Hello!
I’ll start by spelling out my end-goal: For the immediate future, I don’t want users to be able to change their email addresses during registration.
We’ve got a workflow wherein we forward account creation to our Auth0 tenant after the user sets an email address on a page we own/host. We send the user directly to the password entry “phase” of account creation on Auth0 with a query string parameter `login_hint`, the value of which is the email address the user set before selecting continue.
The problem is, this Auth0 screen invites users to change their email addresses at will, and as far as I know, I can’t turn that off anywhere else.
My hope is to create a pre-registration Action that compares the value of `event.transaction.login_hint` (which is defined in the spec for the event object in question) to that of `event.user.email`. If they don’t match, block the registration; otherwise allow the flow to continue.
The problem is, `login_hint` does not exist on `event.transaction` when I attempt to execute this flow. What kills me about that is it’s present in the `transaction` object of the Context Data in the logs that result from the call to `api.access.deny()`.
Is it a bug that `event.transaction.login_hint` is not a thing for the pre-registration event object?
Is there another way to accomplish my goal?
Here’s basically what I want to do in my Action:
```js
exports.onExecutePreUserRegistration = async (event, api) => {
  const userMessage = 'You shall not pass! 🧙'; // Not the real message, of course.
  const userEmail = event.user.email.toLowerCase();

  // This is where my problem is: `login_hint` is never present on `event.transaction`,
  // which, as far as I can figure out, makes it impossible for me to detect whether
  // the user changed email address.
  const loginHint = event.transaction?.login_hint?.toLowerCase() ?? "loginHint";

  // As a result of the above, my `loginHint` const always has a value of "loginHint",
  // so this will block registration 100% of the time.
  if (userEmail !== loginHint) {
    const internalReason = `Changed email from '${loginHint}' to '${userEmail}'.`;
    api.access.deny(internalReason, userMessage);
  }
};
```
Thanks, in advance, for your help!
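
An added example, not part of the original post and not Auth0's own code: the same comparison with the "hint missing" case separated from the "email changed" case, so the deny reason in the logs shows which one occurred instead of a placeholder value. It assumes only the event fields and the `api.access.deny(reason, userMessage)` call shown in the post; `evaluateRegistration`, `makeStubApi` and the result codes are hypothetical names, and it does not change whether `login_hint` is populated at this trigger.

```javascript
// Added example. Decision logic is kept apart from the Action entry point so it
// can be exercised with constructed events, without a tenant.

// Trim and lowercase; anything that is not a non-empty string becomes null.
const normalize = (value) =>
  typeof value === 'string' && value.trim() !== '' ? value.trim().toLowerCase() : null;

// Returns { allow, code, reason }. Fails closed: a missing hint is still denied,
// but under its own code so it is never recorded as a changed email.
function evaluateRegistration(event) {
  const email = normalize(event?.user?.email);
  const hint = normalize(event?.transaction?.login_hint);
  if (email === null) {
    return { allow: false, code: 'email_missing', reason: 'No email on event.user.' };
  }
  if (hint === null) {
    return { allow: false, code: 'hint_missing', reason: 'login_hint absent from event.transaction.' };
  }
  if (email !== hint) {
    return { allow: false, code: 'email_changed', reason: `Changed email from '${hint}' to '${email}'.` };
  }
  return { allow: true, code: 'ok', reason: '' };
}

// Entry point. In an Action this function would be assigned to
// exports.onExecutePreUserRegistration.
const onExecutePreUserRegistration = async (event, api) => {
  const decision = evaluateRegistration(event);
  if (!decision.allow) {
    // Internal reason carries the code; the user-facing message stays generic.
    api.access.deny(`${decision.code}: ${decision.reason}`, 'Registration could not be completed.');
  }
  return decision;
};

// Stub of the `api` object (hypothetical helper) that records deny() calls.
function makeStubApi() {
  const calls = [];
  return { calls, access: { deny: (reason, userMessage) => calls.push({ reason, userMessage }) } };
}

// Constructed sample events.
const sampleEvents = {
  unchanged: { user: { email: 'Alice@Example.com' }, transaction: { login_hint: ' alice@example.com ' } },
  changed: { user: { email: 'mallory@example.com' }, transaction: { login_hint: 'alice@example.com' } },
  noHint: { user: { email: 'alice@example.com' }, transaction: {} },
};
```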