
generateSignInWithEmailLink Generates One-Time Link Which Becomes Invalid Due to Pre-Click by Antivirus #8536

Open
AmilKey opened this issue Sep 26, 2024 · 2 comments

Comments

@AmilKey

AmilKey commented Sep 26, 2024

Operating System

Mac OS

Environment (if applicable)

Chrome 129

Firebase SDK Version

10.13.2

Firebase SDK Product(s)

Auth, Functions

Project Tooling

Native JS

Detailed Problem Description

I am experiencing an issue with the generateSignInWithEmailLink method in the Firebase JavaScript SDK. This method generates a link that is only valid for a single use. However, in many cases, users have antivirus software configured on their email accounts that automatically opens the link before the actual user does. As a result, the link becomes invalid, and the user receives an error message: auth/invalid-action-code.

This creates a significant usability issue since the user is unable to proceed with the email link sign-in process.

What I Was Trying to Achieve

I was trying to implement email link sign-in for users by generating a link using generateSignInWithEmailLink. The goal was for users to click the link in their email and sign in successfully.

What Actually Happened

Due to the default behavior of many antivirus solutions that scan incoming emails, the generated link gets "clicked" before the user has a chance to open it, rendering the link invalid with the error auth/invalid-action-code.

Steps and code to reproduce issue

  1. Generate a sign-in link using generateSignInWithEmailLink.
  2. Send the link to an email address that has an antivirus scanner active (most common email providers have this).
  3. Attempt to open the link from the email as the end-user.
  4. Observe the auth/invalid-action-code error indicating that the link is already used or expired.

// Sending side: requests the one-time email link for the given address.
// The redemption call (signInWithEmailLink on the landing page) is not shown here.
const actionCodeSettings = {
  url: 'https://example.com/finishSignUp',
  handleCodeInApp: true,
};
firebase.auth().sendSignInLinkToEmail(email, actionCodeSettings)
  .then(() => {
    // Link sent successfully
  })
  .catch(error => {
    console.error(error);
  });

Possible Solution or Improvement

  1. Allow specifying an expiration time for the sign-in link as an additional parameter when calling generateSignInWithEmailLink.

  2. Alternatively, consider implementing an option to allow multiple uses of the link for a specified time window (e.g., 10 minutes), reducing the chance that antivirus pre-clicks invalidate it.

This feature would greatly improve usability for users who have email security features enabled and prevent unnecessary friction during the sign-in process.

@AmilKey AmilKey added new A new issue that hasn't been categorized as question, bug or feature request question labels Sep 26, 2024
@google-oss-bot
Contributor

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

@jbalidiong jbalidiong added api: auth needs-attention and removed needs-triage new A new issue that hasn't been categorized as question, bug or feature request labels Sep 26, 2024
@NhienLam
Contributor

Hi @AmilKey, thanks for filing this issue. We will track this as a feature request, but we are unable to promise any timeline for this.

We currently only allow the action code to be redeemed once for security reasons. Note that it's only redeemed when you call signInWithEmailLink, not necessarily when the email link is opened. Therefore as a workaround, instead of calling signInWithEmailLink when the page is opened, could you add a button and only call signInWithEmailLink when it is clicked? This will prevent signInWithEmailLink from being called when the antivirus software opens the link. One downside is that this will require your users to click the button to complete the sign-in.
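The maintainer's workaround above, as an added example that is not part of this thread or the Firebase SDK: the landing page only inspects the link on load and redeems it when the user clicks a button, so a scanner that pre-fetches the URL never consumes the one-time code. It assumes `auth` is the compat `firebase.auth()` object from the issue's snippet, `storage` is `window.localStorage`, and `emailForSignIn` is the key under which the sending page saved the address; both objects are replaced by constructed fakes at the bottom so the logic runs offline.

```javascript
// Added example, not code from the issue or the Firebase SDK. `auth` stands for
// the compat firebase.auth() object used in the issue's snippet and `storage`
// for window.localStorage; both are faked at the bottom so this runs offline.
const STORAGE_KEY = 'emailForSignIn'; // assumed key saved when the link was sent

// Page-load path: inspect the link only. Nothing is redeemed here, so a scanner
// that pre-fetches the URL cannot consume the single-use action code.
function onLandingPageLoad(auth, href, storage) {
  if (!auth.isSignInWithEmailLink(href)) {
    return { showButton: false, reason: 'not-an-email-link' };
  }
  // The email is normally saved on the device that requested the link; if it is
  // absent (link opened elsewhere) the page must prompt for it before redeeming.
  const email = storage.getItem(STORAGE_KEY);
  return { showButton: true, email, needsEmailPrompt: email === null };
}

// Click path: the only place the code is redeemed, and therefore the only place
// auth/invalid-action-code can surface to the real user.
async function onConfirmClick(auth, href, email, storage) {
  if (!email) throw new Error('email is required before redeeming the link');
  try {
    const result = await auth.signInWithEmailLink(email, href);
    storage.removeItem(STORAGE_KEY);
    return { ok: true, uid: result.user.uid };
  } catch (err) {
    if (err.code === 'auth/invalid-action-code') {
      return { ok: false, retry: true, code: err.code }; // offer a fresh link
    }
    throw err;
  }
}

// Constructed stand-ins. The fake auth enforces the single-use rule described
// in the thread: a second redemption of the same link fails.
function makeFakeAuth(validLink) {
  let redeemed = false;
  return {
    isSignInWithEmailLink: (link) => link === validLink,
    async signInWithEmailLink(email, link) {
      if (link !== validLink || redeemed) {
        throw Object.assign(new Error('bad code'), { code: 'auth/invalid-action-code' });
      }
      redeemed = true;
      return { user: { uid: 'uid-' + email } };
    },
  };
}
function makeFakeStorage() {
  const m = new Map();
  return { getItem: (k) => m.get(k) ?? null, setItem: (k, v) => m.set(k, v), removeItem: (k) => m.delete(k) };
}
```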
