webAuth.signup does not detect email conflicts when an existing user was created through a social identity provider


I’m currently encountering a weird edge case that I’m hoping someone might be able to shed some light on. My current application allows for Social Sign-on with Google & Github, as well as a customized form to sign-up using the auth0js WebAuth configuration. I have existing rules setup that will normalize emails & merge profiles that match email addresses, but I’ve noticed a very unique edge case that I can’t seem to resolve with rules or hooks, and I’m honestly not sure why I’m encountering it.

The bug is as follows:

  1. A user signs up using a Social Identity Provider (Google)
  2. Once their account is created, a user navigates back to the Sign-up page to create a new user using the form this time. They submit the request using the same email address as the one they user for their Google sign-up, and are returned the new profile rather than user that was merged into the existing one.

I’ve tried creating rules & hooks to resolve this, but each seems limited in their own way. One solution I tried to implement was a pre user registration rule to check to see if the user exists in the database (calling the /api/v2/users-by-email) from a hook, but I don’t have access to the auth0.accessToken here. Would anyone happen to have experienced this / have any thoughts on how to resolve this? I’m not sure why auth0 isn’t automatically detecting email collisions at the outset of the request like it would if a user tried signing up through the form twice in a row

For anyone experiencing the same issue, my solution was similar to what I had tried, in the description:

  • Query the API endpoint to request a valid token
  • Query all the users within the database for any matches to the email submitted
  • If a matching user was found, throw an error
  • Otherwise continue with the registration process
1 Like

Glad you have figured it out and thanks for sharing with the rest of community!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.