Restrict signup to invited emails only

I am using Auth0 for SSO to a white-labeled custom app (web and mobile). The app requires that the signup flow also be handled by the SSO provider, which I have set up.

The issue is that my app is private, so I want to allow signups only by email addresses that have been invited (invitations are sent directly from my CRM via Zapier through the custom app server).

What’s the best way for me to restrict users from signing up with non-approved email addresses?

How can I restrict social logins at signup but allow them during login?

Hi @shachi,

Welcome to the Auth0 Community!

The best way to block non-approved email addresses is to use a Pre-User Registration Action.

This one is trickier since social logins are triggered only in the post-login flow. The pre-user registration flow only runs before a user is added to a database or passwordless connection.

One way to handle this is to use a post-login Action to block social logins when it is the user’s first time logging in. This works because users automatically log in when they sign up.

Here’s an example of how you might implement this:

exports.onExecutePostLogin = async (event, api) => {
  // logins_count <= 1 means this is the user's first login, i.e. the login
  // that immediately follows signup.
  const firstLogin = event.stats.logins_count <= 1;
  // Social connections are created with the connection name equal to the
  // strategy (e.g. "google-oauth2"), whereas a database connection has
  // strategy "auth0" and a custom name, so this comparison picks out social logins.
  const socialConnection = event.connection.strategy === event.connection.name;
  if (firstLogin && socialConnection) {
    api.access.deny("access denied");
  }
};

This code will only allow users who have previously signed up using a social login to log in again.
Let me know if you have any questions.

Thanks,
Rueben
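As an added example (not code from the original thread or from Auth0), the two Actions discussed above, written so that both the database signup path and the social first-login path apply the same invite-list check. It assumes the invited addresses reach the Actions as a comma-separated secret named INVITED_EMAILS and that a database connection reports strategy "auth0"; the runAction harness is a constructed stand-in for the Auth0 runtime.

```javascript
// Added example, not code from the original thread or from Auth0. It pairs an
// invite-list check in a Pre-User Registration Action with the same check in a
// Post-Login Action on the user's first login, which is where social signups
// (never seen by pre-registration) can be caught. Assumption: the invited
// addresses reach the Actions as a comma-separated secret INVITED_EMAILS; a
// real deployment would query the app server that stores CRM invitations.

// Canonical form for comparison: trimmed and lower-cased.
function normalizeEmail(email) {
  return String(email || "").trim().toLowerCase();
}

// Parse the secret into a Set of normalised addresses, skipping blanks.
function parseInviteList(raw) {
  return new Set(String(raw || "").split(",").map(normalizeEmail).filter(Boolean));
}

function isInvited(event) {
  return parseInviteList(event.secrets.INVITED_EMAILS).has(normalizeEmail(event.user.email));
}

// Runs before a user is written to a database/passwordless connection.
// api.access.deny(reason, userMessage) is Auth0's API for this trigger.
const onExecutePreUserRegistration = async (event, api) => {
  if (!isInvited(event)) api.access.deny("not_invited", "Signup is by invitation only.");
};

// Runs after every login. A social signup shows up here as a first login
// (logins_count <= 1) on a non-database connection (strategy !== "auth0"),
// so the invite check is applied there instead of denying all social signups.
const onExecutePostLogin = async (event, api) => {
  const firstLogin = event.stats.logins_count <= 1;
  const nonDatabase = event.connection.strategy !== "auth0";
  if (firstLogin && nonDatabase && !isInvited(event)) api.access.deny("not_invited");
};

if (typeof exports === "object") {
  exports.onExecutePreUserRegistration = onExecutePreUserRegistration;
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Offline harness (constructed, not part of Auth0): runs an Action against a
// minimal event and reports whether it called api.access.deny().
async function runAction(action, event) {
  const result = { denied: false, reason: null };
  const api = { access: { deny(reason) { result.denied = true; result.reason = reason; } } };
  await action(event, api);
  return result;
}
```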
