We have a scenario where we need to restrict sign-up to specific types of users. We use Lock v11. Currently, the signup flow is as follows:
- User signs up using the form.
- The new user is created in the default Auth0 database.
- We run some rules regarding the register action and send a verification email.
But we have a scenario where we need to restrict sign-up access to specific users. The following are the approaches we tried:
We tried using the “signup submit” event to perform certain checks, but the signup information such as ‘email’ is not passed to the event handler. Moreover, the event handler is invoked only after calling the “dbconnections/signup” API, so a new user will be created in Auth0 anyway.
We tried to restrict the signup in the Auth0 rules. The first time the user tries to sign up, we return the “Not allowed” error and, consequently, the signup is prevented. However, the rules are also invoked after creating the user, so when the same user tries to sign up immediately after, Auth0 returns the error “User Already Exists”.
So we can remove the created user from the Auth0 rule, but I am not sure if it is doable from the rule, and even if it is, I am wondering if there is a better and cleaner way to achieve this.
We do not want to disable the signup option completely, or we could have used invite-only signups. Furthermore, the Pre-User-Registration extensibility point also gets invoked after the user is created in the Auth0 database.
Any suggestions on how this scenario can be addressed? Thank you.