Closed patheard closed 1 year ago
What appears to be happening is that an automated security process is visiting the magic link and claiming the session before the user is able to.
This has been confirmed by finding the magic link's UUID session active in the DynamoDB table and viewing the WAF ACL firewall logs showing GET
requests to the magic link. Here is an example of one of the automated requests that claims the session:
clientip=4.204.208.99 # Microsoft Toronto datacentre
country=CA
uri=/fr/lien-magique, args=guid=<UUID>&email=patrick.heard%40tbs-sct.gc.ca
httpversion=HTTP/2.0
httpmethod=GET
# headers
[
{name=host, value=url-shortener.cdssandbox.xyz},
{name=upgrade-insecure-requests, value=1},
{name=user-agent, value=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36},
{name=accept, value=text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9},
{name=sec-fetch-site, value=none},
{name=sec-fetch-mode, value=navigate},
{name=sec-fetch-user, value=?1},
{name=sec-fetch-dest, value=document},
{name=accept-encoding, value=gzip, deflate, br},
{name=accept-language, value=en-US,en;q=0.9}
]
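One common mitigation for the behaviour described above, as an added example (not the project's code, and not necessarily the fix that was deployed here): keep GET on the magic-link URI free of side effects and claim the session only on a POST from a confirmation page. The class and function names, the TTL, the sample address and the in-memory store standing in for the table are all assumptions for illustration.

```python
import time
import uuid

TTL_SECONDS = 300  # assumed lifetime; the page does not state one


class MagicLinks:
    """In-memory stand-in for the table of pending magic links."""

    def __init__(self, claim_on_get, now=time.time):
        self.claim_on_get = claim_on_get  # True reproduces the reported failure
        self.now = now
        self.pending = {}  # guid -> (email, expires_at)

    def issue(self, email):
        guid = str(uuid.uuid4())
        self.pending[guid] = (email, self.now() + TTL_SECONDS)
        return guid

    def _valid(self, guid, email):
        entry = self.pending.get(guid)
        return entry is not None and entry[0] == email and entry[1] >= self.now()

    def handle(self, method, guid, email):
        """Return (status, body) for a request to the magic-link URI."""
        if not self._valid(guid, email):
            return 400, "Magic link invalid"
        if method == "GET" and not self.claim_on_get:
            # Safe method: render a confirmation form, change no state.
            return 200, "confirm"
        if method in ("GET", "POST"):
            del self.pending[guid]  # single use: claimed exactly once
            return 302, "session for " + email
        return 405, "method not allowed"


def replay(claim_on_get):
    """Constructed sequence: a scanner fetches the link, then the user opens it."""
    links = MagicLinks(claim_on_get)
    guid = links.issue("user@example.org")  # constructed sample address
    scanner = links.handle("GET", guid, "user@example.org")
    user_get = links.handle("GET", guid, "user@example.org")
    # The user can only submit the confirmation form if the GET rendered it.
    user_final = (links.handle("POST", guid, "user@example.org")
                  if user_get[0] == 200 else user_get)
    return scanner[0], user_final[0]
```

`replay(True)` shows the scanner's GET consuming the link before the user arrives; `replay(False)` shows the same sequence ending with the user's POST claiming the session.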
This is now working in Staging. We still need to verify that expired magic link items are deleted as expected from the table.
Confirmed that expired items are being deleted from the table.
Summary
Users trying to login with a @tbs-sct.gc.ca email address are getting a "Magic link invalid" error when they attempt to login from their TBS tablet using Outlook. Using the @tbs-sct.gc.ca email address works properly through the iPhone mail client.