How to deal with unverified users

raph90 · October 5, 2022, 6:32am

Hi everyone,

I’m using a basic username - password flow, but I’m worried about spam bots clogging up my MAU count.

What would be the best way to deal with unverified users? Perhaps a cron job script that calls the API every week and deletes users that aren’t verified and who haven’t tried to login within x amount of time?

It would be great to hear feedback on this. Thanks!

rueben.tiow · October 6, 2022, 6:37pm

Hi @raph90,

Thanks for reaching out to the Auth0 Community!

The best way to deal with unverified users is to set up a Post-Login Action that checks if the user has verified their email.

If so, they can continue onto the application as usual. Otherwise, this will prevent them from consuming your Monthly Active Users (MAU) count.

Below is the Post-Login Action script needed to accomplish this:

exports.onExecutePostLogin = async (event, api) => {
  if (!event.user.email_verified) {
    api.access.deny(`Please verify your email address to continue onto ${event.client.name}.`);
  }
};

Please let me know if there’s anything else I can do to help.

Thanks,
Rueben

raph90 · October 9, 2022, 11:57am

Hi Rueben, thank you for your reply.

If I call api.redirect.sendUserTo instead of api.access.deny in that callback, will I still not be consuming my MAU count?

As it is, that callback is sending me back to my application with the error embedded in the URl.

Thanks,

Raph

fhn · October 11, 2022, 8:38pm

Calling “api.redirect.sendUserTo” instead of “api.access.deny” in that callback, will it account in MAU count?
Exactly same question to How to deal with unverified users - #4 by raph90

rueben.tiow · October 12, 2022, 3:20pm

Hi @raph90 and @fhn,

Thank you for both of your responses.

To answer both of your questions, using the api.redirect.sendUserTo will consume your MAU count, whereas the api.access.deny will not consume your MAU count.

This is because the redirect call requires a /continue endpoint to be called to resume authentication, thus increasing your MAU count.

I hope this helps!

Please reach out if you have any additional questions.

Thanks,
Rueben

fhn · October 13, 2022, 9:20pm

Thanks for conforming.
Now question is how to redirect user to a page using “api.access.deny” .

My requirement is not use MAU and also redirect to a page showing blocker message in good UI etc.

rueben.tiow · October 14, 2022, 5:27pm

Hi @fhn,

Thank you for your response.

When redirect users after denying them access, you will have to use a combination of both the api.access.deny() and api.redirect.sendUserTo() methods.

Allow me to clarify, the first step is to deny the user access by calling the api.access.deny() method, and then you can proceed with calling the api.redirect.sendUserTo() method to redirect them to your preferred page.

Please let me know if you have any additional questions.

Thanks,
Rueben

system · October 28, 2022, 5:28pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Resend email verification without increasing MAU Help email-verification , user-management	2	1392	April 10, 2023
Verifying users in Actions Knowledge Articles extensibility , actions	1	4359	June 6, 2022
How to redirect unverified users to email verification page? Help email-verification , user-management	1	2242	April 28, 2023
How to send verification email if un-verified login attempted? Help verification-email	3	3414	December 22, 2022
Code donation for action that ensures email is verified only for auth0 connections Help emails , management-api	1	10	October 1, 2024

How to deal with unverified users

Related topics