Pre-registration Action not triggering on signup with existing email

Hi,

We want to account for existing users trying to register with behavior other than the default “Something went wrong, please try again later” message provided by default.

Unfortunately, when using a pre-registration Action, the Action does not seem to run when a duplicate email is encountered.

When registering with a new email the pre-registration Action runs, and I see the “error” message in the UI. However, with an existing email, I’m still getting the default “Something went wrong, please try again later” error in the red box.

There must be a way to handle this right? Isn’t customizing this flow what the pre-registration hook is designed for?

Thanks.

exports.onExecutePreUserRegistration = async (event, api) => {
  // deny(reason, userMessage): the reason goes to the tenant logs, the message is shown in the signup UI
  api.access.deny("error", "error");
};

Hi @evan.mcdaniel,

Welcome to the Auth0 Community!

Usually, the error message is left vague and does not mention whether a duplicate email exists to prevent potential threat actors from finding existing email addresses and performing attacks to gain access to those accounts, known as user enumeration attacks.

However, if you still prefer to make these changes, you can modify the text on the signup page by customizing the signup-password text prompt for the New Universal Login experience.

To do so, please go to Branding > Universal Login > Advanced Options, and then select Custom Text.
On that page, select the signup-password prompt and screen and make changes to the auth0-users-validation text field.

(Reference: Customize Universal Login Text Elements)

Thanks,
Rueben

Thanks for the response @rueben.tiow. The challenge for us is that we have a custom signup process in which users can only sign up if they are already in our system. We want to address the security concerns that the default flow is meant to prevent as well, but not be limited to only users in Auth0. Without control over duplicate user detection, a malicious actor could determine that an email is in our system, but just hasn’t completed their account setup (signing up with Auth0).

Here’s a specific example: Both user1@example.com, and user2@otherexample.com get added to our system (via an invite based on our business logic). They don’t exist in Auth0 yet. user1 signs up, goes through our customized signup flow (which initially responds the same way regardless of whether they exist in our database or not) and thus is now in Auth0.

If a malicious actor wants to know if user1 or user2 has an account with us they could validate this by checking the signup page - user1 would stay on your interface (which is different from our signup response page, regardless of whether we customize the message or not), while user2 would get our custom response page.

As you can see, in order to create a fully secure experience, we need a way to control the duplicate user flow fully.

How can we account for this?

Thanks

Hi @evan.mcdaniel,

Thanks for your reply.

Can you share how you check if the user exists in your system before you allow them to sign up on your Auth0 app?

And are you using a custom database?

Hi @rueben.tiow, yes, we’re calling out to our back-end (with a custom database) in a pre-registration Action to get the status of the user in our system. Statuses could be: exists and has already signed up with Auth0, exists but hasn’t signed up with Auth0, or doesn’t exist.

We’d like the user experience for the first case (exists and has already signed up with Auth0) to exactly match that of the other flows, which is to be taken to a custom page with messaging that explains that an email verification was sent if the account exists in our system.

Thanks.
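An added example (not code from this thread) of how the two branches the Action can still control, "invited but not yet in Auth0" and "unknown email", can be made indistinguishable to whoever submits the form, as the poster describes. It assumes a back-end status lookup and a verification-email sender (both stubbed here under constructed names) and that the custom flow completes registration out of band from the emailed link; the "already registered" case is rejected by Auth0 before the Action runs, as the thread establishes.

```javascript
// Added example, not code from this thread. The back-end lookup and the email
// sender are constructed stubs standing in for the poster's real services.

// One user-facing message for every branch the Action can reach. api.access.deny()
// takes (reason, userMessage): the reason goes to tenant logs only, the message is
// what the form displays, so only the message must be uniform across branches.
const UNIFORM_MESSAGE =
  "If this email is in our system, we have sent a message with next steps.";

// Constructed directory standing in for the poster's back-end status lookup.
// Statuses mirror the thread: "registered", "invited", "unknown".
const FAKE_DIRECTORY = {
  "user1@example.com": "registered",
  "user2@otherexample.com": "invited",
};
async function lookupStatus(email) {
  return FAKE_DIRECTORY[email.toLowerCase()] || "unknown";
}

const sentEmails = []; // constructed stub: records who was emailed
async function sendVerificationEmail(email) {
  sentEmails.push(email);
}

// Pure decision table, kept separate from the Action so it can be unit-tested.
// Only the side effect differs by status; the visible response never does.
function decide(status) {
  if (status === "invited") {
    return { notify: true, reason: "custom_signup_flow", userMessage: UNIFORM_MESSAGE };
  }
  // "unknown", and "registered" should it ever reach the Action: same message,
  // no email, so the form shows nothing that depends on the directory.
  return { notify: false, reason: "not_invited", userMessage: UNIFORM_MESSAGE };
}

const onExecutePreUserRegistration = async (event, api) => {
  const decision = decide(await lookupStatus(event.user.email));
  if (decision.notify) await sendVerificationEmail(event.user.email);
  // Always deny the default Auth0 signup: the custom flow completes registration
  // from the emailed link, so a successful Auth0 signup never leaks status either.
  api.access.deny(decision.reason, decision.userMessage);
};
if (typeof exports !== "undefined") {
  exports.onExecutePreUserRegistration = onExecutePreUserRegistration;
}
```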

Hi @rueben.tiow, haven’t heard back on this yet. Is there some other way I should work to get this resolved?

Thanks.

Hello, we do have exactly the same issue. It looks like the Pre Registration Action is NOT fired when the type of the event is “Failed Signup” (in our case because of a duplicate email). We have a use case where we want to send an external notification IF a user with this email already exists, and this is exactly the place to do that. According to the docs it is explicitly stated that this action SHOULD fire in that case. How do we check that:

exports.onExecutePreUserRegistration = async (event, api) => {
  const { ManagementClient } = require('auth0');
  const management = new ManagementClient({
    domain: event.secrets.domain,
    clientId: event.secrets.clientId,
    clientSecret: event.secrets.clientSecret,
  });

  // Look up users with this email via the Management API; the SDK returns the
  // matching users as an array on `.data`.
  const userRecords = await management.usersByEmail.getByEmail({ email: event.user.email });

  if (userRecords && userRecords.data.length > 0) {
    // TODO send Slack notification here, as a user with this email already exists
    console.log("SEND SLACK NOTIFICATION HERE");
  }
};

This action triggers when registration succeeds. IF a user with the email already exists, an error is returned to our form as it should be, but the action is NOT fired (though it should be).

Hi @evan.mcdaniel,

Thanks for the replies and clarification.

Unfortunately, when a user exists and has already signed up with Auth0, you cannot avoid the “The user already exists” error message. This means that you won’t be able to redirect your users to a custom page with a message explaining that an email verification was sent if the account exists in your system.

The hope is that the user will realize that their account exists and will try to log in or reset their passwords.

I have also confirmed that the Pre-User Registration Action does not trigger when there is a failed sign-up event, such as when a user exists. This leads to the only option of customizing the error message to be generic and vague enough to inform your users that they might have to try logging in if sign-up fails.

I hope that helps!

Thanks,
Rueben