Appointments icon indicating copy to clipboard operation
Appointments copied to clipboard
verified publisher icon SergeyMosin

Unintended 'appointment canceled' actions

Open nicoletflr opened this issue 5 months ago • 4 comments

We have a verified account with your tool.

We have recently been dealing with a situation where people make an appointment and we receive an ‘appointment canceled’ notification within minutes. We have checked this every time, but the cancellations were not intended for all situations. This has now happened about six times. But not every time. The unintended cancellations usually come from large organizations. So we thought this might have something to do with firewalls or something similar?

Thanks in advance for your reaction!

nicoletflr avatar Oct 02 '25 10:10 nicoletflr

I think this might be happening because of overzealous or misconfigured antivirus software, or automated bots/AI agents. Some of these programs follow the cancellation link in the email, and a few even go as far as “clicking” the Confirm/Cancel button.

In theory(according to specs), they should only send a HEAD requests, but the bad ones send GET requests and completely ignore the robots nofollow directive, which might trigger the unintended cancellation.

For the next release I can add a few changes to help with this:

  1. Switch the confirm/cancel flow from GET to POST. Bots aren’t supposed to send POST requests at all, although some poorly designed ones may still do so.
  2. Add an option for a short 2–3 second "bot protection" countdown timer/delay to the Confirm/Cancel button. Most bots won’t wait that long, although some AI Agents might.
  3. Add an option to enable (Re)CAPTCHA on the Confirm/Cancel pages. This should block almost all bots/AIs, though it could be a little annoying for real users.

SergeyMosin avatar Oct 02 '25 13:10 SergeyMosin

In v2.6.0, the Confirm/Cancel flow has been updated to use the POST method, which should (in theory) prevent bots and AI agents from sending unintended requests.

If you’re still seeing uninitiated cancellations, try enabling the Confirm/Cancel Button Timer under: Page Settings → Form Settings → Confirm/Cancel Button Timer.

Image

SergeyMosin avatar Oct 07 '25 20:10 SergeyMosin

Thank you for your reply! Currently I have 2.4.6 with Nextcloud Hub 9 (30.0.11) and with this version of NC this is the only version I can use (I do not see update possibilities to newer versions). Do you have suggestions for version 2.4.6? I do not see the option to prevent sending an e-mail to a participant and just receive a notification so that I can sent them an invitation manually.

nicoletflr avatar Oct 08 '25 08:10 nicoletflr

@nicoletflr Unfortunately, since NC Hub 9 (v30) reached its end of life ( https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule#eol-versions ) in September, there are no plans to backport v2.6.x changes to v2.4.x, mainly due to a lack of free time.

SergeyMosin avatar Oct 09 '25 14:10 SergeyMosin