I have enabled Google Social Connection for my Regular Web Application.
I need to allow only some specific email domains from signing in so I have added a rule that checks and throws an UnauthorizedError if the domain is not valid.
The problem I have is that a user gets created no matter what, even when the validation fails and throws. At least they don’t get authorization, but my questions are:
Is there any way to prevent this unwanted user from being registered in the first place?
Does this failed authorization attempt count towards my monthly limit of “External Active Users”?
If it does count, how can I protect my Auth0 account from a bad actor signing in just to raise the amount of users and my billing?
Would deleting the user in the same rule help?
On the database side we have pre-registration hooks to handle this scenario. What is the way to do this with social connections?
I think using the rule as you have described is the best way to go about this at the moment. As you mentioned, there is no pre-reg hook to handle this, which means we must use rules.
It’s possible to delete the user in the rule. Are you expecting a lot of this type of signup?
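As an added example (not code from the thread above and not Auth0's own code), here is what a rule of the kind suggested in that reply could look like: it allows only an allowlist of email domains and, when the check fails, deletes the social user that Auth0 has already created before denying the login. The allowlist, the constructed sample profiles and the injected `management` parameter (assumed to expose `deleteUser(userId)` returning a promise) are assumptions so the rule can be exercised offline; inside Auth0 you would call the Management API with credentials that carry the `delete:users` scope instead, and use the sandbox's global `UnauthorizedError` rather than the stand-in class defined here. The rule also refuses unverified addresses, because a social provider that does not verify emails would otherwise let anyone claim an allowed domain.

```javascript
// Added example, not from the original thread or from Auth0: an Auth0-style rule
// that restricts sign-in to an allowlist of email domains and deletes the
// just-created social user when the check fails. ALLOWED_DOMAINS, SAMPLE_USERS
// and the injected `management` client are assumptions for illustration.

const ALLOWED_DOMAINS = ['example.com', 'example.org']; // assumed allowlist

// Stand-in for the `UnauthorizedError` global that the Auth0 rules sandbox provides.
class RuleUnauthorizedError extends Error {}

// Returns the normalised domain if `email` belongs to an allowed domain, else null.
// Only the part after the last "@" is compared, and only by exact match, so
// "alice@example.com.attacker.net" and "alice@evil-example.com" are both rejected.
function allowedDomain(email, allowed = ALLOWED_DOMAINS) {
  if (typeof email !== 'string') return null;
  const at = email.lastIndexOf('@');
  if (at <= 0 || at === email.length - 1) return null;
  const domain = email.slice(at + 1).trim().toLowerCase();
  return allowed.includes(domain) ? domain : null;
}

// Decides whether a profile may sign in. A verified email is required: a social
// provider that does not verify addresses would otherwise let anyone claim an
// allowed domain just by typing it into their provider profile.
function signInDecision(user, allowed = ALLOWED_DOMAINS) {
  if (!user || user.email_verified !== true) {
    return { allow: false, reason: 'email address not verified by the identity provider' };
  }
  const domain = allowedDomain(user.email, allowed);
  if (!domain) {
    return { allow: false, reason: 'email domain not allowed' };
  }
  return { allow: true, reason: 'ok', domain };
}

// The rule body in Auth0's (user, context, callback) shape. `management` is
// injected here so the rule runs offline; it is assumed to expose
// deleteUser(userId) returning a promise. A failed deletion is logged, but the
// login is denied either way, so the rejected user never receives a token.
function domainAllowlistRule(user, context, callback, management) {
  const decision = signInDecision(user);
  if (decision.allow) {
    return callback(null, user, context);
  }
  const deny = () => callback(new RuleUnauthorizedError(decision.reason));
  if (!management || typeof management.deleteUser !== 'function') {
    return deny();
  }
  Promise.resolve()
    .then(() => management.deleteUser(user.user_id))
    .catch((err) => {
      console.log('could not delete rejected user ' + user.user_id + ': ' + err);
    })
    .then(deny);
}

// In-memory stand-in for the Management API client, used to exercise the rule offline.
function makeFakeManagement() {
  const deleted = [];
  return {
    deleted,
    deleteUser(userId) {
      deleted.push(userId);
      return Promise.resolve();
    },
  };
}

// Runs the rule against one profile and resolves with the outcome.
function runRule(user, management = makeFakeManagement()) {
  return new Promise((resolve) => {
    domainAllowlistRule(user, { connection: 'google-oauth2' }, (err) => {
      resolve({ allowed: !err, error: err ? err.message : null, deleted: management.deleted.slice() });
    }, management);
  });
}

// Constructed sample profiles in the shape Auth0 passes to a rule (not real accounts).
const SAMPLE_USERS = {
  staff: { user_id: 'google-oauth2|100', email: 'Alice@Example.com', email_verified: true },
  outsider: { user_id: 'google-oauth2|200', email: 'mallory@attacker.example', email_verified: true },
  unverified: { user_id: 'google-oauth2|300', email: 'bob@example.com', email_verified: false },
};

Promise.all(Object.values(SAMPLE_USERS).map((u) => runRule(u))).then((results) => {
  console.log(results);
});
```

Note that this only cleans up after the fact: Auth0 has already created the user by the time the rule runs, which is the behaviour described in the question, so the rule removes the record and denies the token rather than preventing the creation.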
The actual number of valid users I’m expecting is in the low hundreds so I have room to work, but this feels like a vulnerability. Somebody can consume resources from my Auth0 account and I don’t have a way to prevent it. Is this correct?
I can confirm that if the user is not issued a token in this instance, they are not counted towards your quota. You can delete them in the rule if you’d like, but that is up to you.