It has come to my attention that when opening a confirmation mail in outlook.com bingbot will directly visit the confirmation forum link, even if the reader doesn't want to confirm the account. I'm unsure if I should open an issue about this, as this causes activated accounts, even if somebody uses an email that is not owned by himself. It shouldn't be that difficult to add some logic to either ignore bots visiting confirmation links or to use additional javascript the bot won't execute.

    Kakifrucht a better solution would be to add a robots.txt, assuming bing adheres to it. Circumventing bot users in one page through js seems quite hackish ?

        luceos Good idea, added it as disallow rule, couldn't test if Bingbot listens yet as they cache it for a couple hours.
        However this also means that pretty much everybody using Flarum must add it to their robots.txt file, otherwise users could just use a random Outlook address to verify their accounts.

          Hmm, I could not find much information about this behavior on the internet. The only thing I found was this.

          Kakifrucht Could you please check whether you have enabled this setting in Outlook? If so, I would consider this a very rare edge case and bad behavior on their side. As the solution is non-trivial (for forums installed in a subfolder), I would rather not do anything about this in core, especially since nobody else seems to do so...

              Franz Yes the setting was enabled on my account, just disabled it. Thank you!

              Also just noticed that bingbot doesn't seem to care about robots.txt in that case, it still visits the link.
              Is this line in my robots.txt correct?

              Disallow: /forum/confirm/*

                2 months later

                Created a small extension that redirects a user to the main forum page in case there is no valid confirmation token, instead of throwing an ugly error:

                composer require flagrow/auto-confirm-fix
                  7 months later

                  First Timer ?
                  First off, Flarum is really cool! Thanks for the hard work of the developers and the community.

                  Ok, I just completed a fresh Flarum installation and discovered that when I made my first non-admin user, the confirmation link took me to a page that said "Invalid token confirmation" but the account was still made anyway.

                  I'm a little confused at the current state of this issue as discussed on the current thread and also here: https://discuss.flarum.org/d/4987-invalid-confirmation-token-when-clicking-link-in-account-activation-email

                  Some questions I have:
                  - Is Sparkpost something that Flarum uses internally?
                  - I accessed the email on gmail.com. Is there maybe a similar bot on gmail like the bingbot that's following the link before I have a chance to click it?
                  - What can I do to fix this? Or should I just be patient?

                  If it's a bot following the link, I'm guessing the solution would be luceos' extension he posted above, but before I try installing my first extension I thought I'd seek some clarification.

                    joevus - What can I do to fix this? Or should I just be patient?

                    Try flagrow/auto-confirm-fix which prevents the error page and redirects to the home page. Please understand the extension does not fix the underlying issue.