I’m working on an application where a user can invite another user to join the app. I’m able to invite him and verify the email without any problem. My issue is that if the user doesn’t accept the invitation and he tries to log in X days later (or even the same day), he gets an error because the user already exists… My idea was to check if the user already exists in a hook or action and, based on some value in the app_metadata, delete it just before creating the new one… Is it doable? Is there a better way to achieve this?
Hi @francesco.venica, if you want to do an invite flow I would recommend looking into the solution proposed here which utilises the password reset email to double up as an invitation email too:
This way the user could be created via the Management API (e.g. your application could do a user search to check whether the user existed or not and, if not, create the user), and then you can either trigger the password reset email, or alternatively create a password reset ticket to send in a customised invitation email you send directly to the new user’s inbox.
If you just trigger the password reset email, you will likely want to edit the template’s wording so it makes sense both as a password reset email and an invitation email to the end user.
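The flow described in this answer, as an added example that is not part of the original post or Auth0's own code: search by email, create the user only if absent, then issue a password-change ticket to put in the invitation email. The `app_metadata.invited` flag, the refusal to re-invite an active account, the `call` transport parameter and the connection name are assumptions made for illustration.

```python
import json
import secrets
import urllib.parse
import urllib.request


def management_call(domain, token, method, path, body=None):
    """Send one Auth0 Management API v2 request and return the decoded JSON."""
    req = urllib.request.Request(
        f"https://{domain}/api/v2{path}",
        data=json.dumps(body).encode() if body is not None else None,
        method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def invite_user(email, call, connection="Username-Password-Authentication",
                ttl_sec=432000):
    """Create-or-reuse an invited user and return (user_id, ticket_url, created).

    `call(method, path, body)` is the transport, e.g.
    lambda m, p, b: management_call(DOMAIN, TOKEN, m, p, b)
    """
    email = email.strip().lower()
    found = call("GET", "/users-by-email?email=" + urllib.parse.quote(email), None)
    # Assumption: invited-but-not-activated users carry app_metadata.invited.
    pending = [u for u in found if u.get("app_metadata", {}).get("invited")]
    if found and not pending:
        # Never reset or delete an account that is already in use.
        raise ValueError("account already active")
    if pending:
        user, created = pending[0], False   # re-issue the invite, no deletion
    else:
        user = call("POST", "/users", {
            "email": email,
            "connection": connection,
            "password": secrets.token_urlsafe(32),  # random placeholder, never disclosed
            "email_verified": False,
            "app_metadata": {"invited": True},
        })
        created = True
    ticket = call("POST", "/tickets/password-change", {
        "user_id": user["user_id"],
        "ttl_sec": ttl_sec,                  # ticket lifetime in seconds
        "mark_email_as_verified": True,      # using the link proves mailbox ownership
    })
    return user["user_id"], ticket["ticket"], created
```

Clearing the `invited` flag once the user has set a password is left to the application.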
Hi @sgo, the invitation flow is already in place and it is working fine. I’m using the password ticket to reset the password and validate the email. The issue is when the user decides not to accept the invitation.
John invites Alex
Alex does not click on the invitation link
The next day Alex tries to register in the app without using the password reset link
Alex gets an error because the user already exists
My idea was (if possible) to delete the user (based on particular values in the app_metadata) in a pre-register hook/action, but I’m not 100% sure it is possible.
I’m not sure if that would be possible as I don’t think they’d get as far as triggering the hooks, but if it did work it could also open up the possibility of a kind of account takeover/griefing if you have an automated deletion of existing accounts.
I would recommend either disabling sign-ups for the connection, so they couldn’t attempt to register themselves and get into the user already exists issue; you would have a backend process that actually created the user and then the invite gives them a link to reset the password so they can access it.
Or, allow sign ups and have your invite be a link to a page on your site that will automatically redirect the user to an /authorize request which is configured to show the sign-up page instead of the default login page.
Please see this community FAQ for how to take a user straight to the sign-up page instead of the login page: