
Email client security checks trigger duplicate two-factor emails #2360

Closed
1 task done
spwitt opened this issue Jul 7, 2023 · 1 comment
Labels: bug (Something isn't working), client-reported

Comments


spwitt commented Jul 7, 2023

Description

Some email clients or other security measures may send pre-flight checks for links in emails. For users with email configured as an MFA option, these checks may trigger sending the MFA code via email. The user is sent another MFA code when they navigate to the link in their browser. Only the most recent MFA code is valid.

These are often an HTTP HEAD request, but some clients may use a GET request.

Affects versions

1.33.0-1.46.0

Steps to reproduce

  1. Enable MFA for a user via email
  2. On the FusionAuth login page, click the Forgot Password link
  3. Enter the user's email address and submit the form
  4. Copy the change password link from the email (do not click it)
  5. Use the curl command or another tool to send a HEAD request to the link to simulate an email client security check (example below)
  6. The user should receive an email with an MFA code
  7. Now open the password change link in the browser
  8. The user receives another MFA code via email
  9. Only the second code will work to complete MFA step-up

Here is an example curl command to send the request. Query string parameters have been omitted for brevity but should be provided when making the request.

curl "https://local.fusionauth.io/password/change/UXWpPTWf4qr_vbBoXAIZNTN16R1HXAJagvq7AvOA5ro?<queryString>" --head

Expected behavior

Email client or other pre-flight security checks should not trigger an MFA email to be sent.

Documentation

  • Include warning about changes to origin validation to include the port number in Release Notes
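The flaw described in this report, and the fix its expected behaviour implies, can be modelled in a few lines. The following is an added illustration, not FusionAuth code: a vulnerable handler that issues an MFA email on every fetch of the link (so an email client's HEAD or GET pre-flight burns the code), beside a hardened handler in which HEAD and GET are side-effect free and the code is sent only on an explicit POST from the rendered page. The class and function names, the six-digit code format and the simulated request sequence are all assumptions made for the example.

```python
"""Added example (not FusionAuth's code): why an email link that does work on
HEAD/GET breaks under client pre-flight checks, and one defensive pattern.

Names, status codes and the code format are invented for the illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional
import secrets


@dataclass
class MfaState:
    """Per-user MFA bookkeeping. As in the issue, only the most recently
    issued code verifies; every issued code is also recorded as 'emailed'."""
    emails_sent: List[str] = field(default_factory=list)  # codes delivered by email
    current_code: Optional[str] = None                    # the only code that verifies

    def issue_code(self) -> str:
        code = f"{secrets.randbelow(10**6):06d}"   # constructed 6-digit code
        self.current_code = code
        self.emails_sent.append(code)
        return code

    def verify(self, code: str) -> bool:
        return self.current_code is not None and secrets.compare_digest(code, self.current_code)


def vulnerable_change_password(method: str, state: MfaState) -> int:
    """Models the reported behaviour: an MFA code is emailed on *every*
    fetch of the link, HEAD included. Returns an HTTP status code."""
    if method not in ("HEAD", "GET"):
        return 405
    state.issue_code()   # side effect on a 'safe' method: pre-flight checks trigger it
    return 200


def hardened_change_password(method: str, state: MfaState) -> int:
    """Safe methods stay side-effect free. HEAD just answers the link checker,
    GET renders a page with a 'send me a code' form, and only the user's POST
    of that form actually emails the code."""
    if method == "HEAD":
        return 200       # nothing issued
    if method == "GET":
        return 200       # page rendered, nothing issued
    if method == "POST":
        state.issue_code()
        return 202       # code sent; user proceeds to verification
    return 405


def simulate_preflight_then_user(handler) -> dict:
    """Replay the report's scenario against a handler: an email client probes
    the link with HEAD, then the user opens it in a browser (GET) and, where
    the handler requires it, submits the form (POST). Returns how many MFA
    emails the user received and whether the first one still verifies."""
    state = MfaState()
    handler("HEAD", state)                 # pre-flight security check
    handler("GET", state)                  # user opens the link
    if handler is hardened_change_password:
        handler("POST", state)             # user explicitly requests the code
    first_code = state.emails_sent[0]
    return {
        "emails_sent": len(state.emails_sent),
        "first_code_still_valid": state.verify(first_code),
    }


if __name__ == "__main__":
    print("vulnerable:", simulate_preflight_then_user(vulnerable_change_password))
    print("hardened:  ", simulate_preflight_then_user(hardened_change_password))
```

In the vulnerable flow the user receives two emails and the first code is already dead, exactly the sequence in the reproduction steps; in the hardened flow the pre-flight HEAD and the browser GET leave no trace and a single code is issued when the user asks for it. Deferring the side effect to a POST also covers clients that probe with GET rather than HEAD, which the report notes some do.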
@spwitt spwitt self-assigned this Jul 7, 2023
@spwitt spwitt added this to Backlog in FusionAuth Issues via automation Jul 7, 2023
@spwitt spwitt moved this from Backlog to Code complete in FusionAuth Issues Jul 7, 2023
spwitt commented Jul 7, 2023