Overview
This article addresses an issue where a pre/post-user registration action fails to deny authentication despite api.access.deny being called in code similar to the following:
exports.onExecutePreUserRegistration = async (event, api) => {
  // rest of code omitted for brevity
  // The lookup result arrives in a callback; the action does not wait for it.
  auth0.users.getByEmail(event.user.email, function (err, users) {
    if (users[0] == undefined) {
      api.access.deny("Email is not present in primary connection", "Email is not allowed to register");
    }
  });
}
Applies To
- Pre/Post User Registration
- Actions
Cause
In this example, the issue occurs because the getByEmail function is asynchronous and api.access.deny is called within its callback. This allows the action to continue executing before api.access.deny is triggered, resulting in the user being registered despite the intention to deny registration.
Solution
The getByEmail function is asynchronous, and it is necessary to use await to ensure the correct order of execution. Otherwise, the rest of the action may finish executing before api.access.deny can be called.
Here is how the original example would be rewritten:
exports.onExecutePreUserRegistration = async (event, api) => {
  // code omitted for brevity
  const users = await auth0.users.getByEmail(event.user.email);
  if (users[0] == undefined) {
    api.access.deny("Email is not present in primary connection", "Email is not allowed to register");
  }
}
It is generally recommended to use async/await syntax instead of callbacks to ensure proper order of execution.
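The ordering problem described above can be reproduced offline. The following is an added example, not code from the original article or from Auth0: getByEmail, runAction and the directory data are constructed stand-ins, and the runtime model (the decision is read once the handler's promise settles) is a simplifying assumption.

```javascript
// Constructed stand-in for a user lookup that supports callback and promise styles
// (hypothetical; not the Auth0 Management API client).
const directory = new Set(["known@example.com"]);
function getByEmail(email, cb) {
  const lookup = new Promise((resolve) =>
    setTimeout(() => resolve(directory.has(email) ? [{ email }] : []), 10));
  if (typeof cb !== "function") return lookup;
  lookup.then((users) => cb(null, users)); // callback style: nothing to await
}

// Callback style: the async handler resolves before the callback has run.
const callbackHandler = async (event, api) => {
  getByEmail(event.user.email, (err, users) => {
    if (users[0] == undefined) api.access.deny("not in primary connection", "not allowed");
  });
};

// Awaited style: deny() is called before the handler's promise resolves.
const awaitedHandler = async (event, api) => {
  const users = await getByEmail(event.user.email);
  if (users[0] == undefined) api.access.deny("not in primary connection", "not allowed");
};

// Simplified runtime (assumption): the allow/deny decision is taken as soon as
// the handler's promise settles; a deny() arriving afterwards has no effect.
async function runAction(handler, email) {
  const state = { denied: false, decided: false, lateDeny: false };
  const deny = () => { if (state.decided) state.lateDeny = true; else state.denied = true; };
  await handler({ user: { email } }, { access: { deny } });
  state.decided = true;
  const registered = !state.denied;
  await new Promise((resolve) => setTimeout(resolve, 50)); // observe stray callbacks
  return { registered, lateDeny: state.lateDeny };
}

async function demo() {
  return {
    callback: await runAction(callbackHandler, "unknown@example.com"),
    awaited: await runAction(awaitedHandler, "unknown@example.com"),
    known: await runAction(awaitedHandler, "known@example.com"),
  };
}
demo().then((results) => console.log(results));
```

A lateDeny value of true in the callback run marks a deny call that arrived after the decision was already made, which is the symptom to look for when a registration goes through despite the check.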