Users from custom DB blocked by Brute-Force Protection with "|" pipe character in username

Problem statement

Some users from a custom DB connection were blocked by Brute-Force Protection. We use the “|” pipe character in the username and can’t unblock them.

Symptoms

I tried the GET /api/v2/user-blocks Management API endpoint to get the blocks for the user (e.g. username@mail.com|test) and received an empty array:

{
  "blocked_for": []
}

I also tried the DELETE /api/v2/user-blocks Management API endpoint to unlock the user, but they still couldn’t log in.

Cause

This could be due to the “|” character being used internally on the API V2 endpoint for parsing the connection.

For example, when parsing username@mail.com|test, we incorrectly parse ‘test’ as the connection.

The doc "Adding Username for Database Connections" has the list of allowed characters for the username attribute. The pipe “|” is not on the list.

Also, as explained in the same doc, “No other characters/symbols are allowed, and Auth0 does not validate or sanitize custom database inputs.”

Solution

As a workaround, with the example above, you can use username@mail.com|test|connection-name instead to retrieve such users.
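
The parsing behaviour and the workaround above, as an added example that is not Auth0's code: splitIdentifier() is a hypothetical model that assumes the text after the last "|" is read as the connection, and the helper names and sample usernames are constructed. The identifier query parameter of GET /api/v2/user-blocks is percent-encoded before use.

```javascript
// Hypothetical model of the parsing described in "Cause": whatever follows
// the last "|" is taken as the connection name. Not Auth0's implementation.
function splitIdentifier(identifier) {
  const i = identifier.lastIndexOf("|");
  if (i === -1) return { username: identifier, connection: null };
  return { username: identifier.slice(0, i), connection: identifier.slice(i + 1) };
}

// Apply the workaround from "Solution": when the username itself contains
// "|", append "|<connection-name>" so the real connection is the last segment.
function blockIdentifier(username, connectionName) {
  if (!connectionName || connectionName.includes("|")) {
    throw new Error("connection name must be non-empty and contain no '|'");
  }
  return username.includes("|") ? `${username}|${connectionName}` : username;
}

// Path and query string for the user-blocks lookup, with "@" and "|" encoded.
function userBlocksPath(username, connectionName) {
  const id = blockIdentifier(username, connectionName);
  return `/api/v2/user-blocks?identifier=${encodeURIComponent(id)}`;
}

// Audit helper: since custom database inputs are not validated, list the
// usernames in your own store that contain "|" and will hit this problem.
function findPipeUsernames(usernames) {
  return usernames.filter((u) => u.includes("|"));
}

// Constructed sample data for a stand-alone run.
const sample = ["alice@example.com", "username@mail.com|test"];
for (const u of findPipeUsernames(sample)) {
  console.log("misparsed as:", splitIdentifier(u));
  console.log("lookup with :", userBlocksPath(u, "connection-name"));
}
```
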