Clicking Outlook safelink protection links in emails seems to be executing the code twice

This is not really related to coding per se (my project is in Laravel 7.1) but more to Outlook's security measures.

Basically I have a function that sends an email which contains a button; it's a link with a token and a route in my Laravel project to perform something (in this case, the confirmation of an appointment cancellation). When the button is clicked it redirects the user to a page displaying a message saying that the appointment was cancelled successfully or that the token expired (because of course doing the operation once ends up removing the token from the database, so trying to do it again will fail and display the message).

This works as intended in testing environments, clicking the same button in Gmail or copying and pasting the link in the browser address bar.

But with Outlook and their masked links with safelink protection, it's not working right: once the button is clicked it redirects the user to an expired token message, BUT the operations were performed as they should. This happens because safelink is visiting the link and checking if it's secure before letting the user open a new tab; the issue is that the "fake" visit is making my application perform the actions as it normally would (it cancels the appointment based on that token, and it removes the token from the database), so by the moment the user is redirected that is counting as a second visit to the link and what the user gets is the expired token message, which is misleading of course.

This is basically a problem for any one-time-use links and it's probably affecting other applications out there.

This is a recent change from Microsoft though, as this was working a couple of months back; safelink is not something new but they introduced that new security feature. It may be happening with other mail providers too, but I just tested with Gmail, which is not doing the same and it worked.

So I don't really know what I could do on my part to fix this. Is there a way to detect if the click is not coming from a real user or something? Are there measures put in place by Laravel to overcome this?

Thanks in advance.

Santiago Cuartas Arango, asked May 30 '20 20:05


1 Answer

Safelink protection initiates an HTTP HEAD request to the website for the URL it's planning on rewriting and then rewrites the URL in the email to bounce through the MS platform.

Many web applications process HEAD requests like GET requests. If that happens on single-use URLs then the SafeLink's HEAD request triggers the actions, meaning that when the browser makes the 'real' request, the link's expired.

A solution I've used for this is to check the HTTP method being used on the incoming request and only action it if it's a GET, returning a 405 Method Not Allowed status or similar if it's something else.

Jonathan Tullett, answered Nov 08 '22 23:11
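A Laravel 7 implementation of the answer's method check, as an added example that is not part of the original answer or of the asker's project. It also goes one step beyond the answer: since some link scanners fetch a URL with GET as well as HEAD, the GET here is made side-effect free and the token is consumed only on a POST from the confirmation page. Controller, model, relation and view names are assumptions.

```php
<?php
// Added example (not the asker's project): two files shown in one block using
// braced namespaces; in a real app split them at the "file:" comments.

// file: routes/web.php
namespace {
    use Illuminate\Support\Facades\Route;
    // Route::match(['get']) registers GET only (Route::get also accepts HEAD), so a
    // scanner's HEAD gets 405 Method Not Allowed, as the answer above suggests.
    Route::match(['get'], '/appointments/cancel/{token}', 'AppointmentCancellationController@show')
        ->name('appointments.cancel.show');
    // The actual cancellation is a POST, which a mail link scanner does not send.
    Route::post('/appointments/cancel/{token}', 'AppointmentCancellationController@confirm')
        ->name('appointments.cancel.confirm');
}

// file: app/Http/Controllers/AppointmentCancellationController.php
namespace App\Http\Controllers {
    use App\CancellationToken; // assumed model: columns token, appointment_id; relation appointment()
    use Illuminate\Support\Facades\DB;
    class AppointmentCancellationController extends Controller
    {
        // GET is side-effect free: it only looks the token up and renders a page with a
        // POST form (the view must include @csrf). Any number of pre-visits leave the token intact.
        public function show(string $token)
        {
            if (! CancellationToken::where('token', $token)->exists()) {
                return view('appointments.cancel-expired');
            }
            return view('appointments.cancel-confirm', ['token' => $token]);
        }
        // POST consumes the token. The row lock inside the transaction makes two
        // concurrent submits (double click, retry) resolve to exactly one cancellation.
        public function confirm(string $token)
        {
            $cancelled = DB::transaction(function () use ($token) {
                $record = CancellationToken::where('token', $token)->lockForUpdate()->first();
                if ($record === null) {
                    return false;
                }
                $record->appointment->cancel(); // assumed domain method on the Appointment model
                $record->delete();
                return true;
            });
            return view($cancelled ? 'appointments.cancelled' : 'appointments.cancel-expired');
        }
    }
}
```

With this split, a scanner pre-visiting the link with HEAD receives a 405 and one pre-visiting with GET only sees the confirmation page, so the user's own click still finds the token in place.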