Hi, I have been playing around with supertokens pa...
# support-questions
Hi, I have been playing around with supertokens passwordless email. It's really cool and thanks for the great work! I have some issues where the magic links are sometimes not valid. It seems to be working fine with my private email, but when I try it on my work email the link doesn't work on my work PC. But I also have Outlook on my work phone and there it works!? So the email link is correct! Not sure what is going on here, could there be some software on my Windows work PC breaking? Any tips on troubleshooting?

Stack:
* golang API with gin v0.5.5
* react app
* API hosted on fly.io
* React built and hosted on cloudflare pages
* sendgrid API for sending emails
* Using the supertokens.io managed service, dev environment

These are the logs from my API on fly when I click the link on my work PC: Returns a 200? https://logpaste.com/10OExlHs

I'm not that used to discord so please correct me if I'm submitting this question wrongly 🙂
Do your frontend logs show any errors?
And what is the response body of that api call?
Hi! No errors in the console, the response from the POST to /auth/signup/code/consume/ is "status: 'RESTART_FLOW_ERROR'"
with a 200 OK status
Hmmm. That could mean that the magic link has already been consumed
Maybe it’s possible that the email client opens the link on its own and loads the page which causes the code to be consumed?
Do u see the consume API being called on the backend without you clicking on the link?
Yes it is being called by a Microsoft based IP actually!
I see
About 20 seconds after I enter my email the Microsoft IP first does this: POST "/auth/session/refresh" then this: POST "/auth/signinup/code/consume"
then I get it to my inbox around 30 seconds later
This could be quite tricky to solve then..
haha yeah! If Microsoft is involved this won't be easy 😅
My corporation does a lot of funny stuff with https=>http proxy that breaks a lot of things for me as a developer there. So I'm not surprised that they are reading all the emails as well
If we restrict the link to being consumed only on the device it was created on, it could interrupt the user flow in case they generate the link on their PC and click on it on their mobile
The other thing that you could do is to override the consume API on the backend and check the request’s IP. If it’s from Microsoft’s IP, then reject the request. This way, even if the email opens it, when the user clicks it, it will work
Unless the user is working at Microsoft
One more solution would be to handle the link click on your own. In this case, you could ask the user to click on a button that says “continue on this device” and when they click it, it would call the API to consume the code
all right, thanks for the help! We'll see what I do with this. It's just a hobby project so I might just keep it as is and not bother with corporate users 😁
I'll reach out if I ever find a workaround for this issue 🙂