In my application, users can delete their account. They should also be able to reactivate their account using the same sign up form that is used to register new users. We are using Auth0 for our authentication and sign up flows. So, when a user tries to reactivate his existing account using the sign up form, Auth0 returns the “The user already exists.” error, which makes me wonder: what is the best way of achieving the behavior that I described above?
If I should do it through the sign up form, how do I override this check of “user exists therefore we should return an error”, and instead sign in the user, sending a request to the backend at /reactivate?
If users are experiencing the “The user already exists” error, then it means that their account was not completely deleted. If a user were deleted permanently, not only would they be unable to “recover” their account, they would also be forced to sign up again.
If you need the users to “recover” their account, consider a soft delete (suspend account) option, where the account isn’t fully deleted, by adding a user_metadata boolean field to enforce this.
For example:
    {
      "user_metadata": {
        "soft_delete": true
      }
    }
If they would like to recover that account in the future, you would change the field and restore full access to the user’s profile.
As a nuclear option, you can also have a permanent delete option, and this would warn the user that deleting their account is irreversible.
Let me know if you have any follow-up questions on this.
Thanks for your answer! soft_delete indeed blocks the user. However, the user is still not able to “sign up” into that blocked user to “recover” the account. To make it possible, I am trying to set up an Auth0 action that checks whether the user was deleted in a pre-user-registration action, and if so, reactivates the user automatically.
I have another problem: How do I actually perform the request from an Auth0 action to my backend? In particular, maybe there is a webhook for that? Or do I have to do an HTTP request? If so, what is the best practice for storing secrets for authorization? Maybe I can access the Auth0 management token from my action and use that?
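One way to connect the soft-delete flag to the backend's /reactivate endpoint, as an added example that is not from the thread or from Auth0: a post-login Action that reads a shared key from the Action's secrets (`event.secrets`), calls the backend, and fails closed if the call does not succeed. `BACKEND_URL`, `BACKEND_API_KEY`, `handlePostLogin`, the request body shape, and the choice to reactivate on the next successful login are assumptions.

```javascript
// Added example: Auth0 post-login Action (Node.js runtime).
// Hypothetical names: BACKEND_URL and BACKEND_API_KEY (Action secrets), handlePostLogin.
async function handlePostLogin(event, api, fetchImpl) {
  // Flag name taken from the answer above. user_metadata is meant for
  // user-editable profile data; a flag that gates access is usually kept in
  // app_metadata instead, so users cannot change it themselves.
  const meta = event.user.user_metadata || {};
  if (meta.soft_delete !== true) return 'active';

  // Secrets are configured on the Action in the dashboard and read at runtime
  // from event.secrets, so the key never appears in the Action's source.
  const { BACKEND_URL, BACKEND_API_KEY } = event.secrets || {};
  if (!BACKEND_URL || !BACKEND_API_KEY) {
    api.access.deny('Account is deactivated.');
    return 'denied';
  }

  try {
    const res = await fetchImpl(`${BACKEND_URL}/reactivate`, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        Authorization: `Bearer ${BACKEND_API_KEY}`,
      },
      body: JSON.stringify({ user_id: event.user.user_id }),
      signal: AbortSignal.timeout(3000), // do not hang the login flow
    });
    if (!res.ok) throw new Error(`backend returned ${res.status}`);
  } catch (err) {
    // Fail closed: a soft-deleted account stays blocked if the backend
    // cannot confirm the reactivation.
    api.access.deny('Account is deactivated and could not be restored.');
    return 'denied';
  }

  // Backend confirmed: clear the flag so later logins skip this branch.
  api.user.setUserMetadata('soft_delete', false);
  return 'reactivated';
}

// Auth0 invokes this export with (event, api); fetch is the runtime's global.
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = (event, api) => handlePostLogin(event, api, fetch);
}
```

The backend should compare the bearer value against its own copy of the key and reject any /reactivate request that lacks it, since the endpoint changes account state.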