Bug: Magic link cannot be validated after URL Rewrite by ATP #1260

@sanchawebo

Description

PHP Version

8.3.16

CodeIgniter4 Version

4.6.0

Shield Version

1.1.0

Which operating systems have you tested for this bug?

Linux

Which server did you use?

apache

Database

MariaDB 10.5.22

Did you customize Shield?

Yes, I added custom user fields and stuff, but I think this does not apply to this problem.

What happened?

So I have the vanilla magic-link functionality to be used when a user forgets their login password and for the most part this works just fine.
But we have a client who runs (I guess) Hornet Security with ATP which rewrites the links that are getting sent via email to something like this:
https://atpscan.global.hornetsecurity.com/?d=OPVB0l7gHwSO9RSoHtNCMyXynpoSXra7Pt9FsF84GFQ&f=ct4fDeEE1ILWli4ZSjSPgSOrV1ZGxvtxTMg-MmpfWG-stj6hdLwDutDjI6zX1k-1&i=&k=QwqN&m=k5COMc5Q5a6qKL-mihOkoYlxqf6LVxZ5vCNWBhXr1x_9ELfwqQaOnB3eOSazWujP5T0CdK135Q16YE8npO_fLxLseT6kBtf8ccpRgWQeZI6FxkBtCAlTZsbbL_bV1Vur&n=wEjcu5d3KVbQGoo_TU8T2ii_SYDFkHVUZ6OxgShsPSk&r=SyOc0_1XWVEXhx-Xn2Vc7OcM5dmDinkxWaTQTYyTfUaqEL3nX64n9c5nqH4V3Fa-&s=ef1250c1d052072aecd6bc6692bc5ee17180ee1e451af3e6f3e7e6bc4b8a4ca6 &u=https%3A%2F%2Fwebsite.de%2Flogin%2Fverify-magic-link%3Ftoken%3DTOKEN

Result is that the MagicLinkController's verify method cannot verify the link and fails.

Steps to Reproduce

Can't reproduce this myself as we do not own a version of this security program.

Expected Output

A usable link^^

Anything else?

I'm just posting this here to find out if there is a solution or workaround for this problem as I could not find any solutions for this online.
For now I'm resetting the passwords for this single client by hand, so this is not urgent, but would be nice to get that fixed.
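
The rewritten URL in the report carries the original address URL-encoded in its `u` parameter. As an added example that is not part of the original post and is not Shield code, the PHP sketch below recovers that address and checks whether the endpoint and token match the link that was e-mailed. The function names `unwrapRewrittenLink` and `compareMagicLinks` are hypothetical, and the sample input is constructed from the URL shape shown in the report.

```php
<?php
// Added diagnostic example, not Shield code; function names are hypothetical.

/** Return the URL a rewriting gateway wrapped in its `u` parameter, or null. */
function unwrapRewrittenLink(string $rewritten, string $param = 'u'): ?string
{
    // Mail clients and copy/paste can inject whitespace into long URLs.
    $clean = (string) preg_replace('/\s+/', '', $rewritten);
    $query = parse_url($clean, PHP_URL_QUERY);
    if (! is_string($query)) {
        return null;
    }
    parse_str($query, $params); // parse_str() URL-decodes each value
    $target = $params[$param] ?? null;

    return is_string($target) && preg_match('#^https?://#i', $target) === 1 ? $target : null;
}

/** Compare the link that was e-mailed with the one recovered from the rewrite. */
function compareMagicLinks(string $sent, string $rewritten): array
{
    $target = unwrapRewrittenLink($rewritten);
    if ($target === null) {
        return ['intact' => false, 'reason' => 'no wrapped http(s) URL in the rewritten link'];
    }
    parse_str((string) parse_url($sent, PHP_URL_QUERY), $sentQuery);
    parse_str((string) parse_url($target, PHP_URL_QUERY), $gotQuery);
    $sentToken = $sentQuery['token'] ?? null;
    $gotToken  = $gotQuery['token'] ?? null;
    if (! is_string($sentToken) || ! is_string($gotToken)) {
        return ['intact' => false, 'reason' => 'token parameter missing from one of the links'];
    }
    // Everything before the query string must match as well as the token.
    $sameEndpoint = strtok($sent, '?') === strtok($target, '?');
    $sameToken    = hash_equals($sentToken, $gotToken);

    return [
        'intact' => $sameEndpoint && $sameToken,
        'reason' => $sameEndpoint && $sameToken ? 'endpoint and token survived the rewrite'
            : ($sameToken ? 'endpoint changed' : 'token changed'),
    ];
}

// Constructed sample: host and `u` value as in the report, other parameters shortened.
$sent      = 'https://website.de/login/verify-magic-link?token=TOKEN';
$rewritten = 'https://atpscan.global.hornetsecurity.com/?d=CONSTRUCTED&s=CONSTRUCTED '
    . '&u=https%3A%2F%2Fwebsite.de%2Flogin%2Fverify-magic-link%3Ftoken%3DTOKEN';

print_r(compareMagicLinks($sent, $rewritten));
```

If the result reports the link as intact, the rewrite preserved the endpoint and token, and the failure has to be traced elsewhere, for example in the web server's access log entries for the verify route.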
