I am trying to implement a user pre-registration hook in our passwordless login that will deny registration based on the results of a call to one of my servers.
To avoid exposing the results of the request to my server, I’d like to deny registration without an error response from /passwordless/start. My concern is that if /passwordless/start is conditionally returning an error response based on my internal data, it is now vulnerable to phishing.
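```js
const axios = require('axios');

module.exports = async function (user, context, cb) {
  var response = {};
  // axios.get returns a promise, so it has to be awaited; a non-2xx status
  // rejects and is treated here as "cannot register" (assumption)
  const canRegister = await axios.get('https://myserver.com/validate')
    .then(() => true, () => false);
  if (canRegister) {
    cb(null, response);
  } else {
    // bail out of registration process without error
    cb(null, ?);
  }
};
```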
Can the pre-registration hook handle stopping the process without errors?
The closest that you could achieve to this would be for the New Universal Login (but failing silently here would probably just be confusing):
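```js
const axios = require('axios');

module.exports = async function (user, context, cb) {
  var response = {};
  // axios.get returns a promise, so it has to be awaited; a non-2xx status
  // rejects and is treated here as "cannot register" (assumption)
  const canRegister = await axios.get('https://myserver.com/validate')
    .then(() => true, () => false);
  if (canRegister) {
    cb(null, response);
  } else {
    // pass an empty string to not display an error in the new universal login
    return cb(new PreUserRegistrationError(''));
  }
};
```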
It would be great to get your feedback about this in a feature request in our new Feedback category: Feedback - Auth0 Community
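The following is an added example, not code from the thread or from Auth0: it keeps the empty-message denial from the answer above and makes every denial path (validation says no, validation server down, validation server hanging) produce the same result, so the response does not reveal which one occurred. It does not hide the denial itself. `makeHook`, `httpGet`, the `{ allowed: ... }` response shape and the `validation.example` URL are assumptions made for illustration.

```javascript
// Added example. Assumptions: the validation endpoint answers with JSON
// { allowed: true|false }; makeHook/httpGet are hypothetical names that let
// the decision logic run offline with a stand-in HTTP client.
const DenyError = typeof PreUserRegistrationError !== 'undefined'
  ? PreUserRegistrationError          // global available inside the hook runtime
  : class extends Error {};           // stand-in when run outside Auth0

function makeHook(httpGet, url, timeoutMs = 2000) {
  return function (user, context, cb) {
    let done = false;
    const finish = (allowed) => {
      if (done) return;               // make sure cb is called exactly once
      done = true;
      clearTimeout(timer);
      // Every denial path yields the same empty-message error, so the caller
      // cannot tell "rejected" from "validation unavailable".
      if (allowed) cb(null, {});
      else cb(new DenyError(''));
    };
    const timer = setTimeout(() => finish(false), timeoutMs); // fail closed
    Promise.resolve()
      .then(() => httpGet(url, { timeout: timeoutMs }))
      .then((res) => finish(Boolean(res && res.data && res.data.allowed === true)))
      .catch(() => finish(false));    // network error or non-2xx: fail closed
  };
}

// In a real hook (assumed wiring):
//   const axios = require('axios');
//   module.exports = makeHook((u, c) => axios.get(u, c), '<validation URL>');

// Constructed stand-ins for the validation server.
const fakeAllow = async () => ({ data: { allowed: true } });
const fakeDeny = async () => ({ data: { allowed: false } });
const fakeDown = async () => { throw new Error('ECONNREFUSED'); };
const fakeHang = () => new Promise(() => {});   // never answers

// Runs a hook once and resolves with what it passed to cb.
function run(httpGet, timeoutMs) {
  const hook = makeHook(httpGet, 'https://validation.example/validate', timeoutMs);
  return new Promise((resolve) =>
    hook({}, {}, (err, response) => resolve({ err, response })));
}
```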