Get client original API address in a custom login action script

Hi, I have a custom database connection with a custom login action script, as described here: Login Script Templates. I want to get the user's original IP address and send it to my BE, so that my backend knows the user's client IP on login. Is it possible?

3 Likes

Hi @petriv.roma,

Welcome to the Auth0 Community Forum!

I found this from a previous support case:

First off, assuming you are using the Universal Login Page, you could customize that page with some code to get the user’s IP/GeoIP information. For example: jquery - How to get client's IP address using JavaScript? - Stack Overflow.

Next, once you have the IP details of the client, you could add this to the user’s metadata during the signup process. If you are using the Lock widget for login/signup, you would do that via a hidden additional field (only applicable for database connections). For example…

additionalSignUpFields: [{
  type: "hidden",
  name: "ip",
  // placeholder: substitute the client IP obtained in the previous step
  value: "<client-ip-obtained-from-above>"
}]

Would that work for you?

1 Like

Hi @dan.woda. Thanks for the reply. We are using a custom login page. But anyway, we can’t rely on an IP set from the FE side. I assume Auth0 should know the real client IP since the login request is processed on the Auth0 side. So I am looking for a way to send that real client IP to the BE. Is it possible somehow?

I see. I am not sure you will be able to get the IP info in your custom DB script. However, you should be able to get the IP data from a rule, which you could set up to either send a request to your BE with the data or you could use it directly in the rule to block authentication etc.

@dan.woda Is it possible to determine if a request is a login request within a rule?

They will run on successful authentication. You can see some information about the authentication event via the context object. I am not sure what you mean by determine if it is a login, as they should all be some sort of login.

What are you wanting to do with the IP data? You can whitelist or blacklist IPs using rules too if that is your end goal.

I mean is there a way to run a rule only on log in? Because rules run on every authentication. Maybe it’s possible to determine if authentication is requested with email/password or something? IP data we need for an internal audit.

You can look up context.protocol value for that. If it is oauth2-resource-owner then it is for database connection with email/pwd authentication. Please note that rules run on every successful authentication and you don’t have access to anything else other than user email and password in your custom database login script.

2 Likes
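Added example, not part of the thread and not Auth0's own code: a rule-style function that forwards the IP to an audit backend only when `context.protocol` is the value named above. It assumes `context.request.ip` and `context.request.userAgent` carry what Auth0 observed; `postAudit`, `buildAuditEvent` and the event field names are hypothetical, and the sample inputs are constructed.

```javascript
// Protocol value quoted in the thread for database (email/password) logins.
const PASSWORD_PROTOCOL = "oauth2-resource-owner";

// Build the audit record from server-side data only; nothing here is
// taken from fields the browser can set (unlike a hidden signup field).
function buildAuditEvent(user, context) {
  const req = context.request || {};
  return {
    user_id: user.user_id,
    email: user.email,
    ip: req.ip || null, // address Auth0 saw; if your own server calls the
                        // password grant, this is that server's address
    user_agent: req.userAgent || null,
    protocol: context.protocol,
    connection: context.connection || null,
    at: new Date().toISOString(),
  };
}

// Rule body. In a real rule the signature is (user, context, callback);
// postAudit(event, done) is injected here (hypothetical) so it runs offline.
function auditLoginIp(user, context, callback, postAudit) {
  if (context.protocol !== PASSWORD_PROTOCOL) {
    return callback(null, user, context); // other flows: skip the audit call
  }
  postAudit(buildAuditEvent(user, context), function (err) {
    // Fail open: an unreachable audit backend must not block logins.
    // Pass an error to callback instead if the audit has to be mandatory.
    if (err) console.log("audit post failed: " + err.message);
    callback(null, user, context);
  });
}

// Constructed sample run with an in-memory sender.
const sampleUser = { user_id: "auth0|sample", email: "user@example.com" };
const sampleContext = {
  protocol: PASSWORD_PROTOCOL,
  connection: "custom-db",
  request: { ip: "203.0.113.7", userAgent: "sample-agent/1.0" },
};
auditLoginIp(sampleUser, sampleContext, () => {}, (event, done) => {
  console.log(JSON.stringify(event));
  done(null);
});
```

In a deployed rule, `postAudit` would be an authenticated HTTPS POST to your backend with a short timeout, so a slow audit endpoint does not stall authentication.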
