
How to restrict sign ups for certain users

#1

We have a scenario where we need to restrict the sign up to the specific types of users. We use lock v11. Currently, the signup flow is as follows:

  1. User signs up using the form.
  2. The new user is created in Auth0's default database.
  3. We run some rules regarding register action and send a verification email.

But we have a scenario where we need to restrict sign up access to specific users. Following are the approaches we tried:

  1. We tried using the “signup submit” event to perform certain checks, but the signup information such as ‘email’ is not passed to the event handler. Moreover, the event handler is invoked only after calling the “dbconnections/signup” API, so a new user will be created in Auth0 anyway.

  2. We tried to restrict the signup in the Auth0 rules. The first time the user tries to sign up, we return the “Not allowed” error and consequently the signup is prevented. However, the rules are also invoked after creating the user, so when the same user tries to sign up immediately after, Auth0 returns the error “User Already Exists”.

So we can remove the created user from the Auth0 rule, but I am not sure if it is doable from the rule, and even if it is, I am wondering if there is a better and cleaner way to achieve this.

We do not want to disable the signup option completely or we could have used invite only signups. Furthermore, the Pre-User-Registration extensibility point also gets invoked after the user is created in the Auth0 database.

Any suggestions on how this scenario can be addressed? Thank you.

#2

Hello @bhushan.chaudhari,

I would suggest having another look at the pre user registration hook. It should do what you want. We use a pre-reg hook to look up a new user’s chosen username in a legacy user database, in order to prevent the new user from choosing a username already in use by a legacy user who has not yet been migrated into our Auth0 database. This works as expected and the new user is required to choose a new username and no account is created until they do so.

This was the solution that we implemented with the assistance and at the recommendation of Auth0 Professional Services.

1 Like
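
A sketch of the kind of pre-user-registration check discussed in this thread, applied to restricting sign ups by email domain. This is an added example, not code from any poster or from Auth0; the allowlist values and function names are assumptions, the `(user, context, cb)` signature is the one shown in post #3, and the plain `Error` follows post #4.

```javascript
// Added example, not code from the thread. ALLOWED_DOMAINS is a constructed
// placeholder list; replace it with the domains your tenant should accept.
const ALLOWED_DOMAINS = ['example.com', 'partner.example.org'];

// Return the lower-cased domain of an address, or null if it is malformed.
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const trimmed = email.trim().toLowerCase();
  const at = trimmed.lastIndexOf('@');
  // Reject a missing local part, a missing domain, or more than one '@'.
  if (at <= 0 || at === trimmed.length - 1 || trimmed.indexOf('@') !== at) return null;
  const domain = trimmed.slice(at + 1).replace(/\.$/, ''); // drop a trailing root dot
  // Plain DNS labels only: no whitespace, control characters or empty labels.
  return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(domain) ? domain : null;
}

// Exact match against the allowlist. No suffix or substring matching, so
// "example.com.attacker.test" and "notexample.com" are both refused.
function isSignupAllowed(email, allowed = ALLOWED_DOMAINS) {
  const domain = emailDomain(email);
  return domain !== null && allowed.includes(domain);
}

// Hook body (hypothetical name). Fails closed: anything unparseable is denied.
function preUserRegistration(user, context, cb) {
  if (!isSignupAllowed(user && user.email)) {
    return cb(new Error('Sign up is restricted for this email address.'));
  }
  return cb(null, { user: user });
}

// In a hook editor this function would be the module's export.
if (typeof module !== 'undefined') module.exports = preUserRegistration;
```
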
#3

Thank you. I could prevent the sign up in the hooks, but as we are using the Lock widget for the front end, we have to send the custom error message code from the hook to detect certain scenarios.

Just for testing purposes, we tried sending the ValidationError object with an error code and created the error message with the same error code in the languageDictionary of the Lock options.

    module.exports = function (user, context, cb) {
      var response = {};
      response.user = user;

      // Pass an error with a custom code back to Lock
      cb(new ValidationError('user-error-code', 'User Error'), response);
    };

But somehow the hook does not have access to the ValidationError object. Do I need to import anything or am I missing something here?

#4

Not sure if this is helpful or not (I’m not a developer) but I had a look at the hook we are using. If the hook finds the new user is trying to use a username already taken by a user in our legacy system (LDAP directory) we are sending an Error back like so:

        } else {
          console.log("Username already taken.");
          return callback(new Error("Please select a different username."));
        }

We are using Lock as well. Now I am curious to see how this actually manifests in the Lock UI. I’ll try testing it to see if it shows anything useful.

#5

If you return a generic error, the Lock UI also displays a generic message like “…Something went wrong…”.

In the Lock UI, customized error messages can be displayed. However, that requires sending the “ValidationError” object as described here: https://auth0.com/docs/libraries/lock/v11/customizing-error-messages. But that is the issue; in the hooks environment, the ValidationError object cannot be found, so I was wondering if there is any way to import it there.