How to delete the user and prevent the deleted user re-sign up only with App client side?

jason8 · April 19, 2024, 2:33am

My App upload the App Store, due to its policy, I need provide a button to let user “Delete Account”. But the Auth0 delete account api need the backend service, now I want use the default trigger to call it, here is what I do.

User press on the “Delete Account” button at App side;
App auto modify user name as “Delete Account+{username}”
App call the modify password api to set the user password as random string.
Action call the Post Change Password trigger.
at onExecutePostChangePassword function, if username contain “Delete Account”, then call the M2M Application that bind the API(delete:users) to delete the user account.

exports.onExecutePostChangePassword = async (event, api) => {
  if (event.user.username.includes("delete-account")) {
    const { ManagementClient } = require('auth0');
    const management = new ManagementClient({
      domain: 'my-app.auth0.com',
      clientId: '<MyApp MtM clientId>',
      clientSecret: '<MyApp MtM clientSecret>',
      scope: 'delete:users'
    });
    try {
      await management.deleteUser({ id: event.user.user_id });
      console.log('Auth0 user deleted');
    } catch (err) {
      console.error('Failed to delete Auth0 user:', err);
    }
  }
};

My second question is, How to prevent the user deleted re-sign up? Because all of the user info has deleted from auth0 and my related system.

tyf · April 24, 2024, 11:14pm

Hey there @jason8!

It sounds like the utilizing the post password change action is working for your use case of deleting the user?

In order to prevent a user from signing up, you’ll need to create some sort of block list and implement logic in an action to act on it. Depending on the size of the list, storing a list of blocked usernames in application metadata may be an option. Example:

exports.onExecutePreUserRegistration = async (event, api) => {
  // Load blocked usernames from application metadata
  const blockedUsernames = JSON.parse(event.client.metadata.blockedUsernames);

  // Check if the signing up username is in the blocked list
  if (blockedUsernames.includes(event.user.username)) {
    // Deny the registration with a custom message
    api.access.deny(`The username ${event.user.username} is not allowed.`);
  }
};

If scalability is of concern, then you may want to store the blocked usernames external to Auth0 and access that via an Action:

exports.onExecutePreUserRegistration = async (event, api) => {
  const username = event.user.username;
  const apiUrl = 'https://your-api-url.com/check-username'; 
 
 try {
    const response = await fetch(`${apiUrl}?username=${encodeURIComponent(username)}`, {
      method: 'GET',
      headers: {
        'Content-Type': 'application/json',
        'Authorization': 'Bearer YOUR_API_TOKEN'
      }
    });

    const data = await response.json();

    if (data.isBlocked) {
      api.access.deny(`The username ${username} is not allowed.`);
    }
  } catch (error) {
    // Handle potential errors
  }
};

system · May 8, 2024, 11:15pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
User Delete in auth0 Help user-profile , user-management	5	457	March 12, 2024
Secure flow to let user delete their own account Help management-api , users	5	25	November 12, 2024
Safely delete a user via Management API Help delete-user	3	4028	June 2, 2020
How do i delete a user from auth0? Help delete-user	2	13981	March 2, 2018
Allow currently logged in user of Web App to delete their account Help api	4	7998	April 10, 2021

How to delete the user and prevent the deleted user re-sign up only with App client side?

Related topics