Link activation already expired when sent


(Bruno) #1

Hey folks. We developed a custom plugin to integrate my payment system with Discourse.

Basically what it does is that it creates a new user based on a POST notification sent by my payment system where it creates a new user and then assigns an expiration date for his access.

You can see the plugin here: GitHub - maysam/discourse_subscription_plugin: Deactivate users beyond their expiration date

It’s working fine with only one problem:

When a new user is created, an automatic email is sent out — the “Account Created” email.

When I click the link to create a new password (which is actually the password reset link), it opens a page saying:

“Sorry this is an old link. Please click ‘forgot password’ to get a new email”.
(or something along these lines)

We are not really sure why this is happening. Why the %{email_token} is getting screwed up in that first email.

BTW, it’s just the first email. If I click to send a new email to set a new password, then this link works fine.

It seems that whenever we make a change to the user — activate it, change expiration date or whatever — the token will get expired.

If it’s indeed that, we need a way to first do everything we need (activating, setting groups, expiration date, etc) and then send that first email.

But no idea if that’s really what’s going on.

If anyone has any idea we’re more than happy to hear you out :slight_smile:

Thanks!
-Bruno


(Matt Palmer) #2

Although “only the first e-mail gets screwed up” is a new twist, one problem we’ve seen a lot with interaction link e-mails is certain security programs, which scan e-mail for links and visit those links looking for malware. We’ve done some things to try and guard against that, but it’s possible some overzealous scanning program is still managing to look enough like a person to make Discourse think the link has been used. Check your site access logs to see if there are any requests to the link before your browser.
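
The access-log check suggested in post #2, as an added example that is not part of the original thread and not Discourse's own code: it reads combined-format log lines and lists every request for a reset link that arrived before the first request from your own browser's IP. The `/u/password-reset/` prefix, the log format and the sample lines are assumptions; adjust them to what your site and e-mails actually use.

```python
import re
from datetime import datetime

# Assumed route prefix of the reset link; change it to match your e-mails.
RESET_PREFIX = "/u/password-reset/"

# Combined log format (the nginx/Apache default) is assumed.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

def parse(line):
    """Return one log line as a dict, or None if it is not in the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    hit = m.groupdict()
    hit["ts"] = datetime.strptime(hit["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return hit

def hits_before_browser(lines, browser_ip, prefix=RESET_PREFIX):
    """Map token -> requests from other clients that preceded browser_ip's first one."""
    by_token = {}
    for hit in filter(None, map(parse, lines)):
        path = hit["path"].split("?", 1)[0]
        if path.startswith(prefix):
            by_token.setdefault(path[len(prefix):].strip("/"), []).append(hit)
    early = {}
    for token, hits in by_token.items():
        mine = [h["ts"] for h in hits if h["ip"] == browser_ip]
        if not mine:
            continue  # your browser never opened this link
        first = min(mine)
        before = sorted((h for h in hits if h["ts"] < first), key=lambda h: h["ts"])
        if before:
            early[token] = before
    return early

# Constructed sample lines: documentation IPs, made-up tokens and user agents.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2017:10:00:05 +0000] "GET /u/password-reset/aaaa1111 HTTP/1.1" 200 512 "-" "ExampleMailScanner/1.0"',
    '203.0.113.20 - - [12/Mar/2017:10:02:41 +0000] "GET /u/password-reset/aaaa1111 HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '203.0.113.20 - - [12/Mar/2017:10:05:00 +0000] "GET /u/password-reset/bbbb2222 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for token, hits in hits_before_browser(SAMPLE_LOG, "203.0.113.20").items():
        for h in hits:
            print(token, h["ts"].isoformat(), h["ip"], h["method"], h["ua"])
```

An empty result means nothing else touched the link first, which points away from a scanner and toward the token being invalidated on the server side. Treat log files that contain live tokens as sensitive.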


(Sam Saffron) #3

I recently changed unsubscribe so it only acts on a POST; in the past it acted on a GET. In general this is the best approach: only make changes to data on POST.


(Bruno) #4

That was really the case :slight_smile:

After we made it so that the email would only get sent out after everything was done, then there was no problem.

(PS: it’s great that I now get to accept my own answer as the solution for my own topic :stuck_out_tongue:)