I’m not the first one to ask this: Enforce terms consent for social login via lock. But I haven’t seen a satisfying solution.
With the mustAcceptTerms: true option set in Locks, users who sign up with an IdP are forced to check the terms-and-conditions checkbox. Great! However, as has been pointed out, they can still log in with that IdP, bypassing the terms-and-conditions check.
The linked solution suggests adding a rule to check for an app_metadata.terms_accepted flag. However, no such flag gets set when the user checks the checkbox. You can create an additional hidden property, but that only works for database accounts.
As far as I can tell, there is no way to tell if an IdP user has checked the terms-and-conditions checkbox the first time they log in or sign up. So the solution is to…always assume they haven’t checked it? That would be a terrible user experience for users who actually did.
Am I missing something obvious here? I worked on this problem for nearly twelve hours yesterday and have not come up with a viable solution.
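
An added example, not part of the original post and not Auth0's own code: one way to structure the rule check discussed above so that it does not depend on the Lock checkbox. Any user without app_metadata.terms_accepted, IdP or database, is sent once to a consent page, and the flag is recorded when they return. The consent URL and the terms_accepted query parameter are hypothetical; context.redirect, the "redirect-callback" protocol value and auth0.users.updateAppMetadata are assumed to behave as they do inside Auth0 Rules.

```javascript
// Added example: Auth0 Rule-style gate on app_metadata.terms_accepted.
// CONSENT_URL and the terms_accepted query parameter are hypothetical.
const CONSENT_URL = "https://app.example.com/terms-consent";

// Pure decision step, kept separate from side effects so it can be tested.
function termsDecision(user, context) {
  const meta = user.app_metadata || {};
  if (meta.terms_accepted === true) return { action: "allow" };

  // Second pass: the user is returning from the consent page.
  if (context.protocol === "redirect-callback") {
    const q = (context.request && context.request.query) || {};
    return q.terms_accepted === "true"
      ? { action: "record" }
      : { action: "deny" };
  }
  // First pass without the flag: applies to database and IdP users alike.
  return { action: "redirect", url: CONSENT_URL };
}

// Rule entry point in the (user, context, callback) shape Auth0 Rules use.
// `auth0` is the management client global available inside a Rule.
function enforceTermsConsent(user, context, callback) {
  const decision = termsDecision(user, context);
  switch (decision.action) {
    case "allow":
      return callback(null, user, context);
    case "redirect":
      context.redirect = { url: decision.url };
      return callback(null, user, context);
    case "record":
      // Persist the flag so later logins skip the consent page.
      user.app_metadata = Object.assign({}, user.app_metadata, {
        terms_accepted: true,
      });
      return auth0.users
        .updateAppMetadata(user.user_id, user.app_metadata)
        .then(() => callback(null, user, context))
        .catch((err) => callback(err));
    default:
      return callback(new Error("Terms and conditions were not accepted"));
  }
}
```

In a real deployment the value returned from the consent page should be something the rule can verify, such as a signed token, rather than a bare query parameter.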