
Make the `ReferrerURL` variable available in the email templates

Open leynier opened this issue 3 years ago • 2 comments

Feature request

Is your feature request related to a problem? Please describe.

Enterprise email systems are consuming password recovery links, and the alternative is to use the OTP, which is worse for the user experience.

Describe the solution you'd like

Make the ReferrerURL variable (which comes from emailRedirectTo) available in the email templates. It could be combined with the Token variable to create custom links that are not consumed by the enterprise email systems.

For example: `{{ .ReferrerURL }}/change-password?email={{ .Email }}&code={{ .Token }}`

Describe alternatives you've considered

An alternative would be for the password recovery links not to be consumed by enterprise email systems.

Additional context

  • https://github.com/supabase/gotrue/issues/739
  • https://github.com/supabase/gotrue/issues/713

leynier, Oct 23 '22 08:10

Hey @leynier,

I don't see how passing the referrer URL solves the issue. Email security systems break magic links because they visit the link. The way to stop them from doing that is to make sure that the link is visited by a human instead of a robot. There are different strategies that can be used to prevent this, such as:

  • Serve an HTML + JavaScript page that will visit the actual magic link after some short timeout (half a second)
  • Do a Turing test before visiting the actual magic link
  • Ask for a user to click a button before visiting the magic link

You can customize the magic link email template today with whatever URL you want, though.

hf, Oct 28 '22 10:10

Hi @hf, thanks for the response.

The link that contains the ConfirmationURL variable, even when an invalid value is used in redirect_to (invalid because nothing really exists at that address, and this value is declared in the allowed redirect URLs), is consumed when it is visited by an email security system, making it invalid for "real" use. The "invalid value" part of the redirect_to is important because it proves that what is consuming the link is not the final address; it is the Supabase server, in the redirection step, that is consuming the link.

My ConfirmationURL has the following format: `https://<projectId>.supabase.co/auth/v1/verify?token=<token>&type=magiclink&redirect_to=<redirectTo>`

Is it possible to make that ConfirmationURL have the format `<redirectTo>/custompath/magiclink/<token>`? That way I could build, at that final address, the logic necessary to prevent the token from being consumed by email security systems, such as waiting a few seconds, putting a button, etc.

If it is not possible for ConfirmationURL to have that format, then it would be good to have the ReferrerURL variable (aka redirect_to) available to build the URL I need manually. The only parameter I don't have available in the template to build that URL is the ReferrerURL (aka redirect_to).

By the way, I think that the correct filepath parameter for getSiteUrl in the MagicLinkMail method is m.Config.Mailer.URLPaths.MagicLink instead of m.Config.Mailer.URLPaths.Recovery.

https://github.com/supabase/gotrue/blob/41668b77c23003296ef642f7565fb97375b4fef2/mailer/template.go#L250

leynier, Oct 28 '22 21:10
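Added example, not code from GoTrue, Supabase or either participant: a "click to continue" interstitial that implements the button strategy from hf's list and the `<redirectTo>/custompath/...` idea from leynier's reply. The email template would link to `<ReferrerURL>/auth/continue?token=<token>&type=magiclink` instead of the verify endpoint. A GET, which is all a link-scanning mail gateway issues, only renders a form and never spends the token; the real GoTrue verify URL (in the format quoted in the thread) is built and redirected to only on the POST a person produces by pressing the button. The `/auth/continue` path, the `project-ref` project reference and the `https://app.example.com/` redirect target are assumptions for the example.

```go
// Added example, not GoTrue/Supabase code: a "click to continue" interstitial
// that keeps the single-use verify link away from link-scanning mail gateways.
// GET  /auth/continue?token=...&type=...  renders a form (token not consumed)
// POST /auth/continue                      redirects to the real verify URL
package main

import (
	"fmt"
	"html/template"
	"log"
	"net/http"
	"net/url"
)

// Assumed values for the example; substitute the project's own.
const (
	gotrueVerifyURL = "https://project-ref.supabase.co/auth/v1/verify" // placeholder project ref
	redirectTo      = "https://app.example.com/"                        // must be in the allow list
)

// Only the token types the app actually sends; anything else is rejected.
var allowedTypes = map[string]bool{"magiclink": true, "recovery": true, "signup": true}

// buildVerifyURL reproduces the ConfirmationURL format quoted in the issue:
// <gotrue>/auth/v1/verify?token=<token>&type=<type>&redirect_to=<redirectTo>
func buildVerifyURL(base, token, typ, redirect string) (string, error) {
	if token == "" || !allowedTypes[typ] {
		return "", fmt.Errorf("missing token or unsupported type %q", typ)
	}
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	q := url.Values{}
	q.Set("token", token)
	q.Set("type", typ)
	q.Set("redirect_to", redirect)
	u.RawQuery = q.Encode() // url.Values escapes redirect_to for us
	return u.String(), nil
}

// The interstitial page: the token rides in a hidden field and is only
// submitted when a person presses the button. html/template escapes the values.
var continuePage = template.Must(template.New("continue").Parse(`<!doctype html>
<html><body>
<p>Press the button to finish signing in.</p>
<form method="post">
<input type="hidden" name="token" value="{{.Token}}">
<input type="hidden" name="type" value="{{.Type}}">
<button type="submit">Continue</button>
</form>
</body></html>`))

// continueHandler serves both halves of the flow on one path.
func continueHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Cache-Control", "no-store")     // keep the token out of caches
	w.Header().Set("Referrer-Policy", "no-referrer") // and out of Referer headers
	switch r.Method {
	case http.MethodGet:
		token, typ := r.URL.Query().Get("token"), r.URL.Query().Get("type")
		if token == "" || !allowedTypes[typ] {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		// Scanners that merely fetch the link stop here: nothing has been verified.
		continuePage.Execute(w, struct{ Token, Type string }{token, typ})
	case http.MethodPost:
		if err := r.ParseForm(); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		target, err := buildVerifyURL(gotrueVerifyURL, r.PostFormValue("token"), r.PostFormValue("type"), redirectTo)
		if err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		// Only now does the browser visit the single-use GoTrue link.
		http.Redirect(w, r, target, http.StatusSeeOther)
	default:
		w.Header().Set("Allow", "GET, POST")
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
	}
}

func main() {
	http.HandleFunc("/auth/continue", continueHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Two caveats a deployer should weigh: the token is still in the GET URL, so it lands in access logs and browser history, which is why the verify link it guards must stay single-use and short-lived; and a gateway that drives a real browser and presses buttons can still get through, so the interstitial raises the bar for plain link fetchers rather than eliminating the problem.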