lastlogin-io / obligator

Simple and opinionated OpenID Connect server designed for self-hosters
MIT License

lastlogin.io demo sends emails with invalid magic links #24

Open BasMichielsen opened 3 months ago

BasMichielsen commented 3 months ago

I just followed the instructions at the Demo section to try the obligator instance running at lastlogin.io using my email address. After a little while I received the email and clicked on the link but then it goes to lastlogin.io/magic?key...... and the error message "Invalid magic link" is displayed. However the URL seems to be fine having a key and an instance_id.

anderspitman commented 3 months ago

Hey @BasMichielsen, thanks for the report!

I'm not sure I understand what's happening. Note that LastLogin has changed somewhat since that demo video was made, so you probably won't be able to follow the exact steps.

What email provider are you using?

BasMichielsen commented 3 months ago

Hi @anderspitman I am not using any email provider, I am following the Demo section in readme.md using openidconnect.net to test your public instance running at https://lastlogin.io . Following the instructions as stated, I registered with my email account. After a little while I received the email from your public instance and clicked on the link, and then the error appears.


anderspitman commented 3 months ago

I mean what email provider are you using for the email you give to LastLogin, ie gmail, apple, etc?

BasMichielsen commented 3 months ago

I have provided my University employee address, I reckon the University uses a Microsoft Exchange/Office365 subscription for all employees and students, as I can go to outlook.office.com and read my email within the outlook on the web client.


anderspitman commented 3 months ago

Hmm I also work at a University which uses outlook and it works there. Can you try a couple more things:

  1. Right click on the link and copy it and make sure the copied version still looks valid.

  2. Navigate to the page and make sure the link matches the one from the email (ie verify Outlook doesn't change it when you click on it).

  3. Try using a gmail account and verify that works. That should rule out there being some weird problem with your device.

Thank you for your help! You've likely identified a bug that I'll need to get to the bottom of. If none of these work I'll put in some instrumentation so we can try to better track what's happening with your request.

anderspitman commented 3 months ago

FWIW I just tried using a VPN to log in from Amsterdam, switching between LastLogin server instances and it worked. That was my best guess about what was broken.

However, I also noticed that I'm deleting magic links after 2 minutes. This is likely not long enough. Do you think it might be taking longer than that before you click the link? Outlook in particular tends to have slow delivery in my tests.

Just in case, I went ahead and increased it to 5 minutes. Maybe we'll get lucky.

BasMichielsen commented 3 months ago

Hi @anderspitman

Highly likely it is that timeout. Because every time I tried, I received the email only after 10 maybe 15 minutes or so. I am unsure why, but it is possible that the university mail server works in batches or is simply being slow. In any case, given that you delete the magic links after 2 minutes, I can tell you that I never received the mail within 2 minutes, so that most likely is the issue (lex parsimoniae). As for a solution, any timeout is possibly too short, and maybe the problem is indeed on my end. I do however want to suggest that a more descriptive error message would have been appropriate, perhaps something like "your magic link was valid, but has expired, please try again" explains the issue a lot better than "invalid magic link" which makes the user think they did something wrong.

anderspitman commented 2 months ago

@BasMichielsen sorry for the super late response. 10 to 15 minutes is definitely not workable for a login system IMO. I'm hopeful that eventually we'll have better decentralized protocols than email to work with.

Going to leave this issue open since I agree this needs a better error message.
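The two points raised in this thread, a short expiry window and an error message that cannot tell "expired" from "never existed", come down to how the magic-link store is structured. The sketch below is an added example, not obligator's own code: a single-use, in-memory store with an injectable clock that keeps expired records around for a retention period so a late click can be reported as expired rather than invalid. The `ttl`, `retention`, function names and sample email address are all hypothetical.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Distinct errors so the login page can tell the user what actually happened.
var (
	ErrMagicLinkNotFound = errors.New("invalid magic link")
	ErrMagicLinkExpired  = errors.New("your magic link was valid but has expired, please request a new one")
)

type magicLink struct {
	email    string
	issuedAt time.Time
}

// MagicLinkStore is an in-memory, single-use store for magic-link keys.
// ttl is how long a link may be redeemed; retention is how much longer an
// expired record is kept so that a late click gets "expired" rather than
// "invalid". Both knobs are hypothetical, not obligator's configuration.
type MagicLinkStore struct {
	mu        sync.Mutex
	ttl       time.Duration
	retention time.Duration
	now       func() time.Time // injectable clock so expiry is testable without sleeping
	links     map[string]magicLink
}

func NewMagicLinkStore(ttl, retention time.Duration, now func() time.Time) *MagicLinkStore {
	if now == nil {
		now = time.Now
	}
	return &MagicLinkStore{ttl: ttl, retention: retention, now: now, links: map[string]magicLink{}}
}

// Issue creates a fresh 256-bit random key for the given email and returns it;
// the caller embeds it in the emailed URL.
func (s *MagicLinkStore) Issue(email string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	key := hex.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.links[key] = magicLink{email: email, issuedAt: s.now()}
	return key, nil
}

// Redeem consumes the key. Unknown and already-used keys report
// ErrMagicLinkNotFound; known-but-stale keys report ErrMagicLinkExpired.
// The record is removed in both cases, so a link is never usable twice.
func (s *MagicLinkStore) Redeem(key string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	link, ok := s.links[key]
	if !ok {
		return "", ErrMagicLinkNotFound
	}
	delete(s.links, key)
	if s.now().Sub(link.issuedAt) > s.ttl {
		return "", ErrMagicLinkExpired
	}
	return link.email, nil
}

// Sweep drops records older than ttl+retention; a periodic cleanup goroutine
// would call it. Records that are merely expired survive until then, which is
// what lets Redeem distinguish "expired" from "invalid". Returns the count removed.
func (s *MagicLinkStore) Sweep() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	cutoff := s.now().Add(-(s.ttl + s.retention))
	removed := 0
	for key, link := range s.links {
		if link.issuedAt.Before(cutoff) {
			delete(s.links, key)
			removed++
		}
	}
	return removed
}

func main() {
	// Constructed walk-through with a fake clock: 5 minute ttl, 1 hour retention.
	clock := time.Unix(1700000000, 0)
	store := NewMagicLinkStore(5*time.Minute, time.Hour, func() time.Time { return clock })
	key, _ := store.Issue("user@example.edu")
	clock = clock.Add(12 * time.Minute) // the email arrived late, as in the report above
	_, err := store.Redeem(key)
	fmt.Println(err) // your magic link was valid but has expired, please request a new one
}
```

The design choice worth noting is that the sweeper is decoupled from the ttl: if the background job deleted records at exactly the ttl, a late click would be indistinguishable from a forged or mistyped key, and the only honest message would be "invalid". Because the key is 256 bits of CSPRNG output, admitting that a key once existed leaks nothing useful to someone guessing keys.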