API access denial from Action shows no error

Problem statement

We have New Universal Login, a passwordless connection and a pre-user-registration Action that conditionally denies access with api.access.deny("ERROR FOR LOGS", "ERROR FOR USER").
When the access denial is triggered, the NUL widget doesn’t show the “ERROR FOR USER” message.

Cause

In the passwordless flow, the api.access.deny call is encountered by the server when the postUsers call happens during initialization of the passwordless prompt (which prompts for the OTP code). However, all failures to send an OTP code are only logged and are not shown on the prompt UI.

This is currently by design: the same failure path also covers scenarios where an OTP failed to get sent to a non-existing user when sign-ups are disabled, and showing an error here creates a user enumeration risk.

Solution

Our engineering team has an item for it in their backlog and as soon as it is released we will make sure to let you know. Thank you!
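
An added example, not part of the original article or Auth0's own code: a pre-user-registration Action written so that the first argument of api.access.deny carries the diagnostic, since in the passwordless flow described above the logs are the only place the denial surfaces. The domain allowlist, ALLOWED_DOMAINS, denialFor, makeRecordingApi and runAction are assumptions for illustration; the article only says the Action denies "conditionally", and an email-based passwordless connection is assumed.

```javascript
// Added example. ALLOWED_DOMAINS and the domain rule are assumptions, not from the article.
const ALLOWED_DOMAINS = new Set(["example.com"]);

// Pure decision function: returns null to allow, or the two deny() arguments.
function denialFor(rawEmail) {
  const email = String(rawEmail || "").trim().toLowerCase();
  const at = email.lastIndexOf("@");
  const domain = at >= 0 ? email.slice(at + 1) : "";
  if (domain && ALLOWED_DOMAINS.has(domain)) return null;
  return {
    // Goes to the logs. Specific enough to triage, but only the domain is
    // recorded so the full address is not copied into the log message.
    reason: `signup denied: domain "${domain || "none"}" not in allowlist`,
    // Meant for the user. Kept generic; per the article it is not rendered
    // on the passwordless OTP prompt, so nothing should depend on it.
    userMessage: "Sign-up is not available for this email address.",
  };
}

// Handler with the signature Auth0 calls for the pre-user-registration trigger.
async function onExecutePreUserRegistration(event, api) {
  const denial = denialFor(event.user.email);
  if (denial) api.access.deny(denial.reason, denial.userMessage);
}
if (typeof exports !== "undefined") {
  exports.onExecutePreUserRegistration = onExecutePreUserRegistration;
}

// Local harness (hypothetical): a stand-in `api` that records deny() calls,
// so the Action can be exercised without a tenant.
function makeRecordingApi() {
  const calls = [];
  return { calls, access: { deny: (reason, userMessage) => calls.push({ reason, userMessage }) } };
}

// Runs the handler against a constructed event and returns the recorded calls.
async function runAction(email) {
  const api = makeRecordingApi();
  await onExecutePreUserRegistration({ user: { email } }, api);
  return api.calls;
}
```
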