Using pre registration Hooks to prevent duplicate account creation

dan_k · October 12, 2019, 6:08pm

We’re looking to use a pre registration hook to prevent users creating dupicate accounts ie username-password accounts when they have already created one via a social login.

Currently doing something similar via rules but moving to hooks will enable us to actually prevent the account creation rather than just disabling the duplicate post creation.

Anyway strugging to get it to work possibbly because i can’t see how to get the access token needed for the api. Using rules you use “auth0.accessToken” what is the equivalent when using Hooks?

module.exports = function (user, context, cb) {
var response = {};

response.user = user;

// Add user or app metadata to the newly created user
// response.user.user_metadata = { foo: ‘bar’ };
// response.user.app_metadata = { vip: true, score: 7 };

var request = require(‘request@2.56.0’);

var userApiUrl = ‘https://XXDomainXX/api/v2//users’;
var userSearchApiUrl = ‘https://XXDomainXX/api/v2/users-by-email’;

request({
url: userSearchApiUrl,
headers: {
Authorization: ???
},
qs: {
email: user.email
}
},
function(err, searchresponse, body) {
if (err) return cb(err);
if (searchresponse.statusCode !== 200) return cb(new Error(body));

var data = JSON.parse(body);

if (data.length === 0) {
  return cb(null, response);
}

if (data.length > 0) {
  // duplicate so throw error
  
  return cb(new Error('Duplicate user'));
}
});

};

dan.woda · October 14, 2019, 9:50pm

Hi @dan_k,

Welcome back to the Auth0 Community Forum!

Before diving into a solution; have you considered the automatic account linking feature? It solves this problem, although it is not exactly the same result.

Hope this helps!

Thanks,
Dan

dan_k · October 15, 2019, 7:20am

Hi Dan,

I’ve looked at that and we’ll want to use it for some situations. However that doesn’t solve the situation where a user creates an account via social login and then a hacker creats a new username - password account with the same email and accesses their account. The other way round is fine and we can use account linking but we need to prevent the username - password account from being created if a social login already exists.

Hope that makes sense.

dan.woda · October 15, 2019, 6:30pm

I see what you mean. They could create an unvalidated account that is not linked.

To your original question:

I am assuming you are referring to this example. This is using a node auth0 module, which you should be able to use in a hook exactly like in rules.

Let me know if you have problems!

Thanks,
Dan

dan_k · October 17, 2019, 4:32pm

In principle yes.

In the end as there is no management api token in Hooks as there is in Rules i’ve had to get the token directly.

eg:

var options = {
method: ‘POST’,
url: ‘https://’ + domain + ‘/oauth/token’,
headers: {‘content-type’: ‘application/x-www-form-urlencoded’},
form: {
grant_type: ‘client_credentials’,
client_id: client_id,
client_secret: client_secret,
audience: ‘https://’ + domain + ‘/api/v2/’
}
};

tokenRequest(options, function (error, tokenResponse, body) {
if (error) throw new Error(error);
…

dan.woda · October 18, 2019, 6:05pm

Yes, alternatively if you wanted to use the auth0 node package you could obtain the token and initiate the management client this way:

var ManagementClient = require('auth0').ManagementClient;
var auth0 = new ManagementClient({
  domain: '{YOUR_ACCOUNT}.auth0.com',
  clientId: '{YOUR_NON_INTERACTIVE_CLIENT_ID}',
  clientSecret: '{YOUR_NON_INTERACTIVE_CLIENT_SECRET}',
  scope: 'read:users update:users'
});

It may help shrink your code a bit, but the same result can be achieved without it.

Hope this helps!

Thanks,
Dan

dan.woda · November 1, 2019, 10:05pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.