How to delete the user and prevent the deleted user re-sign up only with App client side?

jason8 · April 19, 2024, 2:33am

My App upload the App Store, due to its policy, I need provide a button to let user “Delete Account”. But the Auth0 delete account api need the backend service, now I want use the default trigger to call it, here is what I do.

User press on the “Delete Account” button at App side;
App auto modify user name as “Delete Account+{username}”
App call the modify password api to set the user password as random string.
Action call the Post Change Password trigger.
at onExecutePostChangePassword function, if username contain “Delete Account”, then call the M2M Application that bind the API(delete:users) to delete the user account.

exports.onExecutePostChangePassword = async (event, api) => {
  if (event.user.username.includes("delete-account")) {
    const { ManagementClient } = require('auth0');
    const management = new ManagementClient({
      domain: 'my-app.auth0.com',
      clientId: '<MyApp MtM clientId>',
      clientSecret: '<MyApp MtM clientSecret>',
      scope: 'delete:users'
    });
    try {
      await management.deleteUser({ id: event.user.user_id });
      console.log('Auth0 user deleted');
    } catch (err) {
      console.error('Failed to delete Auth0 user:', err);
    }
  }
};

My second question is, How to prevent the user deleted re-sign up? Because all of the user info has deleted from auth0 and my related system.

tyf · April 24, 2024, 11:14pm

Hey there @jason8!

It sounds like the utilizing the post password change action is working for your use case of deleting the user?

In order to prevent a user from signing up, you’ll need to create some sort of block list and implement logic in an action to act on it. Depending on the size of the list, storing a list of blocked usernames in application metadata may be an option. Example:

exports.onExecutePreUserRegistration = async (event, api) => {
  // Load blocked usernames from application metadata
  const blockedUsernames = JSON.parse(event.client.metadata.blockedUsernames);

  // Check if the signing up username is in the blocked list
  if (blockedUsernames.includes(event.user.username)) {
    // Deny the registration with a custom message
    api.access.deny(`The username ${event.user.username} is not allowed.`);
  }
};

If scalability is of concern, then you may want to store the blocked usernames external to Auth0 and access that via an Action:

exports.onExecutePreUserRegistration = async (event, api) => {
  const username = event.user.username;
  const apiUrl = 'https://your-api-url.com/check-username'; 
 
 try {
    const response = await fetch(`${apiUrl}?username=${encodeURIComponent(username)}`, {
      method: 'GET',
      headers: {
        'Content-Type': 'application/json',
        'Authorization': 'Bearer YOUR_API_TOKEN'
      }
    });

    const data = await response.json();

    if (data.isBlocked) {
      api.access.deny(`The username ${username} is not allowed.`);
    }
  } catch (error) {
    // Handle potential errors
  }
};