"Invite User" Tokens Are One-Time Use #18229

Open
stephen-sherman opened this issue Feb 4, 2025 · 1 comment

stephen-sherman commented Feb 4, 2025

Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)

13.6.0

Bug summary

The tokens generated by the Invite User function are valid for only a single use. When the "accept invitation" URL is visited, the token is rendered invalid and the invitation must be resent for the user to be able to complete the sign up process.

Some mail servers perform deep scans of incoming URLs for security hazards. This can render the token expired before the user has a chance to open the invitation.

A possible improvement would be for there to exist an Umbraco security setting that allows these tokens to remain valid until the invitation is either rescinded, completed, or timed out.

Specifics

No response

Steps to reproduce

  • Create a new Umbraco 13.6.0 site and configure with appropriate SMTP credentials
  • Send an Umbraco back office user invitation
  • Click the link to accept the invitation
  • Leave the site without completing the accept invitation user flow
  • Click the link to accept the invitation a second time

Expected result / actual result

Expected result:

  • The accept invitation user flow can be restarted without a second invitation being sent

Actual result:

  • The user invitation must be sent again for it to be accepted
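
The token lifecycle the issue proposes (valid until rescinded, completed, or timed out), sketched as an added example that is not part of the original issue and is not Umbraco's code: opening the link is a read-only check, and only submitting the sign-up form consumes the token. The `InviteStore` class, its method names and the 72-hour lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

@dataclass
class Invite:
    token_hash: str          # store only a hash, never the raw token
    expires_at: float
    state: str = "pending"   # pending | completed | rescinded

class InviteStore:
    """Hypothetical in-memory model; these names are not Umbraco APIs."""
    def __init__(self, ttl_seconds=72 * 3600, clock=time.time):  # TTL is an assumed value
        self._invites, self._ttl, self._clock = {}, ttl_seconds, clock

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email):
        token = secrets.token_urlsafe(32)
        self._invites[email] = Invite(self._hash(token), self._clock() + self._ttl)
        return token

    def check(self, email, token):
        """Read-only: run when the link is opened. Never changes state, so a
        mail scanner fetching the URL cannot burn the invitation."""
        inv = self._invites.get(email)
        if inv is None or not secrets.compare_digest(inv.token_hash, self._hash(token)):
            return "invalid"
        if inv.state != "pending":
            return inv.state
        return "expired" if self._clock() >= inv.expires_at else "valid"

    def complete(self, email, token):
        """The only consuming step: run when the sign-up form is submitted."""
        if self.check(email, token) != "valid":
            return False
        self._invites[email].state = "completed"
        return True

    def rescind(self, email):
        inv = self._invites.get(email)
        if inv is not None and inv.state == "pending":
            inv.state = "rescinded"
```
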

github-actions bot commented Feb 4, 2025

Hi there @stephen-sherman!

Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.

We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.

  • We'll assess whether this issue relates to something that has already been fixed in a later version of the release that it has been raised for.
  • If it's a bug, is it related to a release that we are actively supporting or is it related to a release that's in the end-of-life or security-only phase?
  • We'll replicate the issue to ensure that the problem is as described.
  • We'll decide whether the behavior is an issue or if the behavior is intended.

We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.

Thanks, from your friendly Umbraco GitHub bot 🤖 🙂
