User Access Restrictions

User Access Restrictions in Descope provide advanced control over who can access your application. These restrictions help you manage sign-ups and prevent specific identifiers, like email addresses, from accessing your application.

Examples of Restrictions

Descope offers several restriction options to secure and control your application environment effectively:

  1. Allow or Block (Custom): Permits or prevents sign-up for only the identifiers you specify. Ideal for internal tools or applications restricted to a particular user group.
  2. Block Email Subaddresses: Blocks email addresses containing characters like +, =, or #, preventing users from signing up with modified versions of allowed emails.
  3. Block Disposable Emails: See the Disposable Email article for details.

Setting Up Restrictions

Allow or Block (Custom)

A powerful mechanism for restricting users in Descope Flows is a Condition that checks whether a particular parameter matches certain requirements, often using a regex.

To customize whether certain users are blocked or allowed, create a Descope Flow that takes an input such as an email and then checks whether it matches certain requirements. For instance, you can add a condition that checks whether an email address ends with @descope.com by testing whether the value in the input (form.email) matches this regex: ^[^@]+@descope\.com$.
[Image: Email is Descope condition]
This condition can be placed anywhere in the flow after the email or other identifier has been entered.

Block Email Subaddresses

This feature blocks any sign-up attempts using email addresses with subaddressing, commonly used to create multiple accounts from a single email address.

To block email subaddresses:

  • Add a condition in the flow that checks whether the entered email matches this regex: ^[^@]+[\+=#][^@]*@[^@]+$
    • This checks for the presence of +, =, or # in the local part (before the @) of the email address:
      • ^[^@]+: Ensures the string starts with one or more characters that are not an @.
      • [\+=#]: Matches any one of the characters +, =, or #.
      • [^@]*: Allows any number of characters that are not an @ following the +, =, or #.
      • @: Matches the @ symbol.
      • [^@]+$: Matches one or more characters that are not an @ until the end of the string, ensuring there is at least one character in the domain part.
    • This regex matches emails like acme+tag@acme.com, user=name@acme.com, and person#info@acme.com, which all contain a subaddress. It does not match simple emails like acme@acme.com, which lack the special characters that indicate a subaddress.
[Image: Email subaddress condition]
  • The condition fits in the flow just after the user's email address has been entered.
[Image: Email subaddress flow]
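To show how the two regexes above behave before wiring them into a flow condition, here is an added Python example that is not part of the Descope documentation or SDK. It applies the domain allow regex from the Allow or Block section and the subaddress regex from this section to a constructed list of sample addresses, in the order a flow would typically evaluate them (block subaddresses first, then enforce the allowed domain). The `evaluate_signup` helper and the case/whitespace normalisation are this example's own assumptions, not Descope behaviour; the regexes themselves are copied verbatim from the text.

```python
import re

# Regexes exactly as given in the documentation above.
ALLOWED_DOMAIN_RE = re.compile(r"^[^@]+@descope\.com$")
SUBADDRESS_RE = re.compile(r"^[^@]+[\+=#][^@]*@[^@]+$")


def is_allowed_domain(email: str) -> bool:
    """Allow-list check: True only for addresses that end in @descope.com.

    The escaped dot and the trailing $ matter: without them the pattern would
    also accept hosts such as descope.com.evil.example or descopeXcom.
    """
    return ALLOWED_DOMAIN_RE.search(email) is not None


def has_subaddress(email: str) -> bool:
    """True when the local part contains a +, = or # subaddress separator."""
    return SUBADDRESS_RE.search(email) is not None


def evaluate_signup(email: str) -> str:
    """Mirror a flow that blocks subaddresses first, then enforces the allow-list.

    Returns "allow" or a short reason string explaining the block.
    Lower-casing and trimming are assumptions of this example, not flow behaviour.
    """
    email = email.strip().lower()
    if has_subaddress(email):
        return "block: subaddress"
    if not is_allowed_domain(email):
        return "block: domain not allowed"
    return "allow"


# Constructed sample identifiers for demonstration only (not real users).
SAMPLE_EMAILS = [
    "alice@descope.com",
    "Alice@Descope.com",
    "alice+test@descope.com",
    "user=name@acme.com",
    "person#info@acme.com",
    "bob@descope.com.evil.example",
    "acme@acme.com",
]

if __name__ == "__main__":
    for sample in SAMPLE_EMAILS:
        print(f"{sample:32} -> {evaluate_signup(sample)}")
```

The `bob@descope.com.evil.example` sample is included to show why the `$` anchor and the escaped `\.` in the domain regex are needed; dropping either would let a look-alike domain pass the allow-list check. Neither regex validates full email syntax, so they should be treated as sign-up policy checks on top of, not instead of, normal email verification.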