `["invitations"]` and shows a success toast. On error, shows an error toast.
+
+---
+
+## Frontend Hook: `useValidateInvitation`
+
+**Location:** `hooks/admin/useInvitation.ts`
+
+Validates a single invitation token by calling `GET /api/invitations?token=<token>`. The query only executes when `token` is a non-empty string (`enabled: !!token`), making it safe to call unconditionally before the token is available.
+
+**Parameters:**
+
+| Name    | Type     | Description                       |
+|---------|----------|-----------------------------------|
+| `token` | `string` | The invitation token to validate  |
+
+**Returns:** `UseQueryResult` — the response from `GET /api/invitations?token=<token>`.
+
+**Success response shape:**
+
+```json
+{
+  "valid": true,
+  "invitation": {
+    "id": "string",
+    "email": "string",
+    "role": "string",
+    "token": "string",
+    "createdAt": "ISO 8601",
+    "expiresAt": "ISO 8601",
+    "accepted": false
+  }
+}
+```
+
+**Usage:**
+
+```typescript
+// token typically comes from URL search params on the registration page
+const token = searchParams.get("token") ?? "";
+const { data, isLoading, isError } = useValidateInvitation(token);
+
+if (isLoading) return <Spinner />;
+if (isError || !data?.valid) return <p>Invalid or expired invitation.</p>;
+
+return <RegistrationForm invitation={data.invitation} />;
+```
+
+**Notes:**
+
+- Throws `"Invalid token"` on a non-OK response; surfaced via `error` from React Query.
+- Uses a scoped query key `["invitation", token]` so each token is cached independently.
+
+
 ## POST `/api/invitations`
 
 Create and send an invitation to a new user.