Limiting Social Signups

I have enabled Google Social Connection for my Regular Web Application.
I need to allow only some specific email domains to sign in, so I have added a rule that checks and throws an UnauthorizedError if the domain is not valid.
The problem I have is that a user gets created no matter what, even when the validation fails and throws. At least they don’t get authorization, but my questions are:

  • Is there any way to prevent this unwanted user from being registered in the first place?
  • Does this failed authorization attempt count towards my monthly limit of “External Active Users”?
    • If it does count, how can I protect my Auth0 account from a bad actor signing in just to raise the amount of users and my billing?
    • Would deleting the user in the same rule help?

On the database side we have pre-registration hooks to handle this scenario. What is the way to do this with social connections?

Hi @diego.torres,

I think using the rule as you have described is the best way to go about this at the moment. As you mentioned, there is no pre-reg hook to handle this, which means we must use rules.

It’s possible to delete the user in the rule. Are you expecting a lot of this type of signup?

The actual number of valid users I’m expecting is in the low hundreds so I have room to work, but this feels like a vulnerability. Somebody can consume resources from my Auth0 account and I don’t have a way to prevent it. Is this correct?

Since the user is never issued a token, I suspect they won’t count towards quota but will need to confirm this.

I can confirm, if the user is not issued a token in this instance they are not counted towards your quota. You can delete them in the rule if you’d like, but that is up to you.

Thanks, that’s what I needed to know.


No problem, let us know if you have any other questions.
