
Do not throw any exception if confirmation token couldn't be found #175

Closed
aarongerig opened this issue Apr 21, 2023 · 6 comments

@aarongerig (Contributor)

| Q | A |
|---|---|
| Bug report? | yes |
| Feature request? | no |
| BC Break report? | no |
| RFC? | yes |

Not sure if this could be seen as a bug, but it is for sure an issue. Lately the Microsoft Office 365 platform introduced some changes regarding the security of links in emails. If you now want to open links from within an email, MS Outlook first opens the link in the background and does some security checks on the opened web page. If no security alerts have been triggered, the user is then redirected to the link's origin.

Therefore the request is sent twice to the server and thus creates some issues, which are also related to some Pimcore Members functionality. A prime example of that would be the registration process. During registration a confirmation token is generated and saved on the user object.

Now, once the user wants to confirm the registration by clicking the mail link, the following problem occurs:

  1. During the security check, the user account is being confirmed and the confirmation token is set to null here.
  2. The user gets redirected to the confirmation action in his browser and now an error occurs, because it cannot find the user object with the given token here.
  3. The user now is presented with the error page and does not know if the account has been confirmed (even though it was).

@solverat Any smart idea that could prevent such behavior? Maybe not reset the confirmation token after confirmation? Or trigger a custom exception/event that the devs could react to?

@solverat (Member)

@aarongerig This is crazy! Thanks for your detailed investigation! 💪

But again: Crazy? All those "confirmation-links" on this planet would run into this?

However, this requires even more investigation. The only quick solution: checking request headers (or operation); there has to be something we can identify to skip resetting the token.

@solverat (Member)

@aarongerig I can't find anything on the web about this... We're not the only one with One-Time-Confirmation-Links, right?

However, a simple solution could be: Pass the user to the "Confirmed!" page all the time, regardless of whether the token has been found or not. Even better: Pass an additional parameter tokenFound to the view. There you could change the message to "token not found or already confirmed" or something like that.
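To make the double-request problem and the proposed fix concrete, here is an added example in Python (not Pimcore Members code) that replays the two requests from the issue description, the scanner's prefetch and then the user's own click, against a constructed in-memory user store; `UserStore`, `confirm_strict`, `confirm_lenient` and the sample token are hypothetical.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    email: str
    confirmation_token: Optional[str]
    confirmed: bool = False


class UserStore:
    """Tiny in-memory stand-in for the member repository (constructed sample data)."""

    def __init__(self, users):
        self.users = list(users)

    def find_by_token(self, token):
        for user in self.users:
            stored = user.confirmation_token
            # Constant-time comparison so token lookup does not leak by timing.
            if stored is not None and hmac.compare_digest(stored, token):
                return user
        return None


def confirm_strict(store, token):
    """Current behaviour: raise when no user carries the token (-> error page)."""
    user = store.find_by_token(token)
    if user is None:
        raise LookupError("no user with this confirmation token")
    user.confirmed, user.confirmation_token = True, None
    return {"view": "confirmed", "tokenFound": True}


def confirm_lenient(store, token):
    """Proposed behaviour: always render the confirmed page, flag the token state."""
    user = store.find_by_token(token)
    if user is not None:
        user.confirmed, user.confirmation_token = True, None
    return {"view": "confirmed", "tokenFound": user is not None}


def simulate(handler):
    """Replay the double request: the scanner's prefetch, then the user's click."""
    store = UserStore([User("alice@example.com", "tok-abc123")])
    responses = []
    for requester in ("link-scanner", "browser"):
        try:
            responses.append((requester, handler(store, "tok-abc123")))
        except LookupError as exc:
            responses.append((requester, {"view": "error", "reason": str(exc)}))
    return {"account_confirmed": store.users[0].confirmed, "responses": responses}
```

With either handler the scanner's prefetch already performs the confirmation; the lenient handler only stops the user's second request from ending on an error page, and tokenFound lets the view say "already confirmed" instead.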

@aarongerig (Contributor, Author)

@solverat That's what I thought as well, pretty weird to not find much about that topic on the web.

I would prefer that solution, as it is more user-friendly anyways. I also like the idea of the tokenFound param, makes it more flexible/customizable, so +1 from me.

@solverat (Member)

@aarongerig please check #181, I guess that's all we need, right?

BTW: I still can't believe this is a real thing, or maybe there is a misunderstanding: Is Outlook requesting a "preflight check" before you've clicked on the link or after (basically a "security-redirect")?

It would be crazy if it's the first one, because you would automatically subscribe to any spam newsletter subscription, so it has to be the second option… 👀

solverat changed the title from "Issues related to changes in MS O365" to "Do not throw any exception if confirmation token couldn't be found" on May 23, 2023

@aarongerig (Contributor, Author)

@solverat Whenever we click a link in our Outlook emails, the following popup appears at the bottom of the screen and the link gets opened in the background. After the link's content has been checked, it redirects the user to the link in the end, but by that time the link's destination has already been visited.

[Screenshot: outlook_link_check]

@solverat (Member)

@aarongerig scary scary. However, thank you so much for the insights! This has been fixed in #181!
