Invite Flow with organizations (loophole/bug/security)

Hello Community,

I have defined an invite flow with organizations and now one of our Devs found a nasty loophole.

Our intention was to only allow self-registration for users invited via organizations. So we activated “Disable Sign Ups” via Authentication - Database, but enabled sign-ups via “Organizations - $org - Connections”.

We implemented the invitation flow into our application and we were able to send invitations via “Organizations - $org - Invitations - Invite Members”. The result is a link the invited user needs to click, e.g.

https://${DOMAIN}/?invitation=mUAyChSPfcKW3GTwduA0Yb0mEcfURnJX&organization=org_3yKeg4skOalZDHBr&organization_name=acct-xxx

The problem with this is that you can manipulate the URL and remove this part: invitation=mUAyChSPfcKW3GTwduA0Yb0mEcfURnJX& (e.g.

https://${DOMAIN}/?organization=org_3yKeg4skOalZDHBr&organization_name=acct-xxx

and create as many users as you want. It somehow makes sense, since it is allowed to sign up in organizations (because self-registration via invite link needs this). But still, somehow this feels fishy/broken and like a very potential candidate for bots/DDoS. Our intention was to allow self-registration by invite link only! According to the Auth0 documentation:

Invited users must log in or create an account with the email address to which the invitation was sent.

That's not true.

Now the next problem starts. I am not able to catch the case in pre-user-registration, since the event object doesn't contain enough information. I don't get, e.g., the organization ID and therefore am not able to prevent a successful registration. For sure I can iterate through all organizations and check for the email which tries to register, but this is a super expensive API call.

I would appreciate your help, because this is clearly some sort of loophole here.

Cheers,
Daedalus
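The two checks the post contrasts, as an added JavaScript example that is not part of the original post and not Auth0's code: an "organization only" gate that admits anyone naming a valid organization (the behaviour observed above), and an "invite only" gate that requires the invitation ticket from the link to match a pending invitation issued by that organization for the registering e-mail. The invitation records, the invitee e-mail and the host app.example.com (standing in for the post's ${DOMAIN}) are constructed for the example; the field names are this example's own, not the Management API's response shape, and no Auth0 API is called.

```javascript
// Added example, not code from the original post or from Auth0.
// Models the two gates for an invite link of the form
//   https://<domain>/?invitation=<ticket>&organization=<org_id>&organization_name=<name>
// A real deployment would look the ticket up server-side; this example keeps the
// pending invitations in a constructed in-memory list instead.

// Constructed sample data: one pending invitation for one organization.
// The e-mail address is assumed; ticket and org id are the values quoted in the post.
const PENDING_INVITATIONS = [
  {
    organization_id: 'org_3yKeg4skOalZDHBr',
    ticket: 'mUAyChSPfcKW3GTwduA0Yb0mEcfURnJX',
    invitee_email: 'invitee@example.com',
  },
];

const KNOWN_ORG_IDS = new Set(PENDING_INVITATIONS.map((inv) => inv.organization_id));

// Assumed host in place of the post's ${DOMAIN} placeholder.
const FULL_LINK =
  'https://app.example.com/?invitation=mUAyChSPfcKW3GTwduA0Yb0mEcfURnJX' +
  '&organization=org_3yKeg4skOalZDHBr&organization_name=acct-xxx';
// The same link with the invitation parameter stripped, as described in the post.
const TAMPERED_LINK =
  'https://app.example.com/?organization=org_3yKeg4skOalZDHBr&organization_name=acct-xxx';

// Extract the three query parameters an invite link carries; a missing one comes back null.
function parseInviteLink(url) {
  const params = new URL(url).searchParams;
  return {
    invitation: params.get('invitation'),
    organization: params.get('organization'),
    organizationName: params.get('organization_name'),
  };
}

// The behaviour the post observes: sign-up is allowed whenever the link names an
// organization with sign-ups enabled, whether or not an invitation is present.
function organizationOnlyGate(link, knownOrgIds) {
  const { organization } = parseInviteLink(link);
  return organization !== null && knownOrgIds.has(organization);
}

// The behaviour the post wants: sign-up is allowed only when the link carries an
// invitation ticket issued by that organization for the registering e-mail.
function inviteOnlyGate(link, email, invitations) {
  const { invitation, organization } = parseInviteLink(link);
  if (!invitation || !organization) return false; // stripped parameter: deny
  const wanted = email.trim().toLowerCase();
  return invitations.some(
    (inv) =>
      inv.organization_id === organization &&
      inv.ticket === invitation &&
      inv.invitee_email.toLowerCase() === wanted
  );
}

// Run both gates over the full and the tampered link, for the invitee and for a stranger.
function demo() {
  return {
    orgOnlyFull: organizationOnlyGate(FULL_LINK, KNOWN_ORG_IDS),
    orgOnlyTampered: organizationOnlyGate(TAMPERED_LINK, KNOWN_ORG_IDS),
    inviteOnlyFull: inviteOnlyGate(FULL_LINK, 'invitee@example.com', PENDING_INVITATIONS),
    inviteOnlyTampered: inviteOnlyGate(TAMPERED_LINK, 'invitee@example.com', PENDING_INVITATIONS),
    inviteOnlyWrongEmail: inviteOnlyGate(FULL_LINK, 'stranger@example.com', PENDING_INVITATIONS),
  };
}

console.log(demo());
```

The tampered link passes the organization-only gate but fails the invite-only gate, and the untampered link fails for any e-mail other than the invitee's. Whatever gate is used has to run on the server side of the registration path, since a client can strip any parameter from the URL; the example shows the check logic only and does not address where the organization id and ticket would come from inside the registration hook, which is the second problem the post raises.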

Hi @mrszop,

I see that you have opened a support case and are working with a Developer Support Engineer on this issue. That Engineer will work with you on this to achieve a resolution.

Best,

Mary Beth