Correct way to handle allowing user to update email address

We use Auth0 as the source of truth for our users' information.

In our API we want to allow a user to change their email address.

One option is to search Auth0 to check that the new email address isn’t already registered and, if not, update the user’s email address to the new one they have entered. The issue being there is a slight race condition in that in between the check to see if it doesn’t exist and the command to change it, someone else could register with that email address.

The other option ideally would be a webhook in that a management API call is made to Auth0 and it sends a hook back to tell us if it was successful or not.

I see Auth0 has a webhook which is triggered via the management API but in this scenario it’s pointless as the API call will fail if the user email address is already registered and therefore there is no need for a webhook.

I feel like as Auth0 is the commodity in charge of the information it should provide the infrastructure to handle race conditions/distributed transactions etc rather than the user of Auth0.

Is there an alternative approach to take here?

Hi @jonathan.channon,

Welcome to the Auth0 Community Forum!

If you attempt to update the user’s email address via PATCH /api/v2/users/{id} and the email already exists, you will receive:

{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "The specified new email already exists",
  "errorCode": "auth0_idp_error"
}

Doesn’t this eliminate the need to check if the email exists? Let me know if I am missing something here.
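The approach from the reply above, sketched as an added example (not code from the thread or from Auth0): attempt the update directly and treat the 400 response as the "email taken" outcome, so the uniqueness decision is made in one place. `FakeDirectory`, `change_email`, `demo` and the user IDs are hypothetical; `patch_user` stands in for an authenticated call to PATCH /api/v2/users/{id}, and matching on the message text assumes it stays as quoted in the reply.

```python
import json

EXISTS_MSG = "The specified new email already exists"  # text quoted in the reply


class FakeDirectory:
    """Constructed stand-in for the tenant; uniqueness is enforced inside the update."""

    def __init__(self, users):
        self.users = dict(users)  # user_id -> email

    def patch_user(self, user_id, body):
        email = body["email"]
        if any(e == email for uid, e in self.users.items() if uid != user_id):
            return 400, json.dumps({
                "statusCode": 400,
                "error": "Bad Request",
                "message": EXISTS_MSG,
                "errorCode": "auth0_idp_error",
            })
        self.users[user_id] = email
        return 200, json.dumps({"user_id": user_id, "email": email})


def change_email(patch_user, user_id, new_email):
    """Update without a prior search; return 'updated' or 'email_taken'."""
    status, raw = patch_user(user_id, {"email": new_email})
    if status == 200:
        return "updated"
    err = json.loads(raw)
    if status == 400 and err.get("message") == EXISTS_MSG:
        return "email_taken"
    # Anything else (auth failure, rate limit, ...) is not a uniqueness result.
    raise RuntimeError(f"unexpected response {status}: {err.get('errorCode')}")


def demo():
    d = FakeDirectory({"auth0|a": "a@example.com"})
    # A search-first design would see the address as free at this point...
    free_at_check = "new@example.com" not in d.users.values()
    # ...and then another sign-up takes it before the update is sent.
    d.users["auth0|b"] = "new@example.com"
    outcome = change_email(d.patch_user, "auth0|a", "new@example.com")
    return free_at_check, outcome, d.users["auth0|a"]


if __name__ == "__main__":
    print(demo())
```
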

