[New Feature] Magic login link workflow action

Typically when people sign up they are expecting the magic login to complete so a 1 hour duration seems fine. For my apps, we have a staff table that holds contact details and admins invite staff to join as users as required.

So users aren’t expecting the email and might be on leave/sick/too busy to see the email. we built a page for admins to see if staff have joined as users and can do a one click resend of the email. We can also automate this if required.

Your suggestion of automating a resend would save all of this and would get my vote but could we limit it to x number of resends? Otherwise it could loop for months.

I agree we don’t want links lasting more than 24 hours. There needs to be some urgency in dealing with a link thats a potentially insecure way to log in.

Anyone know if users are still logged out after a couple days?

I need to keep users logged in (forever)…like the normal login workflow. I saw the bubble team and @nick.carroll working on a fix last year but haven’t seen an update since.


Would be really nice to fix this

Hi there, just had a very interesting bug and also found a fix with the following flow:

  1. Button in front-end triggering a backend workflow through the API connector
  2. Creating the magic link in the backend workflow as “don’t send email, create link only” and returning the data through the “Return data” workflow action
  3. Opening the link returned from the API call “Result of step …” with a “Open external link”

For some reason, the link was successfully generated, but opening the link resulted in absolutely no effect.
It opened the right page (the success page), without logging the user or showing any error message. Same behaviour on another browser, or if a user was already logged in.
Opening the link multiple times also resulted in no expired error message.

I found that the generated link was https://myapp.bubbleapps.io/version-live/api... and changed it to its set domain name and removed the version path (https://myapp.com/api...) worked well.

So if you’re experiencing this @ZubairLK you can try a “Find and replace” action on the generated URL.

Hi! I found a way to do it. 3 simple steps:

  1. In the magic link send UTM parameter “magiclink=yes”

  2. Workflow when page loads “get data from UR” => magiclink=yes

  3. In the workflow, create action 1. “Assign a temporary password to the user” and 2. “Log in the user” (with “Stay logged = yes”) using the temporary password from the previous step

ps: I’ve created a condition for this Workflow “only if the user is logged in” for security reasons
ps2: the problem with this solution is that you gonna change the user password

Hi @aestela have you found a solution for this? I agree that this is particularly an issue!

Unfortunately no, due to the behaviour, I removed the functionality and never tried again.

@bmbroch @aestela Might be able to do it if instead you generate a code that they copy/paste back into their original browser… not the most elegant but also not out of the ordinary

Then some additional logic on the page to generate a magic login link once the code is verified and navigate to that new link. Would prob require a workaround by pinging your own app via API connector so it can return a magic login link (Only works in backend)

The thing is, in my case, we have a native app wrapped with Natively, we use deep linking and any links clicked outside from the email app work as expected (when clicked, the user is directed to the app), this doesn’t happen from email app.

If there was a way to alter the login link to be able to send the user to their system browser, that would do the trick. Or, does someone know of a free HTML email plugin? You can send the user to a different browser if you can customize HTML in your email.

Over the last couple of months I’ve been getting many enterprise users (banks, healthcare etc) and their browser security software (or firewall) is mangling the clicks, or their corporate email servers are scanning all the links before the magic link email hits their inbox making it invalid.

I use OTP as a backup, but I don’t know if there’s a way to know by the header if it’s malware scanning software, or the user who’s clicking it.

@nick.carroll Any updates on the status of this feature request? :slight_smile:

1 Like

Any updates on the status of this feature? We are attempting to streamline the login process for users & this would be really handy.

@grace.hong @josh this has been reported several times: Magic link created with wrong domain name from non authenticated backend workflow

The bug that if triggered by a backend workflow it will use bubbleapps.io domain instead of the custom domain is extremely annoying and looks unprofessional.

I’m facing this same issue now with email firewall checkers opening the link rendering it useless :sweat_smile:

@nick.carroll any update on this sub-feature?
Would really appreciate also enabling this option for the magic-link login flow

@nick.carroll Was this ever shipped? I can’t seem to find it!

I’m using Postmark to send an e-mail with the magic login link, but when I click the link, I keep getting the same error: “This is not a valid password reset request. Please have another reset email sent to you.”. It has code “WRONG_PASSWORD_RESET”.

Really frustrating. The “Send password reset mail” however, does work when I use Postmark to send it to an existing user.

Any of you had the same problem and succesfully solved it?

Are you using the magic link for a non existing user?

I’m using the magic link for a user I then just made. Saw the comments in this topic as well and checked this, but the user already exists.

For now I fixed it by just using the “Send password reset mail” link instead of the magic link. Fixes the problem for me, but I’m not sure if this will cause any (new) problems?

I was only asking because you contrasted it with Reset password which was for EXISTING user.

So you’re creating a user and then creating a magic link for that user? What’s the workflow? Are you ensuring the magic link is only being created after the user is created?