We’re using the classic universal login (w/ Lock) and need to conditionally apply restrictions to signup email domains (we’re conditionally applying this check based on values passed through to config.extraParams, which don’t appear to be available in Rules or Actions, so we can’t use those). There doesn’t appear to be any way to pause/cancel the authentication process from within the "signup submit" event handler, which we’d expect – even throwing an error there seems to have no effect. Is there something we’re missing? Or is there a way to provide a custom email validation function via the Lock options?
Firstly, I do not recommend using the config.extraParams as a method to conditionally apply restrictions to sign up since a user can simply bypass the restriction by omitting that query parameter. Moreover, there is no way to prevent sign-up in the HTML code.
In this case, I recommend using a Pre-User Registration action to prevent users from signing up if they do not meet your requirements for email validation.
Hi @rueben.tiow Thanks for the reply. We do need to be able to conditionally restrict the email domains based upon parameters that we provide – specifically, we need to confirm that users are signing up with domains that match their intended use (corporate, personal, academic, etc.) - how can we provide custom parameters to the pre-user reg action to know when to apply the checks? Without that, the actions are useless in this case.
Thanks!
Unfortunately, this is not possible, as you have discovered, and to reiterate, I would not recommend using the config.extraParams for this since an attacker could bypass any restrictions by omitting or passing the correct query parameter. Access control logic should never be determined by query parameters because it is a security risk.
Now, could you please provide an example of a condition that would pass and one that would fail based on the user’s email domain? I will try my best to see if I can offer a solution or workaround.
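A sketch of the Pre-User Registration approach recommended above, added here as an example and not code from the thread or from Auth0. It assumes the domain policy is selected server-side from the application's `client_id` instead of from request parameters; `POLICY_BY_CLIENT`, its client IDs, and its domains are constructed placeholders, and matching subdomains is a design choice of this example.

```javascript
// Added example: server-side email-domain policy for a Pre-User Registration Action.
// Assumption: policy is keyed on the application (event.client.client_id),
// a value the user cannot alter from the login page. All IDs/domains are placeholders.
const POLICY_BY_CLIENT = {
  CLIENT_ID_CORPORATE: { mode: 'allow', domains: ['example-corp.com'] },
  CLIENT_ID_PERSONAL: { mode: 'deny', domains: ['example-corp.com', 'example.edu'] },
};

// Extract and normalise the domain: split on the last "@", lower-case,
// strip one trailing dot. Returns null for anything malformed.
function domainOf(email) {
  if (typeof email !== 'string') return null;
  const at = email.lastIndexOf('@');
  if (at < 1 || at === email.length - 1) return null;
  const domain = email.slice(at + 1).trim().toLowerCase().replace(/\.$/, '');
  return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(domain) ? domain : null;
}

// Exact match or a true subdomain, so "evil-example-corp.com" does not
// match "example-corp.com" the way a plain endsWith() check would.
function matches(domain, listed) {
  return domain === listed || domain.endsWith('.' + listed);
}

// Fail closed: an unparseable email or a missing policy is a denial.
function isSignupAllowed(email, policy) {
  const domain = domainOf(email);
  if (!domain || !policy) return false;
  const hit = policy.domains.some((d) => matches(domain, d));
  return policy.mode === 'allow' ? hit : !hit;
}

const onExecutePreUserRegistration = async (event, api) => {
  const clientId = event.client && event.client.client_id;
  const known = Object.prototype.hasOwnProperty.call(POLICY_BY_CLIENT, clientId);
  const policy = known ? POLICY_BY_CLIENT[clientId] : undefined;
  if (!isSignupAllowed(event.user.email, policy)) {
    // deny(reason, userMessage): reason is logged, userMessage is shown to the user.
    api.access.deny('email_domain_not_permitted',
      'This email domain cannot be used to sign up here.');
  }
};

// Actions load the handler from exports; the guard keeps the file runnable elsewhere.
if (typeof exports !== 'undefined') {
  exports.onExecutePreUserRegistration = onExecutePreUserRegistration;
}
```

Because the check runs in the Action, removing or changing a query parameter on the login page has no effect on which policy applies.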