Auth0 Home Blog Docs

Using pre registration Hooks to prevent duplicate account creation

We’re looking to use a pre registration hook to prevent users creating dupicate accounts ie username-password accounts when they have already created one via a social login.

Currently doing something similar via rules but moving to hooks will enable us to actually prevent the account creation rather than just disabling the duplicate post creation.

Anyway strugging to get it to work possibbly because i can’t see how to get the access token needed for the api. Using rules you use “auth0.accessToken” what is the equivalent when using Hooks?

module.exports = function (user, context, cb) {
var response = {};

response.user = user;

// Add user or app metadata to the newly created user
// response.user.user_metadata = { foo: ‘bar’ };
// response.user.app_metadata = { vip: true, score: 7 };

var request = require(‘request@2.56.0’);

var userApiUrl = ‘https://XXDomainXX/api/v2//users’;
var userSearchApiUrl = ‘https://XXDomainXX/api/v2/users-by-email’;

request({
url: userSearchApiUrl,
headers: {
Authorization: ???
},
qs: {
email: user.email
}
},
function(err, searchresponse, body) {

if (err) return cb(err);
if (searchresponse.statusCode !== 200) return cb(new Error(body));

var data = JSON.parse(body);

if (data.length === 0) {
  return cb(null, response);
}

if (data.length > 0) {
  // duplicate so throw error
  
  return cb(new Error('Duplicate user'));
}

});

};

Hi @dan_k,

Welcome back to the Auth0 Community Forum!

Before diving into a solution; have you considered the automatic account linking feature? It solves this problem, although it is not exactly the same result.

Hope this helps!

Thanks,
Dan

Hi Dan,

I’ve looked at that and we’ll want to use it for some situations. However that doesn’t solve the situation where a user creates an account via social login and then a hacker creats a new username - password account with the same email and accesses their account. The other way round is fine and we can use account linking but we need to prevent the username - password account from being created if a social login already exists.

Hope that makes sense.

I see what you mean. They could create an unvalidated account that is not linked.

To your original question:

I am assuming you are referring to this example. This is using a node auth0 module, which you should be able to use in a hook exactly like in rules.

Let me know if you have problems!

Thanks,
Dan

In principle yes.

In the end as there is no management api token in Hooks as there is in Rules i’ve had to get the token directly.

eg:

var options = {
method: ‘POST’,
url: ‘https://’ + domain + ‘/oauth/token’,
headers: {‘content-type’: ‘application/x-www-form-urlencoded’},
form: {
grant_type: ‘client_credentials’,
client_id: client_id,
client_secret: client_secret,
audience: ‘https://’ + domain + ‘/api/v2/’
}
};

tokenRequest(options, function (error, tokenResponse, body) {
if (error) throw new Error(error);