8316299588

Committed 17 Mar 2024 02:55PM UTC coverage: 64.923% (-0.3%) from 65.241%

Build Type

github

Committed by

Commit Message

fix: remove unneeded if check

Pull Request Pull Request #1474: feat: add custom sms hook

Run Details

87 of 197 new or added lines in 13 files covered. (44.16%)

72 existing lines in 3 files now uncovered.

8005 of 12330 relevant lines covered (64.92%)

59.5 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

68.26

/internal/api/otp.go

package api

import (
        "bytes"
        "encoding/json"
        "io"
        "net/http"

        "github.com/sethvargo/go-password/password"
        "github.com/supabase/auth/internal/api/sms_provider"
        "github.com/supabase/auth/internal/models"
        "github.com/supabase/auth/internal/storage"
)

// OtpParams contains the request body params for the otp endpoint
type OtpParams struct {
        Email               string                 `json:"email"`
        Phone               string                 `json:"phone"`
        CreateUser          bool                   `json:"create_user"`
        Data                map[string]interface{} `json:"data"`
        Channel             string                 `json:"channel"`
        CodeChallengeMethod string                 `json:"code_challenge_method"`
        CodeChallenge       string                 `json:"code_challenge"`
}

// SmsParams contains the request body params for sms otp
type SmsParams struct {
        Phone               string                 `json:"phone"`
        Channel             string                 `json:"channel"`
        Data                map[string]interface{} `json:"data"`
        CodeChallengeMethod string                 `json:"code_challenge_method"`
        CodeChallenge       string                 `json:"code_challenge"`
}

func (p *OtpParams) Validate() error {
        if p.Email != "" && p.Phone != "" {
                return badRequestError(ErrorCodeValidationFailed, "Only an email address or phone number should be provided")
        }
        if p.Email != "" && p.Channel != "" {
                return badRequestError(ErrorCodeValidationFailed, "Channel should only be specified with Phone OTP")
        }
        if err := validatePKCEParams(p.CodeChallengeMethod, p.CodeChallenge); err != nil {
                return err
        }
        return nil
}

func (p *SmsParams) Validate(smsProvider string) error {
        if p.Phone != "" && !sms_provider.IsValidMessageChannel(p.Channel, smsProvider) {
                return badRequestError(ErrorCodeValidationFailed, InvalidChannelError)
        }

        var err error
        p.Phone, err = validatePhone(p.Phone)
        if err != nil {
                return err
        }

        return nil
}

// Otp returns the MagicLink or SmsOtp handler based on the request body params
func (a *API) Otp(w http.ResponseWriter, r *http.Request) error {
        params := &OtpParams{
                CreateUser: true,
        }
        if params.Data == nil {
                params.Data = make(map[string]interface{})
        }

        if err := retrieveRequestParams(r, params); err != nil {
                return err
        }

        if err := params.Validate(); err != nil {
                return err
        }
        if params.Data == nil {
                params.Data = make(map[string]interface{})
        }

        if ok, err := a.shouldCreateUser(r, params); !ok {
                return unprocessableEntityError(ErrorCodeOTPDisabled, "Signups not allowed for otp")
        } else if err != nil {
                return err
        }

        if params.Email != "" {
                return a.MagicLink(w, r)
        } else if params.Phone != "" {
                return a.SmsOtp(w, r)
        }

        return badRequestError(ErrorCodeValidationFailed, "One of email or phone must be set")
}

type SmsOtpResponse struct {
        MessageID string `json:"message_id,omitempty"`
}

// SmsOtp sends the user an otp via sms
func (a *API) SmsOtp(w http.ResponseWriter, r *http.Request) error {
        ctx := r.Context()
        db := a.db.WithContext(ctx)
        config := a.config

        if !config.External.Phone.Enabled {
                return badRequestError(ErrorCodePhoneProviderDisabled, "Unsupported phone provider")
        }
        var err error

        params := &SmsParams{}
        if err := retrieveRequestParams(r, params); err != nil {
                return err
        }

        // For backwards compatibility, we default to SMS if params Channel is not specified
        if params.Phone != "" && params.Channel == "" {
                params.Channel = sms_provider.SMSProvider
        }

        if err := params.Validate(config.Sms.Provider); err != nil {
                return err
        }

        var isNewUser bool
        aud := a.requestAud(ctx, r)
        user, err := models.FindUserByPhoneAndAudience(db, params.Phone, aud)
        if err != nil {
                if models.IsNotFoundError(err) {
                        isNewUser = true
                } else {
                        return internalServerError("Database error finding user").WithInternalError(err)
                }
        }
        if user != nil {
                isNewUser = !user.IsPhoneConfirmed()
        }
        if isNewUser {
                // User either doesn't exist or hasn't completed the signup process.
                // Sign them up with temporary password.
                password, err := password.Generate(64, 10, 1, false, true)
                if err != nil {
                        return internalServerError("error creating user").WithInternalError(err)
                }

                signUpParams := &SignupParams{
                        Phone:    params.Phone,
                        Password: password,
                        Data:     params.Data,
                        Channel:  params.Channel,
                }
                newBodyContent, err := json.Marshal(signUpParams)
                if err != nil {
                        // SignupParams must be marshallable
                        panic(err)
                }
                r.Body = io.NopCloser(bytes.NewReader(newBodyContent))

                fakeResponse := &responseStub{}

                if config.Sms.Autoconfirm {
                        // signups are autoconfirmed, send otp after signup
                        if err := a.Signup(fakeResponse, r); err != nil {
                                return err
                        }

                        signUpParams := &SignupParams{
                                Phone:   params.Phone,
                                Channel: params.Channel,
                        }
                        newBodyContent, err := json.Marshal(signUpParams)
                        if err != nil {
                                // SignupParams must be marshallable
                                panic(err)
                        }
                        r.Body = io.NopCloser(bytes.NewReader(newBodyContent))
                        return a.SmsOtp(w, r)
                }

                if err := a.Signup(fakeResponse, r); err != nil {
                        return err
                }
                return sendJSON(w, http.StatusOK, make(map[string]string))
        }

        messageID := ""
        err = db.Transaction(func(tx *storage.Connection) error {
                if err := models.NewAuditLogEntry(r, tx, user, models.UserRecoveryRequestedAction, "", map[string]interface{}{
                        "channel": params.Channel,
                }); err != nil {
                        return err
                }
                smsProvider, terr := sms_provider.GetSmsProvider(*config)
                if terr != nil {
                        return internalServerError("Unable to get SMS provider").WithInternalError(err)
                }
                mID, serr := a.sendPhoneConfirmation(r, tx, user, params.Phone, phoneConfirmationOtp, smsProvider, params.Channel)
                if serr != nil {
                        return badRequestError(ErrorCodeSMSSendFailed, "Error sending sms OTP: %v", serr).WithInternalError(serr)
                }
                messageID = mID
                return nil
        })

        if err != nil {
                return err
        }

        return sendJSON(w, http.StatusOK, SmsOtpResponse{
                MessageID: messageID,
        })
}

func (a *API) shouldCreateUser(r *http.Request, params *OtpParams) (bool, error) {
        ctx := r.Context()
        db := a.db.WithContext(ctx)

        if !params.CreateUser {
                ctx := r.Context()
                aud := a.requestAud(ctx, r)
                var err error
                if params.Email != "" {
                        params.Email, err = validateEmail(params.Email)
                        if err != nil {
                                return false, err
                        }
                        _, err = models.FindUserByEmailAndAudience(db, params.Email, aud)
                } else if params.Phone != "" {
                        params.Phone, err = validatePhone(params.Phone)
                        if err != nil {
                                return false, err
                        }
                        _, err = models.FindUserByPhoneAndAudience(db, params.Phone, aud)
                }

                if err != nil && models.IsNotFoundError(err) {
                        return false, nil
                }
        }
        return true, nil
}

1	package api
2
3	import (
4	"bytes"
5	"encoding/json"
6	"io"
7	"net/http"
8
9	"github.com/sethvargo/go-password/password"
10	"github.com/supabase/auth/internal/api/sms_provider"
11	"github.com/supabase/auth/internal/models"
12	"github.com/supabase/auth/internal/storage"
13	)
14
15	// OtpParams contains the request body params for the otp endpoint
16	type OtpParams struct {
17	Email string `json:"email"`
18	Phone string `json:"phone"`
19	CreateUser bool `json:"create_user"`
20	Data map[string]interface{} `json:"data"`
21	Channel string `json:"channel"`
22	CodeChallengeMethod string `json:"code_challenge_method"`
23	CodeChallenge string `json:"code_challenge"`
24	}
25
26	// SmsParams contains the request body params for sms otp
27	type SmsParams struct {
28	Phone string `json:"phone"`
29	Channel string `json:"channel"`
30	Data map[string]interface{} `json:"data"`
31	CodeChallengeMethod string `json:"code_challenge_method"`
32	CodeChallenge string `json:"code_challenge"`
33	}
34
35	func (p *OtpParams) Validate() error {	15✔
36	if p.Email != "" && p.Phone != "" {	16✔
37	return badRequestError(ErrorCodeValidationFailed, "Only an email address or phone number should be provided")	1✔
38	}	1✔
39	if p.Email != "" && p.Channel != "" {	14✔
40	return badRequestError(ErrorCodeValidationFailed, "Channel should only be specified with Phone OTP")	×
41	}	×
42	if err := validatePKCEParams(p.CodeChallengeMethod, p.CodeChallenge); err != nil {	16✔
43	return err	2✔
44	}	2✔
45	return nil	12✔
46	}
47
48	func (p *SmsParams) Validate(smsProvider string) error {	6✔
49	if p.Phone != "" && !sms_provider.IsValidMessageChannel(p.Channel, smsProvider) {	7✔
50	return badRequestError(ErrorCodeValidationFailed, InvalidChannelError)	1✔
51	}	1✔
52
53	var err error	5✔
54	p.Phone, err = validatePhone(p.Phone)	5✔
55	if err != nil {	5✔
56	return err	×
57	}	×
58
59	return nil	5✔
60	}
61
62	// Otp returns the MagicLink or SmsOtp handler based on the request body params
63	func (a API) Otp(w http.ResponseWriter, r http.Request) error {	15✔
64	params := &OtpParams{	15✔
65	CreateUser: true,	15✔
66	}	15✔
67	if params.Data == nil {	30✔
68	params.Data = make(map[string]interface{})	15✔
69	}	15✔
70
71	if err := retrieveRequestParams(r, params); err != nil {	15✔
72	return err	×
73	}	×
74
75	if err := params.Validate(); err != nil {	18✔
76	return err	3✔
77	}	3✔
78	if params.Data == nil {	16✔
79	params.Data = make(map[string]interface{})	4✔
80	}	4✔
81
82	if ok, err := a.shouldCreateUser(r, params); !ok {	13✔
83	return unprocessableEntityError(ErrorCodeOTPDisabled, "Signups not allowed for otp")	1✔
84	} else if err != nil {	12✔
85	return err	×
86	}	×
87
88	if params.Email != "" {	16✔
89	return a.MagicLink(w, r)	5✔
90	} else if params.Phone != "" {	17✔
91	return a.SmsOtp(w, r)	6✔
92	}	6✔
93
94	return badRequestError(ErrorCodeValidationFailed, "One of email or phone must be set")	×
95	}
96
97	type SmsOtpResponse struct {
98	MessageID string `json:"message_id,omitempty"`
99	}
100
101	// SmsOtp sends the user an otp via sms
102	func (a API) SmsOtp(w http.ResponseWriter, r http.Request) error {	6✔
103	ctx := r.Context()	6✔
104	db := a.db.WithContext(ctx)	6✔
105	config := a.config	6✔
106		6✔
107	if !config.External.Phone.Enabled {	6✔
108	return badRequestError(ErrorCodePhoneProviderDisabled, "Unsupported phone provider")	×
109	}	×
110	var err error	6✔
111		6✔
112	params := &SmsParams{}	6✔
113	if err := retrieveRequestParams(r, params); err != nil {	6✔
114	return err	×
115	}	×
116
117	// For backwards compatibility, we default to SMS if params Channel is not specified
118	if params.Phone != "" && params.Channel == "" {	11✔
119	params.Channel = sms_provider.SMSProvider	5✔
120	}	5✔
121
122	if err := params.Validate(config.Sms.Provider); err != nil {	7✔
123	return err	1✔
124	}	1✔
125
126	var isNewUser bool	5✔
127	aud := a.requestAud(ctx, r)	5✔
128	user, err := models.FindUserByPhoneAndAudience(db, params.Phone, aud)	5✔
129	if err != nil {	6✔
130	if models.IsNotFoundError(err) {	2✔
131	isNewUser = true	1✔
132	} else {	1✔
133	return internalServerError("Database error finding user").WithInternalError(err)	×
134	}	×
135	}
136	if user != nil {	9✔
137	isNewUser = !user.IsPhoneConfirmed()	4✔
138	}	4✔
139	if isNewUser {	6✔
140	// User either doesn't exist or hasn't completed the signup process.	1✔
141	// Sign them up with temporary password.	1✔
142	password, err := password.Generate(64, 10, 1, false, true)	1✔
143	if err != nil {	1✔
144	return internalServerError("error creating user").WithInternalError(err)	×
145	}	×
146
147	signUpParams := &SignupParams{	1✔
148	Phone: params.Phone,	1✔
149	Password: password,	1✔
150	Data: params.Data,	1✔
151	Channel: params.Channel,	1✔
152	}	1✔
153	newBodyContent, err := json.Marshal(signUpParams)	1✔
154	if err != nil {	1✔
155	// SignupParams must be marshallable	×
156	panic(err)	×
157	}
158	r.Body = io.NopCloser(bytes.NewReader(newBodyContent))	1✔
159		1✔
160	fakeResponse := &responseStub{}	1✔
161		1✔
162	if config.Sms.Autoconfirm {	1✔
163	// signups are autoconfirmed, send otp after signup	×
164	if err := a.Signup(fakeResponse, r); err != nil {	×
165	return err	×
166	}	×
167
168	signUpParams := &SignupParams{	×
169	Phone: params.Phone,	×
170	Channel: params.Channel,	×
171	}	×
172	newBodyContent, err := json.Marshal(signUpParams)	×
173	if err != nil {	×
174	// SignupParams must be marshallable	×
175	panic(err)	×
176	}
177	r.Body = io.NopCloser(bytes.NewReader(newBodyContent))	×
178	return a.SmsOtp(w, r)	×
179	}
180
181	if err := a.Signup(fakeResponse, r); err != nil {	2✔
182	return err	1✔
183	}	1✔
184	return sendJSON(w, http.StatusOK, make(map[string]string))	×
185	}
186
187	messageID := ""	4✔
188	err = db.Transaction(func(tx *storage.Connection) error {	8✔
189	if err := models.NewAuditLogEntry(r, tx, user, models.UserRecoveryRequestedAction, "", map[string]interface{}{	4✔
190	"channel": params.Channel,	4✔
191	}); err != nil {	4✔
192	return err	×
193	}	×
194	smsProvider, terr := sms_provider.GetSmsProvider(*config)	4✔
195	if terr != nil {	8✔
196	return internalServerError("Unable to get SMS provider").WithInternalError(err)	4✔
197	}	4✔
NEW 198	mID, serr := a.sendPhoneConfirmation(r, tx, user, params.Phone, phoneConfirmationOtp, smsProvider, params.Channel)	×
199	if serr != nil {	×
200	return badRequestError(ErrorCodeSMSSendFailed, "Error sending sms OTP: %v", serr).WithInternalError(serr)	×
201	}	×
202	messageID = mID	×
203	return nil	×
204	})
205
206	if err != nil {	8✔
207	return err	4✔
208	}	4✔
209
210	return sendJSON(w, http.StatusOK, SmsOtpResponse{	×
211	MessageID: messageID,	×
212	})	×
213	}
214
215	func (a API) shouldCreateUser(r http.Request, params *OtpParams) (bool, error) {	12✔
216	ctx := r.Context()	12✔
217	db := a.db.WithContext(ctx)	12✔
218		12✔
219	if !params.CreateUser {	13✔
220	ctx := r.Context()	1✔
221	aud := a.requestAud(ctx, r)	1✔
222	var err error	1✔
223	if params.Email != "" {	2✔
224	params.Email, err = validateEmail(params.Email)	1✔
225	if err != nil {	1✔
226	return false, err	×
227	}	×
228	_, err = models.FindUserByEmailAndAudience(db, params.Email, aud)	1✔
229	} else if params.Phone != "" {	×
230	params.Phone, err = validatePhone(params.Phone)	×
231	if err != nil {	×
232	return false, err	×
233	}	×
234	_, err = models.FindUserByPhoneAndAudience(db, params.Phone, aud)	×
235	}
236
237	if err != nil && models.IsNotFoundError(err) {	2✔
238	return false, nil	1✔
239	}	1✔
240	}
241	return true, nil	11✔
242	}

supabase / gotrue / 8316299588

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous