More tests

app/controllers/invitations_controller.rb

@@ -8,7 +8,16 @@ class InvitationsController < ApplicationController
   end
 
   def update
-    if @user.update(params.permit(:password, :password_confirmation))
+    # Validate password manually since empty passwords might not trigger validation
+    password = params[:password]
+    password_confirmation = params[:password_confirmation]
+
+    if password.blank? || password_confirmation.blank? || password != password_confirmation || password.length < 8
+      redirect_to invitation_path(params[:token]), alert: "Passwords did not match."
+      return
+    end
+
+    if @user.update(password: password, password_confirmation: password_confirmation)
       @user.update!(status: :active)
       @user.sessions.destroy_all
       start_new_session_for @user
@@ -24,10 +33,18 @@ class InvitationsController < ApplicationController
     @user = User.find_by_token_for(:invitation_login, params[:token])
 
     # Check if user is still pending invitation
-    unless @user.pending_invitation?
-      redirect_to new_session_path, alert: "This invitation has already been used or is no longer valid."
+    if @user.nil?
+      redirect_to signin_path, alert: "Invitation link is invalid or has expired."
+      return false
+    elsif @user.pending_invitation?
+      # User is valid and pending - proceed
+      return true
+    else
+      redirect_to signin_path, alert: "This invitation has already been used or is no longer valid."
+      return false
     end
   rescue ActiveSupport::MessageVerifier::InvalidSignature
-    redirect_to new_session_path, alert: "Invitation link is invalid or has expired."
+    redirect_to signin_path, alert: "Invitation link is invalid or has expired."
+    return false
   end
 end