Change invite logic

2022-10-27 17:09:07 +02:00 · 2022-10-27 17:09:07 +02:00 · 481e2c52af
commit 481e2c52af
parent 1e73844ac0
9 changed files with 228 additions and 201 deletions
--- a/common/pkg/acl/aclrecordproto/aclrecord.pb.go
+++ b/common/pkg/acl/aclrecordproto/aclrecord.pb.go
@ -681,10 +681,9 @@ func (m *ACLUserAdd) GetPermissions() ACLUserPermissions {

 type ACLUserInvite struct {
 	AcceptPublicKey   []byte             `protobuf:"bytes,1,opt,name=acceptPublicKey,proto3" json:"acceptPublicKey,omitempty"`
-	EncryptPublicKey  []byte             `protobuf:"bytes,2,opt,name=encryptPublicKey,proto3" json:"encryptPublicKey,omitempty"`
+	EncryptSymKeyHash uint64             `protobuf:"varint,2,opt,name=encryptSymKeyHash,proto3" json:"encryptSymKeyHash,omitempty"`
 	EncryptedReadKeys [][]byte           `protobuf:"bytes,3,rep,name=encryptedReadKeys,proto3" json:"encryptedReadKeys,omitempty"`
 	Permissions       ACLUserPermissions `protobuf:"varint,4,opt,name=permissions,proto3,enum=aclrecord.ACLUserPermissions" json:"permissions,omitempty"`
-	InviteId          string             `protobuf:"bytes,5,opt,name=inviteId,proto3" json:"inviteId,omitempty"`
 }

 func (m *ACLUserInvite) Reset()         { *m = ACLUserInvite{} }
@ -727,11 +726,11 @@ func (m *ACLUserInvite) GetAcceptPublicKey() []byte {
 	return nil
 }

-func (m *ACLUserInvite) GetEncryptPublicKey() []byte {
+func (m *ACLUserInvite) GetEncryptSymKeyHash() uint64 {
 	if m != nil {
-		return m.EncryptPublicKey
+		return m.EncryptSymKeyHash
 	}
-	return nil
+	return 0
 }

 func (m *ACLUserInvite) GetEncryptedReadKeys() [][]byte {
@ -748,18 +747,11 @@ func (m *ACLUserInvite) GetPermissions() ACLUserPermissions {
 	return ACLUserPermissions_Admin
 }

-func (m *ACLUserInvite) GetInviteId() string {
-	if m != nil {
-		return m.InviteId
-	}
-	return ""
-}
-
 type ACLUserJoin struct {
 	Identity          []byte   `protobuf:"bytes,1,opt,name=identity,proto3" json:"identity,omitempty"`
 	EncryptionKey     []byte   `protobuf:"bytes,2,opt,name=encryptionKey,proto3" json:"encryptionKey,omitempty"`
 	AcceptSignature   []byte   `protobuf:"bytes,3,opt,name=acceptSignature,proto3" json:"acceptSignature,omitempty"`
-	InviteId          string   `protobuf:"bytes,4,opt,name=inviteId,proto3" json:"inviteId,omitempty"`
+	AcceptPubKey      []byte   `protobuf:"bytes,4,opt,name=acceptPubKey,proto3" json:"acceptPubKey,omitempty"`
 	EncryptedReadKeys [][]byte `protobuf:"bytes,5,rep,name=encryptedReadKeys,proto3" json:"encryptedReadKeys,omitempty"`
 }

@ -817,11 +809,11 @@ func (m *ACLUserJoin) GetAcceptSignature() []byte {
 	return nil
 }

-func (m *ACLUserJoin) GetInviteId() string {
+func (m *ACLUserJoin) GetAcceptPubKey() []byte {
 	if m != nil {
-		return m.InviteId
+		return m.AcceptPubKey
 	}
-	return ""
+	return nil
 }

 func (m *ACLUserJoin) GetEncryptedReadKeys() [][]byte {
@ -1019,61 +1011,61 @@ func init() {
 }

 var fileDescriptor_14abe0d1b4206d54 = []byte{
-	// 859 bytes of a gzipped FileDescriptorProto
+	// 854 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x56, 0x4f, 0x6f, 0x1b, 0x45,
 	0x14, 0xdf, 0x59, 0x3b, 0x71, 0xf6, 0xd9, 0x6d, 0xdc, 0x11, 0xa4, 0xab, 0xa8, 0x58, 0xd6, 0x8a,
-	0x83, 0x55, 0x81, 0x0b, 0x06, 0xa9, 0x28, 0x07, 0x90, 0x6b, 0x5a, 0xd9, 0x24, 0x87, 0x6a, 0x02,
-	0x14, 0x71, 0x9b, 0xee, 0x8e, 0x92, 0x51, 0xed, 0xdd, 0xd5, 0xec, 0xd8, 0xc8, 0x47, 0xce, 0x5c,
-	0xe0, 0x23, 0xf0, 0x41, 0x38, 0x71, 0xe1, 0xd8, 0x0b, 0x12, 0x47, 0x94, 0x7c, 0x01, 0xee, 0x5c,
-	0xd0, 0xcc, 0xfe, 0xdf, 0xb5, 0x2d, 0x2a, 0x59, 0x3d, 0x24, 0xde, 0xf7, 0xde, 0xef, 0x3d, 0xff,
-	0xe6, 0xf7, 0xde, 0xbc, 0x35, 0x7c, 0x18, 0xbe, 0xba, 0x7a, 0x44, 0xdd, 0xb9, 0xfa, 0x13, 0xcc,
-	0x0d, 0x84, 0x17, 0x8a, 0x40, 0x06, 0x8f, 0xf4, 0xff, 0x28, 0xf7, 0x0e, 0xb5, 0x03, 0x5b, 0x99,
-	0xc3, 0x79, 0x06, 0x1d, 0x42, 0x7f, 0x18, 0x4f, 0x2e, 0x88, 0xb6, 0xb1, 0x0d, 0xad, 0x90, 0xae,
-	0xe7, 0x01, 0xf5, 0x6c, 0xd4, 0x47, 0x83, 0x0e, 0x49, 0x4d, 0xfc, 0x00, 0xac, 0x88, 0x5f, 0xf9,
-	0x54, 0x2e, 0x05, 0xb3, 0x4d, 0x1d, 0xcb, 0x1d, 0xce, 0xe7, 0x80, 0x8b, 0x75, 0x5e, 0x70, 0x79,
-	0x3d, 0xdb, 0x55, 0xed, 0x2e, 0x98, 0xdc, 0xd3, 0x65, 0x2c, 0x62, 0x72, 0xcf, 0xf9, 0x15, 0x81,
-	0x95, 0xb3, 0x38, 0x81, 0xc3, 0x50, 0xb0, 0xd5, 0x2c, 0x4e, 0xb3, 0x48, 0x62, 0xe1, 0x53, 0x38,
-	0xe2, 0x1e, 0xf3, 0x25, 0x97, 0xeb, 0x84, 0x42, 0x66, 0x63, 0x0c, 0x4d, 0x8f, 0x4a, 0x6a, 0x37,
-	0xb4, 0x5f, 0x3f, 0xe3, 0x21, 0x60, 0x77, 0x29, 0x04, 0xf3, 0x25, 0x61, 0xd4, 0x3b, 0x67, 0xeb,
-	0x29, 0x8d, 0xae, 0xed, 0x66, 0x1f, 0x0d, 0x9a, 0x64, 0x43, 0x44, 0x9d, 0x51, 0xf2, 0x05, 0x8b,
-	0x24, 0x5d, 0x84, 0xf6, 0x41, 0x1f, 0x0d, 0x1a, 0x24, 0x77, 0x38, 0x3f, 0x99, 0xd0, 0x52, 0x1c,
-	0x83, 0x40, 0x96, 0x98, 0xa0, 0x0a, 0x93, 0xf7, 0xe1, 0x0e, 0xf3, 0x5d, 0xb1, 0x0e, 0x25, 0x0f,
-	0xfc, 0x73, 0x96, 0x52, 0x2d, 0x3b, 0x95, 0x36, 0x51, 0x48, 0x5d, 0x36, 0xf3, 0x34, 0x65, 0x8b,
-	0xa4, 0x26, 0x7e, 0x08, 0xdd, 0x04, 0xca, 0xbc, 0x84, 0x9d, 0xe6, 0xdc, 0x21, 0x35, 0xbf, 0xc2,
-	0x7a, 0x4c, 0xf0, 0x15, 0x55, 0x65, 0x2f, 0xdd, 0x6b, 0xb6, 0x60, 0x9a, 0xb8, 0x45, 0x6a, 0xfe,
-	0x2d, 0x6a, 0x1c, 0xfe, 0x3f, 0x35, 0x5a, 0x55, 0x35, 0xfe, 0x34, 0xe1, 0x78, 0x3c, 0xb9, 0x98,
-	0x04, 0xbe, 0x64, 0xbe, 0xfc, 0x96, 0xce, 0x97, 0x0c, 0x7f, 0x0c, 0xad, 0x65, 0xc4, 0xc4, 0xd8,
-	0x8b, 0x1b, 0xd7, 0x1e, 0xbd, 0x3b, 0xcc, 0x67, 0x6f, 0x3c, 0xb9, 0xf8, 0x26, 0x0e, 0x4e, 0x0d,
-	0x92, 0xe2, 0xf0, 0x19, 0x80, 0x7a, 0x24, 0x6c, 0x11, 0xac, 0xe2, 0xb9, 0x6a, 0x8f, 0xec, 0x7a,
-	0x56, 0x1c, 0x9f, 0x1a, 0xa4, 0x80, 0xc6, 0xdf, 0xc1, 0x3b, 0xca, 0x7a, 0xce, 0xc4, 0x82, 0x47,
-	0x11, 0x0f, 0xfc, 0xc9, 0x35, 0xf5, 0xaf, 0x98, 0xd6, 0xb3, 0x3d, 0x72, 0xea, 0x55, 0xaa, 0xc8,
-	0xa9, 0x41, 0x36, 0x56, 0x48, 0x59, 0xcd, 0xfc, 0x15, 0x97, 0x4c, 0x8b, 0xbf, 0x91, 0x55, 0x1c,
-	0x4f, 0x59, 0xc5, 0x16, 0xfe, 0x14, 0x8e, 0x94, 0xf5, 0x55, 0xc0, 0x7d, 0xdd, 0x8a, 0xf6, 0xe8,
-	0xa4, 0x9e, 0xa9, 0xa2, 0x53, 0x83, 0x64, 0xc8, 0x27, 0x2d, 0x38, 0x58, 0x29, 0x0d, 0x9d, 0xa7,
-	0x7a, 0xc8, 0xbe, 0x54, 0xe3, 0x7b, 0x06, 0x40, 0xdd, 0x79, 0xa2, 0xb0, 0x8d, 0xfa, 0x8d, 0x41,
-	0x7b, 0x74, 0x5a, 0xae, 0x55, 0x94, 0x9f, 0x14, 0xd0, 0xce, 0xbf, 0x08, 0x8e, 0xc6, 0x93, 0x8b,
-	0x4b, 0x49, 0x25, 0x53, 0x13, 0x29, 0xf2, 0xc6, 0xb2, 0x48, 0xd7, 0x6a, 0x92, 0xb2, 0x13, 0x3f,
-	0x8e, 0x0f, 0xad, 0x53, 0x22, 0xdb, 0xd4, 0x5f, 0x77, 0xbf, 0x4e, 0x5d, 0xc7, 0x49, 0x01, 0x8a,
-	0xcf, 0xa0, 0xc5, 0xf5, 0xd9, 0x23, 0xbb, 0xa1, 0xb3, 0xfa, 0xe5, 0x2c, 0x0d, 0x1b, 0xc6, 0xf2,
-	0x44, 0x4f, 0x7d, 0x29, 0xd6, 0x24, 0x4d, 0x38, 0xfd, 0x1a, 0x3a, 0xc5, 0x00, 0xee, 0x42, 0xe3,
-	0x15, 0x5b, 0x27, 0xf7, 0x5e, 0x3d, 0xe2, 0x61, 0xa2, 0xcc, 0xf6, 0xe1, 0x88, 0x0b, 0x90, 0x18,
-	0x76, 0x66, 0x7e, 0x86, 0x9c, 0x5f, 0x10, 0x74, 0x8a, 0x74, 0xf7, 0x70, 0x5f, 0xbf, 0x80, 0x76,
-	0x98, 0x8d, 0x49, 0xa4, 0x67, 0xec, 0xee, 0xe8, 0xbd, 0x5d, 0x33, 0x16, 0x91, 0x62, 0x86, 0xf3,
-	0x1b, 0x02, 0xc8, 0xef, 0xc0, 0x1e, 0x18, 0x7d, 0x00, 0xf7, 0xaa, 0xfb, 0x20, 0x6e, 0x40, 0x87,
-	0xd4, 0x03, 0x55, 0xfe, 0xcd, 0x37, 0xe6, 0xff, 0x0f, 0x82, 0x3b, 0x25, 0xc1, 0xf1, 0x00, 0x8e,
-	0xa9, 0xeb, 0xb2, 0x50, 0x3e, 0x5f, 0xbe, 0x9c, 0x73, 0xf7, 0x9c, 0xa5, 0x27, 0xa9, 0xba, 0x0b,
-	0x2b, 0x2d, 0x87, 0x9a, 0xa5, 0x95, 0x96, 0x63, 0xdf, 0xee, 0xb1, 0x74, 0x1f, 0xf4, 0x71, 0x66,
-	0x5e, 0xb2, 0x39, 0x33, 0xdb, 0xf9, 0x1d, 0x41, 0xbb, 0x70, 0x61, 0xf7, 0xd0, 0xb3, 0x4c, 0xb2,
-	0xcb, 0xec, 0x5d, 0xda, 0x28, 0x4a, 0x96, 0xb9, 0x4b, 0xbc, 0x9a, 0x65, 0x5e, 0x9b, 0x25, 0x3a,
-	0xd8, 0x22, 0x91, 0x13, 0x65, 0x7d, 0x4b, 0xf6, 0xe6, 0xae, 0x63, 0x3c, 0x83, 0xe3, 0x64, 0x2b,
-	0x10, 0x16, 0xce, 0xa9, 0x9b, 0xdd, 0xe9, 0x07, 0x65, 0x4d, 0x49, 0x09, 0x44, 0xaa, 0x49, 0xce,
-	0x8f, 0x08, 0xee, 0xd5, 0x60, 0x7b, 0x10, 0x70, 0xd3, 0xcb, 0xb1, 0xb1, 0xf9, 0xe5, 0xe8, 0xac,
-	0xe0, 0xfe, 0x96, 0xc5, 0xbf, 0x93, 0x48, 0x65, 0xa4, 0xcc, 0x37, 0x1d, 0xa9, 0x87, 0x8f, 0x01,
-	0xd7, 0x21, 0xd8, 0x82, 0x83, 0xb1, 0xb7, 0xe0, 0x7e, 0xd7, 0xc0, 0x00, 0x87, 0x2f, 0x04, 0x97,
-	0x4c, 0x74, 0x91, 0x7a, 0x56, 0x7c, 0x99, 0xe8, 0x9a, 0x4f, 0x3e, 0xfa, 0xe3, 0xa6, 0x87, 0x5e,
-	0xdf, 0xf4, 0xd0, 0xdf, 0x37, 0x3d, 0xf4, 0xf3, 0x6d, 0xcf, 0x78, 0x7d, 0xdb, 0x33, 0xfe, 0xba,
-	0xed, 0x19, 0xdf, 0x9f, 0x6c, 0xfe, 0x85, 0xf7, 0xf2, 0x50, 0x7f, 0x7c, 0xf2, 0x5f, 0x00, 0x00,
-	0x00, 0xff, 0xff, 0x0d, 0xd2, 0xee, 0x14, 0x02, 0x0a, 0x00, 0x00,
+	0x83, 0x55, 0x81, 0x0b, 0x06, 0xa9, 0x28, 0x07, 0x90, 0x6b, 0x5a, 0x39, 0x24, 0x87, 0x6a, 0x02,
+	0x14, 0x71, 0x9b, 0xee, 0x8e, 0xe2, 0x51, 0xed, 0xdd, 0xd5, 0xec, 0xd8, 0xc8, 0x47, 0xce, 0x5c,
+	0xe0, 0x23, 0xf0, 0x41, 0xb8, 0x23, 0x71, 0xe9, 0x05, 0xc4, 0x11, 0x25, 0x1f, 0x83, 0x0b, 0x9a,
+	0xd9, 0xff, 0xbb, 0xb6, 0x45, 0x25, 0xab, 0x87, 0xc4, 0xf3, 0xde, 0xfb, 0xbd, 0xe7, 0xdf, 0xfc,
+	0xe6, 0xcd, 0x1b, 0xc3, 0x87, 0xe1, 0xab, 0xeb, 0x47, 0xd4, 0x9d, 0xab, 0x3f, 0xc1, 0xdc, 0x40,
+	0x78, 0xa1, 0x08, 0x64, 0xf0, 0x48, 0xff, 0x8f, 0x72, 0xef, 0x50, 0x3b, 0xb0, 0x95, 0x39, 0x9c,
+	0x67, 0xd0, 0x21, 0xf4, 0x87, 0xf1, 0xe4, 0x92, 0x68, 0x1b, 0xdb, 0xd0, 0x0a, 0xe9, 0x7a, 0x1e,
+	0x50, 0xcf, 0x46, 0x7d, 0x34, 0xe8, 0x90, 0xd4, 0xc4, 0x0f, 0xc0, 0x8a, 0xf8, 0xb5, 0x4f, 0xe5,
+	0x52, 0x30, 0xdb, 0xd4, 0xb1, 0xdc, 0xe1, 0x7c, 0x0e, 0xb8, 0x58, 0xe7, 0x05, 0x97, 0xb3, 0xf3,
+	0x5d, 0xd5, 0xee, 0x82, 0xc9, 0x3d, 0x5d, 0xc6, 0x22, 0x26, 0xf7, 0x9c, 0x5f, 0x11, 0x58, 0x39,
+	0x8b, 0x13, 0x38, 0x0c, 0x05, 0x5b, 0x9d, 0xc7, 0x69, 0x16, 0x49, 0x2c, 0x7c, 0x0a, 0x47, 0xdc,
+	0x63, 0xbe, 0xe4, 0x72, 0x9d, 0x50, 0xc8, 0x6c, 0x8c, 0xa1, 0xe9, 0x51, 0x49, 0xed, 0x86, 0xf6,
+	0xeb, 0x35, 0x1e, 0x02, 0x76, 0x97, 0x42, 0x30, 0x5f, 0x12, 0x46, 0xbd, 0x0b, 0xb6, 0x9e, 0xd2,
+	0x68, 0x66, 0x37, 0xfb, 0x68, 0xd0, 0x24, 0x1b, 0x22, 0x6a, 0x8f, 0x92, 0x2f, 0x58, 0x24, 0xe9,
+	0x22, 0xb4, 0x0f, 0xfa, 0x68, 0xd0, 0x20, 0xb9, 0xc3, 0xf9, 0xc9, 0x84, 0x96, 0xe2, 0x18, 0x04,
+	0xb2, 0xc4, 0x04, 0x55, 0x98, 0xbc, 0x0f, 0x77, 0x98, 0xef, 0x8a, 0x75, 0x28, 0x79, 0xe0, 0x5f,
+	0xb0, 0x94, 0x6a, 0xd9, 0xa9, 0xb4, 0x89, 0x42, 0xea, 0xb2, 0x73, 0x4f, 0x53, 0xb6, 0x48, 0x6a,
+	0xe2, 0x87, 0xd0, 0x4d, 0xa0, 0xcc, 0x4b, 0xd8, 0x69, 0xce, 0x1d, 0x52, 0xf3, 0x2b, 0xac, 0xc7,
+	0x04, 0x5f, 0x51, 0x55, 0xf6, 0xca, 0x9d, 0xb1, 0x05, 0xd3, 0xc4, 0x2d, 0x52, 0xf3, 0x6f, 0x51,
+	0xe3, 0xf0, 0xff, 0xa9, 0xd1, 0xaa, 0xaa, 0xf1, 0xa7, 0x09, 0xc7, 0xe3, 0xc9, 0xe5, 0x24, 0xf0,
+	0x25, 0xf3, 0xe5, 0xb7, 0x74, 0xbe, 0x64, 0xf8, 0x63, 0x68, 0x2d, 0x23, 0x26, 0xc6, 0x5e, 0x7c,
+	0x70, 0xed, 0xd1, 0xbb, 0xc3, 0xbc, 0xf7, 0xc6, 0x93, 0xcb, 0x6f, 0xe2, 0xe0, 0xd4, 0x20, 0x29,
+	0x0e, 0x9f, 0x01, 0xa8, 0x25, 0x61, 0x8b, 0x60, 0x15, 0xf7, 0x55, 0x7b, 0x64, 0xd7, 0xb3, 0xe2,
+	0xf8, 0xd4, 0x20, 0x05, 0x34, 0xfe, 0x0e, 0xde, 0x51, 0xd6, 0x73, 0x26, 0x16, 0x3c, 0x8a, 0x78,
+	0xe0, 0x4f, 0x66, 0xd4, 0xbf, 0x66, 0x5a, 0xcf, 0xf6, 0xc8, 0xa9, 0x57, 0xa9, 0x22, 0xa7, 0x06,
+	0xd9, 0x58, 0x21, 0x65, 0x75, 0xee, 0xaf, 0xb8, 0x64, 0x5a, 0xfc, 0x8d, 0xac, 0xe2, 0x78, 0xca,
+	0x2a, 0xb6, 0xf0, 0xa7, 0x70, 0xa4, 0xac, 0xaf, 0x02, 0xee, 0xeb, 0xa3, 0x68, 0x8f, 0x4e, 0xea,
+	0x99, 0x2a, 0x3a, 0x35, 0x48, 0x86, 0x7c, 0xd2, 0x82, 0x83, 0x95, 0xd2, 0xd0, 0x79, 0xaa, 0x9b,
+	0xec, 0x4b, 0xd5, 0xbe, 0x67, 0x00, 0xd4, 0x9d, 0x27, 0x0a, 0xdb, 0xa8, 0xdf, 0x18, 0xb4, 0x47,
+	0xa7, 0xe5, 0x5a, 0x45, 0xf9, 0x49, 0x01, 0xed, 0xfc, 0x8b, 0xe0, 0x68, 0x3c, 0xb9, 0xbc, 0x92,
+	0x54, 0x32, 0xd5, 0x91, 0x22, 0x3f, 0x58, 0x16, 0xe9, 0x5a, 0x4d, 0x52, 0x76, 0xe2, 0xc7, 0xf1,
+	0xa6, 0x75, 0x4a, 0x64, 0x9b, 0xfa, 0xeb, 0xee, 0xd7, 0xa9, 0xeb, 0x38, 0x29, 0x40, 0xf1, 0x19,
+	0xb4, 0xb8, 0xde, 0x7b, 0x64, 0x37, 0x74, 0x56, 0xbf, 0x9c, 0xa5, 0x61, 0xc3, 0x58, 0x9e, 0xe8,
+	0xa9, 0x2f, 0xc5, 0x9a, 0xa4, 0x09, 0xa7, 0x5f, 0x43, 0xa7, 0x18, 0xc0, 0x5d, 0x68, 0xbc, 0x62,
+	0xeb, 0xe4, 0xde, 0xab, 0x25, 0x1e, 0x26, 0xca, 0x6c, 0x6f, 0x8e, 0xb8, 0x00, 0x89, 0x61, 0x67,
+	0xe6, 0x67, 0xc8, 0xf9, 0x05, 0x41, 0xa7, 0x48, 0x77, 0x0f, 0xf7, 0xf5, 0x0b, 0x68, 0x87, 0x59,
+	0x9b, 0x44, 0xba, 0xc7, 0xee, 0x8e, 0xde, 0xdb, 0xd5, 0x63, 0x11, 0x29, 0x66, 0x38, 0xbf, 0x21,
+	0x80, 0xfc, 0x0e, 0xec, 0x81, 0xd1, 0x07, 0x70, 0xaf, 0x3a, 0x0f, 0xe2, 0x03, 0xe8, 0x90, 0x7a,
+	0xa0, 0xca, 0xbf, 0xf9, 0xc6, 0xfc, 0xff, 0x42, 0x70, 0xa7, 0x24, 0x38, 0x1e, 0xc0, 0x31, 0x75,
+	0x5d, 0x16, 0xca, 0xe7, 0xcb, 0x97, 0x73, 0xee, 0x5e, 0xb0, 0x74, 0x27, 0x55, 0x77, 0x81, 0xea,
+	0xd5, 0x7a, 0x91, 0x4e, 0x1e, 0x53, 0x4f, 0x9e, 0x7a, 0xe0, 0x6d, 0x6f, 0xec, 0x0f, 0x04, 0xed,
+	0xc2, 0xb5, 0xdc, 0xc3, 0xc9, 0x64, 0xc2, 0x5c, 0x65, 0x2f, 0x66, 0xa3, 0x28, 0x4c, 0xe6, 0xc6,
+	0x0e, 0x74, 0x32, 0xad, 0xf2, 0x39, 0x5f, 0xf2, 0x6d, 0x96, 0xe3, 0x60, 0x8b, 0x1c, 0x4e, 0x94,
+	0x9d, 0x52, 0x32, 0x25, 0x77, 0x6d, 0xe7, 0x19, 0x1c, 0x27, 0x33, 0x80, 0xb0, 0x70, 0x4e, 0xdd,
+	0xec, 0x06, 0x3f, 0x28, 0xeb, 0x47, 0x4a, 0x20, 0x52, 0x4d, 0x72, 0x7e, 0x44, 0x70, 0xaf, 0x06,
+	0xdb, 0x83, 0x90, 0x9b, 0x9e, 0xc2, 0xc6, 0xe6, 0xa7, 0xd0, 0x59, 0xc1, 0xfd, 0x2d, 0x63, 0x7e,
+	0x27, 0x91, 0x4a, 0xfb, 0x98, 0x6f, 0xda, 0x3e, 0x0f, 0x1f, 0x03, 0xae, 0x43, 0xb0, 0x05, 0x07,
+	0x63, 0x6f, 0xc1, 0xfd, 0xae, 0x81, 0x01, 0x0e, 0x5f, 0x08, 0x2e, 0x99, 0xe8, 0x22, 0xb5, 0x56,
+	0x7c, 0x99, 0xe8, 0x9a, 0x4f, 0x3e, 0xfa, 0xfd, 0xa6, 0x87, 0x5e, 0xdf, 0xf4, 0xd0, 0x3f, 0x37,
+	0x3d, 0xf4, 0xf3, 0x6d, 0xcf, 0x78, 0x7d, 0xdb, 0x33, 0xfe, 0xbe, 0xed, 0x19, 0xdf, 0x9f, 0x6c,
+	0xfe, 0x3d, 0xf7, 0xf2, 0x50, 0x7f, 0x7c, 0xf2, 0x5f, 0x00, 0x00, 0x00, 0xff, 0xff, 0xa5, 0x4a,
+	0x77, 0x11, 0xf0, 0x09, 0x00, 0x00,
 }

 func (m *RawACLRecord) Marshal() (dAtA []byte, err error) {
@ -1640,13 +1632,6 @@ func (m *ACLUserInvite) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	_ = i
 	var l int
 	_ = l
-	if len(m.InviteId) > 0 {
-		i -= len(m.InviteId)
-		copy(dAtA[i:], m.InviteId)
-		i = encodeVarintAclrecord(dAtA, i, uint64(len(m.InviteId)))
-		i--
-		dAtA[i] = 0x2a
-	}
 	if m.Permissions != 0 {
 		i = encodeVarintAclrecord(dAtA, i, uint64(m.Permissions))
 		i--
@ -1661,12 +1646,10 @@ func (m *ACLUserInvite) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 			dAtA[i] = 0x1a
 		}
 	}
-	if len(m.EncryptPublicKey) > 0 {
-		i -= len(m.EncryptPublicKey)
-		copy(dAtA[i:], m.EncryptPublicKey)
-		i = encodeVarintAclrecord(dAtA, i, uint64(len(m.EncryptPublicKey)))
+	if m.EncryptSymKeyHash != 0 {
+		i = encodeVarintAclrecord(dAtA, i, uint64(m.EncryptSymKeyHash))
 		i--
-		dAtA[i] = 0x12
+		dAtA[i] = 0x10
 	}
 	if len(m.AcceptPublicKey) > 0 {
 		i -= len(m.AcceptPublicKey)
@ -1707,10 +1690,10 @@ func (m *ACLUserJoin) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 			dAtA[i] = 0x2a
 		}
 	}
-	if len(m.InviteId) > 0 {
-		i -= len(m.InviteId)
-		copy(dAtA[i:], m.InviteId)
-		i = encodeVarintAclrecord(dAtA, i, uint64(len(m.InviteId)))
+	if len(m.AcceptPubKey) > 0 {
+		i -= len(m.AcceptPubKey)
+		copy(dAtA[i:], m.AcceptPubKey)
+		i = encodeVarintAclrecord(dAtA, i, uint64(len(m.AcceptPubKey)))
 		i--
 		dAtA[i] = 0x22
 	}
@ -2146,9 +2129,8 @@ func (m *ACLUserInvite) Size() (n int) {
 	if l > 0 {
 		n += 1 + l + sovAclrecord(uint64(l))
 	}
-	l = len(m.EncryptPublicKey)
-	if l > 0 {
-		n += 1 + l + sovAclrecord(uint64(l))
+	if m.EncryptSymKeyHash != 0 {
+		n += 1 + sovAclrecord(uint64(m.EncryptSymKeyHash))
 	}
 	if len(m.EncryptedReadKeys) > 0 {
 		for _, b := range m.EncryptedReadKeys {
@ -2159,10 +2141,6 @@ func (m *ACLUserInvite) Size() (n int) {
 	if m.Permissions != 0 {
 		n += 1 + sovAclrecord(uint64(m.Permissions))
 	}
-	l = len(m.InviteId)
-	if l > 0 {
-		n += 1 + l + sovAclrecord(uint64(l))
-	}
 	return n
 }

@ -2184,7 +2162,7 @@ func (m *ACLUserJoin) Size() (n int) {
 	if l > 0 {
 		n += 1 + l + sovAclrecord(uint64(l))
 	}
-	l = len(m.InviteId)
+	l = len(m.AcceptPubKey)
 	if l > 0 {
 		n += 1 + l + sovAclrecord(uint64(l))
 	}
@ -3903,10 +3881,10 @@ func (m *ACLUserInvite) Unmarshal(dAtA []byte) error {
 			}
 			iNdEx = postIndex
 		case 2:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field EncryptPublicKey", wireType)
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field EncryptSymKeyHash", wireType)
 			}
-			var byteLen int
+			m.EncryptSymKeyHash = 0
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowAclrecord
@ -3916,26 +3894,11 @@ func (m *ACLUserInvite) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				byteLen |= int(b&0x7F) << shift
+				m.EncryptSymKeyHash |= uint64(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			if byteLen < 0 {
-				return ErrInvalidLengthAclrecord
-			}
-			postIndex := iNdEx + byteLen
-			if postIndex < 0 {
-				return ErrInvalidLengthAclrecord
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.EncryptPublicKey = append(m.EncryptPublicKey[:0], dAtA[iNdEx:postIndex]...)
-			if m.EncryptPublicKey == nil {
-				m.EncryptPublicKey = []byte{}
-			}
-			iNdEx = postIndex
 		case 3:
 			if wireType != 2 {
 				return fmt.Errorf("proto: wrong wireType = %d for field EncryptedReadKeys", wireType)
@ -3987,38 +3950,6 @@ func (m *ACLUserInvite) Unmarshal(dAtA []byte) error {
 					break
 				}
 			}
-		case 5:
-			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field InviteId", wireType)
-			}
-			var stringLen uint64
-			for shift := uint(0); ; shift += 7 {
-				if shift >= 64 {
-					return ErrIntOverflowAclrecord
-				}
-				if iNdEx >= l {
-					return io.ErrUnexpectedEOF
-				}
-				b := dAtA[iNdEx]
-				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
-				if b < 0x80 {
-					break
-				}
-			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
-				return ErrInvalidLengthAclrecord
-			}
-			postIndex := iNdEx + intStringLen
-			if postIndex < 0 {
-				return ErrInvalidLengthAclrecord
-			}
-			if postIndex > l {
-				return io.ErrUnexpectedEOF
-			}
-			m.InviteId = string(dAtA[iNdEx:postIndex])
-			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipAclrecord(dAtA[iNdEx:])
@ -4173,9 +4104,9 @@ func (m *ACLUserJoin) Unmarshal(dAtA []byte) error {
 			iNdEx = postIndex
 		case 4:
 			if wireType != 2 {
-				return fmt.Errorf("proto: wrong wireType = %d for field InviteId", wireType)
+				return fmt.Errorf("proto: wrong wireType = %d for field AcceptPubKey", wireType)
 			}
-			var stringLen uint64
+			var byteLen int
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowAclrecord
@ -4185,23 +4116,25 @@ func (m *ACLUserJoin) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				byteLen |= int(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
-			intStringLen := int(stringLen)
-			if intStringLen < 0 {
+			if byteLen < 0 {
 				return ErrInvalidLengthAclrecord
 			}
-			postIndex := iNdEx + intStringLen
+			postIndex := iNdEx + byteLen
 			if postIndex < 0 {
 				return ErrInvalidLengthAclrecord
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
-			m.InviteId = string(dAtA[iNdEx:postIndex])
+			m.AcceptPubKey = append(m.AcceptPubKey[:0], dAtA[iNdEx:postIndex]...)
+			if m.AcceptPubKey == nil {
+				m.AcceptPubKey = []byte{}
+			}
 			iNdEx = postIndex
 		case 5:
 			if wireType != 2 {
--- a/common/pkg/acl/aclrecordproto/protos/aclrecord.proto
+++ b/common/pkg/acl/aclrecordproto/protos/aclrecord.proto
@ -63,28 +63,18 @@ message ACLUserAdd {
  ACLUserPermissions permissions = 4;
 }

-// signing accept key
-// rsa encryption key -> read keys
-
-// accept key, encrypt key, invite id
-// GetSpace(id) -> ... (space header + acl root) -> diff
-// Join(ACLJoinRecord) -> Ok
-
-// 
-
 message ACLUserInvite {
  bytes acceptPublicKey = 1;
-  bytes encryptPublicKey = 2;
+  uint64 encryptSymKeyHash = 2;
  repeated bytes encryptedReadKeys = 3;
  ACLUserPermissions permissions = 4;
-  string inviteId = 5;
 }

 message ACLUserJoin {
  bytes identity = 1;
  bytes encryptionKey = 2;
  bytes acceptSignature = 3;
-  string inviteId = 4;
+  bytes acceptPubKey = 4;
  repeated bytes encryptedReadKeys = 5;
 }

--- a/common/pkg/acl/list/aclrecordbuilder.go
+++ b/common/pkg/acl/list/aclrecordbuilder.go
@ -4,6 +4,8 @@ import (
 	"github.com/anytypeio/go-anytype-infrastructure-experiments/common/pkg/acl/aclrecordproto"
 	"github.com/anytypeio/go-anytype-infrastructure-experiments/common/pkg/acl/common"
 	"github.com/anytypeio/go-anytype-infrastructure-experiments/common/util/cid"
+	"github.com/anytypeio/go-anytype-infrastructure-experiments/common/util/keys/asymmetric/signingkey"
+	"github.com/anytypeio/go-anytype-infrastructure-experiments/common/util/keys/symmetric"
 	"github.com/gogo/protobuf/proto"
 )

@ -23,6 +25,69 @@ func newACLRecordBuilder(id string, keychain *common.Keychain) ACLRecordBuilder
 	}
 }

+func (a *aclRecordBuilder) BuildUserJoin(acceptPrivKeyBytes []byte, encSymKeyBytes []byte, state *ACLState) (rec *aclrecordproto.RawACLRecord, err error) {
+	acceptPrivKey, err := signingkey.NewSigningEd25519PrivKeyFromBytes(acceptPrivKeyBytes)
+	if err != nil {
+		return
+	}
+	acceptPubKeyBytes, err := acceptPrivKey.GetPublic().Raw()
+	if err != nil {
+		return
+	}
+	encSymKey, err := symmetric.DeriveFromBytes(encSymKeyBytes)
+	if err != nil {
+		return
+	}
+
+	invite, err := state.Invite(acceptPubKeyBytes)
+	if err != nil {
+		return
+	}
+
+	encPrivKey, signPrivKey := state.UserKeys()
+	var symKeys [][]byte
+	for _, rk := range invite.EncryptedReadKeys {
+		dec, err := encSymKey.Decrypt(rk)
+		if err != nil {
+			return nil, err
+		}
+		newEnc, err := encPrivKey.GetPublic().Encrypt(dec)
+		if err != nil {
+			return nil, err
+		}
+		symKeys = append(symKeys, newEnc)
+	}
+	idSignature, err := acceptPrivKey.Sign(state.Identity())
+	if err != nil {
+		return
+	}
+	encPubKeyBytes, err := encPrivKey.GetPublic().Raw()
+	if err != nil {
+		return
+	}
+
+	userJoin := &aclrecordproto.ACLUserJoin{
+		Identity:          state.Identity(),
+		EncryptionKey:     encPubKeyBytes,
+		AcceptSignature:   idSignature,
+		AcceptPubKey:      acceptPubKeyBytes,
+		EncryptedReadKeys: symKeys,
+	}
+	marshalledJoin, err := userJoin.Marshal()
+	if err != nil {
+		return
+	}
+	joinSignature, err := signPrivKey.Sign(marshalledJoin)
+	if err != nil {
+		return
+	}
+	rec = &aclrecordproto.RawACLRecord{
+		Payload:   marshalledJoin,
+		Signature: joinSignature,
+	}
+	return
+}
+
 func (a *aclRecordBuilder) ConvertFromRaw(rawIdRecord *aclrecordproto.RawACLRecordWithId) (rec *ACLRecord, err error) {
 	rawRec := &aclrecordproto.RawACLRecord{}
 	err = proto.Unmarshal(rawIdRecord.Payload, rawRec)
--- a/common/pkg/acl/list/aclstate.go
+++ b/common/pkg/acl/list/aclstate.go
@ -7,6 +7,7 @@ import (
 	"github.com/anytypeio/go-anytype-infrastructure-experiments/common/app/logger"
 	"github.com/anytypeio/go-anytype-infrastructure-experiments/common/pkg/acl/aclrecordproto"
 	"github.com/anytypeio/go-anytype-infrastructure-experiments/common/pkg/acl/common"
+	"github.com/anytypeio/go-anytype-infrastructure-experiments/common/util/keys"
 	"github.com/anytypeio/go-anytype-infrastructure-experiments/common/util/keys/asymmetric/encryptionkey"
 	"github.com/anytypeio/go-anytype-infrastructure-experiments/common/util/keys/asymmetric/signingkey"
 	"github.com/anytypeio/go-anytype-infrastructure-experiments/common/util/keys/symmetric"
@ -23,6 +24,8 @@ var ErrUserRemoved = errors.New("user was removed from the document")
 var ErrDocumentForbidden = errors.New("your user was forbidden access to the document")
 var ErrUserAlreadyExists = errors.New("user already exists")
 var ErrNoSuchRecord = errors.New("no such record")
+var ErrNoSuchInvite = errors.New("no such invite")
+var ErrOldInvite = errors.New("invite is too old")
 var ErrInsufficientPermissions = errors.New("insufficient permissions")
 var ErrNoReadKey = errors.New("acl state doesn't have a read key")
 var ErrInvalidSignature = errors.New("signature is invalid")
@ -41,6 +44,7 @@ type ACLState struct {
 	userInvites        map[string]*aclrecordproto.ACLUserInvite
 	encryptionKey      encryptionkey.PrivKey
 	signingKey         signingkey.PrivKey
+	totalReadKeys      int

 	identity            string
 	permissionsAtRecord map[string][]UserPermissionPair
@ -199,6 +203,8 @@ func (st *ACLState) saveReadKeyFromRoot(root *aclrecordproto.ACLRoot) (err error
 	}
 	st.currentReadKeyHash = root.CurrentReadKeyHash
 	st.userReadKeys[root.CurrentReadKeyHash] = readKey
+	st.totalReadKeys++
+
 	return
 }

@ -207,7 +213,10 @@ func (st *ACLState) applyChangeData(changeData *aclrecordproto.ACLData, hash uin
 		if err != nil {
 			return
 		}
+		if hash != st.currentReadKeyHash {
+			st.totalReadKeys++
 			st.currentReadKeyHash = hash
+		}
 	}()

 	if !st.isUserJoin(changeData) {
@ -262,14 +271,14 @@ func (st *ACLState) applyUserPermissionChange(ch *aclrecordproto.ACLUserPermissi
 }

 func (st *ACLState) applyUserInvite(ch *aclrecordproto.ACLUserInvite) error {
-	st.userInvites[ch.InviteId] = ch
+	st.userInvites[string(ch.AcceptPublicKey)] = ch
 	return nil
 }

 func (st *ACLState) applyUserJoin(ch *aclrecordproto.ACLUserJoin) error {
-	invite, exists := st.userInvites[ch.InviteId]
+	invite, exists := st.userInvites[string(ch.AcceptPubKey)]
 	if !exists {
-		return fmt.Errorf("no such invite with id %s", ch.InviteId)
+		return fmt.Errorf("no such invite with such public key %s", keys.EncodeBytesToString(ch.AcceptPubKey))
 	}
 	chIdentity := string(ch.Identity)

@ -284,7 +293,7 @@ func (st *ACLState) applyUserJoin(ch *aclrecordproto.ACLUserJoin) error {
 		return fmt.Errorf("public key verifying invite accepts is given in incorrect format: %v", err)
 	}

-	res, err := verificationKey.(signingkey.PubKey).Verify(ch.Identity, signature)
+	res, err := verificationKey.Verify(ch.Identity, signature)
 	if err != nil {
 		return fmt.Errorf("verification returned error: %w", err)
 	}
@ -361,8 +370,8 @@ func (st *ACLState) applyUserRemove(ch *aclrecordproto.ACLUserRemove) error {
 				return ErrFailedToDecrypt
 			}

-			st.currentReadKeyHash = hash
-			st.userReadKeys[st.currentReadKeyHash] = key
+			st.userReadKeys[hash] = key
+			break
 		}
 	}
 	return nil
@ -404,6 +413,26 @@ func (st *ACLState) isUserAdd(data *aclrecordproto.ACLData, identity []byte) boo
 	return data.GetAclContent() != nil && userAdd != nil && bytes.Compare(userAdd.GetIdentity(), identity) == 0
 }

-func (st *ACLState) GetUserStates() map[string]*aclrecordproto.ACLUserState {
+func (st *ACLState) UserStates() map[string]*aclrecordproto.ACLUserState {
 	return st.userStates
 }
+
+func (st *ACLState) Invite(acceptPubKey []byte) (invite *aclrecordproto.ACLUserInvite, err error) {
+	invite, exists := st.userInvites[string(acceptPubKey)]
+	if !exists {
+		err = ErrNoSuchInvite
+		return
+	}
+	if len(invite.EncryptedReadKeys) != st.totalReadKeys {
+		err = ErrOldInvite
+	}
+	return
+}
+
+func (st *ACLState) UserKeys() (encKey encryptionkey.PrivKey, signKey signingkey.PrivKey) {
+	return st.encryptionKey, st.signingKey
+}
+
+func (st *ACLState) Identity() []byte {
+	return []byte(st.identity)
+}
--- a/common/pkg/acl/list/list_test.go
+++ b/common/pkg/acl/list/list_test.go
@ -22,9 +22,9 @@ func TestAclList_ACLState_UserInviteAndJoin(t *testing.T) {
 	idC := keychain.GetIdentity("C")

 	// checking final state
-	assert.Equal(t, aclrecordproto.ACLUserPermissions_Admin, aclList.ACLState().GetUserStates()[idA].Permissions)
-	assert.Equal(t, aclrecordproto.ACLUserPermissions_Writer, aclList.ACLState().GetUserStates()[idB].Permissions)
-	assert.Equal(t, aclrecordproto.ACLUserPermissions_Reader, aclList.ACLState().GetUserStates()[idC].Permissions)
+	assert.Equal(t, aclrecordproto.ACLUserPermissions_Admin, aclList.ACLState().UserStates()[idA].Permissions)
+	assert.Equal(t, aclrecordproto.ACLUserPermissions_Writer, aclList.ACLState().UserStates()[idB].Permissions)
+	assert.Equal(t, aclrecordproto.ACLUserPermissions_Reader, aclList.ACLState().UserStates()[idC].Permissions)
 	assert.Equal(t, aclList.Head().CurrentReadKeyHash, aclList.ACLState().CurrentReadKeyHash())

 	var records []*ACLRecord
@ -61,11 +61,11 @@ func TestAclList_ACLState_UserJoinAndRemove(t *testing.T) {
 	idC := keychain.GetIdentity("C")

 	// checking final state
-	assert.Equal(t, aclrecordproto.ACLUserPermissions_Admin, aclList.ACLState().GetUserStates()[idA].Permissions)
-	assert.Equal(t, aclrecordproto.ACLUserPermissions_Reader, aclList.ACLState().GetUserStates()[idC].Permissions)
+	assert.Equal(t, aclrecordproto.ACLUserPermissions_Admin, aclList.ACLState().UserStates()[idA].Permissions)
+	assert.Equal(t, aclrecordproto.ACLUserPermissions_Reader, aclList.ACLState().UserStates()[idC].Permissions)
 	assert.Equal(t, aclList.Head().CurrentReadKeyHash, aclList.ACLState().CurrentReadKeyHash())

-	_, exists := aclList.ACLState().GetUserStates()[idB]
+	_, exists := aclList.ACLState().UserStates()[idB]
 	assert.Equal(t, false, exists)

 	var records []*ACLRecord
--- a/common/pkg/acl/testutils/acllistbuilder/liststoragebuilder.go
+++ b/common/pkg/acl/testutils/acllistbuilder/liststoragebuilder.go
@ -9,6 +9,7 @@ import (
 	"github.com/anytypeio/go-anytype-infrastructure-experiments/common/util/cid"
 	"github.com/anytypeio/go-anytype-infrastructure-experiments/common/util/keys/asymmetric/encryptionkey"
 	"github.com/anytypeio/go-anytype-infrastructure-experiments/common/util/keys/asymmetric/signingkey"
+	"github.com/anytypeio/go-anytype-infrastructure-experiments/common/util/keys/symmetric"
 	"hash/fnv"
 	"io/ioutil"
 	"path"
@ -183,7 +184,7 @@ func (t *ACLListStorageBuilder) parseACLChange(ch *ACLChange) (convCh *aclrecord
 				UserAdd: &aclrecordproto2.ACLUserAdd{
 					Identity:          []byte(t.keychain.GetIdentity(add.Identity)),
 					EncryptionKey:     rawKey,
-					EncryptedReadKeys: t.encryptReadKeys(add.EncryptedReadKeys, encKey),
+					EncryptedReadKeys: t.encryptReadKeysWithPubKey(add.EncryptedReadKeys, encKey),
 					Permissions:       t.convertPermission(add.Permission),
 				},
 			},
@ -191,16 +192,16 @@ func (t *ACLListStorageBuilder) parseACLChange(ch *ACLChange) (convCh *aclrecord
 	case ch.UserJoin != nil:
 		join := ch.UserJoin

-		encKey := t.keychain.
-			GetKey(join.EncryptionKey).(encryptionkey.PrivKey)
+		encKey := t.keychain.GetKey(join.EncryptionKey).(encryptionkey.PrivKey)
 		rawKey, _ := encKey.GetPublic().Raw()

 		idKey, _ := t.keychain.SigningKeysByYAMLIdentity[join.Identity].GetPublic().Raw()
-		signKey := t.keychain.GetKey(join.AcceptSignature).(signingkey.PrivKey)
+		signKey := t.keychain.GetKey(join.AcceptKey).(signingkey.PrivKey)
 		signature, err := signKey.Sign(idKey)
 		if err != nil {
 			panic(err)
 		}
+		acceptPubKey, _ := signKey.GetPublic().Raw()

 		convCh = &aclrecordproto2.ACLContentValue{
 			Value: &aclrecordproto2.ACLContentValue_UserJoin{
@ -208,26 +209,24 @@ func (t *ACLListStorageBuilder) parseACLChange(ch *ACLChange) (convCh *aclrecord
 					Identity:          []byte(t.keychain.GetIdentity(join.Identity)),
 					EncryptionKey:     rawKey,
 					AcceptSignature:   signature,
-					InviteId:          join.InviteId,
-					EncryptedReadKeys: t.encryptReadKeys(join.EncryptedReadKeys, encKey),
+					AcceptPubKey:      acceptPubKey,
+					EncryptedReadKeys: t.encryptReadKeysWithPubKey(join.EncryptedReadKeys, encKey),
 				},
 			},
 		}
 	case ch.UserInvite != nil:
 		invite := ch.UserInvite
 		rawAcceptKey, _ := t.keychain.GetKey(invite.AcceptKey).(signingkey.PrivKey).GetPublic().Raw()
-		encKey := t.keychain.
-			GetKey(invite.EncryptionKey).(encryptionkey.PrivKey)
-		rawEncKey, _ := encKey.GetPublic().Raw()
+		hash := t.keychain.GetKey(invite.EncryptionKey).(*SymKey).Hash
+		encKey := t.keychain.ReadKeysByHash[hash]

 		convCh = &aclrecordproto2.ACLContentValue{
 			Value: &aclrecordproto2.ACLContentValue_UserInvite{
 				UserInvite: &aclrecordproto2.ACLUserInvite{
 					AcceptPublicKey:   rawAcceptKey,
-					EncryptPublicKey:  rawEncKey,
-					EncryptedReadKeys: t.encryptReadKeys(invite.EncryptedReadKeys, encKey),
+					EncryptSymKeyHash: hash,
+					EncryptedReadKeys: t.encryptReadKeysWithSymKey(invite.EncryptedReadKeys, encKey.Key),
 					Permissions:       t.convertPermission(invite.Permissions),
-					InviteId:          invite.InviteId,
 				},
 			},
 		}
@ -278,7 +277,7 @@ func (t *ACLListStorageBuilder) parseACLChange(ch *ACLChange) (convCh *aclrecord
 	return convCh
 }

-func (t *ACLListStorageBuilder) encryptReadKeys(keys []string, encKey encryptionkey.PrivKey) (enc [][]byte) {
+func (t *ACLListStorageBuilder) encryptReadKeysWithPubKey(keys []string, encKey encryptionkey.PrivKey) (enc [][]byte) {
 	for _, k := range keys {
 		realKey := t.keychain.GetKey(k).(*SymKey).Key.Bytes()
 		res, err := encKey.GetPublic().Encrypt(realKey)
@ -291,6 +290,19 @@ func (t *ACLListStorageBuilder) encryptReadKeys(keys []string, encKey encryption
 	return
 }

+func (t *ACLListStorageBuilder) encryptReadKeysWithSymKey(keys []string, key *symmetric.Key) (enc [][]byte) {
+	for _, k := range keys {
+		realKey := t.keychain.GetKey(k).(*SymKey).Key.Bytes()
+		res, err := key.Encrypt(realKey)
+		if err != nil {
+			panic(err)
+		}
+
+		enc = append(enc, res)
+	}
+	return
+}
+
 func (t *ACLListStorageBuilder) convertPermission(perm string) aclrecordproto2.ACLUserPermissions {
 	switch perm {
 	case "admin":
--- a/common/pkg/acl/testutils/acllistbuilder/ymlentities.go
+++ b/common/pkg/acl/testutils/acllistbuilder/ymlentities.go
@ -23,8 +23,7 @@ type ACLChange struct {
 	UserJoin *struct {
 		Identity          string   `yaml:"identity"`
 		EncryptionKey     string   `yaml:"encryptionKey"`
-		AcceptSignature   string   `yaml:"acceptSignature"`
-		InviteId          string   `yaml:"inviteId"`
+		AcceptKey         string   `yaml:"acceptKey"`
 		EncryptedReadKeys []string `yaml:"encryptedReadKeys"`
 	} `yaml:"userJoin"`

@ -33,7 +32,6 @@ type ACLChange struct {
 		EncryptionKey     string   `yaml:"encryptionKey"`
 		EncryptedReadKeys []string `yaml:"encryptedReadKeys"`
 		Permissions       string   `yaml:"permissions"`
-		InviteId          string   `yaml:"inviteId"`
 	} `yaml:"userInvite"`

 	UserRemove *struct {
--- a/common/pkg/acl/testutils/yamltests/userjoinexample.yml
+++ b/common/pkg/acl/testutils/yamltests/userjoinexample.yml
@ -6,10 +6,9 @@ records:
    aclChanges:
      - userInvite:
          acceptKey: key.Sign.Onetime1
-          encryptionKey: key.Enc.Onetime1
+          encryptionKey: key.Read.EncKey
          encryptedReadKeys: [key.Read.1]
          permissions: writer
-          inviteId: A.1.2
      - userAdd:
          identity: C
          permission: reader
@ -21,8 +20,7 @@ records:
      - userJoin:
          identity: B
          encryptionKey: key.Enc.B
-          acceptSignature: key.Sign.Onetime1
-          inviteId: A.1.2
+          acceptKey: key.Sign.Onetime1
          encryptedReadKeys: [key.Read.1]
    readKey: key.Read.1
 keys:
@ -48,3 +46,5 @@ keys:
  Read:
    - name: 1
      value: derived
+    - name: EncKey
+      value: generated
--- a/common/pkg/acl/testutils/yamltests/userremoveexample.yml
+++ b/common/pkg/acl/testutils/yamltests/userremoveexample.yml
@ -6,10 +6,9 @@ records:
    aclChanges:
      - userInvite:
          acceptKey: key.Sign.Onetime1
-          encryptionKey: key.Enc.Onetime1
+          encryptionKey: key.Read.EncKey
          encryptedReadKeys: [key.Read.1]
          permissions: writer
-          inviteId: A.1.2
      - userAdd:
          identity: C
          permission: reader
@ -21,8 +20,7 @@ records:
      - userJoin:
          identity: B
          encryptionKey: key.Enc.B
-          acceptSignature: key.Sign.Onetime1
-          inviteId: A.1.2
+          acceptKey: key.Sign.Onetime1
          encryptedReadKeys: [key.Read.1]
    readKey: key.Read.1
  - identity: A
@ -57,3 +55,5 @@ keys:
      value: derived
    - name: 2
      value: generated
+    - name: EncKey
+      value: generated