How to bail out of a Pre-registration Hook without an error

jyi · February 11, 2021, 7:10pm

Hi,

I am trying to implement a user pre-registration hook in our passwordless login that will deny registration based on the results of a call to one of my servers.

To avoid exposing the results of the request to my server, I’d like to deny registration without an error response from /passwordless/start. My concern is that if /passwordless/start is conditionally returning error response based on my internal data, it is now vulnerable to phishing.

module.exports = function (user, context, cb) {
  var response = {};
  const canRegister = axios.get('myserver.com/validate')
  if (canRegister) {
      cb(null, response);
  } else {
      // bail out of registration process without error 
      cb(null, ?);
  }
};

Can pre-registration hook handle stopping the process without errors?

stephanie.chamblee · February 12, 2021, 9:00pm

Hi @jyi,

Welcome to the Community!

Unfortunately, I don’t believe it is possible to prevent the 400 error or customize the response to the /passwordless/start endpoint.

The following will be returned when a pre-registration error is raised:

{
    "error": "extensibility_error",
    "error_description": "undefined"
}

The closest that you could achieve to this would be for the New Universal Login (but failing silently here would probably just be confusing):

module.exports = function (user, context, cb) {
  var response = {};
  const canRegister = axios.get('myserver.com/validate')
  if (canRegister) {
      cb(null, response);
  } else {
      // pass an empty string to not display an error in the new universal login
      return cb(new PreUserRegistrationError('')); 
  }
};

It would be great to get your feedback about this in a feature request in our new Feedback category: Feedback - Auth0 Community

system · February 27, 2021, 9:01pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.