Last Updated: Dec 17, 2024
Overview
One or more users from a custom DB connection were blocked by Brute-Force Protection. The “|” pipe character was used in the username. It does not seem to work to unblock these users.
When trying the GET/api/v2/user-blocks Management API endpoint to get the blocks for the user (e.g. username@mail.com|test), an empty array is received:
{
"blocked_for": []
}
When trying the DELETE/api/v2/user-blocks Management API endpoint to unlock the user, they still could not log in.
Applies To
- Custom Database
- Brute-Force Protection
- Blocked Users
- Special Characters
Cause
This is likely due to the “|” character being used internally on the API V2 endpoint for parsing the connection.
- For example, when parsing “username@mail.com**|**test”, we incorrectly parse “test” as the connection.
This could also be because that is not one of the allowed characters for usernames, as described here.
- No other characters/symbols are allowed, and as our documentation also describes, Auth0 does not validate or sanitize custom database inputs. That is why it is not possible to use that character to log users in with the custom database connection.
Solution
To confirm this is the cause of the issue, bypass this behavior by appending the connection name to the identifier in the DELETE/GET request. Using the example from above: “username@mail.com**|** test**|** connection-name” should solve the issue.