Overview
This article provides guidance on creating an Auth0 Action that prevents social signups. The Action replaces the deprecated ‘No Social Signups’ Rule, as Auth0 is migrating from Rules to Actions for extensibility.
Applies To
- Actions
- Social Connection
Solution
// client_ids of the applications on which social signups are blocked.
// Applications that are not listed here are skipped by this Action.
const CLIENTS_ENABLED = ['YOUR_CLIENT_IDS_HERE'];

/**
 * Post-login Action that denies signups made through a social connection on
 * the applications listed in CLIENTS_ENABLED.
 *
 * A "signup" is recognised as a first login (`event.stats.logins_count === 1`)
 * whose primary identity is social. Such a user is tagged with the
 * `is_signup` app metadata entry and denied; any later login by a tagged user
 * is denied as well.
 *
 * NOTE(review): the Action denies the login; nothing here removes the user
 * record, and the `is_signup` flag is written to that record. A tagged user
 * stays blocked on the listed applications until the flag is cleared.
 *
 * NOTE(review): the first-login test only runs for listed applications, and
 * logins_count appears to be counted per user rather than per application
 * (confirm). Every application that shares the social connection should be
 * listed, otherwise a first login elsewhere is never tagged.
 *
 * @param {object} event - Post-login event; client, user and stats are read.
 * @param {object} api - Post-login API; api.user.setAppMetadata and
 *   api.access.deny are called.
 * @returns {Promise<void>}
 */
exports.onExecutePostLogin = async (event, api) => {
  const isProtectedClient = CLIENTS_ENABLED.includes(event.client.client_id);
  if (!isProtectedClient) {
    // Social signups remain allowed on this application.
    return;
  }

  // isSocial covers built-in and custom social connections, but only when the
  // social connection is the user's primary identity (identities[0]).
  // For built-in social connections only ('google-oauth2', 'github', ...) the
  // equivalent test is: event.connection.strategy === event.connection.name
  const primaryIsSocial = event.user.identities[0].isSocial;

  const denySocialSignup = () =>
    api.access.deny(`Signups to ${event.client.name} are not allowed for Social Accounts.`);

  const isFirstLogin = event.stats.logins_count === 1;
  if (primaryIsSocial && isFirstLogin) {
    // First login over a social connection. The flag is required because
    // logins_count is incremented even when this first attempt is denied, so
    // the count alone cannot identify the same user on the next attempt.
    api.user.setAppMetadata('is_signup', true);
    denySocialSignup();
  }

  const wasTaggedBefore = event.user.app_metadata.is_signup;
  if (wasTaggedBefore) {
    // The user already attempted a social signup on an earlier login.
    denySocialSignup();
  }
};
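The code example above shows how to block social signups with Actions. Replace `YOUR_CLIENT_IDS_HERE` with the client IDs of the applications to protect; applications that are not listed are left unaffected.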