User Access Restrictions
User Access Restrictions in Descope provide advanced control over who can access your application. These restrictions help you manage sign-ups and prevent specific identifiers, like email addresses, from accessing your application.
Examples of Restrictions
Descope offers several restriction options to secure and control your application environment effectively:
- Allow or Block (Custom): Permits or prevents only specified identifiers from signing up for your application. Ideal for internal tools or applications restricted to a particular user group.
- Block Email Subaddresses: Blocks email addresses containing characters like +, =, or #, preventing users from using modified versions of allowed emails to sign up.
- Block Disposable Emails: See the Disposable Email article.
Setting Up Restrictions
Allow or Block (Custom)
A powerful mechanism of user restriction in Descope Flows is using Conditions to check whether a particular parameter matches certain requirements, often using regex.
To customize whether certain users are blocked or allowed, a Descope Flow can be created that takes an input such as an email and then checks if it matches certain requirements. For instance, we can include a condition to check whether an email address ends with @descope.com by checking if the value in the input (form.email) matches this regex: ^[^@]+@descope\.com$
This could be placed in the flow anywhere after the email or other identifier has been inputted.
Block Email Subaddresses
This feature blocks any sign-up attempts using email addresses with subaddressing, commonly used to create multiple accounts from a single email address.
- To block email subaddresses, add a condition in the flow to check if the inputted email matches this regex: ^[^@]+[\+=#][^@]*@[^@]+$
- This checks for the presence of +, =, or # in the email address:
  - ^[^@]+ : Ensures the string starts with one or more characters that are not an @.
  - [\+=#] : Matches any of the characters +, =, or #.
  - [^@]* : Allows any number of characters that are not an @ following the +, =, or #.
  - @ : Matches the @ symbol.
  - [^@]+$ : Matches one or more characters that are not an @ until the end of the string, ensuring there's at least one character in the domain part.
- This regex will match emails like acme+tag@acme.com, user=name@acme.com, and person#info@acme.com, which all contain a subaddress. It will not match simple emails like acme@acme.com, which lack the special characters indicating a subaddress.
- The condition could fit in a flow just after the email address of a user is inputted.
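To check how the two regexes above (the @descope.com allow rule and the subaddress block rule) behave before putting them in a flow condition, here is an added example that is not part of the Descope documentation or product: it evaluates both patterns with Python's re module over constructed sample identifiers, including look-alike domains and case variants that show why the anchors and the escaped dot matter. The evaluation order and the "allow only @descope.com" policy are assumptions for this example; how the flow condition itself handles letter case is not covered on this page.

```python
import re

# The two patterns from the page, exactly as written in the flow conditions.
ALLOWED_DOMAIN_RE = re.compile(r"^[^@]+@descope\.com$")
SUBADDRESS_RE = re.compile(r"^[^@]+[\+=#][^@]*@[^@]+$")


def evaluate_signup(email: str) -> dict:
    """Return which restriction, if any, applies to a sign-up identifier.

    Assumed policy for this example: block subaddressed emails first, then
    allow only identifiers on the @descope.com domain.
    """
    if SUBADDRESS_RE.search(email):
        return {"email": email, "allowed": False, "reason": "subaddress"}
    if not ALLOWED_DOMAIN_RE.search(email):
        return {"email": email, "allowed": False, "reason": "domain-not-allowed"}
    return {"email": email, "allowed": True, "reason": None}


# Constructed sample identifiers; the comments state what each one exercises.
SAMPLES = [
    "alice@descope.com",            # allowed
    "alice+tag@descope.com",        # blocked: subaddress with +
    "bob=team@descope.com",         # blocked: subaddress with =
    "carol#x@descope.com",          # blocked: subaddress with #
    "dave@acme.com",                # blocked: not on the allowed domain
    "eve@descope.com.example.net",  # blocked: the $ anchor rejects a look-alike suffix
    "frank@descopeXcom",            # blocked: \. matches a literal dot only
    "grace@DESCOPE.COM",            # blocked: this regex, as written, is case-sensitive
]


def evaluate_all(emails=SAMPLES) -> list:
    """Evaluate every sample and return the list of results."""
    return [evaluate_signup(e) for e in emails]


if __name__ == "__main__":
    for r in evaluate_all():
        print(f"{r['email']:30} allowed={r['allowed']!s:5} reason={r['reason']}")
```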