
Advise for making Devise work with Outlook Safelinks

Open • alexanderholder opened this issue 4 months ago • 1 comment

Hey team, looking for help for what we can do with Devise to handle Outlook Safelinks.

From what I understand, Safelinks takes any href out of an email and transforms it into something like https://nam02.safelinks.protection.outlook.com/?url=devise_password_reset_link_here.

This means (for example, for password resets from Devise) that when the link is clicked, the referrer/origin is the Safelinks URL, which currently triggers Rails CSRF, and the password reset made by the user is a bad request.

I see two solutions here and am trying to understand which is correct; I figured other business app users are going to have the same issue.

  1. Disable rails CSRF on the password reset controller method - but this seems potentially dangerous?
  2. Check the origin and allow it if it is from safelinks?

alexanderholder • Aug 28 '25 04:08
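As an added illustration of the second option above (an origin allowlist rather than disabling CSRF), here is a standalone Ruby sketch of such a check. It is not Devise's or Rails' own forgery-protection code; the app origin, the Safelinks host suffix and the header values are constructed assumptions. The point it makes is that the exemption should be an exact host-suffix match over HTTPS, so that a look-alike host that merely contains the Safelinks string is still rejected.

```ruby
require "uri"

# Assumed values for this example: the application's own origin and the
# Safelinks wrapper domain from the thread (nam02.safelinks.protection.outlook.com).
APP_ORIGIN = "https://app.example.com".freeze
SAFELINKS_SUFFIX = ".safelinks.protection.outlook.com".freeze

# Normalise a URL string to "scheme://host[:port]" (port only when non-default).
# Returns nil for anything that is not a parseable http(s) URL with a host,
# which also covers the literal "null" origin some browsers send.
def normalised_origin(url)
  uri = URI.parse(url)
  return nil unless uri.is_a?(URI::HTTP) && uri.host # URI::HTTPS inherits from URI::HTTP
  origin = "#{uri.scheme}://#{uri.host}"
  origin += ":#{uri.port}" unless uri.port == uri.default_port
  [origin, uri]
rescue URI::InvalidURIError
  nil
end

# Decide whether a state-changing request may proceed, based on its Origin
# header, falling back to Referer when Origin is absent (as some clients omit it).
#   * same origin as the app            -> allowed (the usual CSRF rule)
#   * https host under the Safelinks suffix -> allowed (the narrow exemption)
#   * anything else, missing or malformed   -> rejected
def origin_allowed?(origin_header, referer_header = nil)
  header = origin_header.to_s.empty? ? referer_header : origin_header
  return false if header.to_s.empty?

  result = normalised_origin(header)
  return false if result.nil?
  origin, uri = result

  return true if origin == APP_ORIGIN

  # Exact suffix match on the host, so "nam02.safelinks.protection.outlook.com"
  # passes but "safelinks.protection.outlook.com.attacker.example" does not.
  uri.scheme == "https" && uri.host.end_with?(SAFELINKS_SUFFIX)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed header values exercising each branch.
  [
    ["https://app.example.com", nil],
    ["https://nam02.safelinks.protection.outlook.com", nil],
    [nil, "https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fapp.example.com%2Fusers%2Fpassword%2Fedit"],
    ["https://safelinks.protection.outlook.com.attacker.example", nil],
    ["http://nam02.safelinks.protection.outlook.com", nil],
    ["null", nil],
  ].each do |origin, referer|
    puts "#{(origin || referer).inspect} -> #{origin_allowed?(origin, referer)}"
  end
end
```

Wiring this into a Rails app means consulting it where protect_from_forgery performs its origin comparison, which is left out here. The narrower the allowlist, the less of the CSRF protection is given up: a single host suffix over HTTPS is a much smaller exemption than skipping forgery protection for the whole controller.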

OK, I think skipping CSRF is fine, as require_no_authentication doesn't allow a signed-in user to reach the passwords controller, and therefore there will be no risk of an authenticated session token being used in CSRF.

alexanderholder • Aug 29 '25 02:08