Creating new user (security issue)

It looks like anyone can create a new user if they get hold of the Client Id (easily available to the public) using the code below:
axios.post(`https://${process.env.REACT_APP_AUTH0_DOMAIN}/dbconnections/signup`, formData). Is there any way to restrict user creation?

Thank You
Sri

Hi @sri1,

Welcome to the Auth0 Community!

Signup is an open endpoint and can’t require an authenticated user (they don’t exist yet).

If you want to disable signups, you can do so in the connection settings.

Thanks for the reply @dan.woda,
I understand there cannot be an authenticated user for a new signup. There should be an option to set minimum security around the signup. For example, give an option to set CORS sites so that other websites cannot simply call the API and create users on Auth0. This will avoid DDoS kinds of attacks.

That would not prevent DDoS attacks. A CORS policy is only in place for browsers and won’t prevent malicious requests from other servers.

If you want to set up some custom parameters of who can sign up for your app, you can use Pre User Registration Flow Actions.

That endpoint also supports our Bot Detection features/CAPTCHA.
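An added example (not from this thread or from Auth0's own documentation) of the Pre User Registration Action approach mentioned above: it lets a database-connection signup proceed only when the email address belongs to an allow-listed domain, and denies it otherwise. The domain list, the connection name and the sample events in the test are assumptions.

```javascript
// Added example: an Auth0 Pre User Registration Action that restricts who may
// sign up. Not from the original thread; the allow-list and the connection
// name below are constructed assumptions, not values from the page.

// Assumption: only addresses at these domains may register through the
// database connection. Replace with the domains you actually control.
const ALLOWED_EMAIL_DOMAINS = ['example.com', 'example.org'];

// Assumption: the database connection targeted by /dbconnections/signup is
// named "Username-Password-Authentication" (Auth0's default name).
const GUARDED_CONNECTION = 'Username-Password-Authentication';

// Decide whether a registration attempt should proceed. Kept free of the
// Actions runtime so the policy can be unit-tested on its own.
function signupDecision(event) {
  const connection = event.connection && event.connection.name;
  if (connection !== GUARDED_CONNECTION) {
    return { allowed: true }; // other connections are not governed here
  }
  const email = ((event.user && event.user.email) || '').trim().toLowerCase();
  const at = email.lastIndexOf('@');
  const domain = at === -1 ? '' : email.slice(at + 1);
  if (!ALLOWED_EMAIL_DOMAINS.includes(domain)) {
    return {
      allowed: false,
      reason: `email domain "${domain || '(none)'}" is not on the signup allow-list`,
      userMessage: 'Signups are limited to approved email domains.',
    };
  }
  return { allowed: true };
}

// Actions entry point: Auth0 runs this before the user record is created.
// api.access.deny(reason, userMessage) aborts the signup; "reason" is written
// to the tenant logs and "userMessage" is shown to the person signing up.
async function onExecutePreUserRegistration(event, api) {
  const decision = signupDecision(event);
  if (!decision.allowed) {
    api.access.deny(decision.reason, decision.userMessage);
  }
}

exports.onExecutePreUserRegistration = onExecutePreUserRegistration;
exports.signupDecision = signupDecision;
```

Deploy it as a Pre User Registration Action in the tenant; the Action runs server-side, so it applies no matter which site or script calls the signup endpoint.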
