Hey gg-dev, I understand your issue and upvoted it.
On a sidenote, cause you said auth0 might not work for you:
Since the Login flow is the only hook that triggers regardless of the concrete connection, this is where we put all the logic you described into and abandoned all the other hooks, which are exclusively for database connections.
In concrete this means that for social logins the only option right now is to create the users on login. Once you apply this logic you realize that the same logic can also be applied to database users. That leaves the other registration hooks totally useless once you decide to support social logins.
I’ve also hit this limitation and had to work around it. I ended up doing as @hendrik described - I have “complete user registration” login action which checks a flag in the user’s app_metadata and if the flag is missing, runs some code (in my case to assign roles and set user metadata based on a custom invitation it retrieves from an API in our systems), then sets the flag in app_metadata to prevent the same code running a second time. This works, but it feels hacky, and is vulnerable to somebody inadvertently messing with the flag I’ve set in app_metadata (I also check for logins_count > 1, but I found the action runs more than once with logins_count == 1 as I refresh my SPA app page after first login, so testing logins_count > 1 on it’s own is not a safe way of preventing the code running multiple times).
Thanks Dan. At the risk of hijacking this thread, I assumed it was reasonable to use app_metadata on the user object to store properties that describe something about the user which is never seen by the user and only written/read from server-side code (in this case a flag to preserve state that is written and read from an action script). Are you suggesting that isn’t safe? If so I’m not sure I understand what app_metadata on the user object is for.
How and when app_metadata is (or isn’t) presented to the user is going to depend on your implementation.
For example, it’s common that app_metadata is added to tokens, which could then be read by the user of a client side app, but the user would have no ability to manage its contents as it is in a signed token.
Thank you everyone for sharing additional context. We’ll analyze it at the beginning of next month in collaboration with our product team and potentially will add it to our engineering backlog. Thank you for your understanding!