Auth0 Actions

Auth0 Actions are customizable, serverless JavaScript functions that execute at specific points in the Auth0 authentication and user management lifecycle. This service runs three active actions: two in the post-login flow and one in the pre-user-registration flow. Together they enforce MFA policy, capture login metadata, and tighten account security.

Legacy Auth0 rules (in auth0/rules/) are deprecated and not documented here.

MFA Action

File: auth0/actions/mfa_action.js

Trigger: post-login (v3)

Purpose: Conditionally enforce multi-factor authentication (MFA) based on user metadata and request context.

Logic

The action executes on every successful login (both password and refresh token flows) and determines whether to challenge the user for MFA.

Bypass conditions (no MFA enforced), evaluated in this order:
  • Tenant is the test Auth0 tenant AND the request is a refresh token flow: MFA is skipped entirely, unless the user's email domain is forcemfa.floatme.io, which forces MFA even on a refresh

  • Tenant is the test Auth0 tenant AND the user's email domain matches the integration test domain: MFA is skipped for integration test accounts

  • User is on their first login (login count ≤ 1): MFA is skipped during the signup flow

MFA enforcement (after bypasses):
  • If the user's app_metadata.auth_require_mfa is true OR request.body.challengeRequired is set, the action calls api.multifactor.enable("any"). challengeRequired comes from the client, so it can only add a challenge; nothing in the request body can remove one or trigger a bypass.

  • "any" prompts the user for whichever MFA authenticator they have enrolled (OOB, TOTP, etc.) and prompts enrollment if they have none

Integration Test Behavior

A special email domain in the test tenant (forcemfa.floatme.io, the same domain referenced above; mfa_action.js is the authoritative source for the value) forces MFA enrollment even for integration test accounts. This lets test flows exercise MFA enrollment and the challenge/submit endpoints in a non-production tenant.

Enable MFA Action

File: auth0/actions/enable_mfa.js

Trigger: pre-user-registration (v2)

Purpose: Set MFA requirement metadata when a new user is created.

Behavior

This action runs in the pre-user-registration pipeline, before the Auth0 user object is created. It calls api.user.setAppMetadata for two flags on the incoming registration so they are present on the user from the moment it is created:

  • auth_require_mfa = true — marks the user as MFA-required

  • uses_new_mfa_action = true — flag for tracking migration from legacy MFA flows

Of these, auth_require_mfa is the flag the MFA Action reads on every login to decide whether to enforce a challenge; uses_new_mfa_action is informational and is not consulted by the login policy.

Add IP to Metadata Action

File: auth0/actions/add_ip_to_metadata.js

Trigger: post-login (v3)

Purpose: Capture the client IP address on every login for fraud detection and analytics.

Metadata Capture

On each login the action writes the requesting IP (event.request.ip) to the user's user_metadata.last_ip. Auth0 persists this field and other services can query it. Note that Auth0 treats user_metadata as the user-editable part of the profile (a token carrying the update:current_user_metadata scope lets a user change it), whereas app_metadata cannot be modified by the user. Consumers that act on last_ip should therefore treat it as a signal rather than an authoritative audit record; the Auth0 tenant logs remain the tamper-resistant source for login IPs.

Consumption

  • Auth worker (cloudflare/workers/auth/) may read the last IP from user info endpoints or session context for Castle fraud scoring (fingerprinting, velocity checks, location anomaly detection)

  • Internal services may pull user metadata via Auth0 management API to cross-reference logins and detect compromised accounts

Deployment

All three actions are deployed and managed via Terraform in deploy/auth0_actions.tf.

Terraform Resources

Each action is declared as an auth0_action resource:

  • auth0_action.mfa_action — reads auth0/actions/mfa_action.js, deployed to post-login flow v3

  • auth0_action.ip_metadata_action — reads auth0/actions/add_ip_to_metadata.js, deployed to post-login flow v3

  • auth0_action.set_mfa_action — reads auth0/actions/enable_mfa.js, deployed to pre-user-registration flow v2

Each resource specifies:
  • runtime = "node18", the Node.js runtime version
  • deploy = true, so the action is deployed automatically when Terraform applies
  • supported_triggers, the Auth0 flow and version the action binds to

Post-Login Flow Ordering

The auth0_trigger_actions.login_flow resource chains the two post-login actions in sequence:

  1. add_ip_to_metadata (IP capture) runs first

  2. mfa_action (MFA enforcement) runs second

This ensures the IP is recorded before any MFA challenge occurs.
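The following is an added, self-contained simulation of the whole lifecycle described on this page (the MFA Action decision logic, the Enable MFA Action's registration-time flags, the IP capture, and the login_flow ordering). It is example code written for this documentation, not the project's mfa_action.js, enable_mfa.js or add_ip_to_metadata.js, and it fills in details the page leaves to the source: the test tenant is assumed to be identified by event.tenant.id against a hypothetical TEST_TENANT_ID, the integration test domain is a placeholder (INTEGRATION_TEST_DOMAIN), a refresh token exchange is assumed to surface as transaction.protocol "oauth2-refresh-token", and the forcemfa.floatme.io domain is treated as overriding every test-tenant bypass, which is one reading of the text above. The `api` object is a recording stand-in with only the methods the actions call. Run it with `node` to see the registration and two logins replayed.

```javascript
// Added example, not the project's mfa_action.js, enable_mfa.js or
// add_ip_to_metadata.js: a self-contained simulation of the three actions
// and of the login_flow ordering, runnable with plain `node file.js`.
// Assumed (not stated on this page): the test tenant is identified by
// event.tenant.id, integration accounts use INTEGRATION_TEST_DOMAIN, and a
// refresh token exchange shows up as transaction.protocol "oauth2-refresh-token".
const TEST_TENANT_ID = "floatme-test";                 // assumed tenant id
const INTEGRATION_TEST_DOMAIN = "integration.example"; // assumed placeholder
const FORCE_MFA_DOMAIN = "forcemfa.floatme.io";        // named on this page

function emailDomain(email) {
  const at = (email || "").lastIndexOf("@");
  return at === -1 ? "" : email.slice(at + 1).toLowerCase();
}

// Pure policy decision with no side effects, so it can be unit-tested
// without a tenant. Order of checks follows the documented bypass list;
// the force-MFA domain is treated as overriding every test-tenant bypass.
function decideMfa(event) {
  const domain = emailDomain(event.user.email);
  const isRefresh = event.transaction.protocol === "oauth2-refresh-token";
  if (event.tenant.id === TEST_TENANT_ID) {
    if (domain === FORCE_MFA_DOMAIN) return { enforce: true, reason: "force-mfa domain" };
    if (isRefresh) return { enforce: false, reason: "test tenant refresh" };
    if (domain === INTEGRATION_TEST_DOMAIN) return { enforce: false, reason: "integration account" };
  }
  if ((event.stats.logins_count || 0) <= 1) return { enforce: false, reason: "first login" };
  const meta = event.user.app_metadata || {};
  const body = event.request.body || {};
  // challengeRequired is client-supplied: it can add a challenge, never remove one.
  if (meta.auth_require_mfa === true || Boolean(body.challengeRequired)) {
    return { enforce: true, reason: "policy" };
  }
  return { enforce: false, reason: "not required" };
}

// The three handlers. In a deployed action each is assigned to the matching
// export (exports.onExecutePreUserRegistration / exports.onExecutePostLogin).
function preUserRegistration(event, api) {
  api.user.setAppMetadata("auth_require_mfa", true);
  api.user.setAppMetadata("uses_new_mfa_action", true);
}
function postLoginAddIp(event, api) {
  api.user.setUserMetadata("last_ip", event.request.ip);
}
function postLoginMfa(event, api) {
  if (decideMfa(event).enforce) api.multifactor.enable("any");
}

// Recording stand-in for the Auth0 `api` object, covering only the
// methods the actions above call; writes land on the in-memory user record.
function makeApi(user) {
  const calls = [];
  return {
    calls,
    user: {
      setAppMetadata(k, v) { user.app_metadata[k] = v; calls.push("setAppMetadata"); },
      setUserMetadata(k, v) { user.user_metadata[k] = v; calls.push("setUserMetadata"); },
    },
    multifactor: { enable(provider) { calls.push("multifactor.enable:" + provider); } },
  };
}

// Registers a user, then replays one post-login pipeline per IP in the
// documented order (IP capture first, MFA second) and reports each login.
function simulateLifecycle({ tenantId, email, ips }) {
  const user = { email, app_metadata: {}, user_metadata: {} };
  preUserRegistration({ tenant: { id: tenantId }, user }, makeApi(user));
  const logins = ips.map((ip, i) => {
    const event = {
      tenant: { id: tenantId },
      user,
      stats: { logins_count: i + 1 },
      transaction: { protocol: "oidc-basic-profile" },
      request: { ip, body: {} },
    };
    const api = makeApi(user);
    postLoginAddIp(event, api);
    postLoginMfa(event, api);
    return { lastIp: user.user_metadata.last_ip, mfa: api.calls.includes("multifactor.enable:any"), calls: api.calls };
  });
  return { user, logins };
}

if (typeof require !== "undefined" && require.main === module) {
  // Constructed sample: a production-tenant user registering and logging in twice.
  console.log(JSON.stringify(simulateLifecycle({
    tenantId: "floatme-prod", email: "alice@example.com", ips: ["203.0.113.5", "198.51.100.7"],
  }), null, 2));
}
```

The simulated run shows the interplay the sections above describe separately: registration sets auth_require_mfa, the first login records the IP but is not challenged because of the first-login bypass, and the second login records the new IP and then calls multifactor.enable("any"). Keeping the decision in a pure function (decideMfa) is the design choice worth copying into the real action, since it lets the bypass matrix be tested offline before a Terraform apply pushes it to the tenant.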

Applying Changes

Changes to action code are deployed via:

cd deploy/
terraform plan
terraform apply

Terraform detects changes to the action files and automatically redeploys them to the Auth0 tenant. The deploy = true flag ensures actions are live immediately after apply.

Deprecated Rules

Auth0 rules in auth0/rules/ are deprecated and not actively used. These rules will not be documented or maintained. New authentication policies should be implemented as actions per the above.