Can I skip or automate the "confirmation step" for magic links?

After opening a magic link, the user must click a confirmation button to log in and invalidate the token. I assume this exists to prevent email scanners from consuming links.

Could this be automated with a short JS setTimeout that submits the confirmation request automatically? Or is this a bad idea? I assume that scanners only fetch the HTML and don’t always have a headless browser or keep it open for long.

Current behaviour after the registration link is opened:

Current behaviour after the login link is opened:

```shell
mix phx.new example --module=Example --database=sqlite3 --no-live
cd example
mix ecto.create
mix phx.server
mix phx.gen.auth Accounts User users # n - Using Phoenix.Controller only
mix deps.get
mix ecto.migrate
mix phx.server
```

I would say this is a dangerous assumption. If the scanners don’t use a headless browser that would make it trivial for bad actors to bypass the scanners with a simple React app. Given that the scanners and the bad actors are locked in an endless back-and-forth my guess would be that the scanners have been running JS for a while.

There is a mutual understanding between the scanner developers and web developers that scanners will not issue POST requests. Everyone is on the same page about this, so it is unlikely to change.

On the other hand, if you design a login page using some timeout, even if you test to ensure that it works today the scanner could always change its behavior tomorrow and break your website while you’re asleep.

I think it would be wise to stick with the standard method.

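To make the point about GET versus POST concrete, here is an added illustration (my own code, not from the thread or from Phoenix, and in Python rather than Elixir): the GET handler for the link only renders the confirmation form, and the POST handler is the only path that consumes the single-use token, so a scanner that fetches the link leaves it valid, while a replayed or expired confirmation fails. The in-memory store, the 15-minute TTL and the route names in comments are assumptions.

```python
import hashlib
import secrets
import time

# Constructed in-memory store: sha256(token) -> {"user", "expires_at"}.
# Only the hash is stored, so a database leak does not expose usable links.
_TOKENS = {}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_magic_link(user, now=None):
    """Create a random single-use token for `user` and store only its hash."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _TOKENS[_digest(token)] = {"user": user, "expires_at": now + TOKEN_TTL_SECONDS}
    return token


def handle_get(token, now=None):
    """GET /users/log_in/:token (assumed route): render the confirmation form.
    Nothing is consumed, so a link scanner that fetches the page (even several
    times) sees exactly what the user sees and the token stays valid."""
    now = time.time() if now is None else now
    entry = _TOKENS.get(_digest(token))
    if entry is None or entry["expires_at"] < now:
        return {"status": 404, "form_action": None}  # generic "invalid or expired" page
    return {"status": 200, "form_action": "POST"}


def handle_post(token, now=None):
    """POST confirmation: the only path that removes the token and logs in."""
    now = time.time() if now is None else now
    entry = _TOKENS.pop(_digest(token), None)  # single use: gone after this call
    if entry is None or entry["expires_at"] < now:
        return {"status": 401, "user": None}
    return {"status": 200, "user": entry["user"]}


def demo(now=1_700_000_000):
    """Scanner GET, then user GET + POST, then a replayed POST and an expired one."""
    t = issue_magic_link("alice@example.com", now)
    scanner = handle_get(t, now)["status"]            # 200, token untouched
    user_get = handle_get(t, now + 60)["status"]      # 200, still valid for the user
    user_post = handle_post(t, now + 61)["user"]      # "alice@example.com"
    replay = handle_post(t, now + 62)["status"]       # 401, token already consumed
    stale = issue_magic_link("bob@example.com", now)
    expired = handle_post(stale, now + TOKEN_TTL_SECONDS + 1)["status"]  # 401
    return [scanner, user_get, user_post, replay, expired]
```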

Thank you! Decided to try a slightly riskier/novel approach:

My BotD library fork detects whether the visitor is not a bot (headless chromium), and only then will the form be submitted automatically.

I think it’ll be worth it as a UX improvement. But we’ll see if anyone complains 😄; it’s a small side project where I’m testing this out.