Setting user_metadata in Action does not work if login is denied

Hello,

I’m trying to create a post-login action that performs this:

if (event.user.user_metadata.approved !== true) {
    api.user.setUserMetadata("pending_approval", true);
    api.access.deny("You need to be approved before being able to log in...");
}

I’ve noticed that the “pending_approval” field is not set if I deny the access to the user. If I remove the last line of code, it works as expected.

the doc says:

" Mark the current login attempt as denied. This will prevent the end-user from completing the login flow. This will NOT cancel other user-related side-effects (such as metadata changes) requested by this Action. The login flow will immediately stop following the completion of this action and no further Actions will be executed."

so it should work as expected…

what’s wrong with my code?

thank you.

1 Like

Hi @alberto.ornaghi,

Welcome to the Auth0 Community!

There is nothing logically wrong with your code. However, after testing this for myself, I found the same observations. Specifically, the user_metadata is never set before being denied access.

And as you hinted, our docs indicate that the metadata should be able to change as long as the api.access.deny() is called afterward.

Since I have confirmed your findings, I will reach out to our Engineering teams regarding this bug and have them resolve the issue.

Once there is new information, I will follow up with you with the updates.

Thank you.

any update on the issue? do you have an ETA for the fix?

thank you

Hi @alberto.ornaghi,

Thank you for your reply.

I have reached out to our Engineers on this and am waiting for a response.

I’d like to also add that we are currently on a Code Freeze, which we expect to remove after the new year, sometime in early January 2022.

With that said, I anticipate this issue to be part of the list of bugs fixed and will be reflected in the product once the code freeze has been lifted.

Thank you.

Hi! We bumped into a similar scenario when porting our Rules to Actions, so a fix would be greatly appreciated here too. Thanks!

1 Like

Hi @andres,

Thanks for reporting this issue as well.

Once our code freeze has been lifted, these issues will be resolved.

I’ll follow up when that happens.

Thanks!

1 Like

@rueben.tiow it’s now April and this bug is still present, we cannot write to app_metadata or user_metadata when api.access.deny() is called.
When will this bug be resolved please? We need a date for this bugfix being released.

Hi @jack.macdonald,

Thank you for your response.

I have clarified with our Engineering Teams that this issue has been resolved and you should be able to set user_metadata before denying them access.

Moreover, I have not seen any further topics regarding this issue, could you please check again to see if you can set the user_metadata before denying them access?

Thank you.

I can confirm this is still not working, for user_metadata and app_metadata. I am tracking this in support ticket 00714794.

1 Like

Hi, same here. I have a custom parameter passed in auth0-react loginWithRedirect() function. And I have Auth0 post-login action configured (with debug printouts):

exports.onExecutePostLogin = async (event, api) => {
  // debug printouts
  console.log(event.request.query);
  console.log(event.request.query.intendedPrice);
  console.log(event.stats.logins_count);
  console.log(event.user.email_verified);

  if (event.stats.logins_count === 1) {
    console.log('First login');
    if (event.request.query.intendedPrice) {
      console.log(`Setting intended price ${event.request.query.intendedPrice}`);
      api.user.setUserMetadata("intendedPrice", event.request.query.intendedPrice);
      api.user.setAppMetadata("intendedPrice", event.request.query.intendedPrice);
    }
  }

  // force email verification
  if (!event.user.email_verified) {
    api.access.deny("Verification email is sent. Please verify your email address to continue");
    return;
  }

  // ... some other stuff for verified email login flow
};

I see expected printouts about setting the intendedPrice metadata field in the logs, but actual user metadata does not get updated.

Is there any progress with the fix mentioned above or some other way to pass parameters to the user’s metadata to use it once he or she verifies the email?

My use case is to allow someone to sign up to a pre-selected subscription, but I also need to force them to verify the email first to avoid signing up with a dead or mistyped email. Desired flow:

  1. user selects the subscription plan
  2. clicks ‘sign up’ and performs sign up procedure
  3. goes to mailbox and clicks the verification link and gets redirected back to my application
  4. my application checks the subscription plan id from the metadata and handles it appropriately

Thanks in advance

We’ve had to use the auth0 package within the action, and use the ManagementClient on that to set the user’s app metadata instead. Similar to “Is there a way to access user management api from a post-password-change action?” - #2 by thameera

2 Likes
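
The workaround described in the post above (writing metadata through the Management API from inside the Action, then denying), as an added example that is not part of the original thread or Auth0's own code. It assumes the `auth0` Node SDK v4 call shape `management.users.update({ id }, data)`, hypothetical secret names `M2M_DOMAIN`, `M2M_CLIENT_ID` and `M2M_CLIENT_SECRET`, and an `approved` flag kept in app_metadata; `buildHandler` and `makeManagementClient` are illustrative names.

```javascript
// Added example: persist metadata via the Management API, then deny the login.
// The client factory is injected so the handler can be exercised without the SDK.
const buildHandler = (makeClient) => async (event, api) => {
  // Assumption: approval state lives in app_metadata, which end users
  // cannot edit themselves (user_metadata is meant for user-editable data).
  if (event.user.app_metadata?.approved === true) return;

  try {
    const management = makeClient(event.secrets);
    // Awaited so the write has completed before the Action returns.
    await management.users.update(
      { id: event.user.user_id },
      { app_metadata: { pending_approval: true } }
    );
  } catch (err) {
    // Fail closed: a failed metadata write must never let the login through.
    console.log(`metadata write failed: ${err.message}`);
  }

  api.access.deny("You need to be approved before being able to log in...");
};

// Real client factory. The auth0 package is required lazily, so it is only
// needed when the Action actually runs inside Auth0.
const makeManagementClient = (secrets) => {
  const { ManagementClient } = require("auth0");
  return new ManagementClient({
    domain: secrets.M2M_DOMAIN,             // hypothetical secret name
    clientId: secrets.M2M_CLIENT_ID,         // hypothetical secret name
    clientSecret: secrets.M2M_CLIENT_SECRET, // hypothetical secret name
  });
};

if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = buildHandler(makeManagementClient);
}
```

The machine-to-machine application behind these credentials only needs the `update:users` Management API scope.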

Thanks Jack, I was thinking about the same approach as a possible workaround.

Although, I really hope that Auth0 team will fix this issue anyway. @rueben.tiow could you please inform us when this happens.

1 Like

Hi @ivan.mikhalitsyn and @jack.macdonald,

Thank you for your responses.

I have gotten clarification that this issue is still in our backlog to be fixed.

As soon as our Engineers resolve the issue, I will follow up on this thread.

Thank you.

Just adding a comment that we are also very interested in this being fixed. Has there been any update?

Hi,

When will this be resolved? Also facing the same issue.

Hi @rrmakatu,

Thank you for sharing that you are encountering the same issues.

After checking with our Engineering teams, they have confirmed that this issue has been resolved.

Moreover, I have tested this myself and confirm that updating the user_metadata persists through subsequent Actions.

Please reach out if you have any further questions or concerns.

Thank you.

1 Like

Hi @rueben.tiow
This still isn’t working for us.

For example I have the following code

api.user.setUserMetadata("failed_login", "deactivated customer");
api.access.deny(`Oops, something went wrong! #7833`);

but when I look up logs for users that have failed login in this way, I don’t see the metadata.

Hi @shannon.paige and @rrmakatu,

Thank you for your replies.

Previously, I had seen this issue resolve and work synchronously. However, after some tests, I managed to reproduce the same issue again.

I will investigate this issue with our Engineers and follow up once I have more information.

Thank you.

Hi @rueben.tiow. It’s been a year now, but the bug is still present. Are there any updates?

1 Like

We are also having this issue. Any timeline on a fix?