
supabase / auth / 10151130647 / 1
69%
master: 69%

Build:
DEFAULT BRANCH: master
Ran 29 Jul 2024 08:16PM UTC
Files 127
Run time 3s
29 Jul 2024 08:11PM UTC coverage: 58.243% (+0.05%) from 58.193%
10151130647.1

push

github

web-flow
feat: MFA (Phone) (#1668)

## What kind of change does this PR introduce?

We introduce MFA (Phone) to allow developers to enroll a Phone-based MFA
factor. We maintain the existing pattern of enroll, challenge, verify.

The frontend bindings are [listed
here](https://github.com/supabase/auth-js/pull/932/files), but as a
summary:

- `enroll` - `enroll({factorType: 'phone',
phoneNumber:'<e164-phone-number>', friendlyName:'<optional-name>'})`
- `challenge` - `challenge({channel: '<whatsapp>'})`. If no channel is
specified it defaults to `sms`.

### How it works

This is an additive change - there should be no impact on the existing
flow unless one specifies `{'factor_type': 'phone'}` in the request
body.

### Key Details
- OTP Expiry is currently tied to challenge expiry. The OTP will last as
long as the challenge. We can expose an option to decouple this in the
future since it is an additive change.
- It is independent of the phone provider. You can use MFA (Phone) even
if Phone Provider is disabled.
- There are, however, links to the phone provider. MFA (Phone) will derive
configuration from Phone Provider (e.g. if Phone provider is configured
to use Twilio, MFA (Phone) will use Twilio). If you wish to use a
separate phone provider please use the Send SMS Hook.
- OTPs are stored encrypted in the database.

#### Configuration
- We have `ENROLL_ENABLED` and `VERIFY_ENABLED` toggles for both TOTP and
Phone Factors.

#### Integration with Hooks


- When used with the MFA Verification Hook the input payload to the hook
will contain a factor type indicator:

```
hooks.MFAVerificationAttemptInput {
    ....
    FactorType: 'sms'
    ....
}
```

When used with the Send SMS Hook there's an indicator for the SMSType
specifying that it is an MFA Hook. Use as needed.

```
hooks.SendSMSInput{
    User: user,
    SMS: hooks.SMS{
        ...
        SMSType: "mfa",
    },
}
```

#### Security Concerns

- Vulnerability to Br... (continued)

9168 of 15741 relevant lines covered (58.24%)

54.73 hits per line

  • ae091aa9 on github