FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Add a policy to require user interaction on certain inbound cross-site requests #2647

Closed andrewpai closed 4 months ago

andrewpai commented 4 months ago

Add a policy to require user interaction on certain inbound cross-site requests

Problem

There are a number of cases where we expect cross-site requests into FusionAuth, such as on a forgot password flow and inbound magic links. When these links are delivered to users by email, some security-focused link checkers will follow the links to assess risk. When the links include information to evoke state changes in FusionAuth (e.g. invalidating one-time use codes), this can make it so the legitimate click by the user will no longer work.

Solution

Add a policy to force user interaction in these cases, so that a request from a link checker will receive a form but will not change state in FusionAuth. Only a submission of the form from a user click will cause that to happen. Link checkers should not be posting a returned form.

Alternatives/workarounds

No known workarounds, other than to turn down the aggressiveness of a link checker.

Related

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
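The interstitial policy the issue proposes, as an added example that is not FusionAuth's code: a "before" handler that consumes the one-time code on GET, beside an "after" handler that returns a form on GET and only consumes the code on the form POST, both run through the link-checker-then-user sequence described in the Problem section. The code store, handler signatures and the `c0de` token are constructed for illustration.

```python
"""Added example, not FusionAuth's code: a state-changing GET on an emailed one-time
link breaks when a mail-security link checker prefetches it; the proposed policy
(GET returns a form, only the POST consumes the code) avoids that. Store, handler
signatures and the "c0de" token are constructed for illustration."""
import html
from dataclasses import dataclass, field


@dataclass
class CodeStore:
    """Constructed stand-in for one-time code storage (forgot password, magic link)."""
    codes: set = field(default_factory=set)

    def consume(self, code: str) -> bool:
        # One-time semantics: the first consume succeeds, any later one fails.
        if code in self.codes:
            self.codes.discard(code)
            return True
        return False


def handle_get_consumes(store: CodeStore, method: str, code: str) -> str:
    """'Before': the first GET invalidates the code. A checker that follows the
    link consumes it, and the user's later click is rejected."""
    if method != "GET":
        return "method_not_allowed"
    return "changed" if store.consume(code) else "rejected"


def handle_interstitial(store: CodeStore, method: str, code: str) -> str:
    """'After' (the policy from the issue): GET is read-only and returns a form
    carrying the code; state changes only on the user's POST of that form."""
    if method == "GET":
        if code not in store.codes:
            return "rejected"
        # Link checkers fetch pages but do not submit forms, so returning this is harmless.
        form = ('<form method="post"><input type="hidden" name="code" '
                f'value="{html.escape(code, quote=True)}"><button>Continue</button></form>')
        return "form:" + form
    if method == "POST":
        return "changed" if store.consume(code) else "rejected"
    return "method_not_allowed"


def simulate(handler) -> list:
    """Sequence: a link checker GETs the link, then the user clicks (GET) and,
    if shown a form, submits it (POST). Returns the outcome of each step."""
    store = CodeStore({"c0de"})
    checker = handler(store, "GET", "c0de")
    user_get = handler(store, "GET", "c0de")
    user_post = handler(store, "POST", "c0de") if user_get.startswith("form:") else "no_form"
    return [checker.split(":")[0], user_get.split(":")[0], user_post.split(":")[0]]
```

With the "before" handler the checker's prefetch returns `changed` and the user's own click is `rejected`; with the interstitial handler both GETs return the form and only the user's POST changes state.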

robotdan commented 4 months ago

Looks like I opened this same issue last August.

robotdan commented 4 months ago

Closing as duplicate. https://github.com/FusionAuth/fusionauth-issues/issues/2443