Thank you for your reply.
(Sorry for many edits)
We are considering the following UI operation process, if we can:
1. A user will sign up from our mobile app (Universal Login with Lock UI) with the user’s email address and password (and with First/Last name in a custom additional form via Lock UI).
2. We send a verification email to the user from the Auth0 platform (with our external email provider) after the user’s sign-up.
3. We also show the Lock UI in our mobile app with the message, “Thanks for signing up. Please check our email to verify your email.”; this can be done with the “loginAfterSignup: false” option in the Lock UI configuration to block automatic login after sign-up. We don’t know if we can customize the message in the UI.
4. The user will go to an email app to verify his/her email and open the email verification link (which we sent via the verification email) in any browser.
5. The user will go back to our mobile app to return to the login form; if we can show the login form in our mobile app automatically after step #4, that’s great. Or if we can customize the “Thanks for signing up” dialog of Lock UI to add a link to go back to the “Login form”, that’s great also.
6. After email verification, the user will fill in username/password to log in, and he/she can log in.
If the user skips step #4 or inputs an invalid email for the registration at step #1, we would like to block any login of the registered user from our mobile app, and we want to explain the situation to the user more explicitly in Lock UI (or the login UI) with a message like “Your email is not verified yet, and please find your email verification link in our email we have sent.” etc.
I think that it’s more understandable for end users (from the user experience perspective) if this feedback happens at the login form. Also, we don’t like to make the app responsible for handling such detailed situations, in order to separate the role of the app code.
That’s why we are seeking a solution in Lock UI, since Lock UI is very nice.
Also, if users in the username/password database keep the login state “never” for more than two weeks (14 days), we want to remove the users automatically via the Auth0 Management APIs. The rule solution will make the login count go up even before the email verification.
The rule solution you suggested in your first reply will not match this objective, because your Auth0 internal logic actually “allows” the “login” to accounts even with an unverified email (this means you can register your account with any wrong or non-existing email address, because email verification is not required by default). Please see the screenshots below to confirm the login count and pending state of the account.
If my understanding is correct, the root cause of our problem is:
- The login process of Lock UI will call two APIs in our case: 1) https://tenant_name.au.auth0.com/usernamepassword/login, then 2) https://tenant_name.au.auth0.com/login/callback
- The custom Rule for blocking unverified email accounts has an effect on the second API (callback), which returns a login error, but no effect on the first API (login).
- The API call to https://tenant_name.au.auth0.com/usernamepassword/login will return a successful result even with an unverified email account.
- Then the Lock UI will call the second API (callback), which will return the login error.
If we can customize a kind of hook in the first API (https://tenant_name.au.auth0.com/usernamepassword/login) above, then it seems that we can achieve what we want.
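
The 14-day cleanup described in the post, sketched as an added example (not part of the original post and not Auth0's own code): because the post reports that the login count rises even when a rule rejects the login, the selection keys on `email_verified` and account age rather than on the login count. `planCleanup` and the sample records are hypothetical; the field names are assumed to follow the Auth0 user profile (`user_id`, `email_verified`, `created_at`, `logins_count`).

```javascript
// Added example: choose accounts for the 14-day cleanup described in the post.
// Assumption: records use the Auth0 user profile fields user_id,
// email_verified, created_at and logins_count. Sample data is constructed.
const DAY_MS = 24 * 60 * 60 * 1000;

// Hypothetical helper: returns the ids to remove, plus the ids that a
// "logins_count === 0" filter would have missed.
function planCleanup(users, now, maxAgeDays = 14) {
  const cutoff = now.getTime() - maxAgeDays * DAY_MS;
  const remove = [];
  const missedByLoginCount = [];
  for (const u of users) {
    const created = Date.parse(u.created_at);
    if (Number.isNaN(created)) continue;      // no usable date: never delete on a guess
    if (u.email_verified !== false) continue; // only explicitly unverified accounts
    if (created >= cutoff) continue;          // not yet older than the grace period
    remove.push(u.user_id);
    // The post reports the count rising even when a rule rejects the login.
    if ((u.logins_count || 0) > 0) missedByLoginCount.push(u.user_id);
  }
  return { remove, missedByLoginCount };
}

// Constructed sample records (not real accounts).
const SAMPLE_USERS = [
  { user_id: 'auth0|c001', email_verified: false, created_at: '2024-01-01T00:00:00.000Z', logins_count: 0 },
  { user_id: 'auth0|c002', email_verified: false, created_at: '2024-01-02T00:00:00.000Z', logins_count: 3 },
  { user_id: 'auth0|c003', email_verified: true, created_at: '2024-01-01T00:00:00.000Z', logins_count: 0 },
  { user_id: 'auth0|c004', email_verified: false, created_at: '2024-01-25T00:00:00.000Z', logins_count: 1 },
  { user_id: 'auth0|c005', email_verified: false, created_at: '2024-01-18T00:00:00.000Z', logins_count: 0 },
  { user_id: 'auth0|c006', email_verified: false }, // created_at missing
];

const plan = planCleanup(SAMPLE_USERS, new Date('2024-02-01T00:00:00.000Z'));
console.log(plan);
```

The returned ids are what a scheduled job would pass to the Management API when deleting users; the account created exactly 14 days earlier is kept, since the post asks for "more than" two weeks.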