User-permissions confirmation email - Security bot opens the confirmation link before the user

Using the user-permissions plugin, I enabled the confirmation email and it works just fine when subscribing using a Gmail account. Unfortunately, my app is made for my university and users might subscribe using their university mail (Microsoft). It seems that the university has a security bot that validates links before the users get the mail, so when a user gets to click on the link it has expired because the bot used it and the account is confirmed already.

Any suggestions on how to prevent this? I was thinking captcha v3 could prevent the bot from validating the confirmation code, but I am not sure how to add this since the page is generated by the plugin (cms_url…/api/auth/email-confirmation).
I could also just rewrite the confirmation manually to send a 6-digit random code and have the user input it, but that feels like too much rewriting for an existing system.

This topic has been created from a Discord post (1222218609623826432) to give it more visibility.
It will be on Read-Only mode here.

You could do two things:

  1. Detect if the clicker is a bot. Either via IP or with the user-agent.

  2. Detect how the link is clicked (e.g. how fast, or add an invisible link)

This blog could help: How can you avoid robot clicks in your emailing statistics?
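
The two checks suggested in the reply above, sketched as an added example that is not part of the original thread or of the plugin's code. The function names, patterns, IP prefix, threshold and in-memory token store are all assumptions made for illustration; the point is that a click classified as automated leaves the token unconsumed, so the user's later click still works.

```javascript
// Added example: hypothetical helpers, not Strapi or users-permissions APIs.
// Patterns, prefix and threshold are constructed values to tune per deployment.
const SCANNER_UA_PATTERNS = [/bot\b/i, /crawler/i, /scanner/i, /preview/i];
const SCANNER_IP_PREFIXES = ['192.0.2.']; // documentation range, placeholder
const MIN_HUMAN_DELAY_MS = 10000; // clicks sooner than this after sending are suspect

// Check 1 (IP / user-agent) and check 2 (how fast the link was opened).
function classifyClick({ userAgent = '', ip = '', sentAt, clickedAt }) {
  const reasons = [];
  if (!userAgent.trim()) {
    reasons.push('empty-user-agent');
  } else if (SCANNER_UA_PATTERNS.some((re) => re.test(userAgent))) {
    reasons.push('scanner-user-agent');
  }
  if (SCANNER_IP_PREFIXES.some((prefix) => ip.startsWith(prefix))) {
    reasons.push('scanner-ip');
  }
  if (clickedAt - sentAt < MIN_HUMAN_DELAY_MS) {
    reasons.push('too-fast');
  }
  return { automated: reasons.length > 0, reasons };
}

// Consume the token only for clicks that do not look automated.
// `store` is a Map of token -> { sentAt, confirmed } standing in for the database.
function handleConfirmation(store, token, click) {
  const record = store.get(token);
  if (!record) return { status: 'invalid' };
  if (record.confirmed) return { status: 'already-confirmed' };

  const verdict = classifyClick({ ...click, sentAt: record.sentAt });
  if (verdict.automated) {
    // Token stays valid; log the reasons so the thresholds can be reviewed.
    return { status: 'ignored', reasons: verdict.reasons };
  }
  record.confirmed = true;
  return { status: 'confirmed' };
}
```

These are heuristics: a scanner that sends a browser-like user-agent from an unlisted address after the delay will still pass, so log the `reasons` and review false negatives.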