Post-Change Password

Post-Change Password

At the Post-Change Password extensibility point, Hooks let you execute custom actions after a successful user password change. The action can be initiated by a user for their own password or by a tenant administrator for another user's password. For example, you can send an email to a user to notify them that their password has been changed.

Hooks at this extensibility point are non-blocking (asynchronous), which means the Auth0 pipeline continues to run without waiting for the Hook to finish its execution. Thus, the Hook's outcome does not affect the Auth0 transaction.

The Post-Change Password extensibility point is available for database connections. To learn more, see Database Connections.

To learn about other extensibility points, see Extensibility Points.

Starter code and parameters

When creating a Hook executed at the Post-Change Password extensibility point, you may find the following starter code helpful. Parameters that can be passed into and used by the Hook function are listed at the top of the code sample.

/**
@param {object} user - affected user
@param {string} user.id - user's ID
@param {string} user.username - user's username
@param {string} user.email - user's email
@param {string} user.last_password_reset - date/time the user's password was last changed
@param {object} context - Auth0 context info, such as connection
@param {object} context.connection - connection info
@param {object} context.connection.id - connection ID
@param {object} context.connection.name - connection name
@param {object} context.connection.tenant - connection tenant
@param {object} context.webtask - Hook (webtask) context
@param {function} cb - function (error)
**/

module.exports = function (user, context, cb) {
  // Perform any asynchronous actions, e.g. send notification to Slack.
  cb();
};

Was this helpful?

/

Default response

Hooks executed at the Post-Change Password extensibility point ignore any response object. If an error is returned, a tenant log entry is created, but this does not affect the Auth0 transaction.

Starter code response

Once you've customized the starter code, you can test the Hook using the Runner embedded in the Hook Editor. The Runner simulates a call to the Hook with the appropriate body and response.

When you run a Hook based on the starter code, the response object is:

{
  "user": {
    "id": "abc123",
    "username": "user1",
    "email": "user1@foo.com",
    "last_password_reset": "2019-02-27T14:14:29.206Z"
  },
  "context": {
    "connection": {
      "id": "con_xxxxxxxxxxxxxxxx",
      "name": "Username-Password-Authentication",
      "tenant": "my-tenant"
    }
  }
}

Was this helpful?

/

Sample script: Send a notification email upon password change

In this example, we use a Hook to have SendGrid send a notification email to the user upon password change.

module.exports = function (user, context, cb) {

  const request = require('request');
  const sendgridApiKey = context.webtask.secrets.SENDGRID_API_KEY;

  // https://sendgrid.api-docs.io/v3.0/mail-send
  request.post({
    url: 'https://api.sendgrid.com/v3/mail/send',
    headers: {
      'Authorization': 'Bearer ' + sendgridApiKey
    },
    json: {
      personalizations: [{
        to: [{
          email: user.email
        }]
      }],
      from: {
        email: 'admin@example.com'
      },
      subject: 'Your password was changed',
      content: [{
        type: 'text/plain',
        value: 'The password for your ' + context.connection.name + ' account ' + user.email + ' was recently changed.'
      }]
    }
  }, function (err, resp, body) {
    if (err || resp.statusCode !== 202) {
      return cb(err || new Error(body.errors[0].message));
    }

    cb();
  });
};

Was this helpful?

/

Learn more