Prevent linkbots from consuming tokens in one time links #4775
wes-otf left a comment
Overall this looks and works fantastic! This is the solution we needed - you were also so fast about this!
super nitpick but should we also add {% block body_class %}bg-base-200{% endblock %} after the title block? I like how that makes the card pop on the confirm template:
Will look at that, we use the same style in many places so I make sure they all look the same.
The background colour was missing from three templates, fixed now. Looks a lot nicer with it in place!
| <div class="flex flex-col justify-center items-center min-h-[60vh]"> | ||
| <section class="w-full max-w-2xl card shadow-xs bg-base-100 md:card-lg"> | ||
| <div class="items-center card-body"> | ||
| <span class="flex justify-center items-center mb-4 rounded-full bg-primary/10"> |
this is so slick! I love the shadowy circle behind the icon
Been thinking about a solution for weeks and worked on it since last week, so not so fast 😃.
… defaults on all link timeouts. Add separate PASSWORD_ACTIVATION_TIMEOUT.
7da74b7 to c728fab
great stuff, thanks @frjo !
Fixes HyphaApp#4535

OBS! `PASSWORD_RESET_TIMEOUT` has a new sane default of 15 minutes. A new timeout setting `PASSWORD_ACTIVATION_TIMEOUT` was added that also defaults to 15 minutes. `PASSWORD_RESET_TIMEOUT` used to default to 3 days to allow new users some time to activate their account. Organisations that still want the old default for activation mails can set `PASSWORD_ACTIVATION_TIMEOUT = 259200`.

This is mainly a fix for the MS Outlook mail system's habit of doing a preview of links in all e-mails. This preview expires the one time links, so when a user tries to login or reset their password it does not work.

The solution is to show an extra confirmation screen with a login button, so users need to click one extra time. This solves the Microsoft Preview issue and should work for any similar issues as well.

During the work I found a number of inconsistencies in various login related templates that I also attempted to fix. That is the reason so many files are changed in this PR.

## Test Steps

- [ ] Use the signup and passwordless login and confirm that you, by clicking the link in the email, come to a confirmation screen. Clicking the button there logs you in to the site.
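The behaviour change described above, as an added plain-Python example that is not Hypha's Django code: a signed one-time token that expires after the PR's 15-minute default, and a view that before the fix consumes the token on any GET (so a mail previewer burns it) and after the fix only renders the confirmation page on GET, consuming the token on the login button's POST. `make_link_token`, `OneTimeLinkService`, `simulate` and the demo secret are hypothetical names and values constructed for this example.

```python
import hmac

SECRET = b"constructed-demo-secret"        # stand-in for the Django SECRET_KEY
PASSWORD_RESET_TIMEOUT = 15 * 60           # the PR's new default, in seconds

def make_link_token(user_id, issued_at):
    """Signed 'user_id:timestamp:mac' token; a simplified, hypothetical TimestampSigner."""
    msg = f"{user_id}:{issued_at}".encode()
    mac = hmac.new(SECRET, msg, "sha256").hexdigest()[:32]
    return f"{user_id}:{issued_at}:{mac}"

class OneTimeLinkService:
    """Hypothetical stand-in for the login/reset view: tokens are single-use and expire."""
    def __init__(self, timeout=PASSWORD_RESET_TIMEOUT):
        self.timeout = timeout
        self.used = set()            # consumed tokens (a real app would persist this)

    def _validate(self, token, now):
        try:
            user_id, ts, _ = token.split(":")
            issued = int(ts)
        except ValueError:
            return None              # malformed token
        expected = make_link_token(user_id, ts).encode()
        if not hmac.compare_digest(expected, token.encode()):
            return None              # tampered or wrongly signed
        if now - issued > self.timeout or token in self.used:
            return None              # expired or already consumed
        return user_id

    def view(self, method, token, now, confirm=True):
        """confirm=False: pre-PR behaviour, any GET (a previewer's too) logs in and burns the
        token. confirm=True: the PR's fix, GET renders the confirm page, POST consumes."""
        user = self._validate(token, now)
        if user is None:
            return ("invalid", None)
        if confirm and method == "GET":
            return ("confirm_page", user)
        self.used.add(token)
        return ("logged_in", user)

def simulate(confirm):
    """Previewer fetches the link seconds after delivery; the real user opens the mail later."""
    svc = OneTimeLinkService()
    t0, token = 1_700_000_000, make_link_token("42", 1_700_000_000)
    bot = svc.view("GET", token, t0 + 5, confirm)         # link previewer hits the URL
    user = svc.view("GET", token, t0 + 120, confirm)      # user opens the e-mail
    if user[0] == "confirm_page":
        user = svc.view("POST", token, t0 + 125, confirm) # user clicks the login button
    return bot[0], user[0]   # False -> ("logged_in", "invalid"); True -> ("confirm_page", "logged_in")
```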