
Magic links break when Outlook safe links are enabled #189

Closed
mmmmillar opened this issue Jun 8, 2022 · 7 comments

Comments

@mmmmillar
Contributor

Magic links don't work from Outlook when safe links are enabled.

The logs show that the verifyHandler is called multiple times when the link is clicked (as part of the safety check) - the first time the ticket is removed from the user record and redirect is called correctly, but this is cancelled out by the subsequent calls to verifyHandler where the ticket no longer exists and an error response is sent.

The code where this happens is here:

```ts
// Look up the user holding this ticket, but only if the ticket is unexpired.
const user = await gqlSdk
  .users({
    where: {
      _and: [
        {
          ticket: {
            _eq: ticket,
          },
        },
        {
          ticketExpiresAt: {
            _gt: new Date(),
          },
        },
      ],
    },
  })
  .then((gqlRes) => gqlRes.users[0]);
if (!user) {
  // Every request after the first lands here once the ticket has been cleared.
  return sendError(res, 'invalid-ticket', { redirectTo });
}
// user found, delete current ticket
await gqlSdk.updateUser({
  id: user.id,
  user: {
    ticket: null,
  },
});
```

@elitan
Contributor

elitan commented Jun 8, 2022

I've googled a bit and it seems to be a common issue.

In summary, I think there are two solutions:

  1. Always return 200 for HEAD /verify: router.head('/verify', (_, res) => res.sendStatus(200));
  2. Don't delete tickets after they've been used, but instead allow tickets to be reusable until they expire.

If we could try solution 1 and check if it works, I think that would be the cleanest solution for now.

@Haraldson

@elitan Did that actually fix the problem? I’m in a similar situation now, and from what I gather reading a lot of issues and tickets all around, it shouldn't have worked?

@elitan
Contributor

elitan commented Jan 5, 2023

I think it was fixed yes.

Did you experience something else?

@Haraldson

I haven’t really tried it out yet, but I was asking due to comments such as the ones on this StackOverflow issue, where disabling HEAD requests was said to not work. However, returning a smile and a thumbs up like your fix here might work [differently].

@lordkev

lordkev commented Apr 4, 2023

Unfortunately, this solution no longer works. In my testing, Outlook makes actual GET requests during its link scanning, not just HEAD requests.

@kelkes

kelkes commented Mar 11, 2024

I've got the same problem with magic links. Links are invalid before the user gets the chance to click them.

@dbarrosop
Member

We wrote about this issue recently:

https://nhost.io/blog/protect-magic-links-from-email-clients
nhost/nhost#2590
