UnsubscribeAction in FrontendController handles http HEAD request

[yodaXX]

It recently happened that a customer received the message "he already is unsubscribed" even he only clicked the unsubscribe link in the mail once.

Digging through logs i have seen that a HEAD request to the exact same unsubscribe Url is made prior to the regular GET request (Maybe caused by a Mail Client).

The UnsubscribeAction processes this HEAD request and does its job, unintentional i would assume.

Because this behaviour caused some confusion, i xclassed the FrontendController adding an initializeUnsubscribeAction to only handle GET requests, according to this example https://docs.typo3.org/m/typo3/reference-coreapi/main/en-us/ExtensionArchitecture/HowTo/BackendModule/SecurityConsiderations.html#backend-modules-security

use TYPO3\CMS\Core\Http\AllowedMethodsTrait;

class LuxletterFrontendController extends \In2code\Luxletter\Controller\FrontendController
{

    use AllowedMethodsTrait;
    /**
     * enforce get method for unsubscribe
     *
     * @return void
     */
    public function initializeUnsubscribeAction(): void
    {
        $this->assertAllowedHttpMethod($this->request, 'GET');
    }
}

[einpraegsam]

Nice, I didn't know how to filter the params in extbase to a request type so far.
Nevertheless, I'm wondering why the mail client didn't use GET params when checking the unsubscribe URL.
Any ideas?

[yodaXX]

I don't know and i didn't ask about the Mailclient, maybe its something security related or the client is polling metadata to show with the link.
But i guess the intended use of this action is with GET.

[einpraegsam]

The more I'm thinking about the issue and the described solution I'm wondering if we should fix this issue in a different way. Maybe your solution works in your case, but there are other "anti spam" methods built in Microsoft Mail accounts that scan every link. And - even if I'm not totally sure - I guess those methods also using GET.
I think we should rework the unsubscribe action to a solution where the newsletter receiver sees a page where he must confirm his unsubscribe a second time by clicking a button.

@lefloe can you please add this to our feature backlock