Conditionally apply custom email validation in Lock

Hi,

We’re using the classic universal login (w/ Lock) and need to conditionally apply restrictions to signup email domains (we’re conditionally applying this check based on values passed through to config.extraParams, which don’t appear to be available in Rules or Actions, so we can’t use those). There doesn’t appear to be any way to pause/cancel the authentication process from within the "signup submit" event handler, which we’d expect – even throwing an error there seems to have no effect. Is there something we’re missing? Or is there a way to provide a custom email validation function via the Lock options?

Thanks!

Hi @acrlq,

Thanks for reaching out to the Auth0 Community!

Firstly, I do not recommend using the config.extraParams as a method to conditionally apply restrictions to sign up since a user can simply bypass the restriction by omitting that query parameter. Moreover, there is no way to prevent sign-up in the HTML code.

In this case, I recommend using a Pre-User Registration action to prevent users from signing up if they do not meet your requirements for email validation.

I recommend checking out our "Users are registering with email domains that we don't want to allow" FAQ as well.

Please let me know how this works for you.

Thanks,
Rueben

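To make the recommendation above concrete, here is an added example of what such a Pre-User Registration Action can look like. It is not code from this thread or from Auth0's documentation; the allowlist of domains is hypothetical and would live in the Action's own configuration, not in anything the browser sends. The point of the decision function is that the allowed domains are decided entirely server-side, so omitting or tampering with a query parameter in the Lock page cannot change the outcome. `event.user.email` and `api.access.deny(reason, userMessage)` are the Pre-User Registration Action API; everything else (the domain list, the helper names, the mock `api`) is assumed for the example.

```javascript
// Added example (not from the thread): an Auth0 Pre-User Registration Action that
// only lets users register with an email from a server-side allowlist of domains.
// The domain list is hypothetical; in a real Action keep it in the Action's
// configuration/secrets, never in a client-supplied parameter.

// Hypothetical allowlist: these exact domains plus any of their subdomains.
const ALLOWED_DOMAINS = ['example.com', 'example.edu'];

// Extract the domain from an email address, lower-cased, or null when the
// value is not a string with a local part, a single '@' separator and a domain.
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const trimmed = email.trim().toLowerCase();
  const at = trimmed.lastIndexOf('@');
  if (at <= 0 || at === trimmed.length - 1) return null;
  return trimmed.slice(at + 1);
}

// True when `domain` is an allowed domain or a subdomain of one. The leading
// '.' in the suffix check prevents "notexample.com" from matching "example.com".
function domainAllowed(domain, allowedDomains) {
  return allowedDomains.some(
    (allowed) => domain === allowed || domain.endsWith('.' + allowed)
  );
}

// Pure, synchronous decision: {allowed: true} or {allowed: false, reason, userMessage}.
// Kept free of side effects so it can be unit-tested outside the Actions runtime.
// A missing or malformed email is treated as a denial, not as "no check applies".
function decideRegistration(email, allowedDomains = ALLOWED_DOMAINS) {
  const domain = emailDomain(email);
  if (domain === null) {
    return {
      allowed: false,
      reason: 'missing_or_malformed_email',
      userMessage: 'A valid email address is required to sign up.',
    };
  }
  if (!domainAllowed(domain, allowedDomains)) {
    return {
      allowed: false,
      reason: 'domain_not_allowed:' + domain,
      userMessage: 'Sign-up is not available for this email domain.',
    };
  }
  return { allowed: true };
}

// The Action handler. In the Auth0 Action editor this function is assigned to
// exports.onExecutePreUserRegistration. `reason` goes to the tenant logs,
// `userMessage` is what the user sees.
async function onExecutePreUserRegistration(event, api) {
  const decision = decideRegistration(event.user && event.user.email);
  if (!decision.allowed) {
    api.access.deny(decision.reason, decision.userMessage);
  }
}

// Stand-alone demonstration with a constructed event and a mock `api` object
// (constructed for this example). Resolves to null when the sign-up is allowed,
// otherwise to the {reason, userMessage} that would have been sent to deny().
function runDemo(email) {
  let denied = null;
  const mockApi = {
    access: {
      deny: (reason, userMessage) => {
        denied = { reason, userMessage };
      },
    },
  };
  return onExecutePreUserRegistration({ user: { email } }, mockApi).then(() => denied);
}

runDemo('alice@mail.example.edu').then((d) => console.log('allowed subdomain ->', d));
runDemo('eve@example.com.attacker.net').then((d) => console.log('look-alike ->', d));
```

Note that the "corporate vs. personal vs. academic" distinction asked about later in the thread cannot be keyed off `config.extraParams` for exactly the reason given in the replies: the Action never sees it, and even if it did, the browser controls it. Any per-category behaviour has to be selected by something the tenant controls server-side, with the domain lists for each category defined in the Action, not passed in by the signup page.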

Hi @rueben.tiow Thanks for the reply. We do need to be able to conditionally restrict the email domains based upon parameters that we provide – specifically, we need to confirm that users are signing up with domains that match their intended use (corporate, personal, academic, etc.) - how can we provide custom parameters to the pre-user reg action to know when to apply the checks? Without that, the actions are useless in this case.
Thanks!

Hi again @rueben.tiow is it possible to access config.extraParams from within the Rules or Actions functions?

Hi @acrlq,

Thank you for your responses.

Unfortunately, this is not possible, as you have discovered, and to reiterate, I would not recommend using the config.extraParams for this since an attacker could bypass any restrictions by omitting or passing the correct query parameter. Access control logic should never be determined by query parameters because it is a security risk.

Now, could you please provide an example of a condition that would pass and one that would fail based on the user’s email domain? I will try my best to see if I can offer a solution or workaround.

Thanks,
Rueben
