ACUL user/app metadata

Hello,

We recently switched from classic login to ACUL as it gives you the same control over the page’s look and styling without the headache of routing and security, which is awesome.

However, I noticed that access to existing user metadata is limited. I’m implementing an invitation flow, and the invited user gets an email with a link to reset their password. I want to show different texts and more context to the invited user as it’s not simply resetting a password.

The invited user looks something like this:

{
    "created_at": "...",
    "email": "...",
    "email_verified": false,
    "identities": [...],
    ...
    "user_metadata": {
        "test": "test_user_metadata"
    },
    "app_metadata": {
        "test": "test_user_app_metadata"
        // invitation metadata
        ...
    }
}

My reset-password screen is set to include custom data:

User metadata: test
App metadata: test

However, I don’t get anything in the ResetPassword context:

JSON.stringify(new ResetPassword().user) =>

{
  "id": null,
  "username": null,
  "email": null,
  "picture": null,
  "phoneNumber": null,
  "userMetadata": null,
  "appMetadata": null,
  "enrolledFactors": null,
  "enrolledEmails": null,
  "enrolledPhoneNumbers": null,
  "enrolledDevices": null,
  "organizations": null
}

Is metadata not accessible in reset-password? Or am I missing something?

Any help would be greatly appreciated.

Hi @amin.kchaou

Welcome to the Auth0 Community!

After looking into this matter, it appears to be a design choice not having access to all user data within the ResetPassword context, as the user is not considered fully authenticated at that point and the system will not return the full details of the user. The password reset flow in ACUL is treated as a “pre-authentication” state and the transaction seems to restrict some user data.

Looking at our documentation on how to Update User Metadata from Within a Post Change Password Action, while it does not cover our ACUL feature, it outlines the logic used within the password reset/change flow, where it is not possible to update user metadata directly within this flow, as the event.user object will not include details like app_metadata and user_metadata.

Reading and changing user metadata is possible via a Post-Login Action for example, as the user is in an authenticated state at the time when this Action is triggered, which does grant access to more information about the user.

While this currently appears to be a limitation, I recommend submitting a Feature Request where others can vote on the idea. As our Product team monitors this page, high traffic on a Feature Idea can help speed up its development.

Hope this helped!
Gerald

Hi @gerald.czifra

Thank you for the clarification! I suspected that it had something to do with the authentication state of the user. I’ll make a feature request for it as it makes sense to me to allow us to choose if user data should be passed to ACUL or not.

In the meantime, do you have a recommendation on how to handle this invitation flow in ACUL:

User A invites user B. User B gets a customized invitation email saying they got invited by user A as Role (already done). User B clicks the invitation link and gets redirected to the reset-password screen. User B should see Set new password instead of Reset password, and optionally some flavor text like “You got invited by user A as Role”.

Thanks