"Invalid confirmation token" when clicking link in account activation email.

Hi everyone,

I've been having an issue in my own Flarum forum where clicking the link in the account activation email shows an "Invalid confirmation token" message. (But the account gets activated anyway.)

I know that there are several threads (one, two, three) where people mention this issue, but no solutions.

There's also a closed GitHub issue for this problem, but for me at least it still hasn't been fixed. In the comments, @Toby hypothesizes that Sparkpost (which I also use) might be the issue and then closes the issue as "fixed" but never explains what the actual fix was.

Does anyone know how to fix this problem? I've poked around the Sparkpost settings but didn't see anything obvious. I'm running v0.1.0-beta.6.

Thanks for your help!

So changing my forum's email settings to simply use 'mail' fixes the problem, which seems to indicate that Sparkpost is a likely culprit, but I'm still not sure what exactly is going on or whether there is anything I can do to fix it so that I can use Sparkpost. (Obviously, using 'mail' is not ideal.) If anyone has any insights, I'd greatly appreciate it. Thanks!

Apologies, there was supposed to be text underneath the pic. It just looked like the service required an API key.

    0E800 Emails are getting sent from Sparkpost and I'm receiving them fine, so that's not the issue. The issue is that it appears that Sparkpost is automatically "clicking" the confirmation links in the email and thus automatically confirming new Flarum user accounts before the users themselves click the link in the email.

    For now I've switched to elasticemail.com which is not causing this issue.

      I received a response from Sparkpost about this issue, which seems to clear things up:

      We have many malicious users that use link redirectors and shorteners to hide prohibited content. We have to aggressively monitor prohibited content to protect not only ourselves but all of the legitimate users on the platform. To help prevent this issue, while customers are building their reputation on our platform we will follow some of their links to ensure they are not doing bad things. We try to balance those algorithms to be aggressive enough to handle the bad users actively trying to circumvent the system while not being burdensome to legitimate users. In the case of your account we were clearly burdensome and for that I apologize. This is not in our documentation as it’s not a feature.

      I have escalated your case to our Compliance team. They will evaluate your account and, if applicable, they will turn off the monitoring for your account.

      So definitely an issue with Sparkpost specifically. I hypothesize that since Flarum is a very new and uncommon forum software, Sparkpost's algorithm doesn't yet know that it shouldn't "follow" the links in the activation emails.
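The failure described above, reproduced as an added example (not Flarum's code and not part of the original posts): a single-use token consumed on GET is burned by the provider's link check, while a flow that only consumes the token on POST is unaffected. The class and function names are hypothetical, and the model assumes the scanner only issues GET requests and does not submit forms.

```python
import secrets

class ActivationFlow:
    """Toy model of an email-confirmation endpoint (hypothetical, not Flarum's)."""

    def __init__(self, consume_on_get):
        self.consume_on_get = consume_on_get  # True models the behaviour in this thread
        self.tokens = {}                      # token -> user, single use
        self.activated = set()

    def issue(self, user):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = user
        return token

    def _consume(self, token):
        user = self.tokens.pop(token, None)
        if user is None:
            return 400, "Invalid confirmation token"
        self.activated.add(user)
        return 200, "Account activated"

    def handle(self, method, token):
        if method == "GET":
            if self.consume_on_get:
                return self._consume(token)
            # Safe GET: no state change, only render a confirmation form.
            if token not in self.tokens:
                return 400, "Invalid confirmation token"
            return 200, "Press the button to confirm"
        if method == "POST":
            return self._consume(token)
        return 405, "Method not allowed"

def simulate(consume_on_get):
    """The provider's scanner GETs the link first, then the real user follows it."""
    flow = ActivationFlow(consume_on_get)
    token = flow.issue("alice")  # constructed sample user
    log = [("scanner GET", flow.handle("GET", token))]
    activated_by_scanner = "alice" in flow.activated
    user_get = flow.handle("GET", token)
    log.append(("user GET", user_get))
    if user_get[0] == 200 and not consume_on_get:
        log.append(("user POST", flow.handle("POST", token)))
    return activated_by_scanner, log

if __name__ == "__main__":
    for mode in (True, False):
        print("consume_on_get =", mode, simulate(mode))
```

With `consume_on_get=True` the scanner activates the account and the user then gets the 400 response; with `False` the scanner's request changes nothing and the user's POST performs the activation.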

      holyfuzz

      Thanks for going the extra mile and sharing that good-to-know info with the rest of us.