Post-Login Actions do occur for silent authentication requests.
A reliable solution would be to see if stripe_customer_id already exists in the user app_metadata object, and skip the action for the user if it does.
However, if you need to rely on first logins only in the Post-Login Action flow instead, something like below might help
// check if user has more than one login, or if this is a refresh token rotation, or a silent auth request
const not_first_login = event.stats.logins_count > 1 ||
event.transaction?.protocol === 'oauth2-refresh-token' ||
event.request.query?.prompt === 'none';
if (not_first_login) {
console.log(`Skipping event for user ${event.user.user_id}`);
return;
}
This will skip the action for the user if the user’s login_count is greater than one, or if the Post-Login Action was triggered by refresh token rotations & silent authentication requests.
Hope this helps!