
Prevent linkbots from consuming tokens in one time links #4775

Open
frjo wants to merge 4 commits into main from feature/prevent-linkbots-consume-tokens

Member

frjo commented Mar 25, 2026

Fixes #4535

This is mainly a fix for the MS Outlook mail system's habit of doing a preview of links in all e-mails. This preview expires the one time links, so when a user tries to log in or reset their password it does not work.

The solution is to show an extra confirmation screen with a login button, so users need to click one extra time. This solves the MicrosoftPreview issue and should work for any similar issues as well.

During the work I found a number of inconsistencies in various login related templates that I also attempted to fix. That is the reason so many files are changed in this PR.

Test Steps

  • Use the signup and passwordless login and confirm that by clicking the link in the email you come to a confirmation screen. Clicking the button there logs you in to the site.

@frjo frjo added Type: Feature This is something new (not an enhancement of an existing thing). Type: Minor Minor change, used in release drafter labels Mar 25, 2026
@frjo frjo requested a review from wes-otf March 25, 2026 14:09
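
The confirmation-screen approach from the PR description, as an added example (not code from this PR or from the project): a GET of the emailed link only renders a confirm page, and the token is consumed only by the button's POST. The class, method names, status messages and in-memory store are assumptions made for illustration.

```python
import hashlib
import secrets
import time


class OneTimeLinks:
    """In-memory single-use login links (hypothetical names, illustration only)."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._pending = {}  # sha256(token) -> (user, expiry timestamp)

    @staticmethod
    def _key(token):
        # Store only a digest so a leaked store does not reveal usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[self._key(token)] = (user, now + self.ttl)
        return token

    def handle(self, method, token, now=None):
        """Return (status, message) for a request to the emailed link."""
        now = time.time() if now is None else now
        key = self._key(token)
        if method in ("GET", "HEAD"):
            # Safe methods never consume: a link preview only gets the confirm page.
            entry = self._pending.get(key)
            if entry is None or entry[1] < now:
                return 410, "link expired or already used"
            return 200, "confirm: press the button to log in"
        if method == "POST":
            # Only the button press consumes; pop() checks and removes in one step.
            entry = self._pending.pop(key, None)
            if entry is None or entry[1] < now:
                return 410, "link expired or already used"
            return 302, f"logged in as {entry[0]}"
        return 405, "method not allowed"


def demo():
    links = OneTimeLinks(ttl_seconds=900)
    token = links.issue("alice@example.org", now=0)  # constructed sample user
    preview = [links.handle("GET", token, now=5) for _ in range(2)]
    click = links.handle("POST", token, now=60)
    replay = links.handle("POST", token, now=61)
    return preview, click, replay
```

In a framework view, the confirm page's form would also carry the framework's usual CSRF token on the POST.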
Contributor

@wes-otf wes-otf left a comment

Overall this looks and works fantastic! This is the solution we needed - you were also so fast about this!

Contributor

super nitpick but should we also add {% block body_class %}bg-base-200{% endblock %} after the title block? I like how that makes the card pop on the confirm template:

{% block body_class %}bg-base-200{% endblock %}

Member Author

Will look at that, we use the same style in many places so I'll make sure they all look the same.

<div class="flex flex-col justify-center items-center min-h-[60vh]">
<section class="w-full max-w-2xl card shadow-xs bg-base-100 md:card-lg">
<div class="items-center card-body">
<span class="flex justify-center items-center mb-4 rounded-full bg-primary/10">
Contributor

this is so slick! I love the shadowy circle behind the icon

Member Author

frjo commented Mar 25, 2026

Been thinking about a solution for weeks and worked on it since last week, so not so fast 😃.

Development

Successfully merging this pull request may close these issues.

Workaround for Outlook previewing login links and expire them prematurely

2 participants