Posting this solution here for anybody that might use “magic links” for login. I’m sure there are other use cases as well that entail sending out a link via email, and then performing some action based on that link being clicked.
Some email systems (e.g. Outlook) have “safe links” that do a HEAD request (rather than GET) to see if they will allow the user to continue to the link destination. If this link is an API action, the request will be processed on the HEAD request AND the GET request, thus creating the potential for unexpected results.
To fix, just wrap the whole API in a condition that will allow the HEAD request to pass safely, but it won’t process any actions.
$_SERVER.REQUEST_METHOD == 'GET'
I was struggling with a working magic link API that would remove a token from the database after it was successfully used by the user. Then along comes Hotmail with safe links. The HEAD request would produce a valid code and thus be removed from the database, but then the GET request had no token to be found!
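The method check described above, written out in plain PHP as an added example (not code from the original post). The function name `handleMagicLink`, the in-memory `$store` and the sample token are assumptions made for illustration; a real endpoint would read the method from `$_SERVER['REQUEST_METHOD']` and look the token up in its database.

```php
<?php
declare(strict_types=1);

// Constructed sample store: sha256(token) => user id.
// Stands in for the database table that holds unused magic-link tokens.
$store = [hash('sha256', 'demo-token-123') => 42];

/**
 * Handle one request to the magic-link endpoint.
 * Returns [HTTP status, user id or null].
 * Only GET may look up and consume the token; HEAD changes nothing.
 */
function handleMagicLink(string $method, string $token, array &$store): array
{
    $method = strtoupper($method);

    if ($method === 'HEAD') {
        // Link-scanner probe: answer successfully, touch no state.
        return [200, null];
    }
    if ($method !== 'GET') {
        // Any other verb is rejected without touching the token.
        return [405, null];
    }

    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        // Unknown or already-used token.
        return [401, null];
    }

    $userId = $store[$key];
    unset($store[$key]); // single use: the token is removed only on GET
    return [200, $userId];
}

// Constructed sequence: scanner HEAD, the user's GET, then a replayed GET.
foreach (['HEAD', 'GET', 'GET'] as $m) {
    [$status, $user] = handleMagicLink($m, 'demo-token-123', $store);
    printf("%-4s -> %d user=%s\n", $m, $status, $user ?? 'none');
}
```

This check only covers scanners that probe with HEAD. A scanner that prefetches the link with GET would still consume the token, which calls for a confirmation page that consumes it on POST instead.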