Disable PW reset option for blocked users

Hi all,

I have an app for which I would like to prevent a blocked (brute-force) user from resetting his password through the link in the login window.

Yet, I want the non-blocked users to have this possibility.

Is this somehow possible through a custom action or a template change? I tried changing the “reset password” email template, but was not able to detect if the user is blocked or not inside of the email template using Liquid operators.

Hi @gateway.xelerators.s,

Welcome to the Auth0 Community!

Unfortunately, there is no out-of-the-box solution that would disable the forgot password link only for specified users such as blocked ones, since this is an all-or-nothing setting and Brute Force Protection was designed this way, to allow users to log in after a successful password reset. As already suggested in the community post, it would be beneficial to create a feedback request since others might be interested as well.

However, you can try a workaround method as you have previously mentioned. Checking for a blocked user inside the reset password template cannot be done directly, but if you can set a flag in app_metadata, then you can append this condition to the template:

{% if user.app_metadata.blocked == true %}
  <p>Your account is currently suspended.</p>
  <p>Please contact support at support@yourapp.com to restore access.</p>
{% endif %}

Or, based on the metadata flag, you could also deny access to the blocked user using the Password Reset Triggers.

The tricky part would be setting the flag to true after a user is blocked by Brute Force Protection. Different ways that I can think of would be:

  • Calling the Management API from your application (the recommended way would be to do this from a backend application), checking if the user is blocked using the Get a user’s blocks endpoint, then updating the user’s metadata with the required flag.
  • When Auth0’s built-in brute-force protection blocks an account, it generates a log event with the type limit_wc. Use an external log streaming service to capture this event, then update the user’s app_metadata.

Thank you for your post and if you have other questions please let me know.
Best regards,
Remus
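As an added illustration of the second approach in the reply above (it is not code from the post or from Auth0), the following backend snippet picks the limit_wc records out of a log-stream webhook batch and describes the Management API PATCH that sets app_metadata.blocked. The batch is a constructed sample, the payload shape (record under "data") is an assumption, and the tenant domain and token are placeholders; the token would need the update:users scope.

```python
import json
import urllib.parse
import urllib.request

# Constructed sample of a log-stream webhook batch. The shape (each entry
# wrapping the log record under "data") is an assumption about the stream
# format; "limit_wc" is the event type named in the reply above.
SAMPLE_BATCH = json.dumps([
    {"log_id": "CONSTRUCTED-1", "data": {"type": "limit_wc",
        "user_id": "auth0|abc123", "user_name": "alice@example.com"}},
    {"log_id": "CONSTRUCTED-2", "data": {"type": "s",
        "user_id": "auth0|def456", "user_name": "bob@example.com"}},
    {"log_id": "CONSTRUCTED-3", "data": {"type": "limit_wc",
        "user_id": "auth0|abc123", "user_name": "alice@example.com"}},
])

def blocked_user_ids(batch_json):
    """Distinct user_ids of records whose type is limit_wc, in order seen."""
    ids = []
    for entry in json.loads(batch_json):
        data = entry.get("data", {})
        if data.get("type") == "limit_wc" and data.get("user_id"):
            if data["user_id"] not in ids:
                ids.append(data["user_id"])
    return ids

def build_flag_request(domain, token, user_id, blocked=True):
    """Describe the Management API call that sets app_metadata.blocked.

    PATCH /api/v2/users/{id} merges app_metadata keys, so only the flag is
    sent and other profile fields are untouched. Pass blocked=False once the
    block is lifted, otherwise the reset link stays disabled for good.
    """
    return {
        "method": "PATCH",
        "url": f"https://{domain}/api/v2/users/"
               + urllib.parse.quote(user_id, safe=""),
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/json"},
        "body": json.dumps({"app_metadata": {"blocked": blocked}}),
    }

def send(req):
    """Send a request from build_flag_request (token needs update:users)."""
    r = urllib.request.Request(req["url"], data=req["body"].encode(),
                               headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(r) as resp:
        return resp.status
```

The same flag must be cleared (blocked=False) when the block expires or an admin unblocks the user, or the password reset link stays hidden after the brute-force block itself has been lifted.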
