feat: MFA (Phone) (#1668)
## What kind of change does this PR introduce?

We introduce MFA (Phone) to allow developers to enroll a Phone-based MFA
factor. We maintain the existing pattern of enroll, challenge, verify.

The frontend bindings are [listed here](https://github.com/supabase/auth-js/pull/932/files), but as a summary:

- `enroll` - `enroll({factorType: 'phone', phoneNumber: '<e164-phone-number>', friendlyName: '<optional-name>'})`
- `challenge` - `challenge({channel: '<whatsapp>'})`. If no channel is specified it defaults to `sms`.

### How it works

This is an additive change - there should be no impact on the existing
flow unless one specifies `{'factor_type': 'phone'}` in the request
body.

### Key Details
- OTP Expiry is currently tied to challenge expiry. The OTP will last as
long as the challenge. We can expose an option to decouple this in the
future since it is an additive change.
- It is independent of the phone provider. You can use MFA (Phone) even
if Phone Provider is disabled.
- There are, however, links to the phone provider. MFA (Phone) will derive
configuration from Phone Provider (e.g. if Phone Provider is configured
to use Twilio, MFA (Phone) will use Twilio). If you wish to use a
separate phone provider please use the Send SMS Hook.
- OTPs are stored encrypted in the database.

#### Configuration
- We have `ENROLL_ENABLED` and `VERIFY_ENABLED` toggles for both TOTP and
Phone Factors.

#### Integration with Hooks

- When used with the MFA Verification Hook the input payload to the hook
will contain a factor type indicator:

```go
hooks.MFAVerificationAttemptInput{
	....
	FactorType: "sms",
	....
}
```

When used with the Send SMS Hook there's an indicator for the SMSType
specifying that it is an MFA Hook. Use as needed.

```go
hooks.SendSMSInput{
	User: user,
	SMS: hooks.SMS{
		...
		SMSType: "mfa",
	},
}
```

#### Security Concerns

- Vulnerability to Brute Force Attack / Distributed attack
- Leakage of OTP Code anywhere
J0 authored Jul 29, 2024
1 parent 46491b8 commit ae091aa
Showing 12 changed files with 691 additions and 78 deletions.
4 changes: 4 additions & 0 deletions internal/api/errorcodes.go
Expand Up @@ -78,4 +78,8 @@ const (
ErrorCodeHookPayloadOverSizeLimit ErrorCode = "hook_payload_over_size_limit"
ErrorCodeHookPayloadUnknownSize ErrorCode = "hook_payload_unknown_size"
ErrorCodeRequestTimeout ErrorCode = "request_timeout"
ErrorCodeMFAPhoneEnrollDisabled ErrorCode = "mfa_phone_enroll_not_enabled"
ErrorCodeMFAPhoneVerifyDisabled ErrorCode = "mfa_phone_verify_not_enabled"
ErrorCodeMFATOTPEnrollDisabled ErrorCode = "mfa_totp_enroll_not_enabled"
ErrorCodeMFATOTPVerifyDisabled ErrorCode = "mfa_totp_verify_not_enabled"
)
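Review bot: the identifier suffix and the string value disagree in all four new constants (`ErrorCodeMFAPhoneEnrollDisabled` carries `"mfa_phone_enroll_not_enabled"`, and likewise for the other three); clients key off the string, so pick one wording and use it in both places, e.g. rename the constants to `ErrorCodeMFAPhoneEnrollNotEnabled` / `ErrorCodeMFATOTPVerifyNotEnabled`, or change the strings to `..._disabled`. The four codes back the `ENROLL_ENABLED` / `VERIFY_ENABLED` toggles described in the PR, so they also need to be added wherever the public error code list is documented.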
1 change: 1 addition & 0 deletions internal/api/helpers.go
Expand Up @@ -82,6 +82,7 @@ type RequestParams interface {
VerifyFactorParams |
VerifyParams |
adminUserUpdateFactorParams |
ChallengeFactorParams |
struct {
Email string `json:"email"`
Phone string `json:"phone"`
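Review bot: adding `ChallengeFactorParams` to the `RequestParams` union only lets the challenge body through the shared generic parser; nothing in this hunk validates the `channel` field the PR description introduces. Make sure the struct or the challenge handler restricts `channel` to the supported values (`sms`, `whatsapp`) and applies the documented default of `sms` when the field is absent, rather than forwarding an arbitrary string to the SMS provider or the Send SMS Hook.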
