Skip to content

Passwordless login - links invalidated on security checks #16743

New issue
New issue
Open
Bug
Open
Passwordless login - links invalidated on security checks#16743
Bug
Labels
bugThe issue in the code or project, which should be addressed.
@MaticSulc

Description

@MaticSulc
MaticSulc
opened on May 8, 2025

Bug report

Summary

While using passwordless login in MODX 3, it seems like security checks from e.g. Office365 invalidate the url before they are opened by the user - resulting with the error Your login link is not valid. Please request a new one..
By copying the URL and pasting in the browser manually, it works normally.

Suggested solutions

  1. Before validating the magiclink GET parameter, the user has to click a button "Log in"
  2. Somehow determine if the request comes from a user (research if the problematic requests are only HEAD - maybe it could be separated that way)
  3. Try to add a javascript redirect on the page, that probably won't be followed by crawlers

Step to reproduce

Enable the passwordless_activated system setting, enter an e-mail that uses Office 365 and click the URL. It will show as invalid.

Environment

MODX 3.1.2, running on MODX Cloud, PHP 8.1.29.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugThe issue in the code or project, which should be addressed.

    Type

    Bug

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions