Skip to content

Login Link is followed by emailing scanning software and link is invalidated #4965

Description

@joelhooks

Provider type

Email

Environment

System:
OS: macOS 12.2.1
CPU: (10) arm64 Apple M1 Max
Memory: 6.94 GB / 64.00 GB
Shell: 5.8 - /bin/zsh
Binaries:
Node: 16.16.0 - ~/.nodenv/versions/16.16.0/bin/node
Yarn: 1.22.19 - ~/.yarn/bin/yarn
npm: 8.11.0 - ~/.nodenv/versions/16.16.0/bin/npm
Browsers:
Chrome: 103.0.5060.114
Safari: 15.3
npmPackages:
next: ^12.1.6 => 12.1.6
next-auth: =4.2.1 => 4.2.1
react: 17.0.2 => 17.0.2

Reproduction URL

https://github.com/skillrecordings/products/blob/main/apps/testingaccessibility/src/pages/api/auth/%5B...nextauth%5D.ts

Describe the issue

Many organizations utilize various email scanning mechanism that will actively follow links in email messages. When this occurs with a next-auth email provider email, it results in the VerificationToken being used and thus instantly invalidated for the human user that clicks the link seconds, minutes, or hours later.

The link is never valid for the human user no matter how many times they try.

Microsoft 365 Advanced Threat Protection
Bing Preview Clicks Links

This has been previously discussed: #4585

some additional information on stack exchange: https://security.stackexchange.com/a/211293

The "?redirect=true" approach seems very reasonable to me, so if the follow param is missing, render this:

<!DOCTYPE html>
<html>
  <body>
    <script> 
var queryParams = new URLSearchParams(window.location.search);
queryParams.set("follow", "true");
history.replaceState(null, null, "?"+queryParams.toString());
    </script>
  </body>
</html>

alternatively if we could allow them to be valid for a period of time with unlimited use that would suit our needs specifically, and might help others with tradeoffs.

If this isn't an issue and should remain in the above discussion, please feel free to close it.

How to reproduce

This is tricky. I've got a user that this occurs to consistently, but you need to setup a Baracuda or various Microsoft tools that robo-click emails.

Expected behavior

Human users should get verification links that work.

} else if (provider.type === "email") {

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions