DevDay 2022: Keynotes, workshops, and more. Join us in Sydney, London & Berlin.Register for Free
Actions

Limit User Registration to Specific Dates with Auth0 Actions

With Auth0’s Actions, it’s easy to ensure that users can sign up for an account only between a specific start date and end date.

February 17, 2022

Actions

Limit User Registration to Specific Dates with Auth0 Actions

With Auth0’s Actions, it’s easy to ensure that users can sign up for an account only between a specific start date and end date.

February 17, 2022

Some applications have a limited lifetime. A website or app for limited-time events such as a conference, convention, or concert will only be useful when the event takes place. Since there’s no point in allowing people to sign up for an account after the event is over, you may want to limit registration to a specific set of dates.

It usually takes a considerable amount of work to limit the dates when new users could register an account. However, if you’re using Auth0 to authenticate your users, this task became a lot easier thanks to Actions!

Actions are a new feature that allows you to extend Auth0 beyond what it can do “out of the box”. They’re Node.js functions that you can add to various flows within Auth0’s processes, including logging in, changing passwords, and signing up for a new account. You write and store these functions in the Auth0 dashboard, where they’re part of your tenant’s settings, and Auth0’s servers execute them.

In this article’s exercise, you’ll learn how to write an Action that limits when users can sign up for an account for a specific application. If a user signs up for an account outside the defined valid registration period, their attempt to sign up will be canceled, and they will see a message explaining why.

Prerequisites

You’ll need the following for this exercise:

  • Auth0 account: Actions are an Auth0 feature, which means you need an Auth0 account to use them. You can sign up for free, and the process is pretty painless.
  • Any application that uses your Auth0 tenant to provide Universal Login. Any web-based, mobile, or desktop application will do, just as long as it is one of your tenant’s applications. You’ll need it to log in and see how defining Actions changes how login works. If you don’t have any applications that use Auth0 for authentication, you can download one from the Auth0 Quickstarts page.

Create a New Action

The first step in creating a new Action is navigating to the appropriate authentication flow. Do this by selecting Actions from the left-side menu, then select Flows from the sub-menu that appears:

The Auth0 dashboard’s “Getting Started” page, with instructions to select “Actions” and “Flows” from the left side menu.

You’ll be at the Choose Flow page, where you can select the flow for your Action. In this case, we want to create an Action that runs immediately after the user submits an email address and password to sign up for an account. Do this by selecting the Pre User Registration flow:

The “Choose Flow” page, with an instruction to select “Pre User Registration”.

This will take you to the Pre User Registration flow page, which contains a flowchart depicting the pre-user registration flow in the center of the page, and a column labeled Add Action, which lists Actions you can add to the flow.

It’s time to create an Action to add to the flow. Do this by clicking the + button in the Add Action column, then select Build Custom from the menu that appears:

The “Pre User Registration” page, with instructions to click the “+” button, then select “Build Custom”.

The Create Action dialog box will appear. Give the Action an appropriate name in the Name field. I chose Limit App 001 registration to Jan 2022. Leave the Trigger and Runtime menus at their default settings, and click the Create button:

The “Create Action” dialog box.

You’ll be taken to the code editor for your newly created Action:

The code editor for the newly created Action.

Write Code for the Action

Let’s write a quick specification for the Action before we code it.

The Action should:

  • Only affect sign-ups for a given application. In this exercise, we’ll call it “App 001”. It should not affect sign-ups for any other applications in the tenant.
  • Limit registration so that users can sign up for an account only between a given start date and end date. For this exercise, let’s limit registration to January 2022.
  • If a user tries to sign up before or after the registration period above, their attempt should fail, and they should be shown a message explaining why.

Here’s the code that implements that specification. It limits registration to the month of January 2022. You should adjust the start and end dates for the registration period as you see fit:

exports.onExecutePreUserRegistration = async (event, api) => {
  if (event.client.client_id === /* CLIENT ID GOES HERE */) {
    // Remember, Date objects are GMT by default!
    const startDate = new Date(/* START DATE/TIME GOES HERE */) 
    const endDate = new Date(/* END DATE/TIME GOES HERE */)
    const now = new Date()

    if (now < startDate || now > endDate) {
      const LOG_MESSAGE = "APP 001 registration outside January 2022"
      const USER_MESSAGE = "Registration for this app is limited to January 2022."
      api.access.deny(LOG_MESSAGE, USER_MESSAGE)
    }
  }
}

You’ll need to customize the code above for your situation:

  • Replace the /* CLIENT ID GOES HERE */ comment with the application’s client ID that this Action should apply to. The Auth0 dashboard’s Applications list (select ApplicationsApplications from the menu on the left side of the page) shows the client ID of every application in your tenant.

Copying a client ID from the “Applications” page.

  • Replace the /* START DATE/TIME GOES HERE */ comment with the date and time of the start of the valid registration period. Since we want to limit registration to January 2022, use a start date value of “2021-01-01T00:00:00”.
  • Replace the /* END DATE/TIME GOES HERE */ comment with the date and time of the start of the valid registration period. For this exercise, use an end date value of “2021-01-31T23:59:59”.

Auth0 calls the onExecutePreUserRegistration() function just after the user has provided an email address and password to sign up for an account but before the account is created. Any code entered into this function can examine the credentials provided by the user or use any other information to decide if the registration should take place or be canceled.

onExecutePreUserRegistration() takes two parameters, whose properties you can use to perform tasks prior to the user being registered:

  1. event: An object that contains details about the request to register a new user. The Action uses event ’s client.client_id property to identify the application that triggered it. Remember, the limited registration period should apply only to App 001.
  2. api: An object with methods that you can use to change the behavior of the Pre User Registration flow. The Action uses api’s access.deny() method to cancel registration. access.deny() has two parameters:
    • reason: A string containing an internal-facing reason why registration is being canceled. This value will appear in your tenant’s logs.
    • userMessage: A string containing an external-facing reason why registration is being canceled. This value will be displayed to the user to explain why they can’t sign up for a new account.

With the code entered, click the Deploy button to save it.

Add the Action to the Flow

Now that you now have a working Action, it’s time to incorporate it into the flow.

Go back to the Pre User Registration page. There are a couple of ways to do this:

  • Select ActionsFlows from the menu on the left side of the page, then click on Pre User Registration.
  • If it’s onscreen, click on the Back to Flow link. It will be near the upper left corner of the code editor).

Once you’re on the Pre User Registration page, you should see the Action you just created in the Add Action column:

The “Pre User Registration” flow, with an instruction to start dragging the newly-created action.

Drag the Action into the flow, as shown in the screenshots above and below.

The “Pre User Registration” flow, with an instruction to drag the newly-created action into the flow.

Click the Apply button near the upper right corner of the page. The change you just made to the flow will not take effect until you do so.

Try to Sign Up for an Account

At this point, your Action is now part of the Pre User Registration flow. Whenever a user submits their email address and password to sign up for a new account, your Action will be triggered and execute its code.

Run the app that you wrote the Action for. Sign up for a new account instead of logging in when you reach the login screen. As long as the current date is outside your Action’s start date and end date, you should be able to enter any valid email address and password because the registration will never happen. You should see the following instead:

The login box for the application, with a message under the “Password” field that says “Registration for this app is limited to January 2022.”

Experiment!

Now that you know the basics of restricting new registrations, you might want to try some different test conditions, such as:

  • Limiting sign-ups to users in specific countries. There may be legal, business, or security reasons for letting only users in specific countries sign up for an account. The event object provides a lot of information about the request to create a new user account, including the user’s geographical location based on their IP address, which you can access using event.request.geoip.countryName. Check out our article, Country-Based Access with Auth0 Actions, to see how you can apply this technique to logins.
  • Disallowing sign-ups from certain IP addresses. If you see a lot of malicious activity from certain IP addresses, you can block their sign-up requests. This is another use case where the event object comes in handy. Use event.request.ip to determine the address of the user attempting to register and deny their registration if it appears in a list of known malicious addresses.
  • Limiting sign-ups to weekdays. You can use JavaScript’s getDay() function to see if the current date/time falls is a weekend day. Keep in mind that while Saturday (for which getDay() returns 6) and Sunday (for which getDay() returns 0) constitute the weekend in most places, some regions have different weekend days. Once again, you may also have to account for time zone differences.
  • Twitter icon
  • LinkedIn icon
  • Faceboook icon