Hi,
Is there a way to stop users from signup with the same email address across different connections?
E.g. We want to stop users that have already signup using a social account to signup again using Username and Password. When that happens we want to display an error to the user saying “That email is already in use”. I’ve been trying to create a rule to do this but I’m struggling.
Many thanks.
Hey there @hesperanca!
have you tried utilizing our account linking features that allow you to link accounts from different identity providers?
Here are our docs on that:
Hope it helps!
Hi Konrad.
Thanks for your reply. Yes at the moment we are using the account merging rule but we have discovered a big security hole where, if a user already has a social account (e.g. FB) and someone tries to signup with Username and Password using the same email address, they can get access to the original user’s account. When this happened the original user (that first logged in using FB) received an email asking to verify the email and he simply clicked the link on the email because he already had an account in our system and did not think much about it. This automatically gave the second user access to his account.
I know that it was a user mistake (he should not have clicked on the link in the email verification) but it’s an easy mistake to make and we want to stop it.
I hope this makes sense.
Regards
A pre-registration hook is probably a better option in this case. We use a pre-reg hook to do something similar (query a legacy DB to ensure a new user doesn’t grab a username in use by a legacy account).
Hi Mark,
Thanks for your reply. We did look at hooks but unfortunately it seems they only fire for Database Connections which means that we will not be able to stop users using the same email but two different social providers.
Regards
Hi @hesperanca
A possible technique I would suggest (as we do this in our organization) is to not merge identities in Auth0 and keep them separate and handle the merging in your system.
The advantage of this is by default the identity will be treated as a separate user so there will be no accidental merging of accounts.
The disadvantage is that instead of linking Auth0 to your system using email, you must link Auth0 using the Auth0 ID number provided.
This method will give you more control on how the users are merged but will also require more work on your end so you’ll need to consider the pros and cons.
Hope this helps!
In addition to what @charsleysa said, I also reported the feedback on behavior to our product teams so they can eventually investigate it.