Last Updated: Sep 26, 2024
Overview
Users mistakenly created an account using gmai.com instead of gmail.com. Some of these users have been verified with the @gmai.com email addresses.
Because these users are verified, the owner of the gmai.com domain may have received the verification emails and opened the verification URL in them. This is a concern because the gmai.com owner could take over these user accounts.
Note that these users sign up with the email-password scheme, not SSO with a Google Account.
Applies To
- User Authentication
- User accounts
Cause
This issue occurs when the user makes a typo in the email domain when signing up.
Solution
To solve this issue, delete the users with the incorrect domain. Users can be deleted through the Auth0 Dashboard or the Management API.
To delete the users via the Dashboard:
- Navigate to Auth0 Dashboard > User Management > Users.
- Search for the affected user and access their profile.
- Click on Actions.
- Click on Delete.
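To find the accounts to review before deleting them, the following added example (not Auth0's code) scans user records for email domains one edit away from a common provider and lists verified accounts first, since those are the case described in the Overview. It goes beyond the single gmai.com misspelling; the provider and allow lists, the sample records, and the input format (newline-delimited JSON with user_id, email and email_verified) are assumptions of the example.

```javascript
// Added example: flag exported user records whose email domain is one edit away
// from a common provider. Lists and sample records are constructed assumptions.
const PROVIDERS = ["gmail.com", "yahoo.com", "outlook.com", "hotmail.com"];
// Legitimate domains that sit one edit from a provider and must not be flagged.
const KNOWN_GOOD = ["ymail.com", "mail.com"];

// Optimal string alignment distance: insert, delete, substitute, adjacent swap.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      const swapped = i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1];
      if (swapped) d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
    }
  }
  return d[a.length][b.length];
}

// Returns the provider the domain was probably meant to be, or null.
function likelyIntendedDomain(domain) {
  if (PROVIDERS.includes(domain) || KNOWN_GOOD.includes(domain)) return null;
  return PROVIDERS.find((p) => editDistance(domain, p) === 1) || null;
}

// Input: newline-delimited JSON user records. Output: flagged users, verified first.
function findTypoDomainUsers(ndjson) {
  const flagged = [];
  for (const line of ndjson.split("\n")) {
    if (line.trim() === "") continue;
    const u = JSON.parse(line);
    const email = typeof u.email === "string" ? u.email : ""; // email may be absent
    const at = email.lastIndexOf("@");
    const suggestion = at < 0 ? null : likelyIntendedDomain(email.slice(at + 1).toLowerCase());
    if (suggestion) flagged.push({ user_id: u.user_id, email, verified: u.email_verified === true, suggestion });
  }
  return flagged.sort((x, y) => Number(y.verified) - Number(x.verified));
}

// Constructed sample records (not real accounts).
const SAMPLE = [
  ["001", "alice@gmail.com", true], ["002", "bob@gmai.com", false],
  ["003", "carol@GMAI.com", true], ["004", "dave@gmial.com", false],
  ["005", "erin@ymail.com", true], ["006", undefined, false],
].map(([n, email, v]) => JSON.stringify({ user_id: `auth0|constructed-${n}`, email, email_verified: v })).join("\n");

console.log(findTypoDomainUsers(SAMPLE));
```

Treat the output as a review list rather than a delete list, and add any further legitimate near-miss domains to KNOWN_GOOD.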
As a possible workaround to prevent this issue, set up a Pre-User-Registration Action that checks whether the user entered the incorrect gmai.com domain and displays an error accordingly. In the Action, use the event.user object in a conditional that blocks the creation of users with the incorrect domain.
A sample Pre-User-Registration Action that prevents user signup with the gmai.com domain looks like this:
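exports.onExecutePreUserRegistration = async (event, api) => {
  // The email can be absent when the connection signs users up by username or phone.
  const email = event.user.email || "";
  // Take everything after the last "@" and compare case-insensitively.
  const atSymbol = email.lastIndexOf("@");
  const domain = email.slice(atSymbol + 1).toLowerCase();
  if (domain === "gmai.com") {
    // First argument is the internal reason, second is the message shown to the user.
    api.access.deny("Incorrect Email Domain", "The email address may be wrong. Did you mean gmail.com?");
  }
};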
The image below shows how the error is rendered in the New Universal Login Page.
To learn more about the Pre User Registration flow, click here.