How to prevent username/password registration when the user is already registered via passwordless

Scenario:

  1. User logs in via oauth / passwordless.
  2. Another user creates an account, using the same password

Right now, this allows the second user to log into the system as the first user, as (a) we don’t require email verification before login and (b) our auth0 config treats these two as different users (we do not on our backend side).

Rather than requiring a user to verify their email before they can log in, I’d rather prevent re-registration via email/password when there’s a passwordless account.

Is there a canned hook for doing this? And is this a fairly standard thing to do? I’m a bit surprised by the defaults here.

Hi @bencip19 :wave:

Welcome to the Community!

You can leverage the Management API within Auth0 Pre-Registration Action to check if the user with the same email already exists in another connection, and if so, block the user from registering.

I would recommend reading over this post that details how you can do this, along with some sample code to point you in the right direction.

I hope this helps. Let me know how you get on!
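A worked version of the approach described in this answer, added here as an example (it is not code from the thread, from Auth0, or from the linked post): a Pre User Registration Action that denies a database sign-up when the same email already belongs to a user in another connection. The Management API call is injected as a lookup function so the decision logic runs offline; the node-auth0 method name and `event.secrets` wiring in the comments are assumptions you should check against your SDK version.

```javascript
// Added example, not code from the thread or from Auth0: a Pre User Registration
// Action that denies email/password sign-up when a user with the same email
// already exists in a different connection (for example the passwordless "email"
// connection). The Management API lookup is injected so the decision logic
// runs and can be tested offline.

// Pure decision: which *other* connections already own this email?
// `existingUsers` has the shape of the Management API users-by-email response:
// [{ email, identities: [{ connection, ... }] }, ...]
function conflictingConnections(existingUsers, email, currentConnection) {
  const wanted = String(email || '').trim().toLowerCase();
  const found = new Set();
  for (const u of existingUsers || []) {
    if (String(u.email || '').trim().toLowerCase() !== wanted) continue;
    for (const id of u.identities || []) {
      if (id.connection !== currentConnection) found.add(id.connection);
    }
  }
  return [...found].sort();
}

// Build the Action handler around a lookup function. In a deployed Action the
// lookup would wrap the node-auth0 ManagementClient (assumed wiring):
//   const { ManagementClient } = require('auth0');
//   const mgmt = new ManagementClient({ domain, clientId, clientSecret }); // from event.secrets
//   exports.onExecutePreUserRegistration = createHandler((e) => mgmt.getUsersByEmail(e));
// (getUsersByEmail is the node-auth0 v3 method name; check your SDK version.)
function createHandler(lookupUsersByEmail) {
  return async function onExecutePreUserRegistration(event, api) {
    const email = event.user && event.user.email;
    if (!email) return; // nothing to compare against
    const existing = await lookupUsersByEmail(email);
    const others = conflictingConnections(existing, email, event.connection.name);
    if (others.length > 0) {
      // first argument is the logged reason; second is the message shown to the user
      api.access.deny(`email already registered via ${others.join(',')}`,
        'An account with this email already exists. Sign in with your existing method.');
    }
  };
}

// Constructed sample directory: a passwordless (email connection) user exists.
const SAMPLE_USERS = [{ email: 'Bob@Example.com', identities: [{ connection: 'email' }] }];
const sampleLookup = async (email) =>
  SAMPLE_USERS.filter((u) => u.email.toLowerCase() === email.toLowerCase());

// Minimal stand-in for the Action `api` object that records deny() calls.
function recordingApi() {
  const denials = [];
  return { denials, access: { deny: (reason, msg) => denials.push({ reason, msg }) } };
}
```

The email comparison is case-insensitive on purpose; a check that compares raw strings would let `Bob@Example.com` and `bob@example.com` register as two accounts.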

Hey @james.merrigan !

Ya, I saw those examples and actually implemented one. But it struck me as odd that I would have to do that, and wondered why the out-of-the-box behavior is permissive. I.e., I feel like I’m missing something on why this isn’t the default, which I wanted to check before implementing.

Thanks for providing such a great solution to the problem, very satisfied.

