Prevent creation of user from `/u/login` flow

Preface: I am NOT looking for the “Disable Sign Ups” behavior.

With Universal Login, the /u/login endpoint with connection: 'email' prompts the user for their email, then sends them a code and prompts them for that code. Underneath that, there is a “Don’t have an account yet?” link that takes them to /u/signup, which behaves similarly but with the link “Already have an account?” that links back to /u/login. However, no matter which of these pages I’m on, if the user enters an email that does not yet exist, it creates a new user.

I don’t want this. I only want a user to be created from the /u/signup page. For login with an invalid email, I want it to appear successful and move on to the “enter code” screen, but not actually send the email (otherwise a malicious user could “mine” for valid email addresses).

I can block it using api.access.deny in the pre-user-registration action. However:

  • I don’t see any way to differentiate between the cases of /u/login and /u/signup from the event body in there
  • It displays an error message to the user, so we’re back to being able to check addresses for validity

Hi @eric.haynes

Thank you for reaching out to Auth0 Community regarding the issue that you are facing!
I am sorry for the late reply to your inquiry.

Unfortunately, the feature that you are looking for during a Passwordless authentication is not available within Auth0. By not disabling the user sign-up, you would expose your application to the following vulnerabilities:

  • Account Enumeration Concern: Attackers could try to discover valid accounts. (As you have stated yourself in the post.)
  • Automated Account Creation Concern: Bots could create many accounts automatically

For your approach, I would recommend implementing an invite-only flow where users are sent an invitation email on sign-up.

There are ways to mitigate these vulnerabilities within your implementation; you can review this community post for possible solutions or advice.

If you have any extra questions regarding the issue, or if you have come up with a solution yourself, feel free to leave a reply on the post.

Kind Regards,
Nik

The behavior I’m describing would not worsen either of those vulnerabilities. I’m not talking about a change in the behavior of the UI, only the process behind the scenes. If I enter an email address on /u/login and I end up on the “enter code” flow, unless I have control of the address, I don’t know whether the email is sent or not. I would get no information about the email’s current status either way.

I don’t see how it changes anything related to bots either. If their intent is to create lots of accounts – for emails they own – they can do so on the /u/signup page. This would remove one mechanism for creating accounts, so that problem would be at least the same if not slightly better.

The current behavior means that every typo in that email field sends out an email and triggers pre-user-registration unnecessarily. That’s somewhat trivial on its own, but the problematic case is when a user enters the wrong email that they do own. E.g. I get 5 different gmail addresses in the same inbox. If I carelessly enter the wrong one, I get a code, enter it into the form, and end up signing up rather than logging in.
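
The argument made in the original post and in the reply above (an error on /u/login is an enumeration oracle, while an identical “enter code” screen that simply does not send the mail reveals nothing to someone who does not control the inbox) can be illustrated with a small model. This is an added example, not code from Auth0 or from the poster; the user store, the mailer and the three handlers are constructed for the demonstration and do not represent how Universal Login is implemented.

```javascript
// Added example (not Auth0's code): a toy model of the "enter your email"
// step of a passwordless login, contrasting three ways the unknown-address
// case can be handled. Store, mailer and handler names are all constructed.

// Constructed user store: exactly one registered address.
function newStore() {
  return new Set(["alice@example.com"]);
}

// Records outbound mail instead of sending it, so the model runs offline.
function makeMailer() {
  const sent = [];
  return { sendCode: (email) => sent.push(email), sent };
}

// Behaviour described in the thread: an unknown address on /u/login is
// silently registered and mailed a code, so a typo becomes a signup.
function loginCreatesUser(email, store, mailer) {
  if (!store.has(email)) {
    store.add(email); // signup happened from the login page
  }
  mailer.sendCode(email);
  return { screen: "enter-code" };
}

// Blocking the registration with a visible error (the effect the poster
// describes when denying in the pre-user-registration action): no account
// is created, but the differing response tells a caller which addresses
// exist.
function loginWithVisibleDeny(email, store, mailer) {
  if (!store.has(email)) {
    return { screen: "error", message: "No account for this address" };
  }
  mailer.sendCode(email);
  return { screen: "enter-code" };
}

// What the poster asks for: never create a user here, return the same
// screen either way, and only send the code when the address is known.
function loginConstantResponse(email, store, mailer) {
  if (store.has(email)) {
    mailer.sendCode(email);
  }
  return { screen: "enter-code" };
}

// Run a handler against a known and an unknown address on fresh state and
// report the three properties the thread argues about.
function probe(handler) {
  const store = newStore();
  const mailer = makeMailer();
  const known = JSON.stringify(handler("alice@example.com", store, mailer));
  const unknown = JSON.stringify(handler("typo@example.com", store, mailer));
  return {
    differs: known !== unknown,                          // enumeration signal
    mailedUnknown: mailer.sent.includes("typo@example.com"),
    createdUnknown: store.has("typo@example.com"),       // unwanted signup
  };
}

for (const h of [loginCreatesUser, loginWithVisibleDeny, loginConstantResponse]) {
  console.log(h.name, probe(h));
}
```

Only the third handler has all three flags false: the visible response is identical for both addresses, no mail goes to the unknown address, and no account is created. Whether the code mail was actually sent is only observable by whoever controls the inbox, which is the point made in the reply above.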

Hi @eric.haynes

Thank you for providing further insight on the matter.

I understand the issues that you are facing with the passwordless authentication flow that you have implemented for your application.

Unfortunately, the behaviour that you have been describing seems to be the intended one. It can be quite difficult managing users in the situation that you have described above, since it is completely up to them to avoid making those mistakes.

I would recommend visiting our Feedback page in order to create a post addressing this behaviour and proposing a possible solution/feature which can be implemented by us.

If you have any other questions or inquiries regarding the matter, feel free to leave another reply on the post.

Kind Regards,
Nik