Passwordless connections - send params to PreUserRegistration action

Hi,
I was able to send a code to Auth0 using

// Wrapped in a Promise so that resolve/reject below are defined
return new Promise<void>((resolve, reject) => {
  this.webauth.passwordlessStart(
    {
      connection: "email",
      send: "code",
      email: email,
      authParams: authParams,
    },
    (error: any): void => {
      console.log(error);

      debugger;

      error ? reject(error) : resolve();
    }
  );
});


In the authParams I have the following object:

const authParams = {
  redirect_uri: redirUrl,
  organization: org_id,
  custom: 123456
};

How can I read this in the action?
I went to the PreUserRegistration event and did not see it in the event object.
Thanks

Hi @roee,

Try using the event.request.query param in a Post-login Action.

If you want to have this run on first login, you can use a conditional statement with event.stats.logins_count.

Hope that helps!

Well, I am trying to use the pre-registration event to verify some data that I want to pass from a link.

Can it be done post login? There is currently a limitation and that would be the best approach.

I can, but I don’t want to do that there: I need to check some params from my app in the pre-registration action and, if so, not create the user at all.

Using params from a public client to prevent a signup is prone to manipulation by the end user.

If you provide some more context I can help figure out a more secure solution.

Sure, this is actually a nice use case:

I send an email to a new user with a link. This link contains a base64 hashed object with some data (name, email, role, etc.) and one special key with some of that data encrypted.
The link looks like this:

http://localhost:4200/auth/passwordless?p=eyJjb2RlIjoiYzI5YjdhZTcxMWZjY2YxZDBjYWU4N2ZjNzllMmVhMjk1YmU3YTJlMGQxNjcwMWQxMGY5ZDMxOTU1YjQ3N2YxZSIsImVtYWlsIjoicm9lZUBjeXBhZ28uY29tIiwiZW50aXR5IjoiMTQwZjJhM2MtNDVmOC00YWM3LWJlZTEtMjNhZWRmYjUwYjI2IiwiaWQiOiI2YjVhZGQ4Ny04MDg3LTQzN2UtYWE3MC1kZDE3Njk1MmY2YjYiLCJvcmdhbml6YXRpb24iOiJvcmdfa1JUTmJybWVKRldYYUNwVCIsInR5cGUiOiJ1YXIiLCJ1c2VyQWNjZXNzUmV2aWV3ZXJJZCI6I

Once I open the base64 string I get my object:

{
  "code": "c29b7ae711fccf1d0cae87fc79e2ea295be7a2e0d16701d10f9d31955b477f1e",
  "email": "roee@someemail.com",
  "id": "XXX-XXX-437e-aa70-dd176952f6b6",
  "YYY": "XXX",
  "XXX": "XXXX",
  ...
}

On the passwordless page in my app I use webAuth and send the first email to the user, something like this:

this.webauth.passwordlessStart(
  {
    connection: "email",
    send: "code",
    email: email,
    // authParams: authParams,
  },
  (error: any): void => {
    // same callback as in the first snippet
  }
);

and the authParams will contain my object.

The main idea was to use the "Pre User Registration" flow to verify that the object was not changed on the way.
Something like:

const crypto = require("crypto");

exports.onExecutePreUserRegistration = async (event, api) => {
  const base64Obj = {}; // TODO: get my data from the request

  const stringToHash = base64Obj.XXX + base64Obj.YYY + base64Obj.id + base64Obj.email;

  // HMAC-SHA256 over the fields, keyed with the Action secret
  const hash = crypto.createHmac('sha256', event.secrets.PASSWORDLESS_SECRET)
    // updating data
    .update(stringToHash)
    // hex encoding to compare against the "code" field
    .digest('hex');

  if (hash !== base64Obj.code) {
    // api.access.deny(reason, userMessage)
    api.access.deny('invalid_link', 'some error msg');
  }
};

In this case I prevent the creation of the user.

Unfortunately, I was unable to pass parameters to this action, or read anything from there. I tried to use redirect_url or additional parameters defined in the connection, but without success.

Now I have to sign him up, make this validation in the Post Login flow, and delete the user if something went wrong.
This is bad in a lot of ways, since I don’t want to create the user in the first place (if someone is trying to attack me), and since I am using some Auth0 management scripts this also costs me rate limit.

Does that make sense now?

Thanks for reading all of this, and for taking the time to help.

Thanks for sharing the additional info.

Just to be clear, this object is encoded, not hashed.

The code param in the object is hashed, not encrypted.

If I understand this correctly, you’re essentially creating a signed token, similar to a JWT and confirming it matches the token sent with the magic link.

Can I propose an alternative?

Turn off signups in your passwordless connection and then create users via the management API. You can store the required info in the user profile metadata properties.

Doing this will prevent unwanted signups, and also doesn’t require any passing of tokens, no Actions, and no rolling your own encryption/tokens.

Hi!
Thanks again for your response! I will look into this with the PO and see how this works with the flow.


Sounds good! Let me know if you have any questions.
