Magic link OTP invalidated

Hello, I’m new in the community. I’m having a strange problem with passwordless authentication with magic link. I’ve implemented an authentication process that works fine in most cases but some users have reported issues. Looking through the logs, for one of the users I found this particular pattern repeatedly.

First a CLS request, this is sent from my web app
{…
  "type": "cls",
  "connection": "email",
  "user_agent": "Java/11.0.12",
  "date": "… 15:15:25",
}

Five seconds later, this “Success” from a user_agent that does not correspond to the user’s browser
{…
  "type": "s",
  "connection": "email",
  "user_agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36",
  "date": "… 15:15:30",
}

And then one minute later the log is generated when the user opens the link for the first time
{…
  "type": "fp",
  "connection": "email",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.99 Safari/537.36",
  "date": "… 15:16:40",
}

I have tried copying and pasting the link in the browser and still, the issue persists.

Any idea why this can happen? Is it possible to block requests from a particular agent?

Thank you
Pablo

Hi @puriarte,

It sounds like the user’s email client may be opening the link by default. If you can narrow it down to this issue, and your users aren’t able to adapt to it, you may need to switch to OTPs instead of links.

Here are a couple of threads that describe this issue:

Thanks for your answer. I’ll try to implement a landing page as suggested by Ale in this thread.
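One way to narrow this down from exported logs, as an added example that is not part of the original thread: it flags every link that was redeemed within a few seconds of being sent and then failed for a different user agent, which is the `cls` / `s` / `fp` pattern shown in the question. The `user_name` key, the ISO timestamps, the 15-second window and the shortened user-agent strings are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data modelled on the three entries in the question. The
# "user_name" key and full ISO dates are assumptions; user agents are shortened.
OLD_UA = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) Chrome/72.0.3626.109"
USER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/97.0.4692.99"

def _ev(type_, user, agent, date):
    return {"type": type_, "connection": "email", "user_name": user,
            "user_agent": agent, "date": date}

SAMPLE_LOGS = [
    _ev("cls", "pat@example.com", "Java/11.0.12", "2022-02-01T15:15:25"),
    _ev("s", "pat@example.com", OLD_UA, "2022-02-01T15:15:30"),
    _ev("fp", "pat@example.com", USER_UA, "2022-02-01T15:16:40"),
    # Unaffected user: the link is redeemed once, by the user, 50 seconds later.
    _ev("cls", "sam@example.com", "Java/11.0.12", "2022-02-01T16:00:00"),
    _ev("s", "sam@example.com", USER_UA, "2022-02-01T16:00:50"),
]

def find_prefetched_links(logs, max_delay=timedelta(seconds=15)):
    """Flag links redeemed within max_delay of sending that later failed
    for a different user agent (likely opened by a mail client or scanner)."""
    by_user = {}
    for e in logs:
        if e.get("connection") == "email":
            ts = datetime.fromisoformat(e["date"])
            by_user.setdefault(e["user_name"], []).append({**e, "ts": ts})
    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["ts"])
        for i, sent in enumerate(events):
            if sent["type"] != "cls":
                continue
            # Only events before the next "cls" belong to this link.
            rest = events[i + 1:]
            end = next((j for j, e in enumerate(rest) if e["type"] == "cls"), len(rest))
            window = rest[:end]
            ok = next((e for e in window if e["type"] == "s"), None)
            if ok is None or ok["ts"] - sent["ts"] > max_delay:
                continue
            fail = next((e for e in window if e["type"] == "fp" and e["ts"] > ok["ts"]
                         and e["user_agent"] != ok["user_agent"]), None)
            if fail:
                findings.append({"user": user, "redeemed_by": ok["user_agent"],
                                 "redeemed_after_s": (ok["ts"] - sent["ts"]).total_seconds(),
                                 "failed_for": fail["user_agent"]})
    return findings
```

Grouping the findings by `redeemed_by` shows whether a single agent accounts for the early redemptions.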
