Pre-registration Action not triggering on signup with existing email

Hi,

We want to account for existing users trying to register with behavior other than the default “Something went wrong, please try again later” message provided by default.

Unfortunately, when using a pre-registration Action, the Action does not seem to run when a duplicate email is encountered.

When registering with a new email the pre-registration Action runs, and I see the “error” message in the UI. However, with an existing email, I’m still getting the default “Something went wrong, please try again later” error in the red box.

There must be a way to handle this, right? Isn’t customizing this flow what the pre-registration hook is designed for?

Thanks.

exports.onExecutePreUserRegistration = async (event, api) => {
    // First argument is the internal reason (tenant logs), second is the message shown to the user
    api.access.deny("error", "error");
}

Hi @evan.mcdaniel,

Welcome to the Auth0 Community!

Usually, the error message is left vague and does not mention whether a duplicate email exists to prevent potential threat actors from finding existing email addresses and performing attacks to gain access to those accounts, known as user enumeration attacks.

However, if you still prefer to make these changes, you can modify the text on the signup page by customizing the signup-password text prompt for the New Universal Login experience.

To do so, please go to Branding > Universal Login > Advanced Options, and then select Custom Text.
On that page, select the signup-password prompt and screen and make changes to the auth0-users-validation text field.

(Reference: Customize Universal Login Text Elements)

Thanks,
Rueben

Thanks for the response @rueben.tiow. The challenge for us is that we have a custom signup process in which users can only sign up if they are already in our system. We want to address the security concerns that the default flow is meant to prevent as well, but not be limited to only users in Auth0. Without control over duplicate user detection, a malicious actor could determine that an email is in our system, but just hasn’t completed their account setup (signing up with Auth0).

Here’s a specific example: Both user1@example.com and user2@otherexample.com get added to our system (via an invite based on our business logic). They don’t exist in Auth0 yet. user1 signs up, goes through our customized signup flow (which initially responds the same way regardless of whether they exist in our database or not) and thus is now in Auth0.

If a malicious actor wants to know if user1 or user2 has an account with us they could validate this by checking the signup page - user1 would stay on your interface (which is different from our signup response page, regardless of whether we customize the message or not), while user2 would get our custom response page.

As you can see, in order to create a fully secure experience, we need a way to control the duplicate user flow fully.

How can we account for this?

Thanks

Hi @evan.mcdaniel,

Thanks for your reply.

Can you share how you check if the user exists in your system before you allow them to sign up on your Auth0 app?

And are you using a custom database?

Hi @rueben.tiow, yes, we’re calling out to our back-end (with a custom database) in a pre-registration Action to get the status of the user in our system. Statuses could be: exists and has already signed up with Auth0, exists but hasn’t signed up with Auth0, or doesn’t exist.

We’d like the user experience for the first case (exists and has already signed up with Auth0) to exactly match that of the other flows, which is to be taken to a custom page with messaging that explains that an email verification was sent if the account exists in our system.

Thanks.
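The following is an added example, not code from this thread or from Auth0, illustrating the point raised across the posts above: a pre-registration Action that looks up the three statuses the poster describes and denies with one user-facing message for every outcome, so the signup response itself cannot be used for user enumeration. It pairs that with a version that returns a different message per status, and a small offline harness that checks whether the messages differ. The directory contents, the status names ("registered", "invited", "unknown") and the lookupStatus() helper are constructed stand-ins for the poster's back-end with a custom database; the `api.access.deny(reason, userMessage)` call is the same one used in the first post.

```javascript
// Added example, not code from the thread or from Auth0: two versions of a
// pre-user-registration Action body plus a small offline harness. The
// directory contents, the status names and lookupStatus() are constructed
// stand-ins for the poster's back-end with a custom database.

// Constructed stand-in for the back-end call. A real Action would make an
// HTTPS request to your API here; an in-memory table keeps the example offline.
const CONSTRUCTED_DIRECTORY = {
  "user1@example.com": "registered",   // invited and already signed up with Auth0
  "user2@otherexample.com": "invited", // invited but not signed up yet
};

function lookupStatus(email) {
  return CONSTRUCTED_DIRECTORY[email.toLowerCase()] || "unknown";
}

// Version 1: a different user-facing message per status. The text the browser
// receives reveals whether the address is known, which is exactly the
// enumeration concern discussed in the thread.
function leakyPreRegistration(event, api) {
  switch (lookupStatus(event.user.email)) {
    case "invited":
      return; // allowed to proceed with signup
    case "registered":
      api.access.deny("already_registered", "This email is already registered.");
      return;
    default:
      api.access.deny("not_invited", "This email is not on our invite list.");
  }
}

// Version 2: the internal reason (first argument, visible only in tenant logs)
// still varies so operators can tell the cases apart, but the user-facing
// message (second argument) is identical for every deny.
const UNIFORM_MESSAGE =
  "If this address is in our system, we have sent an email with next steps.";

function uniformPreRegistration(event, api) {
  switch (lookupStatus(event.user.email)) {
    case "invited":
      return;
    case "registered":
      api.access.deny("already_registered", UNIFORM_MESSAGE);
      return;
    default:
      api.access.deny("not_invited", UNIFORM_MESSAGE);
  }
}

// In a deployed Action the chosen version is assigned as
// exports.onExecutePreUserRegistration = async (event, api) => { ... };

// Minimal stand-in for the `api` object Auth0 passes to the Action; it records
// what deny() was called with so the result can be inspected.
function runAction(action, email) {
  const calls = [];
  const api = {
    access: { deny: (reason, userMessage) => calls.push({ reason, userMessage }) },
  };
  action({ user: { email } }, api);
  return calls.length ? calls[0] : { reason: null, userMessage: null };
}

// Returns true when an outside observer could tell two denied addresses apart
// by the user-facing message alone.
function revealsStatus(action, emails) {
  const seen = new Set();
  for (const email of emails) {
    const { userMessage } = runAction(action, email);
    if (userMessage !== null) seen.add(userMessage);
  }
  return seen.size > 1;
}

// Constructed sample input covering all three statuses.
const SAMPLE_EMAILS = ["user1@example.com", "user2@otherexample.com", "nobody@example.net"];
```

Two caveats that follow from the thread itself: as the posts establish, Auth0 returns its own duplicate-email error before a pre-registration Action runs, so the "registered" branch here only executes when your own back-end reports that status; and a uniform message is only one half of the picture, since the poster's second example shows that the page the user lands on, not just the text, must also be the same across cases.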