Pre Registration Action - No `login_hint` in `event.transaction`

Hello!

I’ll start by spelling out my end-goal: For the immediate future, I don’t want users to be able to change their email addresses during registration.

We’ve got a workflow wherein we forward account creation to our Auth0 tenant after the user sets an email address on a page we own/host. We send the user directly to the password entry “phase” of account creation on Auth0 with a query string parameter login_hint, the value of which is the email address the user set before selecting continue.

The problem is, this Auth0 screen invites users to change their email addresses at will, and as far as I know, I can’t turn that off anywhere else.

My hope is to create a pre-registration Action that compares the value of event.transaction.login_hint (which is defined in the spec for the event object in question) to that of event.user.email. If they don’t match, block the registration; otherwise allow the flow to continue.

The problem is, login_hint does not exist on event.transaction when I attempt to execute this flow. What kills me about that is it’s present in the transaction object of the Context Data in the logs that result from the call to api.access.deny().

Is it a bug that event.transaction.login_hint is not a thing for the pre-registration event object?

Is there another way to accomplish my goal?

Here’s basically what I want to do in my Action:

```javascript
exports.onExecutePreUserRegistration = async (event, api) => {
  const userMessage = 'You shall not pass! 🧙'; // Not the real message, of course.

  const userEmail = event.user.email.toLowerCase();
  // This is where my problem is: `login_hint` is never present on `event.transaction`,
  // which, as far as I can figure out, makes it impossible for me to detect whether
  // the user changed email address.
  const loginHint = event.transaction?.login_hint?.toLowerCase() ?? "loginHint";

  // As a result of the above, my `loginHint` const always has a value of "loginHint",
  // so this will block registration 100% of the time.
  if (userEmail !== loginHint) {
    const internalReason = `Changed email from '${loginHint}' to '${userEmail}'.`;
    api.access.deny(internalReason, userMessage);
  }
};
```

Thanks, in advance, for your help!

Hi @bt_jjones

Welcome to the Auth0 Community!

I am sorry about the late reply to your inquiry.

I believe the best possible solutions to your use case would be the following approaches:

  1. Send an Email Invitation for Application Signup whenever a user sets an email address on your page. That way, they will receive an email with a link which will redirect them to your Auth0 Tenant directly on the “password change” screen, setting their password and authentication. This is quite a secure approach since you will be able to disable sign-ups to prevent any unwanted users from creating accounts. You can take an approach similar to the one stated in this knowledge article regarding forcing users to change their password on first login.
  2. Ask users to set their password on your page and then make an API call to the Auth0 Management API to create the user on the Auth0 Tenant; this information is available in our documentation.

Feel free to leave a reply with additional questions regarding the matter.

Kind Regards,
Nik
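
The invitation approach from option 1, sketched as an added example (not code from this thread or from Auth0): the backend creates the user with the email captured on your own page, then requests a password-change ticket from the Management API, so the user never sees an editable email field. The function names, the `cfg` shape and the password suffix are assumptions; the token is assumed to carry the `create:users` and `create:user_tickets` scopes.

```javascript
const { randomBytes } = require('node:crypto');

// Throwaway password the user never sees. The suffix only satisfies
// character-class rules (assumed policy); the entropy is in the random part.
const throwawayPassword = () => randomBytes(32).toString('base64url') + 'aA1!';

// Describes one authenticated POST to the Management API v2.
function request(domain, token, path, body) {
  return {
    url: `https://${domain}/api/v2/${path}`,
    init: {
      method: 'POST',
      headers: { authorization: `Bearer ${token}`, 'content-type': 'application/json' },
      body: JSON.stringify(body),
    },
  };
}

// Step 1: create the account with the email your own page collected.
function buildCreateUser({ domain, token, connection }, email) {
  return request(domain, token, 'users', {
    connection,
    email: email.trim().toLowerCase(),
    password: throwawayPassword(),
    email_verified: false,
    verify_email: false, // the invitation link replaces the verification email
  });
}

// Step 2: password-change ticket; the user only chooses a password there.
function buildPasswordTicket({ domain, token }, userId, ttlSec = 86400) {
  return request(domain, token, 'tickets/password-change', {
    user_id: userId,
    ttl_sec: ttlSec,
    mark_email_as_verified: true, // following the link proves mailbox ownership
  });
}

// Runs both calls and returns the link to send to the user by email.
async function inviteUser(cfg, email, fetchImpl = fetch) {
  const post = async ({ url, init }) => {
    const res = await fetchImpl(url, init);
    if (!res.ok) throw new Error(`Auth0 returned ${res.status} for ${url}`);
    return res.json();
  };
  const user = await post(buildCreateUser(cfg, email));
  const { ticket } = await post(buildPasswordTicket(cfg, user.user_id));
  return ticket;
}
```

With sign-ups disabled on the connection, this server-side call is the only way an account gets created, so the email on the account is always the one your page submitted.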
