Proposal/teacher onboarding mvp

[CarlyAThomas]

Checklist:

• I have read freeCodeCamp's contribution guidelines.
• My pull request has a descriptive title (not a vague title like Update index.md)

This PR is not associated with a specific issue

Case Study (Teacher Invite Acceptance Flow)

1. Admin creates/resends a teacher invite from the admin dashboard.
2. System sends a secure email link: /teacher/invite/<token>.
3. Invited teacher signs in with the invited email.
4. Teacher accepts invite.
5. Invitation becomes ACCEPTED and user role is set to TEACHER.

What Changed (and Why)

• Teacher invite backend APIs to support create/list/resend/revoke and secure acceptance.
  Reason: completes the core onboarding lifecycle with role-safe state transitions.
  Files:

• pages/api/admin/teacher_invites/create.js

• pages/api/admin/teacher_invites/list.js

• pages/api/admin/teacher_invites/resend.js

• pages/api/admin/teacher_invites/revoke.js

• pages/api/teacher_invites/accept.js

• util/inviteApiUtils.js

• Email delivery + feature flag rollout support.
  Reason: enables controlled rollout and real invitation delivery.
  Files:

• util/inviteEmail.js

• util/featureFlags.js

• package.json

• package-lock.json

• Admin + teacher UI flow.
  Reason: gives a usable end-to-end path from invite creation to invite acceptance.
  Files:

• components/TeacherInvitesPanel.js

• components/TeacherInvitesPanel.module.css

• pages/admin/index.js

• pages/teacher/invite/[inviteToken].js

• styles/Home.module.css

• pages/error.js

• Data model + migration for invitation lifecycle.
  Reason: persists invitation state and supports expiry/revoke/accept transitions.
  Files:

• prisma/schema.prisma

• prisma/migrations/20260409192210_add_invitation_models/migration.sql

• Env/security/docs updates.
  Reason: prevent future secret leaks and keep setup clear with tracked templates.
  Files:

• .gitignore

• .env.sample

• .env.development.example

• .env.production.example

• README.md

• .env.development / .env.production removed from tracking

Validation

• npm run lint:code
• npm test

How to Test

Prerequisites
This branch allows you to create an ADMIN account and send out email invitations to users to onboard as teachers.
You need:

• 1 "Admin" email (to serve as your ADMIN, and set up your Classroom account)
• 1+ extra "Teacher" emails (to receive email invites and onboard as teachers)

Configuring this branch for local development

1. Create a local branch that tracks the CarlyAThomas:proposal/teacher-onboarding-mvp branch.
2. Run cp .env.development.example .env.development
3. Update SMTP_USER in .env.development with your Admin Email.
4. Go to myaccount.google.com/apppasswords. Make sure you're using your ADMIN email for steps 3-6.
5. Type in the name of the Application (FCC Classroom) and select create.
6. Google generates a 16-character password
7. Copy that password (not your Gmail password)
8. Update SMTP_PASS in .env.development with the new password.

Running the app

1. In the terminal, run npx prisma migrate reset, and press y to reset your database.
2. Run npm run develop and npx prisma studio to run the project.
3. Log in with your "Admin" email.
4. In prisma studio, set your Admin account's role to ADMIN.

Testing

1. Go to the /admin page
2. Type out your TEACHER email address, then press Enter.
3. Open an Incognito tab, or a different browser, so you can log into a different account.
4. Go to your TEACHER email address and onboard using the link provided. (Use Case: Onboarding a Teacher with a brand new account)
5. (Alternative) Open localhost:3001 again and create a Classroom account with your TEACHER email address. Then, repeat step 4. (Use Case: Onboarding a Teacher who already has an account)

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	nodemailer@​6.10.1

View full report

[utsab]

Overall, this PR is a solid end-to-end workflow for the teacher invite. Nice work.

Can you add some tests? Given that there are so many status change branches (pending, accepted, rejected, expired), it would be good to have a test that verifies that each status is assigned correctly. You can mock the 3rd party apps (like the SMTP server).

You may also want to add a test to confirm that an uninvited teacher cannot access the classes page.

[utsab]

The StudentInvitation schema changes don't seem like they belong in this PR.

[utsab]

We are hardcoding auth0 which means a contributor using the Github oAuth would not be able to test this feature locally. I'm not totally opposed to only supporting auth0, but I'm curious, how difficult/complicated would it be to support both auth0 and Github oAuth?

If we do decide to only support auth0, then we should document somewhere in the README that if a developer decides to go with Github oAuth, certain features (like Teacher Invitations) won't work.

[utsab]

The documentation is great, but I'm concerned the README.md is getting too long. Can you create a subpage for this documentation and link it from the README?

[NewtonLC]

We have a separate issue & PR for this! Issue #593 and PR #605