I’m quite new at Auth0 developing but I guess what I’m trying to do is not impossible using rules. I’d like only approved users to be able to log in to my app.
For example, someone signs up, an email is sent to me asking if I approve or not their account and they cannot log in until I’ve approved it. Like an email verification thing but the email would be sent to me instead of the user.
You would first create a pre-user registration hook that sets a flag in the user’s app_metadata. You’ll use this flag to determine whether they have been approved.
From within this hook you call your own web service that will send the email to your administrator(s) for approval. This email would then include a link that, when clicked, makes your site’s backend perform a management API call to set the flag you defined earlier in the newly registered user’s app_metadata.
You would then have a rule that checks this flag is true, and if not, would deny the user access. Here’s an example:
function (user, context, callback) {
  // Deny the login unless an administrator has set app_metadata.approved on this user
  if (!user.app_metadata || !user.app_metadata.approved) {
    return callback(new UnauthorizedError('Your registration must be approved by an administrator.'));
  }
  callback(null, user, context);
}
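The four steps above, pulled together as an added, self-contained example (not code from the answer or from Auth0): a pre-user-registration hook that stamps `approved: false`, an in-memory stand-in for the Management API `PATCH /api/v2/users/{id}` call your backend would make from the approval link, and the rule that denies every login until the flag is strictly `true`. The `UnauthorizedError` class, the `directory` map, `registerUser`, `approveUser` and `decide` are all assumptions made so the flow runs offline; in a real tenant the rule sandbox supplies `UnauthorizedError` and the user store is Auth0 itself. The rule compares with `=== true` so that a missing `app_metadata` or a string such as `"true"` written by mistake still results in a deny.

```javascript
'use strict';

// Stand-in for the UnauthorizedError the Auth0 rule sandbox provides (assumption for offline use).
class UnauthorizedError extends Error {
  constructor(message) {
    super(message);
    this.name = 'UnauthorizedError';
  }
}

// Step 1: pre-user-registration hook. Every new account starts as not approved,
// so the rule has an explicit flag to test instead of relying on absence of data.
function preRegistrationHook(user, context, cb) {
  const response = { user: Object.assign({}, user) };
  response.user.app_metadata = Object.assign({}, user.app_metadata, { approved: false });
  cb(null, response);
}

// Constructed in-memory user store; stands in for the Auth0 tenant.
const directory = new Map();

// Registers a user through the hook and stores the resulting profile.
function registerUser(user) {
  let stored;
  preRegistrationHook(user, {}, (err, response) => {
    if (err) throw err;
    stored = response.user;
  });
  directory.set(stored.user_id, stored);
  return stored;
}

// Steps 2 and 3: what your backend does when the administrator clicks the approval link.
// In production this is a Management API PATCH on the user with
// { app_metadata: { approved: true } }; here it mutates the in-memory record.
function approveUser(userId) {
  const u = directory.get(userId);
  if (!u) {
    throw new Error('unknown user: ' + userId);
  }
  u.app_metadata = Object.assign({}, u.app_metadata, { approved: true });
  return u;
}

// Step 4: the rule. Denies unless app_metadata.approved is strictly boolean true.
function approvalRule(user, context, callback) {
  const approved = Boolean(user.app_metadata) && user.app_metadata.approved === true;
  if (!approved) {
    return callback(new UnauthorizedError('Your registration must be approved by an administrator.'));
  }
  callback(null, user, context);
}

// Runs the rule and reports the outcome as 'allow' or 'deny' so it can be inspected.
function decide(user) {
  let result;
  approvalRule(user, {}, (err) => {
    result = err ? 'deny' : 'allow';
  });
  return result;
}

// Usage (constructed sample user):
const fresh = registerUser({ user_id: 'auth0|constructed-1', email: 'newuser@example.com' });
console.log('before approval:', decide(fresh));            // deny
approveUser('auth0|constructed-1');
console.log('after approval:', decide(directory.get('auth0|constructed-1'))); // allow
console.log('string flag:', decide({ user_id: 'x', app_metadata: { approved: 'true' } })); // deny
```

Note that the rule runs on every login, so a user who was approved and later had the flag removed is locked out again on their next attempt; the hook only runs once, at registration.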