A work around for email servers that open our one-time login links.

hc/accounts/tests/test_check_token.py

@@ -9,8 +9,12 @@ class CheckTokenTestCase(BaseTestCase):
         self.profile.token = make_password("secret-token")
         self.profile.save()
 
-    def test_it_redirects(self):
+    def test_it_shows_form(self):
         r = self.client.get("/accounts/check_token/alice/secret-token/")
+        self.assertContains(r, "You are about to log in")
+
+    def test_it_redirects(self):
+        r = self.client.post("/accounts/check_token/alice/secret-token/")
         self.assertRedirects(r, "/checks/")
 
         # After login, token should be blank
@@ -22,12 +26,12 @@ class CheckTokenTestCase(BaseTestCase):
         self.client.login(username="alice@example.org", password="password")
 
         # Login again, when already authenticated
-        r = self.client.get("/accounts/check_token/alice/secret-token/")
+        r = self.client.post("/accounts/check_token/alice/secret-token/")
         self.assertRedirects(r, "/checks/")
 
     def test_it_redirects_bad_login(self):
         # Login with a bad token
         url = "/accounts/check_token/alice/invalid-token/"
-        r = self.client.get(url, follow=True)
+        r = self.client.post(url, follow=True)
         self.assertRedirects(r, "/accounts/login/")
         self.assertContains(r, "incorrect or expired")

hc/accounts/views.py

@@ -105,6 +105,13 @@ def check_token(request, username, token):
         # User is already logged in
         return redirect("hc-checks")
 
+    # Some email servers open links in emails to check for malicious content.
+    # To work around this, we sign user in if the method is POST.
+    #
+    # If the method is GET, we instead serve a HTML form and a piece
+    # of Javascript to automatically submit it.
+
+    if request.method == "POST":
         user = authenticate(username=username, token=token)
         if user is not None and user.is_active:
             # This should get rid of "welcome_code" in session
@@ -119,6 +126,8 @@ def check_token(request, username, token):
         request.session["bad_link"] = True
         return redirect("hc-login")
 
+    return render(request, "accounts/check_token_submit.html")
+
 
 @login_required
 def profile(request):

templates/accounts/check_token_submit.html

@@ -0,0 +1,62 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="utf-8">
+    <title>Continue to healthchecks.io</title>
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+</head>
+<body>
+
+<form id="form-auto" method="post">{% csrf_token %}</form>
+<script>
+    document.getElementById("form-auto").submit();
+</script>
+
+<style>
+    body {
+        font-family: Arial;
+        text-align: center;
+        margin: 10em;
+    }
+
+    form {
+        text
+    }
+
+    input {
+        display: inline-block;
+        margin-bottom: 0;
+        font-weight: normal;
+        text-align: center;
+        vertical-align: middle;
+        touch-action: manipulation;
+        cursor: pointer;
+        background-image: none;
+        border: 1px solid transparent;
+        white-space: nowrap;
+        padding: 10px 16px;
+        font-size: 18px;
+        line-height: 1.3333333;
+        border-radius: 6px;
+        color: #ffffff;
+        background-color: #22bc66;
+        border-color: #1ea65a;
+    }
+</style>
+
+<noscript>
+    <p>You are about to log into healthchecks.io.</p>
+    <p>Please press the button below to continue:</p>
+    <br />
+    <form id="form" method="post">
+        {% csrf_token %}
+        <input
+            id="submit-btn"
+            type="submit"
+            class="btn btn-lg btn-primary"
+            value="Continue to healthchecks.io">
+    </form>
+</noscript>
+
+</body>
+</html>