I’m encountering a problem when a user attempts to use the “password reset” functionality. If they attempt to use this functionality with an email that is not currently linked to an Auth0 account then they are prompted to create an account (or more precisely, they are prompted to set a password and doing so would create an account). However, due to the nature of the application I’m using Auth0 for, this means that some critical data is not created / stored, effectively creating a bugged account.
In order to mitigate this, I would like to disable the creation of a new account through the “password reset” functionality. However, I could not find any information about how to achieve something like this. If anyone can point me in the right direction it would be much appreciated.
Before we proceed, I am having trouble understanding if the user is resetting their passwords or if they are signing up.
Given that, could you please clarify if the user is creating an account (sign up page, new user) or if they are resetting their passwords (password reset page, existing user)?
Secondly, could you please explain in more detail how the account is bugging out? Is there a specific error or behavior you are noticing?
Generally, there is no way to prevent users from resetting their passwords. This is consistent with our Post Change Password Flow docs where there is no API Object, meaning that you will not be able to call the typical api.access.deny() method to deny users from setting their passwords.
Depending on your use case, one suggestion I can currently offer is to toggle on the Disable Sign Up switch to prevent new accounts from being created unless it’s done through your API credentials or Management Dashboard.
Update: Disable Sign up was already enabled and sadly does not resolve this issue.
To answer your questions:
The user is using the reset password feature, but is inputting an email that is not linked to an already existing Auth0 account within our tenant.
This creates a bugged account because we need to not only have their Auth0 account, but also link it to multiple bits of data within our own database. Normally this is handled when a user is created the conventional way, but when using the reset password way of creating an Auth0 account this crucial bit of linked data is missing.
My apologies if I was unclear on this in my original post. In no way do we want to disable the reset password functionality. However, we do want to disable the creation of a new Auth0 account through setting a password when inputting an unknown email address when requesting a password reset.
I am still unsure how the user gets prompted to create an account. Do they get redirected to the signup page at this point? Or is a Create user endpoint called at this point?
In general, the Password Reset functionality cannot prevent existing users from resetting their passwords. Moreover, this functionality will not have any effect on non-existent users.
But if a user is being created at this point, there must be a signup functionality invoked. If so, I recommend using a Pre-User Registration Action script to deny user creation. See here for an example.
I will also add that the Management API has a Link a user account endpoint, which you may find useful for manually linking these users.
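As an added illustration of the Pre-User Registration Action suggested above (example code written for this page, not taken from the thread or from Auth0's own samples): the Action denies account creation on the database connection unless the registration is attributed to an allow-listed client, so that only your backend (for example an M2M client calling the Management API) can create users, while any signup reached through the reset-password path is refused. The connection name, the client IDs, the shape of the sample events and the fake `api` object are assumptions made for illustration; in particular, whether `event.client` is populated for users created via the Management API is something to verify in your own tenant logs before relying on it.

```javascript
// Added example, not code from the forum thread or from Auth0.
// Auth0 Pre User Registration Action that denies self-service account creation.

// Assumed: client IDs allowed to create users (e.g. the M2M client your backend
// uses for the Management API "Create a user" endpoint). In a real deployment
// keep these in Action secrets (event.secrets), not in source.
const ALLOWED_CLIENT_IDS = new Set(["m2m-client-id-placeholder"]);

// Assumed: the database connection on which signups should be restricted.
const RESTRICTED_CONNECTION = "Username-Password-Authentication";

// Pure decision function so the policy can be tested without an Auth0 tenant.
// Returns true when the registration must be denied.
function shouldDenyRegistration(event) {
  const connectionName = event.connection && event.connection.name;
  if (connectionName !== RESTRICTED_CONNECTION) {
    return false; // other connections (social, enterprise) are left alone
  }
  const clientId = event.client && event.client.client_id;
  return !ALLOWED_CLIENT_IDS.has(clientId);
}

// Applies the policy through the Actions api object. Returns true if denied.
function applyPolicy(event, api) {
  if (shouldDenyRegistration(event)) {
    api.access.deny(
      "self_service_registration_disabled", // reason, visible in tenant logs
      "Account creation is disabled. Please contact support." // shown to the user
    );
    return true;
  }
  return false;
}

// Auth0 Actions entry point for the Pre User Registration trigger.
const onExecutePreUserRegistration = async (event, api) => {
  applyPolicy(event, api);
};
// Auth0 expects the handler on `exports`; guarded so the file also runs as ESM.
if (typeof exports !== "undefined") {
  exports.onExecutePreUserRegistration = onExecutePreUserRegistration;
}

// Constructed stand-in for Auth0's api object, recording deny() calls.
function fakeApi() {
  const calls = [];
  return {
    calls,
    access: { deny: (reason, userMessage) => calls.push({ reason, userMessage }) },
  };
}

// Constructed sample events (assumed field layout, based on the documented
// event.connection / event.client / event.user properties).
const selfServiceSignup = {
  connection: { name: RESTRICTED_CONNECTION },
  client: { client_id: "spa-client-id-placeholder" },
  user: { email: "unknown@example.com" },
};
const backendCreatedUser = {
  connection: { name: RESTRICTED_CONNECTION },
  client: { client_id: "m2m-client-id-placeholder" },
  user: { email: "new.user@example.com" },
};
const socialSignup = {
  connection: { name: "google-oauth2" },
  client: { client_id: "spa-client-id-placeholder" },
  user: { email: "someone@example.com" },
};

// Stand-alone demonstration.
const demoApi = fakeApi();
console.log("self-service denied:", applyPolicy(selfServiceSignup, demoApi));
console.log("backend create denied:", applyPolicy(backendCreatedUser, demoApi));
console.log("social signup denied:", applyPolicy(socialSignup, demoApi));
console.log("deny() calls recorded:", demoApi.calls);
```

Deploy the handler part in Auth0 Actions > Flows > Pre User Registration. The denial is logged with the reason string, which also gives you a tenant-log trail for every blocked attempt that came through the reset-password path, so you can confirm that it is indeed the signup flow that was being invoked there.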