flarum / framework

Simple forum software for building great communities.
http://flarum.org/

Invalid token on discuss.flarum #1013

Closed jordanjay29 closed 7 years ago

jordanjay29 commented 8 years ago

User ashkir on discuss.flarum had an issue with the activation link to his account. He reported that the link in the email, token provided below, led him to a blank page with the source containing only: "Invalid confirmation token." Empty webdev console as well.

His account was activated in the interim period as he had made a post on discuss with no issues. By the time the email arrived, he had no adverse reactions to his account, only the odd result upon following the link.

token: nx704D0e1a1XLGxnpW5YpvLliC9UFma9pBPfygcS

tobyzerner commented 8 years ago

Deployed latest code to discuss.flarum and seems to be fixed.

JasonLABS commented 7 years ago

I signed up yesterday on the flarum community, and I received the confirmation email, but when I clicked on the link the following message was displayed in a blank browser:

Invalid confirmation token

tobyzerner commented 7 years ago

What email client did you use? I'm suspicious that the email client is visiting the link in the background when you open the email (to check for viruses or whatever) and thus activating the account + invalidating the confirmation token before you even click on the link yourself.

JasonLABS commented 7 years ago

I use gmail as the email client for my domain. https://gsuite.google.com/

tobyzerner commented 7 years ago

Yeah I can reproduce now. In fact, you need only sign up a new account (with any email provider) and then reload the page after a few seconds to see that the account has magically been activated – somehow the activation URL is being visited without ever opening the email!

I did some investigation and I think that SparkPost, the SMTP service we use on discuss.flarum.org, may be the culprit... I've opened a ticket with them so we'll see if they can offer any explanation. I don't think this is a bug with Flarum, but I'll reopen the issue as it's definitely something we need to solve on discuss.flarum.org soon.

tobyzerner commented 7 years ago

This is fixed

franzliedke commented 7 years ago

@tobscure What was the fix?

waltdestler commented 7 years ago

@tobscure What was the fix for this? I'm having this issue on my own forum using Beta 6, and I too am using SparkPost. Is there something I need to fix on SparkPost, or did this end up being a Flarum bug and I just need to wait for the next Flarum version?

tobyzerner commented 7 years ago

Sorry! The issue was that our SparkPost account had been flagged because of some links from suspicious domains being present in some of the emails sent (due to user-generated content being present in the emails). This resulted in all links in all emails being visited automatically by SparkPost.

At my request, SparkPost took our account off the blacklist but we ended up back on it very quickly for the same reason. Then, in order for them to take us off again, they requested that I implement a filter for all links to the culprit domains, which I did using a homebrew extension. Since then it's been fine.

jice-lavocat commented 7 years ago

So, just to confirm, once a link is visited by a bot, the link expires? To fix that on my end, I disabled link tracking for Sparkpost SMTP's relay.

jice-lavocat commented 7 years ago

An "improved" behavior could be that an already visited activation link doesn't return an Error, but instead allows the user to log in (or at least redirect to the login screen).

luceos commented 7 years ago

@tanzaho check out flagrow/auto-confirm-fix for a (temporary) workaround. It redirects users to the index.

jice-lavocat commented 7 years ago

Thanks, that's perfect.

waltdestler commented 7 years ago

I'd be wary of any solution that hides the underlying issue (which in my case was that the link was being visited by Sparkpost's bot). If an error wasn't being shown, I probably never would have realized that Sparkpost was visiting the links before the users, and never would have gotten the error corrected on Sparkpost's end.

In my case, I had to actually contact Sparkpost's tech support to get this problem fixed. (I had a new account, and they were visiting the links as an anti-spam measure.) Here's the forum thread where I discuss this problem: https://discuss.flarum.org/d/4987-invalid-confirmation-token-when-clicking-link-in-account-activation-email

adetheprince commented 5 years ago

But I am using Google and I still get this issue, so what's the fix for Gmail?

matteocontrini commented 5 years ago

Regarding the issue that email clients/providers might open activation links, a possible solution would be to make it work like Mailchimp, which had a clever idea.

When you open subscribe/unsubscribe links, you are presented with a page with a big button, but as soon as you open that page some JavaScript runs and the button is automatically "clicked", so the action is performed automatically, but only if the visitor is using a browser that supports JavaScript.

It might be worth investigating, even for a future "unsubscribe" link. Shall I create another issue?

franzliedke commented 5 years ago

@matteocontrini We already have this issue - feel free to add a comment there.