I have enabled Google Social Connection for my Regular Web Application.
I need to allow only some specific email domains to sign in, so I have added a rule that checks and throws an UnauthorizedError if the domain is not valid.
The problem I have is that a user gets created no matter what, even when the validation fails and throws. At least they don’t get authorization, but my questions are:
- Is there any way to prevent this unwanted user from being registered in the first place?
- Does this failed authorization attempt count towards my monthly limit of “External Active Users”?
- If it does count, how can I protect my Auth0 account from a bad actor signing in just to raise the amount of users and my billing?
- Would deleting the user in the same rule help?
On the database side we have pre-registration hooks to handle this scenario. What is the way to do this with social connections?
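
The domain check described in the post above, as an added example that is not part of the original post and not the poster's own rule: it uses the Auth0 Rules `(user, context, callback)` signature and shows the edge cases a domain allowlist has to handle (case, malformed addresses, unverified email, suffix look-alikes). The allowlist entries, the helper names and the `google-oauth2` connection name are assumptions. It only covers the authorization decision the rule makes.

```javascript
// Constructed placeholder allowlist; replace with the domains you accept.
const ALLOWED_DOMAINS = new Set(['example.com', 'corp.example.org']);

// Inside the Auth0 Rules runtime UnauthorizedError is a global. This fallback
// exists only so the file also runs stand-alone under Node.
const Unauthorized = typeof UnauthorizedError !== 'undefined'
  ? UnauthorizedError
  : class extends Error {};

// Returns the lowercased domain of a simple local@domain address, or null.
// Addresses with zero or several '@' are rejected rather than guessed at.
function emailDomain(email) {
  if (typeof email !== 'string') return null;
  const parts = email.trim().split('@');
  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
  return parts[1].toLowerCase();
}

// Exact match only: a suffix test such as endsWith('example.com')
// would also accept 'notexample.com'.
function isAllowed(user) {
  if (!user || user.email_verified !== true) return false;
  const domain = emailDomain(user.email);
  return domain !== null && ALLOWED_DOMAINS.has(domain);
}

// Rule entry point (hypothetical name). Only the Google social connection is
// restricted here; 'google-oauth2' is assumed to be that connection's name.
function restrictEmailDomain(user, context, callback) {
  if (context.connection !== 'google-oauth2') {
    return callback(null, user, context);
  }
  if (!isAllowed(user)) {
    return callback(new Unauthorized('Access denied: email domain not allowed.'));
  }
  return callback(null, user, context);
}
```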