Magic Links and issues with tokens expiring, security issues

OK, so it appears that with Microsoft Outlook corporate email, any magic links sent for login will be examined and 'used', therefore expiring them before the user has the opportunity to log in… frustrating.

To see this, what you need to do is get the link from the magic link email the client receives: copy the link out of the email and send it to yourself. It will look something like this:

When clicked by the user receiving the email, it breaks the token and they get a message about the issue, or it doesn't do anything at all, depending on the browser (so I found out).

*Side note: this is the same if you try to send the links in a WhatsApp message to a user (who's helping you test); this does the same thing and invalidates the token.

So to fix it, what I did in my case was to create the workflow for the magic link, but I ticked the box to create the link only.

Now, in a subsequent workflow action, I recreated the same email, grabbed the link from the previous workflow step, extracted the token from the URL and popped this in a URL parameter pointed at an intermediary page (more on this next), rather than sending the whole link in the parameter, mainly because it's ugly.

Link example: website.com/redirect?key=121212121212x1123131313

On the intermediary page (redirect) I created a workflow action on page load to pause for 1 second, and then I send them to an external page where I recreate the magic link URL from the URL parameter and the URL that is usually sent. It looks like this:

{website home url} api/1.1/login-link?key=121212121212x1123131313

{website home url} is your website; use this because it adds or removes version-test etc.

It ends up like this: https://website.com/version-test/api/1.1/login-link?key=121212121212x1123131313 (or without version-test if live).

There will be refinements to this, I am sure, but I needed a quick solution right now.

In the future they could change the security to follow JavaScript redirects, but I doubt it, as there is an arbitrary delay; still, be mindful just in case. You could also add a clickable screen, albeit annoying.

I hope this saves someone some pain; it lost me half a day.


Thanks for sharing. It may be more useful as a Tip though…


Hi, you'd better report it as a BUG. This is an important issue; Bubble should care about it!

It's not really a bug as such; it's a security feature of the vendor software, in this case Microsoft. They are looking at the links and following them to see if they are malicious, and due to the 'one time use' of the links, it expires them when the user clicks.

This method resolves the issue fine.

How does "extract the token" work? Can you detail it?
As the output is always a link, did you use "truncated from end"?

Sure thing. Because it outputs a link instead of a key/token, you have to extract that token from the URL. I did it like this:

results of (the magic link step) :split by (=) last item.


UPDATE

This no longer seems to work; the only way around it for me at this stage is to put an intermediary button for the user to click to initiate the magic link. Not ideal.

Or have the client's IT department put the domain in the whitelist of the Outlook security solution.

I'll update this if I find any other workarounds; there are a number of posts around the internet about this issue happening with a number of other systems that use magic links.

Appreciate you keeping us in the loop @stuart4 :smiley:


Appreciate the thread. Any new developments on this? A number of our users use magic link only to log in, and those using an Outlook corporate account will consistently have the links expire.

Yeah, I've introduced a step in the process. They get sent to a page with a button that has the magic link.
Then from here the login works fine. So not seamless; however, this works.
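As an added example (not code from the thread and not Bubble's own), here is the intermediary "redirect" page from the first post together with the click-to-login button from the update above, in plain browser JavaScript. The paths api/1.1/login-link and /redirect and the key shape 121212121212x1123131313 come from the posts; the key-format check, the function names and the way the home URL (with or without version-test) is recovered from the page location are assumptions.

```javascript
// Added example, not from the thread: an intermediary page that receives
// ?key=<token>, rebuilds the real login link only on the user's click
// (or, optionally, after a delay), so a link scanner that follows the
// e-mailed URL never reaches the one-time login endpoint.
// Assumptions: paths below match the posts; KEY_PATTERN is a conservative
// allowlist chosen here, not something Bubble documents.

const LOGIN_LINK_PATH = 'api/1.1/login-link'; // quoted in the thread
const REDIRECT_PATH = 'redirect';             // intermediary page, quoted in the thread
const KEY_PATTERN = /^[A-Za-z0-9_-]{8,128}$/;  // assumption: opaque token, no URL metacharacters

// Pull the one-time key out of a full link such as
// https://website.com/api/1.1/login-link?key=121212121212x1123131313
// (for a well-formed link this matches the post's "split by (=) last item").
function extractKey(linkUrl) {
  const key = new URL(linkUrl).searchParams.get('key');
  if (key === null || !KEY_PATTERN.test(key)) {
    throw new Error('link carries no usable key');
  }
  return key;
}

// Join a home URL and a path whether or not the home URL ends in "/"
// ("https://website.com" and "https://website.com/version-test/" both work).
function joinUrl(homeUrl, path) {
  return homeUrl.replace(/\/+$/, '') + '/' + path;
}

// The link that goes into the e-mail instead of the real login link.
// A scanner that follows it lands on a page that logs nobody in.
function buildRedirectLink(homeUrl, key) {
  if (!KEY_PATTERN.test(key)) throw new Error('refusing to build link from malformed key');
  return joinUrl(homeUrl, REDIRECT_PATH) + '?key=' + encodeURIComponent(key);
}

// The real login link, rebuilt on the intermediary page from ?key=.
function buildLoginLink(homeUrl, key) {
  if (!KEY_PATTERN.test(key)) throw new Error('refusing to build login link from malformed key');
  return joinUrl(homeUrl, LOGIN_LINK_PATH) + '?key=' + encodeURIComponent(key);
}

// Recover the home URL (including /version-test when present) from the
// intermediary page's own location, e.g.
// https://website.com/version-test/redirect?key=... -> https://website.com/version-test
function homeUrlFromRedirectLocation(href) {
  const u = new URL(href);
  const base = u.pathname.replace(new RegExp('/' + REDIRECT_PATH + '/?$'), '');
  return u.origin + base;
}

// Browser-side glue for the intermediary page: render a "Log in" button
// that performs the real redirect on click (the thread's later workaround).
// With delayMs > 0 it also redirects automatically after the pause (the
// original workaround); only the click path resists a scanner that follows
// JavaScript redirects. Returns the login URL it will send the user to.
function setupRedirectPage(win, doc, delayMs) {
  const key = extractKey(win.location.href);
  const target = buildLoginLink(homeUrlFromRedirectLocation(win.location.href), key);
  const button = doc.createElement('button');
  button.textContent = 'Log in';
  button.addEventListener('click', () => win.location.assign(target));
  doc.body.appendChild(button);
  if (delayMs > 0) win.setTimeout(() => win.location.assign(target), delayMs);
  return target;
}

// Only wire up the page when actually running in a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.addEventListener('DOMContentLoaded', () => setupRedirectPage(window, document, 0));
}
```

The e-mail workflow would call buildRedirectLink with the home URL and the extracted key; the intermediary page includes this script. Keeping the real endpoint out of the e-mail entirely is what protects the one-time token, so the button should not be replaced by a plain HTML anchor pointing at api/1.1/login-link, which a scanner would fetch just the same.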

So technically one way you can bypass the Microsoft safe links firewall and some other corporate firewalls is by using a Rich Text Format (RTF) email.

As Microsoft notes (Complete Safe Links overview for Microsoft Defender for Office 365 | Microsoft Learn), they don't support Safe Links on that type of email, so my recommendation would be to construct an HTML email or a Rich Text email and you should be fine.

I don’t have a corporate Microsoft email so I can’t really do much testing so this is all based on the docs :sweat_smile:

If this works, it will be a very easy solution to the problem. The tradeoff may be email deliverability, I think.

Would it be possible to please share the steps for how you do this? Maybe in a dummy Bubble app for demonstration?

Nope, email delivery shouldn't be affected at all, depending on your ESP. This shouldn't affect your deliverability whatsoever.

I'll test this one with the client and see how we go, but yeah, a bit of a pain for sure.

Thanks! Curious if that’ll work but have no good way of testing :sweat_smile:
