Rules and context.protocol === "oauth2-refresh-token"

Hi! :slight_smile:

I’ve set up a rule to notify us when a user signs up (well, at least when they first sign in).

Following the guide here https://auth0.com/docs/rules/current I am using the following code to break out of the rule if the user had previously logged in, or is requesting a refresh token:

  if (context.stats.loginsCount > 1 || context.protocol === 'oauth2-refresh-token') {
    return callback(null, user, context);
  }

Unfortunately the context.protocol is always set to “oidc-implicit-profile” regardless of whether the request is a login or requesting a refresh token. The documentation says refresh tokens should set context.protocol to “oauth2-refresh-token”.

This means that we are getting alerts for every refresh, until a user logs in again and increases their “loginsCount”.

I have only tested this using database logins so far and using auth0.checkSession to get the token.

Is this a bug, or am I misunderstanding something? We’d like to only send the alert on the first login (or ideally signup). I could potentially solve this by setting meta-data but I’m trying to avoid that solution, especially since the documentation says that technique isn’t needed.

Just bumping this, it seems like a bug.

Does anyone have a workaround for checking if a login is a first login (not a renewal)?

Hey there!

Sorry for such a huge delay in response! We’re doing our best in providing you with the best developer support experience out there, but sometimes our bandwidth is not enough compared to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?
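
Added example, not part of the thread and not Auth0's own code: one way to gate the alert in the rule discussed above so that auth0.checkSession renewals are skipped even while loginsCount is still 1. It assumes checkSession reaches the rule as a silent authentication carrying prompt=none in context.request.query; the app_metadata key signup_notified, the notify callback and the makeFirstLoginRule factory are hypothetical names.

```javascript
// Added example (not Auth0's code). Assumptions: the app_metadata key
// `signup_notified` and the `notify` callback are hypothetical names.

// Pure decision: should this rule execution raise a "new user" alert?
function shouldNotify(user, context) {
  const query = (context.request && context.request.query) || {};
  // Assumption: checkSession() is silent authentication (prompt=none), so it
  // arrives with an interactive-login protocol value, not a refresh one.
  const isRenewal =
    context.protocol === 'oauth2-refresh-token' || query.prompt === 'none';
  const loginsCount = (context.stats && context.stats.loginsCount) || 0;
  const alreadySent =
    Boolean(user.app_metadata && user.app_metadata.signup_notified);
  return !isRenewal && loginsCount <= 1 && !alreadySent;
}

// Rule factory: `auth0` is a global inside a real Rule; it is injected here
// so the logic can be exercised offline with a stub.
function makeFirstLoginRule(auth0, notify) {
  return function firstLoginRule(user, context, callback) {
    if (!shouldNotify(user, context)) {
      return callback(null, user, context);
    }
    // Persist the flag first so later executions cannot alert again.
    user.app_metadata =
      Object.assign({}, user.app_metadata, { signup_notified: true });
    return auth0.users
      .updateAppMetadata(user.user_id, user.app_metadata)
      .then(() => notify(user))
      .then(() => callback(null, user, context), (err) => callback(err));
  };
}

// Constructed sample contexts mirroring the thread: a first interactive
// login, then a checkSession() renewal before loginsCount has increased.
const firstLogin = {
  protocol: 'oidc-implicit-profile',
  stats: { loginsCount: 1 },
  request: { query: {} },
};
const silentRenewal = {
  protocol: 'oidc-implicit-profile',
  stats: { loginsCount: 1 },
  request: { query: { prompt: 'none' } },
};
```

The metadata flag is a second guard: it keeps the alert to one per user even if a renewal reaches the rule without prompt=none.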