email safe URL leads to obfuscated invitation token and cryptic error message

Description

Filing this in web, but could quite well be platform.

User reported getting strange error message when trying to join a team. Further inspection of the invitation email revealed that the URLs were replaced by Outlook. For example:

https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.synapse.org%2F%23!SignedToken%3AEmailInvitation%2F7b22686d6163223a226b313433596f587956464258546d536451304e62707a5834534d383d222c2276657273696f6e223a312c22657870697265734f6e223a22323031392d30322d31375431383a33333a32362e3630315a222c22637265617465644f6e223a22323031392d30312d31385431383a33333a32362e3532385a222c22757365724964223a2233333637373331222c227465616d4964223a2233333739363435222c226d656d6265724964223a2233333637373331227d&data=02%7C01%7CFoo.Bar%40domain.com%7C13e94e4073b74ef9173d08d67d800a9c%7C296b38384bd5496cbd4bf456ea743b74%7C0%7C0%7C636834386226033594&sdata=yvBxd8NJorTU7oCjeEgmxUaAetvyV1EUzLJI5XtzlIQ%3D&reserved=0

(email address was redacted/obfuscated from the above to Foo.Bar@domain.com).

They then received a error (red bar in Synapse, see screenshot when I replicated):

"Sorry, you do not have sufficient privileges for access. Unauthorized to access membership invitation null(Token signature is invalid.)"

The URL that I got redirected to was:

https://www.synapse.org/#!EmailInvitation:7b22686d6163223a226b313433596f587956464258546d536451304e62707a5834534d383d222c2276657273696f6e223a312c22657870697265734f6e223a22323031392d30322d31375431383a33333a32362e3630315a222c22637265617465644f6e223a22323031392d30312d31385431383a33333a32362e3532385a222c22757365724964223a2233333637373331222c227465616d4964223a2233333739363435222c226d656d6265724964223a2233333637373331227d

Environment

None

Assignee

Jay Hodgson

Reporter

Kenneth Daily

Labels

Validator

Xavier Schildwachter

Development Area

None

Release Version History

None

Sprint

None

Fix versions

Priority

Major
Configure