nhost / hasura-auth

Authentication for Hasura.
https://nhost.io
MIT License

Passwordless link broken by Microsoft/Outlook "Safe link" #354

Closed edouardouvrard closed 1 year ago

edouardouvrard commented 1 year ago

Hasura auth has the same issue as https://github.com/FusionAuth/fusionauth-issues/issues/629

Passwordless links are opened by a robot, which invalidates them.

Do you think it's possible to handle this use case?

lordkev commented 1 year ago

I'm seeing this issue too. It seems like the easiest solution is to ensure HEAD requests do not invalidate the passwordless link. Is this a possibility?

lordkev commented 1 year ago

Hmm, seems like the fix for HEAD requests was already added in the commits referenced in the issue below. Maybe Microsoft is doing something different now? @edouardouvrard - did you look into this further, or figure out a solution?

https://github.com/nhost/hasura-auth/issues/189
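The behaviour discussed in the two comments above, as an added example that is not part of the thread and not hasura-auth's code: a minimal model of a one-time ticket endpoint where HEAD is answered without redeeming the ticket. `TicketStore`, `replay` and the ticket value are hypothetical names and constructed sample data; the second scenario shows that exempting HEAD does not help if the link is fetched with a full GET before the user clicks.

```javascript
// Added example, not hasura-auth code. All names are hypothetical.
class TicketStore {
  constructor() {
    this.tickets = new Map(); // ticket -> { userId, expiresAt }
  }

  issue(ticket, userId, expiresAt) {
    this.tickets.set(ticket, { userId, expiresAt });
  }

  // Returns the response the verify endpoint would send for one request.
  verify(method, ticket, now) {
    if (method !== "GET" && method !== "HEAD") return { status: 405 };
    const entry = this.tickets.get(ticket);
    if (!entry || entry.expiresAt <= now) return { status: 401 };
    // HEAD is answered without touching state, so a prefetch made with
    // HEAD leaves the ticket usable for the real click.
    if (method === "HEAD") return { status: 200 };
    // GET redeems the ticket: delete it first so it cannot be replayed.
    this.tickets.delete(ticket);
    return { status: 302, userId: entry.userId };
  }
}

// Replays a constructed request sequence against a fresh ticket and
// returns the status of each request in order.
function replay(methods) {
  const store = new TicketStore();
  const now = 1000;
  const ticket = "constructed-ticket-123"; // constructed sample value
  store.issue(ticket, "user-1", now + 60000);
  return methods.map((m) => store.verify(m, ticket, now).status);
}

// Constructed scenarios; the last request in each is the user's click.
const headThenClick = replay(["HEAD", "GET"]); // click still succeeds
const getThenClick = replay(["GET", "GET"]); // click finds the ticket spent
console.log({ headThenClick, getThenClick });
```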

rikur commented 1 year ago

What a PITA, thanks Microsoft. We tried deploying a custom function to do the redirection (and block out MS bots), but Outlook seems to even visit URIs inside URIs.

At this point, I would base64-encode and rot13 the {link} and do the reverse at the router middleware... that should keep MS from snooping 🤦

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

dbarrosop commented 1 year ago

Sorry, this one fell through the cracks. There is a parallel conversation about this that started recently with some proposed solutions:

https://github.com/nhost/nhost/issues/2314

Feel free to chime in there.