🚀 Feature: Actions or Scripting Engine (Pre-Registration / Pre-Auth Hooks) #592

Open
opened 2026-02-04 20:36:37 +03:00 by OVERLORD · 1 comment
Owner

Originally created by @simonliu99 on GitHub (Jan 6, 2026).

Feature description

The current feature set is simple and robust, but having the ability to add more granular logic into registration or authentication would be a great option to have. This would be similar to Auth0 Actions or Zitadel Actions that would allow admins to define small snippets of JavaScript code that execute at specific triggers.

  1. Pre-User-Registration (Allow/Deny signup, validate input)
  2. Post-User-Registration (Notify external systems)
  3. Pre-Authentication (Check specific conditions before issuing tokens)

Pitch

This feature would allow for logic to implement checks like whitelisted domains, password/username policies, or trigger webhooks when a new user registers (e.g., to notify Slack/Discord). Currently, these features would require individual PRs and new UI toggles for every single variation.

Pre-registration example: whitelist a domain (#1152)

function onExecutePreUserRegistration(event, api) {
  const allowed = ["mycompany.com", "internal.org"];
  const domain = event.user.email.split("@")[1];

  if (!allowed.includes(domain)) {
    return api.deny("Registration restricted to internal domains.");
  }
}

Post-registration example: Discord webhook notification

function onExecutePostUserRegistration(event, api) {
  const webhookUrl = "https://discord.com/api/webhooks/xxx/yyy";
  
  const payload = {
    content: `**New User Alert**\nUser: ${event.user.email}\nTime: ${new Date().toISOString()}`
  };

  http.post(webhookUrl, {
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(payload)
  });
}

Pre-authentication example: parental controls

function onExecutePreAuth(event, api) {
  const hour = new Date().getHours();
  const isNightTime = hour >= 22 || hour < 7;
  
  if (event.user.groups.includes("kids") && isNightTime) {
    return api.access.deny("Go to sleep! Access is disabled until 7 AM.");
  }
}

Pre-authentication example: custom auth errors

function onExecutePreAuth(event, api) {
  if (event.user.app_metadata.status === "suspended") {
    return api.access.deny("Your account has been suspended. Contact the admin.");
  }
}
Originally created by @simonliu99 on GitHub (Jan 6, 2026). ### Feature description The current feature set is simple and robust, but having the ability to add more granular logic into registration or authentication would be a great option to have. This would be similar to Auth0 Actions or Zitadel Actions that would allow admins to define small snippets of JavaScript code that execute at specific triggers. 1. Pre-User-Registration (Allow/Deny signup, validate input) 2. Post-User-Registration (Notify external systems) 3. Pre-Authentication (Check specific conditions before issuing tokens) ### Pitch This feature would allow for logic to implement checks like whitelisted domains, password/username policies, or trigger webhooks when a new user registers (e.g., to notify Slack/Discord). Currently, these features would require individual PRs and new UI toggles for every single variation. Pre-registration example: whitelist a domain (#1152) ```JavaScript function onExecutePreUserRegistration(event, api) { const allowed = ["mycompany.com", "internal.org"]; const domain = event.user.email.split("@")[1]; if (!allowed.includes(domain)) { return api.deny("Registration restricted to internal domains."); } } ``` Post-registration example: Discord webhook notification ```JavaScript function onExecutePostUserRegistration(event, api) { const webhookUrl = "https://discord.com/api/webhooks/xxx/yyy"; const payload = { content: `**New User Alert**\nUser: ${event.user.email}\nTime: ${new Date().toISOString()}` }; http.post(webhookUrl, { headers: { "Content-Type": "application/json" }, body: JSON.stringify(payload) }); } ``` Pre-authentication example: parental controls ```JavaScript function onExecutePreAuth(event, api) { const hour = new Date().getHours(); const isNightTime = hour >= 22 || hour < 7; if (event.user.groups.includes("kids") && isNightTime) { return api.access.deny("Go to sleep! Access is disabled until 7 AM."); } } ``` Pre-authentication example: custom auth errors ```JavaScript function onExecutePreAuth(event, api) { if (event.user.app_metadata.status === "suspended") { return api.access.deny("Your account has been suspended. Contact the admin."); } } ```
OVERLORD added the needs more upvotes label 2026-02-04 20:36:37 +03:00
Author
Owner

@ScrumpyJack commented on GitHub (Jan 29, 2026):

There have been a few requests that this falls under so there is some interest

https://github.com/pocket-id/pocket-id/issues/1282
https://github.com/pocket-id/pocket-id/issues/1152

These would be a killer features IMHO

Another example of post registration hook in particular:

In a private setting (like internal org or self-hosted family/friends groupware) when a user registers, they pick a new email address and a post registration webhook could trigger a workflow, such a creating the new mailbox, setup up storage and evrything needed for said groupware to function without an admin having to set it all up for the new user manually.

@ScrumpyJack commented on GitHub (Jan 29, 2026): There have been a few requests that this falls under so there is some interest https://github.com/pocket-id/pocket-id/issues/1282 https://github.com/pocket-id/pocket-id/issues/1152 These would be a killer features IMHO Another example of post registration hook in particular: In a private setting (like internal org or self-hosted family/friends groupware) when a user registers, they pick a new email address and a post registration webhook could trigger a workflow, such a creating the new mailbox, setup up storage and evrything needed for said groupware to function without an admin having to set it all up for the new user manually.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/pocket-id#592