I’m trying to create a post-login action that performs this:
if (event.user.user_metadata.approved !== true) {
  api.user.setUserMetadata("pending_approval", true);
  api.access.deny("You need to be approved before being able to log in...");
}
I’ve noticed that the “pending_approval” field is not set if I deny the access to the user. If I remove the last line of code, it works as expected.
The doc says:
"Mark the current login attempt as denied. This will prevent the end-user from completing the login flow. This will NOT cancel other user-related side-effects (such as metadata changes) requested by this Action. The login flow will immediately stop following the completion of this action and no further Actions will be executed."
There is nothing logically wrong with your code. However, after testing this for myself, I found the same observations. Specifically, the user_metadata is never set before being denied access.
And as you hinted, our docs indicate that the metadata should be able to change as long as the api.access.deny() is called afterward.
Since I have confirmed your findings, I will reach out to our Engineering teams regarding this bug and have them resolve the issue.
Once there is new information, I will follow up with you with the updates.
I have reached out to our Engineers on this and am waiting for a response.
I’d like to also add that we are currently on a Code Freeze, which we expect to remove after the new year, sometime in early January 2022.
With that said, I anticipate this issue to be part of the list of bugs fixed and will be reflected in the product once the code freeze has been lifted.
@rueben.tiow it’s now April and this bug is still present, we cannot write to app_metadata or user_metadata when api.access.deny() is called.
When will this bug be resolved please? We need a date for this bugfix being released.
I have clarified with our Engineering Teams that this issue has been resolved and you should be able to set user_metadata before denying them access.
Moreover, I have not seen any further topics regarding this issue. Could you please check again to see if you can set the user_metadata before denying them access?
Hi, same here. I have a custom parameter passed in the auth0-react loginWithRedirect() function. And I have an Auth0 post-login action configured (with debug printouts):
exports.onExecutePostLogin = async (event, api) => {
  console.log(event.request.query);
  console.log(event.request.query.intendedPrice);
  console.log(event.stats.logins_count);
  console.log(event.user.email_verified);
  if (event.stats.logins_count === 1) {
    console.log('First login');
    if (event.request.query.intendedPrice) {
      console.log(`Setting intended price ${event.request.query.intendedPrice}`);
      api.user.setUserMetadata("intendedPrice", event.request.query.intendedPrice);
      api.user.setAppMetadata("intendedPrice", event.request.query.intendedPrice);
    }
  }
  // force email verification
  if (!event.user.email_verified) {
    api.access.deny("Verification email is sent. Please verify your email address to continue");
    return;
  }
  // ... some other stuff for verified email login flow
};
I see the expected printouts about setting the intendedPrice metadata field in the logs, but the actual user metadata does not get updated.
Is there any progress with the fix mentioned above, or some other way to pass parameters to the user’s metadata to use it once he or she verifies the email?
My use case is to allow someone to sign up to a pre-selected subscription, but I also need to force them to verify the email first to avoid signing up with a dead or mistyped email. Desired flow:
1. user selects the subscription plan
2. clicks ‘sign up’ and performs sign up procedure
3. goes to mailbox and clicks the verification link and gets redirected back to my application
4. my application checks the subscription plan id from the metadata and handles it appropriately
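
A local check for the metadata-then-deny Action discussed in this thread, added here as an example and not code from any poster or from Auth0: it runs the same logic against a recording stand-in for `api`, so the side effects the Action requests (and their order) can be asserted in a unit test, and it validates the client-supplied `intendedPrice` before storing it. The plan ids and the names `handlePostLogin`, `makeRecordingApi` and `simulate` are assumptions; whether the tenant actually persists metadata after a deny can only be confirmed against the tenant itself.

```javascript
// Constructed allowlist: these plan ids are hypothetical, not from the thread.
const ALLOWED_PLANS = new Set(["basic", "pro", "team"]);

// Same flow as the Action posted above, with the query value validated first.
// In an Auth0 Action this would be wired up as:
//   exports.onExecutePostLogin = async (event, api) => handlePostLogin(event, api);
function handlePostLogin(event, api) {
  const raw = event.request.query.intendedPrice;
  // A query parameter is client-controlled and may not even be a string.
  const plan = typeof raw === "string" && ALLOWED_PLANS.has(raw) ? raw : null;

  if (event.stats.logins_count === 1 && plan) {
    // user_metadata only: app_metadata is commonly used for authorization
    // decisions, so client input should not be copied into it.
    api.user.setUserMetadata("intendedPrice", plan);
  }
  if (!event.user.email_verified) {
    api.access.deny("Verification email is sent. Please verify your email address to continue");
  }
}

// Local stand-in for the `api` object (NOT Auth0's runtime): records each
// requested side effect in call order so a test can inspect them.
function makeRecordingApi() {
  const calls = [];
  return {
    calls,
    user: {
      setUserMetadata: (k, v) => calls.push(["setUserMetadata", k, v]),
      setAppMetadata: (k, v) => calls.push(["setAppMetadata", k, v]),
    },
    access: { deny: (reason) => calls.push(["deny", reason]) },
  };
}

// Runs the handler against a constructed event and returns the recorded calls.
function simulate(query, emailVerified = false, loginsCount = 1) {
  const api = makeRecordingApi();
  const event = {
    request: { query },
    stats: { logins_count: loginsCount },
    user: { email_verified: emailVerified },
  };
  handlePostLogin(event, api);
  return api.calls;
}

console.log(simulate({ intendedPrice: "pro" }));        // metadata, then deny
console.log(simulate({ intendedPrice: ["pro", "x"] })); // rejected value: deny only
```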