api.access.deny Not Working as Expected in Pre/Post User Registration Action

Overview

This article addresses an issue where a pre/post-user registration action fails to deny authentication despite api.access.deny being called in code similar to the following:

exports.onExecutePreUserRegistration = async (event, api) => {
  // rest of code omitted for brevity
  // The lookup is not awaited, so the action can finish before the callback runs.
  auth0.users.getByEmail(event.user.email, function (err, users) {
    if (users[0] == undefined) {
      api.access.deny("Email is not present in primary connection", "Email is not allowed to register");
    }
  });
}

Applies To

  • Pre/Post User Registration
  • Actions

Cause

In this example, the issue occurs because the getByEmail function is asynchronous and api.access.deny is called within its callback. The action is not held up by the callback, so it can finish executing before api.access.deny is triggered, resulting in the user being registered despite the intention to deny registration.

Solution

The getByEmail function is asynchronous, and it is necessary to use await to ensure the correct order of execution. Otherwise the rest of the action may finish executing before api.access.deny can be called.

Here is how the original example would be rewritten:

exports.onExecutePreUserRegistration = async (event, api) => {
  // code omitted for brevity
  const users = await auth0.users.getByEmail(event.user.email); 
  if (users[0] == undefined) {
    api.access.deny("Email is not present in primary connection", "Email is not allowed to register");
  } 
}

It is generally recommended to use async/await syntax instead of callbacks to ensure proper order of execution.
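
The ordering problem can be reproduced offline with the added example below, which is not code from the original article or from Auth0. The stub auth0 client, the runAction harness and the e-mail addresses are constructed stand-ins, and the harness assumes the decision is read as soon as the handler's promise settles.

```javascript
// Constructed stand-in for the Management API client used on this page.
// It answers on a later event-loop turn, like a real network call would.
const knownEmails = new Set(["alice@example.com"]); // constructed sample data
const auth0 = {
  users: {
    getByEmail(email, cb) {
      const lookup = new Promise((resolve) =>
        setTimeout(() => resolve(knownEmails.has(email) ? [{ email }] : []), 10));
      if (typeof cb !== "function") return lookup; // promise style
      lookup.then((users) => cb(null, users));     // callback style
    },
  },
};

// Hypothetical runtime: the decision is read once the handler's promise
// settles; a deny() that arrives afterwards can no longer change it.
async function runAction(handler, email) {
  let denied = false, finished = false, lateDeny = false;
  const api = { access: { deny() { finished ? (lateDeny = true) : (denied = true); } } };
  await handler({ user: { email } }, api);
  finished = true;
  const decision = denied ? "denied" : "registered";
  await new Promise((resolve) => setTimeout(resolve, 50)); // observe stragglers
  return { decision, lateDeny };
}

const deny = (api) =>
  api.access.deny("Email is not present in primary connection", "Email is not allowed to register");

// Pattern from the article's first snippet: deny() sits inside a callback.
const callbackHandler = async (event, api) => {
  auth0.users.getByEmail(event.user.email, (err, users) => {
    if (users[0] == undefined) deny(api);
  });
};

// Pattern from the article's fix: the lookup is awaited before deciding.
const awaitHandler = async (event, api) => {
  const users = await auth0.users.getByEmail(event.user.email);
  if (users[0] == undefined) deny(api);
};

async function demo() {
  return {
    callbackUnknown: await runAction(callbackHandler, "mallory@example.com"),
    awaitUnknown: await runAction(awaitHandler, "mallory@example.com"),
    awaitKnown: await runAction(awaitHandler, "alice@example.com"),
  };
}
demo().then((results) => console.log(results));
```

In the callback case the harness reports the unknown address as registered with lateDeny set, which is the signature of a deny call that fired after the action had already completed.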
