Best practices for implementing reactivation of users?

In my application, users can delete their account. They should also be able to reactivate their account using the same sign-up form that is used to register new users. We are using Auth0 for our authentication and sign-up flows. So, when a user tries to reactivate their existing account using the sign-up form, Auth0 returns the “The user already exists.” error, which makes me wonder what the best way is to achieve the behavior that I described above.

If I should do it through the sign-up form, how do I override this check of “user exists, therefore we should return an error” and instead sign in the user, sending a request to the backend at /reactivate?

Hi @guzeev,

Welcome to the Auth0 Community!

If users are experiencing the “The user already exists” error, then it means that their account was not completely deleted. If a user were deleted permanently, not only would they be unable to “recover” their account, they would also be forced to sign up again.

If you need the users to “recover” their account, consider a soft delete (suspend account) option, where the account isn’t fully deleted, by adding a user_metadata boolean field to enforce this.

For example:

{
  "user_metadata": {
    "soft_delete": true
  }
}

If they would like to recover that account in the future, you would change the field and restore full access to the user’s profile.

As a nuclear option, you can also have a permanent delete option, and this would warn the user that deleting their account is irreversible.

Let me know if you have any follow-up questions on this.

Thanks,
Rueben

Thanks for your answer! soft_delete indeed blocks the user. However, the user is still not able to “sign up” into that blocked user to “recover” the account. To make it possible, I am trying to set up an Auth0 action that checks whether the user was deleted in a pre-user-registration action, and if so, reactivates the user automatically.

I have another problem: how do I actually perform the request from an Auth0 action to my backend? In particular, maybe there is a webhook for that? Or do I have to do an HTTP request? If so, what is the best practice for storing secrets for authorization? Maybe I can access the Auth0 management token from my action and use that?

Thanks!

Hi @guzeev,

If you soft delete a user, they should be able to log in to their account without signing up again. This is because their account has not been permanently deleted. Therefore, if they try to sign up, they will run into the “The user already exists” error for this scenario.

For this to work, you could use a post-login action instead to check the user_metadata.soft_delete field. If it’s true, you could redirect them to another page to see if they would like to recover their account. If it’s false, they can continue logging in as usual.

As for your second question, you can perform an HTTPS request to your backend in your Action. I suggest referring to this knowledge article for an example to make this request.

For storing secrets, you can include them in the Secrets section in your Action script. I recommend checking out this documentation on how to accomplish this.

Thanks,
Rueben
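
The post-login flow described in the answer above, as an added example that is not part of the original thread and is not Auth0's own code: it redirects soft-deleted users to a recovery page, and on return calls the backend's /reactivate endpoint with a key held in the Action's Secrets. The secret names (REDIRECT_SECRET, RECOVERY_URL, BACKEND_URL, BACKEND_API_KEY), the `recover` claim sent back by the recovery page, and the backend's response contract are assumptions.

```javascript
// Added example: Auth0 post-login Action (Node 18+ runtime with global fetch assumed).
// Secret names, the `recover` claim and the backend contract are assumptions.
async function onExecutePostLogin(event, api) {
  const meta = event.user.user_metadata || {};
  if (meta.soft_delete !== true) return; // active account: normal login

  // Sign the hand-off so the recovery page can trust who is being asked.
  const token = api.redirect.encodeToken({
    secret: event.secrets.REDIRECT_SECRET,
    expiresInSeconds: 300,
    payload: { email: event.user.email },
  });
  api.redirect.sendUserTo(event.secrets.RECOVERY_URL, {
    query: { session_token: token },
  });
}

async function onContinuePostLogin(event, api) {
  // Throws if the returned token is missing, expired or not signed with our secret.
  const claims = api.redirect.validateToken({
    secret: event.secrets.REDIRECT_SECRET,
    tokenParameterName: "session_token",
  });
  if (claims.recover !== true) {
    return api.access.deny("This account is deactivated.");
  }
  // Server-to-server call; the API key lives in the Action's Secrets, not in code.
  const res = await fetch(`${event.secrets.BACKEND_URL}/reactivate`, {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Authorization: `Bearer ${event.secrets.BACKEND_API_KEY}`,
    },
    body: JSON.stringify({ user_id: event.user.user_id }),
  });
  if (!res.ok) return api.access.deny("Reactivation failed, try again later.");
  api.user.setUserMetadata("soft_delete", false); // only after the backend agreed
}

// Auth0 loads Actions as CommonJS modules and looks for these export names.
if (typeof exports !== "undefined") {
  Object.assign(exports, { onExecutePostLogin, onContinuePostLogin });
}
```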