Basic functionality like user or domain whitelisting should not require the use of rules + js code. That’s usually too hard for a regular user & it feels like developing your platform for you.
Surprisingly, the use of social login (with Google) allows creation of a user in the Auth0 interface even though the user is not whitelisted with rules. I’ve received feedback from less technical users that it looks insecure & they’d like to evaluate other authentication platforms without that problem.
Your engineer provided a solution to remove the users which were created like that using m2m/API calls (Prevent user creation (with hook?) if user is not whitelisted with rule - #5 by stephanie.chamblee) but it feels wrong to allow any user on the internet to create them in the first place.
Workaround from 2) cannot be used by some clients & as logins by external unauthorized Google accounts can easily exhaust the number of API calls per month, which is also a kind of DDoS:
This feature is included in your current plan up to 1,000 calls per month: upgrade your subscription to [Developer Pro] or [Enterprise] for over 1,000 monthly calls in production.
I’m using Terraform to manage Auth0 & imo it’s not acceptable to limit the number of calls to your API like that. Putting some kind of hourly rate limit on it sounds like a more fair option to me.
Please see discussion here: Prevent user creation (with hook?) if user is not whitelisted with rule - #6 by vainkop
The workaround provided by your engineer in 2) should be added to your public documentation & should be easy to find.