
supabase / auth / 10151130647
69%

Build:
DEFAULT BRANCH: master
Ran 29 Jul 2024 08:16PM UTC
Jobs 1
Files 127
Run time 1min

29 Jul 2024 08:11PM UTC coverage: 58.243% (+0.05%) from 58.193%
10151130647

push

github

web-flow
feat: MFA (Phone) (#1668)

## What kind of change does this PR introduce?

We introduce MFA (Phone) to allow developers to enroll a Phone-based MFA
factor. We maintain the existing pattern of enroll, challenge, verify.

The frontend bindings are [listed here](https://github.com/supabase/auth-js/pull/932/files) but as a
summary:

- `enroll` - `enroll({factorType: 'phone', phoneNumber:'<e164-phone-number>', friendlyName:'<optional-name>'})`
- `challenge` - `challenge({channel: '<whatsapp>'})`. If no channel is
specified it defaults to `sms`.

### How it works

This is an additive change - there should be no impact on the existing
flow unless one specifies `{'factor_type': 'phone'}` in the request
body.

### Key Details
- OTP Expiry is currently tied to challenge expiry. The OTP will last as
long as the challenge. We can expose an option to decouple this in the
future since it is an additive change.
- It is independent of the phone provider. You can use MFA (Phone) even
if Phone Provider is disabled.
- There are, however, links to the phone provider. MFA (Phone) will derive
configuration from Phone Provider (e.g. if Phone provider is configured
to use Twilio, MFA (Phone) will use Twilio). If you wish to use a
separate phone provider please use the Send SMS Hook.
- OTPs are stored encrypted in the database.

#### Configuration
- We have `ENROLL_ENABLED` and `VERIFY_ENABLED` toggles for both TOTP and
Phone Factors.

#### Integration with Hooks


- When used with the MFA Verification Hook the input payload to the hook
will contain a factor type indicator:

```
hooks.MFAVerificationAttemptInput{
	....
	FactorType: "sms",
	....
}
```

When used with the Send SMS Hook there's an indicator for the SMSType
specifying that it is an MFA Hook. Use as needed.

```
hooks.SendSMSInput{
	User: user,
	SMS: hooks.SMS{
		...
		SMSType: "mfa",
	},
}
```

#### Security Concerns

- Vulnerability to Br... (continued)

222 of 368 new or added lines in 7 files covered. (60.33%)

9168 of 15741 relevant lines covered (58.24%)

54.73 hits per line

New Missed Lines in Diff

Lines  Coverage  ∆       File
5      84.38     -7.29%  internal/models/challenge.go
9      71.81     -0.9%   internal/conf/configuration.go
9      80.0      0.25%   internal/models/factor.go
123    62.72     -7.35%  internal/api/mfa.go

Jobs
ID  Job ID         Ran                      Files  Coverage
1   10151130647.1  29 Jul 2024 08:16PM UTC  127    58.24
  • ae091aa9 on github