cds-snc / url-shortener

An API written in Python that shortens URLs
MIT License

Bug: magic link login fails from TBS tablet in Outlook #379

Closed patheard closed 1 year ago

patheard commented 1 year ago

Summary

Users trying to login with a @tbs-sct.gc.ca email address are getting a Magic link invalid error when they attempt to login from their TBS tablet using Outlook.

Using the @tbs-sct.gc.ca email address works properly through the iPhone mail client.

patheard commented 1 year ago

What appears to be happening is that an automated security process is visiting the magic link and claiming the session before the user is able to.

This has been confirmed by finding the magic link's UUID session active in the DynamoDB table and viewing the WAF ACL firewall logs showing GET requests to the magic link. Here is an example of one of the automated requests that claims the session:

clientip=4.204.208.99 # Microsoft Toronto datacentre
country=CA
uri=/fr/lien-magique, args=guid=<UUID>&email=patrick.heard%40tbs-sct.gc.ca
httpversion=HTTP/2.0
httpmethod=GET

# headers
[
    {name=host, value=url-shortener.cdssandbox.xyz}, 
    {name=upgrade-insecure-requests, value=1}, 
    {name=user-agent, value=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36}, 
    {name=accept, value=text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9}, 
    {name=sec-fetch-site, value=none}, 
    {name=sec-fetch-mode, value=navigate}, 
    {name=sec-fetch-user, value=?1}, 
    {name=sec-fetch-dest, value=document}, 
    {name=accept-encoding, value=gzip, deflate, br}, 
    {name=accept-language, value=en-US,en;q=0.9}
]
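One mitigation for the link-scanner prefetch described above, as an added example that is not the project's code and does not describe the fix this issue shipped: the GET handler only renders a confirmation form and never claims the session, so a scanner that fetches the URL leaves the item untouched; only the form's POST claims it, once, within a TTL. The function names, in-memory store and TTL value are assumptions.

```python
import secrets
import time
from typing import Optional

MAGIC_LINK_TTL_SECONDS = 300  # assumed lifetime for this example, not the project's value

# Constructed in-memory stand-in for the DynamoDB magic-link table.
_magic_links: dict = {}


def issue_magic_link(email: str, now: Optional[float] = None) -> str:
    """Create a single-use magic link item and return its guid."""
    guid = secrets.token_urlsafe(32)
    _magic_links[guid] = {
        "email": email,
        "created": time.time() if now is None else now,
        "claimed": False,
    }
    return guid


def handle_get(guid: str, email: str) -> dict:
    """GET /lien-magique: only render a confirmation form; never claim the session.
    An automated scanner that prefetches the link therefore consumes nothing."""
    item = _magic_links.get(guid)
    if item is None or item["email"] != email:
        return {"status": 404, "body": "Magic link invalid"}
    return {"status": 200, "body": "confirm-form", "claimed": item["claimed"]}


def handle_post(guid: str, email: str, now: Optional[float] = None) -> dict:
    """POST from the confirmation form: claim the session exactly once, within the TTL."""
    now = time.time() if now is None else now
    item = _magic_links.get(guid)
    if item is None or item["email"] != email:
        return {"status": 403, "body": "Magic link invalid"}
    if item["claimed"]:
        return {"status": 403, "body": "Magic link already used"}
    if now - item["created"] > MAGIC_LINK_TTL_SECONDS:
        del _magic_links[guid]  # expired items are removed, as the issue later verifies
        return {"status": 403, "body": "Magic link expired"}
    item["claimed"] = True
    return {"status": 200, "body": "session-created", "session_for": email}
```

A scanner that does not submit forms sees only the confirmation page, so the user's own click on the button is the first request that creates the session.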
patheard commented 1 year ago

This is now working in Staging. We still need to verify that expired magic link items are deleted as expected from the table.

patheard commented 1 year ago

Confirmed that expired items are being deleted from the table.