
09 FEB 2026

David debugged: Investigated mobile signup handoff bug burning tokens before users clicked them

David uncovered that 65 recovery email tokens had been consumed by automated prefetchers before real users clicked them, leaving those users stuck at 'link already used'.


After sending apology recovery emails to 97 mobile users stuck at incomplete onboarding, David noticed the data was strange:

'The tight clustering of consumed_at timestamps (all within 19:17–19:20 UTC, the tail of the campaign) is consistent with automated prefetching rather than organic human clicks.' But you said when the bug was there, there was 0 consumed_at? How's that possible if there are auto clicks?

He then caught the key consequence:

Those 65 tokens are burned. mobile_signup_handoffs.consumed_at is set. When the real human clicks the same link, /exchange returns 409 TOKEN_ALREADY_USED and they see 'This link has already been used.'

David proposed a targeted fix:

'mobile-signup-handoff-controller.js:274-279: if record.consumed_at is not null, returns 409 TOKEN_ALREADY_USED' Why can't you just set it to null then for those users if they haven't finished onboarding?

The fix was applied: for records consumed from the scanner IP with a bot user-agent, consumed_at was reset to null, restoring the links for real human clicks.
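As an added example (not David's code and not the project's controller), the token lifecycle and the remediation described above, written in JavaScript because the page's controller is a .js file. The table and column name mobile_signup_handoffs.consumed_at and the 409 TOKEN_ALREADY_USED response come from the page; the consumed_ip and consumed_ua columns, the 404 TOKEN_NOT_FOUND code, the IP addresses, the user-agent strings and the bot-detection regex are assumptions made for the example.

```javascript
// Added example, not the project's code. Models the handoff-token lifecycle
// from the page (consume once, reject reuse with 409 TOKEN_ALREADY_USED) and
// the remediation that was applied: find the rows the scanner burned and
// reset consumed_at so the human's click is accepted.

const TOKEN_ALREADY_USED = 'TOKEN_ALREADY_USED'; // error code from the page
const TOKEN_NOT_FOUND = 'TOKEN_NOT_FOUND';       // assumed, not on the page

// Constructed sample values (RFC 5737 documentation addresses).
const SCANNER_IP = '203.0.113.7';
const SCANNER_UA = 'Mozilla/5.0 (compatible; ExampleMailScanner/1.0)';
const HUMAN_UA = 'Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1';

// Constructed rows of mobile_signup_handoffs. The three scanner hits sit in a
// tight cluster at the tail of the campaign, the pattern that pointed to
// automated prefetching rather than organic clicks.
function sampleHandoffs() {
  return [
    { token: 'tok-1', user_id: 101, onboarding_completed: false,
      consumed_at: '2026-02-09T19:17:02Z', consumed_ip: SCANNER_IP, consumed_ua: SCANNER_UA },
    { token: 'tok-2', user_id: 102, onboarding_completed: false,
      consumed_at: '2026-02-09T19:18:40Z', consumed_ip: SCANNER_IP, consumed_ua: SCANNER_UA },
    { token: 'tok-3', user_id: 103, onboarding_completed: false,
      consumed_at: '2026-02-09T19:19:55Z', consumed_ip: SCANNER_IP, consumed_ua: SCANNER_UA },
    // A real user who clicked earlier and finished onboarding: must stay consumed.
    { token: 'tok-4', user_id: 104, onboarding_completed: true,
      consumed_at: '2026-02-09T18:05:10Z', consumed_ip: '198.51.100.23', consumed_ua: HUMAN_UA },
    // Not clicked by anyone yet.
    { token: 'tok-5', user_id: 105, onboarding_completed: false,
      consumed_at: null, consumed_ip: null, consumed_ua: null },
  ];
}

// The /exchange check described on the page: a record whose consumed_at is
// already set is rejected; otherwise this request burns the token.
function exchange(records, token, req) {
  const record = records.find((r) => r.token === token);
  if (!record) return { status: 404, error: TOKEN_NOT_FOUND };
  if (record.consumed_at !== null) return { status: 409, error: TOKEN_ALREADY_USED };
  record.consumed_at = req.now;
  record.consumed_ip = req.ip;
  record.consumed_ua = req.userAgent;
  return { status: 200, user_id: record.user_id };
}

// Crude user-agent heuristic for mail-gateway link scanners and prefetchers
// (assumption: the real scanner's UA matched something like this).
function looksLikeBotUserAgent(ua) {
  return typeof ua === 'string' && /bot|crawler|scanner|spider|preview|prefetch/i.test(ua);
}

// Seconds between the earliest and latest consumed_at in a set of rows:
// dozens of "clicks" within a few minutes is the clustering signal.
function consumedAtSpreadSeconds(records) {
  const times = records
    .filter((r) => r.consumed_at !== null)
    .map((r) => Date.parse(r.consumed_at));
  if (times.length === 0) return 0;
  return (Math.max(...times) - Math.min(...times)) / 1000;
}

// Rows burned by the scanner rather than by the user: consumed from the
// scanner IP with a bot user agent, for a user who has not finished onboarding.
function findPrefetchBurns(records, scannerIp) {
  return records.filter(
    (r) =>
      r.consumed_at !== null &&
      r.consumed_ip === scannerIp &&
      looksLikeBotUserAgent(r.consumed_ua) &&
      !r.onboarding_completed,
  );
}

// The remediation from the page: reset consumed_at to null on those rows so
// the human's click succeeds. Returns the number of rows restored.
function restoreBurnedTokens(burned) {
  for (const r of burned) {
    r.consumed_at = null;
    r.consumed_ip = null;
    r.consumed_ua = null;
  }
  return burned.length;
}

// Stand-alone walk-through of the incident on the constructed rows.
function demo() {
  const rows = sampleHandoffs();
  const click = { now: '2026-02-09T21:00:00Z', ip: '192.0.2.44', userAgent: HUMAN_UA };
  console.log('before fix:', exchange(rows, 'tok-1', click));
  const burned = findPrefetchBurns(rows, SCANNER_IP);
  console.log('burned by scanner:', burned.map((r) => r.token),
    'spread (s):', consumedAtSpreadSeconds(burned));
  console.log('restored:', restoreBurnedTokens(burned));
  console.log('after fix:', exchange(rows, 'tok-1', click));
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

The reset is deliberately narrow: it keys on the scanner's IP and user agent and skips users who already finished onboarding, so a legitimate consumption such as tok-4 is left alone. The spread metric is the same observation that tipped David off, and it is worth keeping as a query: because /exchange burns the token on the first request that presents it, any mail gateway that follows links on delivery will reproduce this failure on the next campaign unless that is accounted for.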

