Antivirus softwares that scans emails eat the magic link token

[aaly00]

Provider type

Email

Environment

System:
OS: macOS 13.0.1
CPU: (10) arm64 Apple M1 Pro
Memory: 38.09 MB / 16.00 GB
Shell: 5.8.1 - /bin/zsh
Binaries:
Node: 18.15.0 - ~/.nvm/versions/node/v18.15.0/bin/node
npm: 9.5.0 - ~/.nvm/versions/node/v18.15.0/bin/npm
pnpm: 8.6.1 - ~/.nvm/versions/node/v18.15.0/bin/pnpm
Browsers:
Brave Browser: 115.1.56.14
Edge: 117.0.2045.40
Safari: 16.1

Reproduction URL

https://github.com/aaly00/email

Describe the issue

We are seeing an issue where antivirus softwares which scan emails click on the magic link and eats up the token. It would be nice to have the option to have a redirect after a settimeout to initiate the login that way automated email scanners don't eat up the token.

Not sure how to create a reproduction repo as you need some kind of email scanner to be able to see the issue and an email server.

How to reproduce

Use an automated email that has a scanner that clicks the magic link

Expected behavior

for the robot not to eat the token

[aaly00]

I am willing to work on a PR, if you decide to address this issue within Auth.JS. Right now we are sending our own custom email template which sends an email with a link to a page that redirects you to the auth page after a timeout.

[michaelhays]

I noted the same thing here: #7363

[ThangHuuVu]

For next-auth we have already fulfilled the feature by sending the magic link with token & validate it correctly, so I marked it as not a bug, and I see that you've already found a workaround at #7363 (reply in thread)
We'll see how the community think about this feature before building a built-in way to mitigate this issue. Right now, this is not a priority, unfortunately. 🙏