Skip to content

chore(docs): add tutorial for avoiding corporate email scanning HEAD reqs #3900

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ndom91 merged 5 commits into from
Mar 22, 2022
Merged

chore(docs): add tutorial for avoiding corporate email scanning HEAD reqs #3900

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
3696b8f
chore(docs): add tutorial for avoiding corporate email scanning HEAD …
ndom91 Feb 9, 2022
f3e588f
Merge branch 'main' into ndom91/tutorial-corporate-email-scanning-hea…
ndom91 Feb 12, 2022
cf32e31
Merge branch 'main' into ndom91/tutorial-corporate-email-scanning-hea…
ndom91 Mar 12, 2022
3a678fe
Merge branch 'main' into ndom91/tutorial-corporate-email-scanning-hea…
ndom91 Mar 22, 2022
1098216
fix: move to internal guides section
ndom91 Mar 22, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions docs/docs/guides/fullstack.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,10 @@ title: Fullstack

- Add support for HTTP/HTTPS Proxy support to `openid-client` in order to use NextAuth.js behind a corporate proxy or other locked down network.

### [Using the Email Provider behind Corporate Email Scanning Services](/tutorials/avoid-corporate-link-checking-email-provider)

- An internal tutorial on modifying the catch-all API Route to gracefully handle `HEAD` requests.

## Database

### [Custom models with TypeORM](/adapters/typeorm#custom-models)
Expand Down
40 changes: 40 additions & 0 deletions docs/docs/tutorials/avoid-corporate-link-checking-email-provider.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
---
id: corporate-link-checking-email-provider
title: Allow Email Signups Behind Corporate Link Checker
---

If you use Office 365 or Outlook, or potentially other Email systems, you may notice your Email invitation Links not working.

This is because the invitation Email your User is receiving is being scanned by the Email provider. In the specific case of Outlook and their "SafeLink" feature, they send a HEAD request to each link in the Email. This request will trigger the NextAuth.js catch-all API Route with the users invitation token, in effect using it up.

Therefore, when the user wants to use it themselves, and clicks on the invitation link they will be greeted with an error message that the invitation is invalid.

## Workarounds

### Disable "SafeLink"

The first potential workaround is to simply disable this "SafeLink" feature for your organisation. Microsoft has more details on this [here](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links?view=o365-worldwide#do-not-rewrite-the-following-urls-lists-in-safe-links-policies). Obviously this won't be an option for everyone as this is usually a part of corporate IT policy.

### Update NextAuth.js for 'HEAD' requests

The second option is to modify your `[...nextauth].js` catch-all API route a bit to gracefully handle these initial `HEAD` requests from the email service, without accidentally using up the invitation link.

This can be done by simply returning a `200` response on `HEAD` requests at the very top of the API route, before any other logic is executed.

For example

```jsx title="/pages/api/auth/[...nextauth].js"
import type { NextApiRequest, NextApiResponse } from "next"
import NextAuth from "next-auth"

export default async function auth(req: NextApiRequest, res: NextApiResponse) {

if(req.method === "HEAD") {
return res.status(200)
}

...
}
```

This should allow you to successfully use NextAuth.js's Email provider behind strict corporate IT settings.