class InvitationsController < ApplicationController
  before_action :set_user_by_token, only: %i[ edit update ]
  allow_unauthenticated_access

  def edit
  end

  def update
    password_params = params.expect(user: [ :password, :password_confirmation ])

    if @user.update(password_params.merge(invitation_accepted_at: Time.current))
      redirect_to root_path, notice: "Account activated!"
    else
      redirect_to invitation_path(params[:token]), alert: "Passwords did not match."
    end
  end

  private

  def set_user_by_token
    @user = User.find_by_invitation_token(params[:token])
  rescue ActiveSupport::MessageVerifier::InvalidSignature
    redirect_to root_path, alert: "Invitation link is invalid or has expired."
  end
end