Redirect In Rule Before Successful Login

I am having an issue where my rules do not seem to execute unless the user successfully logs in. I am bulk importing users so they do not have a password on their account and I want to redirect them on their first failed password attempt to a password reset warning and fire off an email to them using the password reset ticket API call.

When I add a redirect in my rule it does not fire unless the user successfully logs in. Please help me to redirect a user before the login actually succeeds.

I have searched many other topics that talk about the same thing and they all point to the redirect documentation but those don’t seem to fire on a failed password attempt.

I also am unable to get the logs working on my app; it just errors and says talk to support, but I am on the free plan so can’t debug it.

Thanks,
Ryan

1 Like

Hi @ryanwhite,

Rules run after a successful authentication.

This wouldn’t be a recommended pattern. Confirming the user’s email/username without successful authentication can leave your application open to user enumeration attacks.

We recommend an automatic migration, or importing password hashes if that is an option.
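The enumeration risk raised in the reply above, as an added example that is not part of the original thread and is not Auth0 code: the first function branches on a per-user flag after a failed password, the second is an unauthenticated reset request that answers every caller identically. The `needs_reset` flag, the paths, the sample addresses and the `sendResetTicket` callback are all assumptions made for illustration.

```javascript
// Constructed sample directory. needs_reset is a hypothetical app_metadata
// flag set on users who were bulk-imported without a password.
const directory = new Map([
  ["imported@example.com", { app_metadata: { needs_reset: true } }],
  ["active@example.com", { app_metadata: {} }],
]);

// Pattern asked about in the thread: branch on the flag after a failed
// password. The response differs per account, so it confirms which
// addresses belong to imported users without any authentication.
function leakyFailedLogin(email, dir) {
  const user = dir.get(String(email || "").trim().toLowerCase());
  if (user && user.app_metadata.needs_reset) {
    return { status: 302, location: "/check-your-email" };
  }
  return { status: 401, body: "Wrong email or password." };
}

// Enumeration-safe alternative: a "set your password" request form.
// Every caller gets the same reply; only the mailbox owner learns more.
const GENERIC_REPLY = Object.freeze({
  status: 200,
  body: "If an account exists for this address, we have emailed a reset link.",
});

function requestReset(email, dir, sendResetTicket) {
  const key = String(email || "").trim().toLowerCase();
  const user = dir.get(key);
  if (user) {
    // Hypothetical callback that would create the password reset ticket
    // and email it. Its outcome is never reflected in the HTTP response.
    sendResetTicket(key, Boolean(user.app_metadata.needs_reset));
  }
  return GENERIC_REPLY;
}

// Runs one known and one unknown address through the safe flow.
function demo() {
  const mailed = [];
  const replies = ["imported@example.com", "nobody@example.com"].map((e) =>
    requestReset(e, directory, (addr) => mailed.push(addr))
  );
  return { mailed, replies };
}

console.log(demo());
```

Imported users can be pointed at such a form by the migration announcement email, so no failed-login branch is needed.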

Hmm okay, we are coming from memberspace so we don’t have a database. We just have a list of usernames and no passwords, so we need them to do a password reset right away anyways, so I don’t really see the point in setting up a database which does nothing anyways.

We already have the emails we want to add though for the users so could I add those users with a custom metadata value and run the rule only for those users?

We are not super worried about attacks as we essentially just want this rule in place for a short period of time as we move our users over from memberspace to auth0.

Ryan

@dan.woda would the above be possible? Do a redirect on a failed login if the user has a specific metadata to a reset password screen in our app, or a page saying “Check your email” and we create a password reset ticket.

I just need to know what our options are here as the automatic migration does not suit our needs as we have no passwords to begin with, just emails and other info.

@dan.woda any suggestions, kind of stuck here with what to do.

Let me reach out to the team on this and see what they recommend.

1 Like