Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

generateSignInWithEmailLink Generates One-Time Link Which Becomes Invalid Due to Pre-Click by Antivirus #8536

Open
AmilKey opened this issue Sep 26, 2024 · 1 comment
Open

generateSignInWithEmailLink Generates One-Time Link Which Becomes Invalid Due to Pre-Click by Antivirus #8536

AmilKey opened this issue Sep 26, 2024 · 1 comment
Labels
api: auth feature request needs-attention question

Comments

@AmilKey
Copy link

AmilKey commented Sep 26, 2024

Operating System

Mac OS

Environment (if applicable)

Chrome 129

Firebase SDK Version

10.13.2

Firebase SDK Product(s)

Auth, Functions

Project Tooling

Native JS

Detailed Problem Description

Detailed Problem Description

I am experiencing an issue with the generateSignInWithEmailLink method in the Firebase JavaScript SDK. This method generates a link that is only valid for a single use. However, in many cases, users have antivirus software configured on their email accounts that automatically opens the link before the actual user does. As a result, the link becomes invalid, and the user receives an error message: auth/invalid-action-code.

This creates a significant usability issue since the user is unable to proceed with the email link sign-in process.

What I Was Trying to Achieve

I was trying to implement email link sign-in for users by generating a link using generateSignInWithEmailLink. The goal was for users to click the link in their email and sign in successfully.

What Actually Happened

Due to the default behavior of many antivirus solutions that scan incoming emails, the generated link gets "clicked" before the user has a chance to open it, rendering the link invalid with the error auth/invalid-action-code.

Steps and code to reproduce issue

  1. Generate a sign-in link using generateSignInWithEmailLink.
  2. Send the link to an email address that has an antivirus scanner active (most common email providers have this).
  3. Attempt to open the link from the email as the end-user.
  4. Observe the auth/invalid-action-code error indicating that the link is already used or expired.
const actionCodeSettings = {
  url: 'https://example.com/finishSignUp',
  handleCodeInApp: true,
};
firebase.auth().sendSignInLinkToEmail(email, actionCodeSettings)
  .then(() => {
    // Link sent successfully
  })
  .catch(error => {
    console.error(error);
  });

Possible Solution or Improvement

  1. Allow specifying an expiration time for the sign-in link as an additional parameter when calling generateSignInWithEmailLink.

  2. Alternatively, consider implementing an option to allow multiple uses of the link for a specified time window (e.g., 10 minutes), reducing the chance that antivirus pre-clicks invalidate it.

This feature would greatly improve usability for users who have email security features enabled and prevent unnecessary friction during the sign-in process.
@AmilKey AmilKey added new A new issue that hasn't be categoirzed as question, bug or feature request question labels Sep 26, 2024
@google-oss-bot
Copy link
Contributor

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

@jbalidiong jbalidiong added api: auth needs-attention and removed needs-triage new A new issue that hasn't be categoirzed as question, bug or feature request labels Sep 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
api: auth feature request needs-attention question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@AmilKey @hsubox76 @google-oss-bot @jbalidiong