Add deny for pre register event

[markusahlstrand]

Summary by CodeRabbit

Release Notes

• New Features

  • Added deny capability to pre-registration hooks, enabling developers to explicitly reject user registrations with customizable error codes and optional reason messages for better control over user onboarding.

• Tests

  • Introduced comprehensive test coverage for the new registration denial feature, validating denial behavior with different error codes and proper error message formatting.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
authero-docs	Ready	Preview, Comment	Apr 1, 2026 0:47am
authhero-react-admin	Ready	Preview, Comment	Apr 1, 2026 0:47am

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6bd3fb91-ed79-496c-8b32-08f0c002993f

📥 Commits

Reviewing files that changed from the base of the PR and between fa38c62 and 5a51e9f.

📒 Files selected for processing (4)

• .changeset/slow-nails-exist.md
• packages/authhero/src/hooks/index.ts
• packages/authhero/src/types/Hooks.ts
• packages/authhero/test/hooks/on-pre-user-registration.spec.ts

---

📝 Walkthrough

Walkthrough

The authhero package now supports denying user registrations within pre-registration hooks. A new access.deny(code, reason?) function is added to the hook API that immediately terminates the registration process with an HTTP 400 error. Error handling around pre-registration execution is updated to preserve structured HTTP exceptions.

Changes

Cohort / File(s)	Summary
Changeset .changeset/slow-nails-exist.md	Declares minor version bump for authhero with note about adding deny capability to pre-registration event.
Hook Type Definitions packages/authhero/src/types/Hooks.ts	Extends OnExecutePreUserRegistrationAPI with new access object containing deny(code, reason?) method to allow denying registrations.
Hook Implementation packages/authhero/src/hooks/index.ts	Implements the access.deny() function in the hook context that throws a JSONHTTPException(400) with formatted denial message; updates error handling to rethrow HTTPException instances unchanged.
Hook Tests packages/authhero/test/hooks/on-pre-user-registration.spec.ts	Adds three test cases covering: deny with code and reason, deny with code only, and generic error behavior during hook execution.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Server as Hook Handler
    participant Access as Access Control

    rect rgba(100, 150, 200, 0.5)
    Note over Client,Access: Scenario 1: access.deny() Called
    Client->>Server: POST /users (registration request)
    Server->>Access: onExecutePreUserRegistration hook
    Access->>Access: access.deny('code', 'reason')
    Access-->>Server: throw JSONHTTPException(400)
    Server-->>Client: HTTP 400 + error message
    end

    rect rgba(100, 200, 100, 0.5)
    Note over Client,Access: Scenario 2: Hook Succeeds
    Client->>Server: POST /users (registration request)
    Server->>Access: onExecutePreUserRegistration hook
    Access->>Access: mutations proceed normally
    Access-->>Server: completion
    Server-->>Client: HTTP 201 + user created
    end

    rect rgba(200, 150, 100, 0.5)
    Note over Client,Access: Scenario 3: Generic Error Thrown
    Client->>Server: POST /users (registration request)
    Server->>Access: onExecutePreUserRegistration hook
    Access->>Access: throw Error()
    Access-->>Server: error caught, user creation succeeds
    Server-->>Client: HTTP 201 + user created
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Update hooks for account linking #560: Adds user.setLinkedTo() method to the same OnExecutePreUserRegistrationAPI, extending account-linking capabilities alongside the new deny functionality.
• Expose all the hooks in init #452: Previously introduced access.deny() deny-style control pattern for other hooks, establishing the pattern now extended to pre-registration hooks.
• add user-registration hooks #54: Introduced the foundational pre-user-registration hook feature that this PR builds upon with enhanced control-flow mechanisms.

Poem

🐰 A rabbit hops through registration's gate,
With access.deny() to seal one's fate,
No more shall unwanted users pass through,
The pre-registration hook's made anew! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title 'Add deny for pre register event' accurately describes the main change: adding a deny mechanism for the pre-user registration hook API.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch pre-register-deny

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}