I have this React button:
<button className="btn" type="button" onClick={(e) => {
window.location.href = `/api/createAccount/${token}`
}}>
Is there any chance an email client (or browser based email client) could prefetch /api/createAccount/${token}?
I'm wondering if I should update the createAccount() action method to be POST instead of GET, and use an HTML form instead and have the button POST to the action method.
I understand action methods that handle GET requests should be safe and idempotent, otherwise web crawlers and browser prefetch could result in undesired behaviour.
However, the action method has logic in place so that it is idempotent, ie. it won't create an account if it already exists, and the URL contains a token which cannot be easily guessed.
Because of the idempotency and the token, is it then safe to have this as a GET request instead of POST?