feat: add MFA Phone (#578)

Author: juancarlospaco

supabase_auth/_async/gotrue_client.py

@@ -737,14 +737,25 @@ async def _enroll(self, params: MFAEnrollParams) -> AuthMFAEnrollResponse:
         session = await self.get_session()
         if not session:
             raise AuthSessionMissingError()
+
+        body = {
+            "friendly_name": params["friendly_name"],
+            "factor_type": params["factor_type"],
+        }
+
+        if params["factor_type"] == "phone":
+            body["phone"] = params["phone"]
+        else:
+            body["issuer"] = params["issuer"]
+
         response = await self._request(
             "POST",
             "factors",
-            body=params,
+            body=body,
             jwt=session.access_token,
             xform=partial(model_validate, AuthMFAEnrollResponse),
         )
-        if response.totp.qr_code:
+        if params["factor_type"] == "totp" and response.totp.qr_code:
             response.totp.qr_code = f"data:image/svg+xml;utf-8,{response.totp.qr_code}"
         return response
 
@@ -755,6 +766,7 @@ async def _challenge(self, params: MFAChallengeParams) -> AuthMFAChallengeRespon
         return await self._request(
             "POST",
             f"factors/{params.get('factor_id')}/challenge",
+            body={"channel": params["channel"]},
             jwt=session.access_token,
             xform=partial(model_validate, AuthMFAChallengeResponse),
         )
@@ -807,7 +819,8 @@ async def _list_factors(self) -> AuthMFAListFactorsResponse:
         response = await self.get_user()
         all = response.user.factors or []
         totp = [f for f in all if f.factor_type == "totp" and f.status == "verified"]
-        return AuthMFAListFactorsResponse(all=all, totp=totp)
+        phone = [f for f in all if f.factor_type == "phone" and f.status == "verified"]
+        return AuthMFAListFactorsResponse(all=all, totp=totp, phone=phone)
 
     async def _get_authenticator_assurance_level(
         self,

supabase_auth/_sync/gotrue_client.py

@@ -729,14 +729,25 @@ def _enroll(self, params: MFAEnrollParams) -> AuthMFAEnrollResponse:
         session = self.get_session()
         if not session:
             raise AuthSessionMissingError()
+
+        body = {
+            "friendly_name": params["friendly_name"],
+            "factor_type": params["factor_type"],
+        }
+
+        if params["factor_type"] == "phone":
+            body["phone"] = params["phone"]
+        else:
+            body["issuer"] = params["issuer"]
+
         response = self._request(
             "POST",
             "factors",
-            body=params,
+            body=body,
             jwt=session.access_token,
             xform=partial(model_validate, AuthMFAEnrollResponse),
         )
-        if response.totp.qr_code:
+        if params["factor_type"] == "totp" and response.totp.qr_code:
             response.totp.qr_code = f"data:image/svg+xml;utf-8,{response.totp.qr_code}"
         return response
 
@@ -747,6 +758,7 @@ def _challenge(self, params: MFAChallengeParams) -> AuthMFAChallengeResponse:
         return self._request(
             "POST",
             f"factors/{params.get('factor_id')}/challenge",
+            body={"channel": params["channel"]},
             jwt=session.access_token,
             xform=partial(model_validate, AuthMFAChallengeResponse),
         )
@@ -799,7 +811,8 @@ def _list_factors(self) -> AuthMFAListFactorsResponse:
         response = self.get_user()
         all = response.user.factors or []
         totp = [f for f in all if f.factor_type == "totp" and f.status == "verified"]
-        return AuthMFAListFactorsResponse(all=all, totp=totp)
+        phone = [f for f in all if f.factor_type == "phone" and f.status == "verified"]
+        return AuthMFAListFactorsResponse(all=all, totp=totp, phone=phone)
 
     def _get_authenticator_assurance_level(
         self,

supabase_auth/types.py

@@ -4,7 +4,7 @@
 from time import time
 from typing import Any, Callable, Dict, List, Union
 
-from pydantic import BaseModel
+from pydantic import BaseModel, ConfigDict
 
 try:
     # > 2
@@ -180,7 +180,7 @@ class Factor(BaseModel):
     """
     Friendly name of the factor, useful to disambiguate between multiple factors.
     """
-    factor_type: Union[Literal["totp"], str]
+    factor_type: Union[Literal["totp", "phone"], str]
     """
     Type of factor. Only `totp` supported with this version but may change in
     future versions.
@@ -492,9 +492,10 @@ class GenerateEmailChangeLinkParams(TypedDict):
 
 
 class MFAEnrollParams(TypedDict):
-    factor_type: Literal["totp"]
+    factor_type: Literal["totp", "phone"]
     issuer: NotRequired[str]
     friendly_name: NotRequired[str]
+    phone: str
 
 
 class MFAUnenrollParams(TypedDict):
@@ -539,6 +540,7 @@ class MFAChallengeParams(TypedDict):
     """
     ID of the factor to be challenged.
     """
+    channel: NotRequired[Literal["sms", "whatsapp"]]
 
 
 class MFAChallengeAndVerifyParams(TypedDict):
@@ -600,14 +602,23 @@ class AuthMFAEnrollResponse(BaseModel):
     """
     ID of the factor that was just enrolled (in an unverified state).
     """
-    type: Literal["totp"]
+    type: Literal["totp", "phone"]
     """
     Type of MFA factor. Only `totp` supported for now.
     """
     totp: AuthMFAEnrollResponseTotp
     """
     TOTP enrollment information.
     """
+    model_config = ConfigDict(arbitrary_types_allowed=True)
+    friendly_name: str
+    """
+    Friendly name of the factor, useful for distinguishing between factors
+    """
+    phone: str
+    """
+    Phone number of the MFA factor in E.164 format. Used to send messages
+    """
 
 
 class AuthMFAUnenrollResponse(BaseModel):
@@ -626,6 +637,10 @@ class AuthMFAChallengeResponse(BaseModel):
     """
     Timestamp in UNIX seconds when this challenge will no longer be usable.
     """
+    factor_type: Literal["totp", "phone"]
+    """
+    Factor Type which generated the challenge
+    """
 
 
 class AuthMFAListFactorsResponse(BaseModel):
@@ -637,6 +652,10 @@ class AuthMFAListFactorsResponse(BaseModel):
     """
     Only verified TOTP factors. (A subset of `all`.)
     """
+    phone: List[Factor]
+    """
+    Only verified Phone factors. (A subset of `all`.)
+    """
 
 
 AuthenticatorAssuranceLevels = Literal["aal1", "aal2"]