Auth0 post-login Action firing unexpectedly

dylanswartz · May 15, 2023, 3:12pm

Hey Folks!

I’m attempting to send a notification to slack every time a user signs up for an account for my application (as per this guide). Unfortunately, The post-user-registration doesn’t work as we have social logins enabled and I have confirmed the action does not run when a user authenticates with Google.

This led me down the path of using post-login and writing logic to only execute on first login (see this post). However I’m still seeing the action execute multiple times for users even though their login count is not incremented.

Here is the code for my action:

exports.onExecutePostLogin = async (event, api) => {

  // post-user-registration does not work for social logins so this solution was found here: 
  // https://community.auth0.com/t/how-to-distinguish-first-login-after-sign-up/94885
  // check if user has more than one login, or if this is a refresh token rotation, or a silent auth request
  const not_first_login = event.stats.logins_count > 1 ||
                          event.transaction?.protocol === 'oauth2-refresh-token' ||
                          event.request.query?.prompt === 'none';
  if (not_first_login) {
    console.log(`Skipping event for user ${event.user.user_id}`);
    return;
  }

  const initSlackNotify = require('slack-notify')

  const slack = initSlackNotify(event.secrets.SLACK_WEBHOOK_URL);
  const message = `New User: ${event.user.email}`

  slack.success({
    text: message
  })


};

I’ve received the slack notification at the following increments for one user that signed up on May 9th at 5:15am:
May 9th at 5:15am
May 10th at 10:20am
May 12 at 9:36am
May 15th at 6:07am

This user’s login count is still at 1 and the Auth0 dashboard shows that they logged in “6 days ago”. Any ideas?

Please pass this along as a formal feature request for post-user-registration to fire on social logins not just username/password database logins.

Dylan

gparascandolo · May 15, 2023, 4:05pm

Hi @dylanswartz

In addition to logins, the Post-Login Flow Auth0 Actions also execute when re-authenticating user sessions via refresh token rotations requests ( oauth2-refresh-token event transaction protocol) & silent authentication requests ( prompt=none in /authorize requests)

Depending on your implementation of Auth0, there may be other protocols that are triggering your Post-Login action that I didn’t take into account when writing the conditional. Sorry!
Take a look at the available protocols in the event.transaction object here: Actions Triggers: post-login - Event Object

There is also this existing feedback post that may interest you, if you’d like to vote on it.

dylanswartz · May 17, 2023, 3:39pm

Is there a way to identify via logs or something like that what other protocols are being used? We only use the email/password login and google social login on our React web app. Nothing too fancy.

gparascandolo · May 17, 2023, 6:10pm

@dylanswartz
You should be able to view your tenant logs and look at the event type that is triggering your Auth0 Actions - if you see the post-login Action under the “Action Details” tab for anything other than the “Successful login” event (type: “s”), that could help you discover the issue.
The different kind of Log Event codes can be found here: Log Event Type Codes
Let me know what event type you are seeing, and I’ll try to help you further

Also, if you’re able to replicate the Auth0 post-login action firing unexpectedly yourself, you can add console.log commands in your Auth0 Action and install the Real-time Webtask Log Extension to debug the issue.
But I suggest doing this on a development or staging tenant if possible.