Actions access.deny message not showing in new universal login

Hi, I need help displaying error messages in passwordless auth with the new universal login and identifier first.

I'm trying to implement an action that prevents users from signing in/up with an email I don't want. I would like to check the email first and then move to the passwordless-email-challenge (send the code to their email), so I added an action on pre-user-registration, and in the action I'm using api.access.deny(reason,usermsg).

Like this:

The thing is that no message is displayed to the user, and I see these errors in the logs:

  • Failed login → failed to send email notification (I don't understand why it continues and tries to send the email with the code; I tried everything, but it always continues)
  • Failed signup → PreUserRegistrationError on pre-user-registration: email_no_habilitado (my action works, but no message is displayed to the user)

To the user, it feels like the email they entered is valid; it even says to validate your account and waits for the code, even though no code was sent.

Is there something I'm missing here?

Any help is appreciated.

Hi @aledev,

Welcome to the Auth0 Community!

I have just tested your Action script on my end and could not reproduce the same issue. Instead, I could see the error message that I define on my Action script on the login page.

See the screenshot below:

Now, could you please confirm if you see the same results?

Thanks,
Rueben

Hi @rueben.tiow, thanks for your response.

I'm using identifier first with passwordless using email only. I see no error message on the login page, but I see the errors in the logs. The login process is not stopped when the user inputs their email and clicks continue; it goes to the next step and waits for the code, even though, as you can see in the logs, the action did prevent the user from signing up, and the failed login also prevented the email with the code from being sent.

For the moment I have changed to the custom HTML login and use the extensibility_error solution (found here), which does work, but it only lets me show one error message for all action errors.

I really would like to keep the New universal login.

If you need any other details, let me know.

Thank you!


Hi @aledev,

Thank you for the clarification and update.

After looking into this, it seems that using Identifier First with Passwordless is leading to this behavior where the error is not shown. This is by design to prevent user enumeration attacks by not exposing a legitimate user’s email address.

Let me also add that you can check your Auth0 Logs to see what actually happens when a user is prevented from logging in. In this scenario, you should expect a Failed Login log event with the “Failed to send email notification” error description.

I hope the explanation was clear!

Please let us know if you have any additional questions.

Thanks,
Rueben
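
An added example, not code from the original posts or from Auth0: a pre-user-registration Action of the kind discussed in this thread, with the email check factored into a pure function so it can be tested offline. The allowlist, the user-facing text and the helper names `emailDomain` and `denialFor` are assumptions; `email_no_habilitado` is the reason code seen in the logs above, and whether the second argument of `api.access.deny` is displayed depends on the login flow, as explained in the reply above.

```javascript
// Constructed allowlist; replace with the domains your tenant accepts.
const ALLOWED_DOMAINS = new Set(['example.com', 'corp.example']);

// One generic text for every denial, so the message itself reveals nothing
// about which addresses or domains are accepted.
const USER_MESSAGE = 'This email address cannot be used to sign up.';

// Returns the lower-cased domain, or null when the value is not a single
// local@domain pair (missing email, empty part, more than one "@").
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const parts = email.trim().toLowerCase().split('@');
  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
  return parts[1];
}

// Returns null when sign-up may proceed, otherwise the two deny() arguments.
function denialFor(email) {
  const domain = emailDomain(email);
  // Exact match only: "example.com.lookalike.test" must not pass as "example.com".
  if (domain !== null && ALLOWED_DOMAINS.has(domain)) return null;
  return { reason: 'email_no_habilitado', userMessage: USER_MESSAGE };
}

// Action handler. The first deny() argument is the internal reason that is
// recorded in the tenant logs; the second is the text intended for the user.
const onExecutePreUserRegistration = async (event, api) => {
  const denial = denialFor(event.user.email);
  if (denial) {
    api.access.deny(denial.reason, denial.userMessage);
  }
};

// Auth0 loads the handler from exports; the guard lets the file run elsewhere too.
if (typeof exports !== 'undefined') {
  exports.onExecutePreUserRegistration = onExecutePreUserRegistration;
}
```

Keeping the detailed reason in the first argument and a single generic sentence in the second means the logs stay useful for troubleshooting while the login page gives the same answer for every rejected address.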
