Setting user_metadata in Action does not work if login is denied


I’m trying to create a post-login action that performs this:

if (event.user.user_metadata.approved !== true) {
    api.user.setUserMetadata("pending_approval", true);
    api.access.deny("You need to be approved before being able to log in...");
}

I’ve noticed that the “pending_approval” field is not set if I deny access to the user. If I remove the last line of code, it works as expected.

The doc says:

"Mark the current login attempt as denied. This will prevent the end-user from completing the login flow. This will NOT cancel other user-related side-effects (such as metadata changes) requested by this Action. The login flow will immediately stop following the completion of this action and no further Actions will be executed."

So it should work as expected…

What’s wrong with my code?

Thank you.

Hi @alberto.ornaghi,

Welcome to the Auth0 Community!

There is nothing logically wrong with your code. However, after testing this for myself, I found the same observations. Specifically, the user_metadata is never set before being denied access.

And as you hinted, our docs indicate that the metadata should be able to change as long as the api.access.deny() is called afterward.

Since I have confirmed your findings, I will reach out to our Engineering teams regarding this bug and have them resolve the issue.

Once there is new information, I will follow up with you with the updates.

Thank you.
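
A local check that the Action from the question requests the metadata change before the deny, which separates a bug in the Action from one in the platform. This is an added example, not part of the original posts and not Auth0's code: the mock `api` object and the `runAction` and `summarize` helpers are hypothetical, and the optional chaining on `user_metadata` is an assumption about events that lack that field.

```javascript
// The Action from the question, wrapped as a post-login handler.
const onExecutePostLogin = async (event, api) => {
  // Optional chaining (assumption): tolerate a user with no user_metadata.
  if (event.user.user_metadata?.approved !== true) {
    api.user.setUserMetadata("pending_approval", true);
    api.access.deny("You need to be approved before being able to log in...");
  }
};

// Constructed stand-in for the `api` argument: records each requested
// side effect in call order instead of talking to a tenant.
function makeMockApi() {
  const calls = [];
  return {
    calls,
    user: {
      setUserMetadata: (key, value) =>
        calls.push({ op: "setUserMetadata", key, value }),
    },
    access: {
      deny: (reason) => calls.push({ op: "deny", reason }),
    },
  };
}

// Runs the Action against a constructed event and returns the recorded calls.
async function runAction(userMetadata) {
  const api = makeMockApi();
  const event = { user: { user_metadata: userMetadata } }; // constructed sample
  await onExecutePostLogin(event, api);
  return api.calls;
}

// Summarises what the Action asked for, so it can be compared with what
// actually ends up stored on the user profile after a denied login.
async function summarize(userMetadata) {
  const calls = await runAction(userMetadata);
  return {
    denied: calls.some((c) => c.op === "deny"),
    metadata: Object.fromEntries(
      calls
        .filter((c) => c.op === "setUserMetadata")
        .map((c) => [c.key, c.value])
    ),
    order: calls.map((c) => c.op),
  };
}
```

If `summarize({})` reports `pending_approval: true` together with `denied: true` while the stored profile shows no such field after a denied login, the Action requested the change and the gap is on the platform side, as the reply above confirms.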