How to delete the user and prevent the deleted user re-sign up only with App client side?

jason8 · April 19, 2024, 2:33am

My App upload the App Store, due to its policy, I need provide a button to let user “Delete Account”. But the Auth0 delete account api need the backend service, now I want use the default trigger to call it, here is what I do.

User press on the “Delete Account” button at App side;
App auto modify user name as “Delete Account+{username}”
App call the modify password api to set the user password as random string.
Action call the Post Change Password trigger.
at onExecutePostChangePassword function, if username contain “Delete Account”, then call the M2M Application that bind the API(delete:users) to delete the user account.

exports.onExecutePostChangePassword = async (event, api) => {
  if (event.user.username.includes("delete-account")) {
    const { ManagementClient } = require('auth0');
    const management = new ManagementClient({
      domain: 'my-app.auth0.com',
      clientId: '<MyApp MtM clientId>',
      clientSecret: '<MyApp MtM clientSecret>',
      scope: 'delete:users'
    });
    try {
      await management.deleteUser({ id: event.user.user_id });
      console.log('Auth0 user deleted');
    } catch (err) {
      console.error('Failed to delete Auth0 user:', err);
    }
  }
};

My second question is, How to prevent the user deleted re-sign up? Because all of the user info has deleted from auth0 and my related system.

tyf · April 24, 2024, 11:14pm

Hey there @jason8!

It sounds like the utilizing the post password change action is working for your use case of deleting the user?

In order to prevent a user from signing up, you’ll need to create some sort of block list and implement logic in an action to act on it. Depending on the size of the list, storing a list of blocked usernames in application metadata may be an option. Example:

exports.onExecutePreUserRegistration = async (event, api) => {
  // Load blocked usernames from application metadata
  const blockedUsernames = JSON.parse(event.client.metadata.blockedUsernames);

  // Check if the signing up username is in the blocked list
  if (blockedUsernames.includes(event.user.username)) {
    // Deny the registration with a custom message
    api.access.deny(`The username ${event.user.username} is not allowed.`);
  }
};

If scalability is of concern, then you may want to store the blocked usernames external to Auth0 and access that via an Action:

exports.onExecutePreUserRegistration = async (event, api) => {
  const username = event.user.username;
  const apiUrl = 'https://your-api-url.com/check-username'; 
 
 try {
    const response = await fetch(`${apiUrl}?username=${encodeURIComponent(username)}`, {
      method: 'GET',
      headers: {
        'Content-Type': 'application/json',
        'Authorization': 'Bearer YOUR_API_TOKEN'
      }
    });

    const data = await response.json();

    if (data.isBlocked) {
      api.access.deny(`The username ${username} is not allowed.`);
    }
  } catch (error) {
    // Handle potential errors
  }
};

system · May 8, 2024, 11:15pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Update and delete user profile with Auth0 (React + express) Help auth0 , api , react , express	3	3562	October 21, 2024
Feature: New flow/action "Post Delete User" Feedback actions	13	5108	September 4, 2024
Rules that run before user deletion Help auth0 , management-api	9	4209	January 22, 2024
How to Trigger Password Reset From Post User Login Action Help management-api , users	6	848	February 23, 2024
Spring Boot With Auth0 And Google Play Account Deletion Requirement Help user-profile , user-management	0	15	September 25, 2024

How to delete the user and prevent the deleted user re-sign up only with App client side?

Related Topics