
Prevent a blocked user from requesting email link

Is it possible to prevent a ‘blocked’ user from receiving a requested passwordless email using the Authentication API (and/or rules)?

At the moment the current flow just denies access to the supplied magic link, which isn’t great UX - we would prefer to reject the user either at the point of request, or at least just not send the email.

Let me check if there is anything we can do about this flow!

Hey Konrad, thanks for looking into this, any ideas?

Hey there @ollyskinner!

After some initial discussion it seems not doable cause the blocked email/password identity is different than the passwordless identity. However, I encourage you to place it as product feedback directly to our product managers, providing all the context via our feedback site (you should be contacted by one of them in a few days):

the blocked email/password identity is different than the passwordless identity

But in that case how come an unregistered user can’t request a magic link? In that scenario we get this response:

{"error":"bad.connection","error_description":"Public signup is disabled"}

Surely the passwordless ‘magic link’ request has to reference the list of signed-up users to generate that response?

Hmm yep gotchya. Let me discuss it once more with the team!

Hey @konrad.sopala, did you have any joy looking into this?

For anyone who might find this useful, since Auth0 have been unable to offer a solution – fortunately my SPA has a basic Node backend for managing new user registration, so I set up a route for checking users-by-email on the management API, and only calling passwordlessStart if the user requesting the link isn’t blocked. It’s not ideal but at least it prevents a blocked user being sent an email link to nowhere (well, a rather unhelpful alert box).

It would be great to get a more direct and UX-friendly solution tho…
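The workaround described in the post above, sketched as an added example (not the poster's code and not Auth0's): a backend helper looks the address up through `GET /api/v2/users-by-email` and only calls `POST /passwordless/start` when no matching user is blocked. The function names and the `cfg` fields are hypothetical; the example also assumes you want the same response returned whether or not an email is sent, so the route does not reveal which addresses are blocked, and it fails closed when the lookup errors.

```javascript
// Added example: gate POST /passwordless/start on the Management API "blocked" flag.
// cfg fields (domain, mgmtToken, clientId, clientSecret) are placeholders set by the caller.
const GENERIC = { status: 200, body: { message: 'If the account is eligible, a link has been sent.' } };

async function isBlocked(email, cfg, fetchImpl) {
  const url = `https://${cfg.domain}/api/v2/users-by-email?email=${encodeURIComponent(email)}`;
  const res = await fetchImpl(url, { headers: { Authorization: `Bearer ${cfg.mgmtToken}` } });
  if (!res.ok) throw new Error(`user lookup failed: ${res.status}`);
  const users = await res.json();
  // One address can map to several identities; treat it as blocked if any of them is.
  return users.some((u) => u.blocked === true);
}

async function requestMagicLink(rawEmail, cfg, fetchImpl = fetch) {
  // Assumption: stored addresses are lowercase, so normalise before the exact-match lookup.
  const email = String(rawEmail || '').trim().toLowerCase();
  if (!/^[^\s@]+@[^\s@]+$/.test(email)) return { ...GENERIC, sent: false };
  let blocked;
  try {
    blocked = await isBlocked(email, cfg, fetchImpl);
  } catch {
    blocked = true; // fail closed: no status check means no email
  }
  if (blocked) return { ...GENERIC, sent: false };
  const res = await fetchImpl(`https://${cfg.domain}/passwordless/start`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      client_id: cfg.clientId, client_secret: cfg.clientSecret,
      connection: 'email', email, send: 'link',
    }),
  });
  // `sent` is for server-side logging only; reply to the client with status/body.
  return { ...GENERIC, sent: res.ok };
}
```

The Management API token stays on the server; the browser only ever sees the generic `status` and `body`.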