fix(auth): send explicit User-Agent from ResendClient so Cloudflare stops blocking magic-link emails #239

Merged
saitejesh-cyber merged 4 commits into main from fix/magic-link-resend-cloudflare-ua
May 22, 2026
Conversation

@saitejesh-cyber
Collaborator

Summary

Magic-link sign-in emails have been silently dropped in production since the developer-auth feature shipped. The cause is not the email account, the API key, or DNS — it is the HTTP User-Agent.

api.resend.com sits behind Cloudflare. ResendClient.send() calls it with Python's urllib, which sends the default User-Agent: Python-urllib/3.x. Cloudflare bot protection blocks that signature with HTTP 403 / "error code: 1010" before the request ever reaches Resend's API.

Symptom

  • POST /api/v1/developers/signup returns 202 and the UI shows "Check your inbox" (the endpoint deliberately never 500s on an email failure).
  • No email arrives.
  • wot-api logs show resend_send_exception: HTTP Error 403: Forbidden — with no response body, so the real cause was invisible.
  • Resend dashboard: 0 logged sends; the API key shows 0 uses — the request never reached Resend's application layer.

Root cause — proven

Two identical curl calls to api.resend.com/emails — same key, same IP, same TLS — differing only in the User-Agent:

| User-Agent | Result |
| --- | --- |
| Python-urllib/3.11 | HTTP 403, error code: 1010 |
| a normal browser UA | HTTP 200, {"id":"..."} (email delivered) |

The 200 call delivered a real email to the account inbox, confirming the API key, the verified aixcelerator.ai domain, and the noreply@aixcelerator.ai sender all work. The block is entirely User-Agent-string based.

Changes

world_of_taxonomy/auth/email.py, ResendClient:

  • Sends an explicit User-Agent: WorldOfTaxonomy/1.0 header.
  • HTTP 4xx/5xx is now caught as urllib.error.HTTPError and logged with the response body (resend_send_failed: status=... body=...). The previous code logged a bare HTTP Error 403, hiding whether the cause was the API (bad key / unverified domain) or the Cloudflare edge. The old if response.status >= 400 branch was also dead code — urllib raises HTTPError for 4xx/5xx, it never returns them.

tests/test_magic_link.py:

  • New TestResendClient — covers the request payload, the User-Agent header (regression guard: asserts it is set and is not python-urllib), and the swallow-and-log behaviour on HTTP errors.

Testing

  • TestResendClient (3 tests) — verified via a mocked urlopen, no network or key needed.
  • Live: a curl send with a normal User-Agent delivered to inbox — DKIM + SPF pass and align, clearing the aixcelerator.ai p=reject DMARC policy.

Deployment context (already provisioned — no action in this PR)

On the wot-api Cloud Run service:

  • RESEND_API_KEY — GCP Secret Manager
  • RESEND_SENDER=noreply@aixcelerator.ai
  • aixcelerator.ai verified in Resend (DKIM + SPF DNS records)

Merging to main triggers wot-main-autodeploy, which builds and deploys wot-api. After deploy, a sign-in request on https://www.worldoftaxonomy.com/login should deliver the magic link.

Risk

Low. Two-file change scoped to ResendClient: one added request header plus improved error logging. No change to the sign-in flow, token handling, or any other code path.

🤖 Generated with Claude Code

github-actions Bot and others added 4 commits May 8, 2026 13:25
api.resend.com sits behind Cloudflare, which blocks urllib's default
`Python-urllib/x.y` User-Agent with HTTP 403 ("error code: 1010")
before the request reaches Resend's API. Every magic-link sign-in
email was silently dropped in production as a result: Resend logged
zero send attempts and the API key showed zero uses, while wot-api
logged a bare `resend_send_exception: HTTP Error 403: Forbidden`.

Proven by two identical curl calls to api.resend.com differing only
in the User-Agent string: `Python-urllib/3.11` -> 403 "error code:
1010"; a normal UA -> 200 with a message id.

Changes:
- ResendClient sends an explicit `User-Agent: WorldOfTaxonomy/1.0`.
- HTTP 4xx/5xx is now caught as urllib.error.HTTPError and logged
  with the response body, so an edge block ("error code: 1010") is
  distinguishable from an API error (bad key / unverified domain).
- Adds TestResendClient: payload, User-Agent, and error-handling
  regression coverage.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@saitejesh-cyber saitejesh-cyber merged commit 3fa77c7 into main May 22, 2026
6 checks passed
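
A sketch of the ResendClient change described in this PR, added here as an example; it is not the repository's code. The endpoint, the `WorldOfTaxonomy/1.0` header and the `error code: 1010` body come from the PR; the function names, the payload fields, the `outcome=` log field and the 512-byte body cap are assumptions.

```python
import json
import logging
import urllib.error
import urllib.request

log = logging.getLogger("resend_example")
RESEND_URL = "https://api.resend.com/emails"   # endpoint named in the PR
USER_AGENT = "WorldOfTaxonomy/1.0"             # header value named in the PR
EDGE_BLOCK_MARKER = "error code: 1010"         # body observed in the PR's curl test


def build_request(api_key, sender, to, subject, html):
    """Build the POST with an explicit User-Agent (payload fields are assumed)."""
    payload = json.dumps(
        {"from": sender, "to": [to], "subject": subject, "html": html}
    ).encode("utf-8")
    headers = {
        "Authorization": f"Bearer {api_key}",
        "Content-Type": "application/json",
        "User-Agent": USER_AGENT,
    }
    return urllib.request.Request(RESEND_URL, data=payload, headers=headers, method="POST")


def classify_http_error(status, body):
    """Separate a block at the edge from any other HTTP error, using the body."""
    if status == 403 and EDGE_BLOCK_MARKER in body:
        return "edge_block"
    return "http_error"


def send(request, opener=urllib.request.urlopen, timeout=10):
    """Return 'sent', 'edge_block', 'http_error' or 'network_error'; never raise."""
    try:
        with opener(request, timeout=timeout):
            return "sent"  # urllib raises HTTPError for 4xx/5xx, so this is success
    except urllib.error.HTTPError as exc:  # must precede URLError (its base class)
        # Cap the body and flatten newlines so it stays a single log line.
        raw = exc.read(512).decode("utf-8", "replace")
        body = raw.replace("\r", " ").replace("\n", " ")
        outcome = classify_http_error(exc.code, body)
        # Only status and body are logged; the Authorization header never is.
        log.warning("resend_send_failed: status=%s outcome=%s body=%s",
                    exc.code, outcome, body)
        return outcome
    except urllib.error.URLError as exc:
        log.warning("resend_send_exception: %s", exc.reason)
        return "network_error"
```

Passing `opener` as a parameter lets a test inject a fake `urlopen`, which matches the mocked-`urlopen` approach the PR describes for TestResendClient.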