Signing in using magic link with Outlook email when SafeLinks enabled does not work

[dweemx]

Describe the bug
Signing in with an Outlook email which is linked to an account where the SafeLinks premium feature is enabled does not work.

Another authentication library seems to have the same issue: FusionAuth/fusionauth-issues#629.
When this Outlook feature is enabled, the magic link is encapsulated by a SafeLinks Outlook protection URL, e.g.:

https://eur02.safelinks.protection.outlook.com/?url=<magic-link-url>

From the issue in FusionAuth, it seems that the token gets invalidated because of some request that SafeLinks is being made beforehand. (Source: FusionAuth/fusionauth-issues#629 (comment))

Steps to reproduce

1. Sign in with Outlook email which has SafeLinks enabled
2. Click on Sign link from email

Expected behavior
User should be able to login

Screenshots or error logs
None. The user gets redirected to /auth/sign-in?error=Verification

Additional context
/

Feedback

• Found the documentation helpful
• Found documentation but was incomplete
• Could not find relevant documentation
• Found the example project helpful
• Did not find the example project helpful

[balazsorban44]

I am a bit confused and have no knowledge of what SafeLinks is. Could you point to some documentation and/or try to explain your problem a bit better?

This is certainly not a bug, as it doesn't reproduce any undesirable or documented action.

[ndom91]

I've done a bit more research, and it seems that Microsoft makes a HEAD request to the URL in the query params (our magic URL) before hand therefore "using up" the magic code and invalidating it for the user.

The fusion auth issue thread is pretty detailed / lots of discussion back and forth. A quick fix that seemed to work was to simply ignore HEAD requests in the invalidating magic code logic.

An Opencollective maintianer posted in that thread as well saying they'd had to work around a similar issue with outlook.com robots, and linked a PR through which they were able to get around the issue - opencollective/opencollective-frontend#5476

Workaround Nr. 2 - the office365 admin can also apparently whitelist URLs which do not get this "safelink" treatment, so @dweemx, for now you cuold whitelist your application's domain in order for magic link emails to work again in the short-term

[dweemx]

Indeed @ndom91
We followed the suggestion from the discussion i.e.: ignoring the HEAD request.

[Raggok]

any workaround that we can implement ???

[dweemx]

@Raggok, one workaround is available here #1841

[Raggok]

how can i use this workaround on my production code? thx!

[dweemx]

You can either use this branch https://github.com/dweemx/next-auth/tree/fix/prod%2Fmagic-link-outlook-safe-links or you'd have to fork NextAuth and patch it in custom branch and install NextAuth using that particular branch

[balazsorban44]

@dweemx as mentioned, your suggestion in #1841 cannot possibly work, as I explain in #1841 (review). I am guessing you have added some other changes as well. Right?

[ndom91]

@Raggok you can also whitelist domains in the office365 portal apparently, haven't tried it myself but I've read its possible - let me see if I can find the docs again.

EDIT: Check out this document about setting up safe links policies: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links?view=o365-worldwide#do-not-rewrite-the-following-urls-lists-in-safe-links-policies

So you could whitelist the domain of your application and then outlook won't "check" the URL and trigger the magic link 1-time-use URL and invalidate it for the user.

[thmsrmbld]

Just wanted to say for the record and for anyone else - I came into this issue (I run a platform using NGINX on the front, as a reverse proxy for a Django application, but the principles are the same for any stack) and here are some options for sorting it:

• Take any HEAD requests at the web server level requesting this URL and bounce them out somewhere safe rather than letting them through to the application code (fast, secure, but more complicated from an update perspective, and might have unexpected side effects).
• Alternatively allow the request through as normal, but protect your view to only allow HEAD / GET requests and then check if it’s HEAD - if it is, redirect the request somewhere you know is safe and will return a 200 (which is what I did and it worked).
• Alternatively, you could also just block all HEAD requests from this endpoint (which I’d prefer to do) but initially I wouldn’t recommend it especially if you need a fast fix - because I’m not certain that blocking HEAD requests won’t trip something in the MS SafeLinks technology and give the user an ‘unsafe’ warning or similar.

Anyway yes, annoying bug but but the solution for me was to handle the HEAD requests in the endpoint and pass them somewhere else, which doesn't invalidate your tokens by completing the GET operation by accident.

Solved for me on both Outlook web client and desktop client with SafeLinks enabled.