Problems have been detected with email confirmation links

Description of the problem


Last week (week 37) we received feedback from users that the email confirmation link had not worked for them. We started investigating and confirmed that there was a problem. It turned out that the link in the email contained an extra parameter that was not in the link when it was generated on our server. We use an external email service (Sendinblue) to send all our emails, and the parameter in question was added automatically by this service. The purpose of the extra parameter is to allow tracking in email campaigns, so that we know whether a person comes to the website from the email campaign or by some other route. In so-called functional emails, such as email confirmation, such an additional parameter is of course completely unnecessary. In addition, the confirmation link in an email is built with a so-called “Signed URL” technique, which is supposed to ensure that the confirmation link the user uses to confirm their email has exactly the same form as the one that was originally generated for the user. Of course, since the email service added its own parameter, this was no longer the case.
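The failure described above can be reproduced in a few lines. This is an added example, not Commu's code and not a description of the fix that was applied: the key, URL, parameter names and the injected tracking parameter are all constructed, and signing over an allowlist of the server's own parameters is shown as one possible design that tolerates parameters appended in transit.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SECRET = b"constructed-demo-key"     # constructed; load the real key from secret storage
SIGNED_PARAMS = ("user", "expires")  # hypothetical parameters generated by the server
BASE = "https://example.test/verify-email?user=42&expires=1700000000"  # constructed
TRACKING = "&ext_tracking=campaign-1"  # constructed stand-in for the injected parameter

def _mac(message):
    return hmac.new(SECRET, message.encode(), hashlib.sha256).hexdigest()

def _split(url):
    parts = urlsplit(url)
    return parts, parse_qsl(parts.query, keep_blank_values=True)

def _canonical(parts, pairs):
    # Only the server's own parameters, in a fixed order, are covered by the MAC.
    own = sorted((k, v) for k, v in pairs if k in SIGNED_PARAMS)
    return f"{parts.scheme}://{parts.netloc}{parts.path}?{urlencode(own)}"

def sign_full(url):
    """Signature over the entire URL (which must already have a query string)."""
    return f"{url}&signature={_mac(url)}"

def verify_full(url):
    parts, pairs = _split(url)
    sigs = [v for k, v in pairs if k == "signature"]
    rest = urlencode([(k, v) for k, v in pairs if k != "signature"])
    unsigned = urlunsplit(parts._replace(query=rest))
    return len(sigs) == 1 and hmac.compare_digest(sigs[0].encode(), _mac(unsigned).encode())

def sign_canonical(url):
    """Signature over the path plus the allowlisted parameters only."""
    return f"{url}&signature={_mac(_canonical(*_split(url)))}"

def verify_canonical(url):
    parts, pairs = _split(url)
    keys = [k for k, _ in pairs]
    # Each security-relevant parameter must appear exactly once; others are ignored,
    # which is safe only if the application never reads those other parameters.
    if any(keys.count(k) != 1 for k in SIGNED_PARAMS + ("signature",)):
        return False
    sig = dict(pairs)["signature"]
    return hmac.compare_digest(sig.encode(), _mac(_canonical(parts, pairs)).encode())

if __name__ == "__main__":
    print("full, untouched:   ", verify_full(sign_full(BASE)))
    print("full, tracked:     ", verify_full(sign_full(BASE) + TRACKING))
    print("canonical, tracked:", verify_canonical(sign_canonical(BASE) + TRACKING))
```

The full-URL check rejects the link as soon as anything is appended, which is the behaviour users ran into; the allowlist variant still rejects a changed or duplicated signed parameter.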

 

Measures


The problem has now been fixed, i.e. the confirmation links should work normally again. In addition, we have decided to send a new confirmation link to all users who have not yet confirmed their email.

 

How do we ensure that this does not happen in the future?

  • In the near future we will invest in automated regular testing, which will hopefully also help us to catch problems that occur for reasons beyond our control.
  • We have also sent feedback to the email service provider that they should not add additional parameters to functional emails sent over the interface, at least not automatically.

 

Apologies again for any inconvenience this may have caused.

 

Sincerely yours,
Commu Team