I’ve implemented a password reset post-challenge action that validates email domains before sending reset emails. The action works (logs show api.access.deny() is called and emails aren’t sent), but users still see the generic “Check Your Email” message instead of my custom error.
exports.onExecutePostChallenge = async (event, api) => {
const email = event.user?.email
// Validate email domain against whitelist
if (!isValidDomain(email)) {
return api.access.deny('unauthorized', 'Your email domain is not authorized.')
}
}
User sees “Check Your Email” even when deny is called. But Error message should be displayed.
s there a way to show custom error messages in password reset flows like we can with api.prompt.render() in login flows? Or is this prevented by user enumeration protection?
Thanks,
Gowtham