Deactivate account after sign up

Hi,
I would like to deactivate users based on the user role selected in my custom signup field. Essentially I want to restrict access to my app until the user account has been reviewed and approved. How can I do this with Auth0? After signup, can I send a request to block the user and also do a GET request to check the status of the block?
Please advise.

Thanks!

Hi @jerryforcode

Thanks for getting in touch with us here at Auth0 Community!

You could certainly do as you suggest, i.e. block the user via the Management API. Useful Management API endpoints for this would be:

Search for user by email:
https://auth0.com/docs/api/management/v2#!/Users_By_Email/get_users_by_email

Update a User: https://auth0.com/docs/api/management/v2#!/Users/patch_users_by_id

body=

{
  "blocked": true
}

However, there might be a simpler way via Auth0 Rules https://auth0.com/docs/rules and the user profile app_metadata https://auth0.com/docs/users/metadata

You could create a rule (rules fire on user login) that checks app_metadata for a flag; if the flag is not set, disallow login to a certain app (or all apps). You set the flag manually against the user account (a possible approval process) to indicate that the account is approved, and the user can then log in.

I played with a possible rule and the below should work for the above scenario (chop and change according to your use case).

// Auth0 Rule: deny login until an approver has set app_metadata.LoginStatus = "Reviewed".
function checkLoginStatus(user, context, callback) {
  // Only gate the named application; drop this check to gate every app in the tenant.
  if (context.clientName === 'My App 2') {
    // New sign-ups may have no app_metadata at all, so default to an empty object.
    user.app_metadata = user.app_metadata || {};
    // Anything other than the exact approved value is denied (default deny).
    if (user.app_metadata.LoginStatus !== "Reviewed") {
      return callback(
        new UnauthorizedError('This account needs to be reviewed before it can log in')
      );
    }
  }

  // Approved, or not a gated app: continue the login pipeline unchanged.
  callback(null, user, context);
}

Approved user accounts will have this flag in app_metadata; any account without this flag (e.g. new sign-ups) cannot log in:

{
  "LoginStatus" : "Reviewed"
}

I hope this helps get you started, any questions feel free to come back to me.
Regards
Saqib.


I appreciate this :slight_smile:

Everything worked. I just left out the if (context.clientName === 'My App 2') since it's only going to be one app (don't know if you recommend this for security reasons?).
However, I have a question with regards to the callback error denying access. That works and all, but how do I get that response when a user tries to log in? I want to show a modal or something to indicate an error. I was trying to subscribe to this.auth.loginWithRedirect to see if it would return an error response, but no luck.
Please advise

Seems like this.auth.error$ helps to determine this.

Hey @jerryforcode
The UnauthorizedError will redirect back to your callback URL with error and error_description query parameters so you can harness that information on your client.

You can also review this post about custom error pages https://community.auth0.com/t/render-a-custom-error-page-from-rule/61010
Regards

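As an added example (not code from this thread or from Auth0), the script below exercises an approval-gate rule of the shape posted above and the client-side handling of the error redirect described in the reply: it runs the rule offline against constructed users to show what happens with no app_metadata at all, with a non-approved value, with a non-gated application, and with the client-name check dropped (which gates every application in the tenant). makeApprovalRule, runRule, parseAuthError, the sample users and the sample callback URL are all constructed here; the error value unauthorized is assumed to be what Auth0 sends for a rule's UnauthorizedError.

```javascript
'use strict';

// Added example, not code from the Auth0 Community thread. Names such as
// makeApprovalRule, runRule and parseAuthError are chosen here and are not
// Auth0 APIs.

// The Rules sandbox provides UnauthorizedError globally; stand in for it here.
class UnauthorizedError extends Error {
  constructor(message) {
    super(message);
    this.name = 'UnauthorizedError';
  }
}

const REQUIRED_STATUS = 'Reviewed';

// Build the rule. gatedClients is an array of client names to gate, or null
// to gate every application in the tenant (what dropping the clientName
// check in the posted rule amounts to).
function makeApprovalRule(gatedClients) {
  return function checkLoginStatus(user, context, callback) {
    const gated = gatedClients === null || gatedClients.includes(context.clientName);
    if (gated) {
      // New sign-ups have no app_metadata yet; default-deny must survive undefined.
      const meta = user.app_metadata || {};
      if (meta.LoginStatus !== REQUIRED_STATUS) {
        return callback(
          new UnauthorizedError('This account needs to be reviewed before it can log in')
        );
      }
    }
    return callback(null, user, context);
  };
}

// Drive the rule the way the pipeline does and capture the callback outcome.
function runRule(rule, user, context) {
  let outcome = null;
  rule(user, context, (err) => {
    outcome = err
      ? { denied: true, reason: err.message, errorName: err.name }
      : { denied: false };
  });
  return outcome;
}

// Client side: a denied rule sends the browser back to the callback URL with
// error and error_description query parameters. Return them, or null when the
// callback carries a normal authorization response (code/state) instead.
function parseAuthError(callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  if (!params.has('error')) return null;
  return {
    error: params.get('error'),
    description: params.get('error_description') || '',
  };
}

// Constructed sample users (not real accounts).
const NEW_SIGNUP = { email: 'new@example.com' }; // no app_metadata at all
const PENDING_USER = { email: 'pending@example.com', app_metadata: { LoginStatus: 'Pending' } };
const REVIEWED_USER = { email: 'ok@example.com', app_metadata: { LoginStatus: 'Reviewed' } };

// Constructed callback URL of the shape Auth0 redirects to after a rule denies the login.
const DENIED_CALLBACK =
  'https://app.example.com/callback?error=unauthorized' +
  '&error_description=This%20account%20needs%20to%20be%20reviewed%20before%20it%20can%20log%20in';

function demo() {
  const oneApp = makeApprovalRule(['My App 2']);
  const allApps = makeApprovalRule(null);
  return {
    signupGated: runRule(oneApp, NEW_SIGNUP, { clientName: 'My App 2' }).denied,
    pendingGated: runRule(oneApp, PENDING_USER, { clientName: 'My App 2' }).denied,
    reviewedAllowed: !runRule(oneApp, REVIEWED_USER, { clientName: 'My App 2' }).denied,
    otherAppUngated: !runRule(oneApp, NEW_SIGNUP, { clientName: 'Admin Console' }).denied,
    allAppsGated: runRule(allApps, NEW_SIGNUP, { clientName: 'Admin Console' }).denied,
    redirectError: parseAuthError(DENIED_CALLBACK),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with node; the printed object shows the unreviewed sign-up and the pending user denied, the reviewed user allowed, and the same sign-up allowed into an application the rule does not gate until the client list is set to null. The parseAuthError result is what an app would read from window.location on its callback route to decide whether to show the "pending review" modal.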

Thanks @saqib.hussain … also, how can I clear the session after the attempt has been made? Because every time I click the login button again afterwards, I get redirected to the error, and it's a loop I can't get out of unless the user's app_metadata value is changed to “Reviewed”. But if I clear my browser cookies it goes away. I don't see the cookie set in my browser though (kinda confused).

Hi @jerryforcode
Thanks for getting back in touch with us.
It sounds like when you present your error page you will also need to clear your application session. How you do this depends on what SDK/library you're using, but it would be something you need to manage yourself. Some SDKs, when you implement logout, clear the application session as well; maybe you can piggyback on some of that functionality to clear your application session/cookie. Please review this doc on session layers, as it is worth looking at to understand the different sessions: https://auth0.com/docs/users/sessions/session-layers. Your relevant Auth0 library should be listed here https://auth0.com/docs/libraries, and the Quickstarts also help in breaking down the logout requirements https://auth0.com/docs/quickstarts

Please let me know if you need any further assistance on this.
Regards