nhost/hasura-auth

Passwordless link broken by Microsoft/Outlook "Safe link"

Closed this issue · 5 comments

Hasura auth has the same issue as FusionAuth/fusionauth-issues#629

Passwordless links are opened by a robot, which invalidates them.

Do you think it's possible to handle this use case?

I'm seeing this issue too. It seems like the easiest solution is to ensure HEAD requests do not invalidate the passwordless link. Is this a possibility?

Hmm, seems like the fix for HEAD requests was already added in the commits referenced in the issue below. Maybe Microsoft is doing something different now? @edouardouvrard - did you look into this further, or figure out a solution?

#189
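
The HEAD-handling idea raised in the comments above, as an added sketch that is not part of the thread and not hasura-auth code: a one-time ticket store where HEAD reports that the link resolves without consuming it, while any GET, whether from a mail scanner or from the user, still spends the ticket. `issueTicket`, `handleVerify` and the in-memory `Map` are hypothetical names chosen for illustration.

```javascript
// Added illustration only; all names here are hypothetical, not hasura-auth APIs.
// Web Crypto is a global on current Node; older CommonJS Node falls back to node:crypto.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// ticket -> { email, expiresAt }; a real service would keep this in its database.
const tickets = new Map();

// Issue a single-use, time-limited ticket to embed in the e-mailed link.
function issueTicket(email, ttlMs = 15 * 60 * 1000, now = Date.now()) {
  const bytes = webcrypto.getRandomValues(new Uint8Array(32));
  const ticket = Buffer.from(bytes).toString('base64url');
  tickets.set(ticket, { email, expiresAt: now + ttlMs });
  return ticket;
}

// Decide what the verify route does for one request.
function handleVerify(method, ticket, now = Date.now()) {
  const entry = tickets.get(ticket);
  if (!entry || entry.expiresAt <= now) {
    tickets.delete(ticket); // drop expired entries; unknown tickets are a no-op
    return { status: 401, consumed: false };
  }
  if (method === 'HEAD') {
    // Link probe: answer that the link is valid, but leave the ticket usable.
    return { status: 200, consumed: false };
  }
  if (method !== 'GET') {
    return { status: 405, consumed: false };
  }
  // First GET wins. If a scanner issues a GET, the user's later click gets 401,
  // which is the behaviour the thread suspects Outlook is now triggering.
  tickets.delete(ticket);
  return { status: 302, consumed: true, email: entry.email };
}

// Constructed walk-through: a HEAD probe, then the user's click, then a replay.
function demo() {
  const t = issueTicket('user@example.test'); // constructed sample address
  return ['HEAD', 'GET', 'GET'].map((m) => handleVerify(m, t).status);
}
console.log(demo()); // statuses for probe, first click, replay
```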

rikur commented

What a PITA, thanks Microsoft. We tried deploying a custom function to do the redirection (and block out MS bots), but Outlook seems to even visit URIs inside URIs.

At this point, I would base64 encode and rot13 the {link} and do the reverse at the router middleware. That should keep MS from snooping 🤦

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Sorry, this one fell through the cracks. There is a parallel conversation about this that started recently with some proposed solutions:

nhost/nhost#2314

Feel free to chime in there.