Prevent password reset for blocked users

We use Auth0 for single sign-on.
Sometimes we mark users as inactive if they haven’t signed in for a while. However they are still able to reset their password, which we don’t want. We would rather they received a different email when they tried to reset their passwords, to the effect of “Contact your administrator”.
i thought a way around this could be to block inactive users, but it seems that blocked users can still reset their passwords.
Is there another way to do this?

Hi @Paul.Buck

Even if a blocked user resets their password, an unauthorized response should be returned with a description of “user is blocked” when they sign in and are redirected to your callback URL. You could handle this in your application to show a message to contact an administrator.

Hope this helps

thanks for the response.
However, we want to send a different email to the reset email if the user is blocked, as we feel this would provide a better user experience.
We don’t want the user to go through the reset process if this is ultimately going to be pointless.
Is this possible?

Hey @Paul.Buck ,

Thinking about it further, if you are using a paid subscription, you could try customising the Change Password email template using Liquid Syntax. The docs are:

I would still advocate handling this specific unauthorized response in your application, as a belt and braces approach.

Hope this helps

1 Like

Thanks for sharing that @andyck!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.