Advice for iOS user having trouble with magic link

iOS “helpfully” previews links when someone long-presses to copy the link in many iOS apps.

So a user who is trying to copy the login link will trigger iOS to preview the link, which expires it.

“your new site has some issues trying to “sign in” from a mobile device. Since it seems to be passwordless, it sends a link to my email. But that link seems to be single use, which means when I try to copy it, iOS helpfully generates a preview, which expires the link.”

Other than telling the user how to disable preview globally on their device, is there any good advice/workaround I can give?

Appreciate any help as I’m Android user here who doesn’t know iOS well

don’t have a solution…but this is the bane of my existence…I don’t know why it’s necessary to make the login expire after a single use, given this behaviour by email systems…I’m not trying to safeguard state secrets…is this really necessary to protect a blog?

Even if a user gets their email hacked (which would be their own issue)…the only data that can be revealed about my users is their email address and the last 4 digits of their credit card

Even my all my vaccine related logins, created by government, use a number based code for login, rather than a link

1 Like

To piggyback off your comment, I would like it if we had the option for our members to use passwords instead of login links.

Some explanation as to how this functionality seems to work and how to disable it for a self-hosted instance:
Looks like single use token functionality comes from SingleUseTokenProvider which under the cover uses the single-use-token model. And there, within “findOne” method, it deletes the token once it is accessed, after 10 seconds:

if (model) {
            setTimeout(async () => {
                try {
                    await this.destroy(Object.assign({
                        destroyBy: {
                    }, {
                        transacting: null
                } catch (err) {
            }, 10000);

So a very basic, but a crude way of disabling this would be commenting out this block completely (putting /* at the beginning and */ at the end) , so a destroy would not be executed and the token lives on. I tested this and it works, I can use same login link unlimited times. The validity check is still valid, the link expires after 24 hours as usual.

Also, this code is part of the core and any changes to it might be removed with each upgrade.