Merge pull request #368 from authorizerdev/fix-sms-verification-for-a…

…lldb

Move sms verificaiton to otp models

.env.test

@@ -7,5 +7,9 @@ SMTP_PORT=2525
 SMTP_USERNAME=test
 SMTP_PASSWORD=test
 SENDER_EMAIL="info@authorizer.dev"
+TWILIO_API_KEY=test
+TWILIO_API_SECRET=test
+TWILIO_ACCOUNT_SID=ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+TWILIO_SENDER=909921212112
 SENDER_NAME="Authorizer"
 AWS_REGION=ap-south-1

server/constants/auth_methods.go

@@ -7,6 +7,8 @@ const (
 	AuthRecipeMethodMobileBasicAuth = "mobile_basic_auth"
 	// AuthRecipeMethodMagicLinkLogin is the magic_link_login auth method
 	AuthRecipeMethodMagicLinkLogin = "magic_link_login"
+	// AuthRecipeMethodMobileOTP is the mobile_otp auth method
+	AuthRecipeMethodMobileOTP = "mobile_otp"
 	// AuthRecipeMethodGoogle is the google auth method
 	AuthRecipeMethodGoogle = "google"
 	// AuthRecipeMethodGithub is the github auth method

server/constants/env.go

@@ -66,6 +66,8 @@ const (
 	EnvKeySenderName = "SENDER_NAME"
 	// EnvKeyIsEmailServiceEnabled key for env variable IS_EMAIL_SERVICE_ENABLED
 	EnvKeyIsEmailServiceEnabled = "IS_EMAIL_SERVICE_ENABLED"
+	// EnvKeyIsSMSServiceEnabled key for env variable IS_SMS_SERVICE_ENABLED
+	EnvKeyIsSMSServiceEnabled = "IS_SMS_SERVICE_ENABLED"
 	// EnvKeyAppCookieSecure key for env variable APP_COOKIE_SECURE
 	EnvKeyAppCookieSecure = "APP_COOKIE_SECURE"
 	// EnvKeyAdminCookieSecure key for env variable ADMIN_COOKIE_SECURE
@@ -158,6 +160,9 @@ const (
 	// EnvKeyDisableMultiFactorAuthentication is key for env variable DISABLE_MULTI_FACTOR_AUTHENTICATION
 	// this variable is used to completely disable multi factor authentication. It will have no effect on profile preference
 	EnvKeyDisableMultiFactorAuthentication = "DISABLE_MULTI_FACTOR_AUTHENTICATION"
+	// EnvKeyDisablePhoneVerification is key for env variable DISABLE_PHONE_VERIFICATION
+	// this variable is used to disable phone verification
+	EnvKeyDisablePhoneVerification = "DISABLE_PHONE_VERIFICATION"
 
 	// Slice variables
 	// EnvKeyRoles key for env variable ROLES
@@ -177,17 +182,13 @@ const (
 	// This env is used for setting default response mode in authorize handler
 	EnvKeyDefaultAuthorizeResponseMode = "DEFAULT_AUTHORIZE_RESPONSE_MODE"
 
-	// Phone verification setting
-	EnvKeyDisablePhoneVerification = "DISABLE_PHONE_VERIFICATION"
-
 	// Twilio env variables
-
 	// EnvKeyTwilioAPIKey key for env variable TWILIO_API_KEY
 	EnvKeyTwilioAPIKey = "TWILIO_API_KEY"
 	// EnvKeyTwilioAPISecret key for env variable TWILIO_API_SECRET
 	EnvKeyTwilioAPISecret = "TWILIO_API_SECRET"
 	// EnvKeyTwilioAccountSID key for env variable TWILIO_ACCOUNT_SID
 	EnvKeyTwilioAccountSID = "TWILIO_ACCOUNT_SID"
-	// EnvKeyTwilioSenderFrom key for env variable TWILIO_SENDER_FROM
-	EnvKeyTwilioSenderFrom = "TWILIO_SENDER_FROM"
+	// EnvKeyTwilioSender key for env variable TWILIO_SENDER
+	EnvKeyTwilioSender = "TWILIO_SENDER"
 )

server/db/models/otp.go

@@ -1,14 +1,22 @@
 package models
 
+const (
+	// FieldName email is the field name for email
+	FieldNameEmail = "email"
+	// FieldNamePhoneNumber is the field name for phone number
+	FieldNamePhoneNumber = "phone_number"
+)
+
 // OTP model for database
 type OTP struct {
-	Key       string `json:"_key,omitempty" bson:"_key,omitempty" cql:"_key,omitempty" dynamo:"key,omitempty"` // for arangodb
-	ID        string `gorm:"primaryKey;type:char(36)" json:"_id" bson:"_id" cql:"id" dynamo:"id,hash"`
-	Email     string `gorm:"unique" json:"email" bson:"email" cql:"email" dynamo:"email" index:"email,hash"`
-	Otp       string `json:"otp" bson:"otp" cql:"otp" dynamo:"otp"`
-	ExpiresAt int64  `json:"expires_at" bson:"expires_at" cql:"expires_at" dynamo:"expires_at"`
-	CreatedAt int64  `json:"created_at" bson:"created_at" cql:"created_at" dynamo:"created_at"`
-	UpdatedAt int64  `json:"updated_at" bson:"updated_at" cql:"updated_at" dynamo:"updated_at"`
+	Key         string `json:"_key,omitempty" bson:"_key,omitempty" cql:"_key,omitempty" dynamo:"key,omitempty"` // for arangodb
+	ID          string `gorm:"primaryKey;type:char(36)" json:"_id" bson:"_id" cql:"id" dynamo:"id,hash"`
+	Email       string `gorm:"unique" json:"email" bson:"email" cql:"email" dynamo:"email" index:"email,hash"`
+	PhoneNumber string `gorm:"index:unique_index_phone_number,unique" json:"phone_number" bson:"phone_number" cql:"phone_number" dynamo:"phone_number"`
+	Otp         string `json:"otp" bson:"otp" cql:"otp" dynamo:"otp"`
+	ExpiresAt   int64  `json:"expires_at" bson:"expires_at" cql:"expires_at" dynamo:"expires_at"`
+	CreatedAt   int64  `json:"created_at" bson:"created_at" cql:"created_at" dynamo:"created_at"`
+	UpdatedAt   int64  `json:"updated_at" bson:"updated_at" cql:"updated_at" dynamo:"updated_at"`
 }
 
 type Paging struct {

server/db/providers/arangodb/otp.go

@@ -2,6 +2,7 @@ package arangodb
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"time"
 
@@ -12,17 +13,31 @@ import (
 
 // UpsertOTP to add or update otp
 func (p *provider) UpsertOTP(ctx context.Context, otpParam *models.OTP) (*models.OTP, error) {
-	otp, _ := p.GetOTPByEmail(ctx, otpParam.Email)
+	// check if email or phone number is present
+	if otpParam.Email == "" && otpParam.PhoneNumber == "" {
+		return nil, errors.New("email or phone_number is required")
+	}
+	uniqueField := models.FieldNameEmail
+	if otpParam.Email == "" && otpParam.PhoneNumber != "" {
+		uniqueField = models.FieldNamePhoneNumber
+	}
+	var otp *models.OTP
+	if uniqueField == models.FieldNameEmail {
+		otp, _ = p.GetOTPByEmail(ctx, otpParam.Email)
+	} else {
+		otp, _ = p.GetOTPByPhoneNumber(ctx, otpParam.PhoneNumber)
+	}
 	shouldCreate := false
 	if otp == nil {
 		id := uuid.NewString()
 		otp = &models.OTP{
-			ID:        id,
-			Key:       id,
-			Otp:       otpParam.Otp,
-			Email:     otpParam.Email,
-			ExpiresAt: otpParam.ExpiresAt,
-			CreatedAt: time.Now().Unix(),
+			ID:          id,
+			Key:         id,
+			Otp:         otpParam.Otp,
+			Email:       otpParam.Email,
+			PhoneNumber: otpParam.PhoneNumber,
+			ExpiresAt:   otpParam.ExpiresAt,
+			CreatedAt:   time.Now().Unix(),
 		}
 		shouldCreate = true
 	} else {
@@ -67,7 +82,35 @@ func (p *provider) GetOTPByEmail(ctx context.Context, emailAddress string) (*mod
 	for {
 		if !cursor.HasMore() {
 			if otp.Key == "" {
-				return nil, fmt.Errorf("email template not found")
+				return nil, fmt.Errorf("otp with given email not found")
+			}
+			break
+		}
+		_, err := cursor.ReadDocument(ctx, &otp)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return &otp, nil
+}
+
+// GetOTPByPhoneNumber to get otp for a given phone number
+func (p *provider) GetOTPByPhoneNumber(ctx context.Context, phoneNumber string) (*models.OTP, error) {
+	var otp models.OTP
+	query := fmt.Sprintf("FOR d in %s FILTER d.phone_number == @phone_number RETURN d", models.Collections.OTP)
+	bindVars := map[string]interface{}{
+		"phone_number": phoneNumber,
+	}
+	cursor, err := p.db.Query(ctx, query, bindVars)
+	if err != nil {
+		return nil, err
+	}
+	defer cursor.Close()
+	for {
+		if !cursor.HasMore() {
+			if otp.Key == "" {
+				return nil, fmt.Errorf("otp with given phone_number not found")
 			}
 			break
 		}

server/db/providers/arangodb/provider.go

@@ -225,16 +225,14 @@ func NewProvider() (*provider, error) {
 			return nil, err
 		}
 	}
-
 	otpCollection, err := arangodb.Collection(ctx, models.Collections.OTP)
 	if err != nil {
 		return nil, err
 	}
-	otpCollection.EnsureHashIndex(ctx, []string{"email"}, &arangoDriver.EnsureHashIndexOptions{
+	otpCollection.EnsureHashIndex(ctx, []string{models.FieldNameEmail, models.FieldNamePhoneNumber}, &arangoDriver.EnsureHashIndexOptions{
 		Unique: true,
 		Sparse: true,
 	})
-
 	return &provider{
 		db: arangodb,
 	}, err

server/db/providers/cassandradb/otp.go

@@ -2,6 +2,7 @@ package cassandradb
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"time"
 
@@ -12,17 +13,31 @@ import (
 
 // UpsertOTP to add or update otp
 func (p *provider) UpsertOTP(ctx context.Context, otpParam *models.OTP) (*models.OTP, error) {
-	otp, _ := p.GetOTPByEmail(ctx, otpParam.Email)
+	// check if email or phone number is present
+	if otpParam.Email == "" && otpParam.PhoneNumber == "" {
+		return nil, errors.New("email or phone_number is required")
+	}
+	uniqueField := models.FieldNameEmail
+	if otpParam.Email == "" && otpParam.PhoneNumber != "" {
+		uniqueField = models.FieldNamePhoneNumber
+	}
+	var otp *models.OTP
+	if uniqueField == models.FieldNameEmail {
+		otp, _ = p.GetOTPByEmail(ctx, otpParam.Email)
+	} else {
+		otp, _ = p.GetOTPByPhoneNumber(ctx, otpParam.PhoneNumber)
+	}
 	shouldCreate := false
 	if otp == nil {
 		shouldCreate = true
 		otp = &models.OTP{
-			ID:        uuid.NewString(),
-			Otp:       otpParam.Otp,
-			Email:     otpParam.Email,
-			ExpiresAt: otpParam.ExpiresAt,
-			CreatedAt: time.Now().Unix(),
-			UpdatedAt: time.Now().Unix(),
+			ID:          uuid.NewString(),
+			Otp:         otpParam.Otp,
+			Email:       otpParam.Email,
+			PhoneNumber: otpParam.PhoneNumber,
+			ExpiresAt:   otpParam.ExpiresAt,
+			CreatedAt:   time.Now().Unix(),
+			UpdatedAt:   time.Now().Unix(),
 		}
 	} else {
 		otp.Otp = otpParam.Otp
@@ -32,7 +47,7 @@ func (p *provider) UpsertOTP(ctx context.Context, otpParam *models.OTP) (*models
 	otp.UpdatedAt = time.Now().Unix()
 	query := ""
 	if shouldCreate {
-		query = fmt.Sprintf(`INSERT INTO %s (id, email, otp, expires_at, created_at, updated_at) VALUES ('%s', '%s', '%s', %d, %d, %d)`, KeySpace+"."+models.Collections.OTP, otp.ID, otp.Email, otp.Otp, otp.ExpiresAt, otp.CreatedAt, otp.UpdatedAt)
+		query = fmt.Sprintf(`INSERT INTO %s (id, email, phone_number, otp, expires_at, created_at, updated_at) VALUES ('%s', '%s', '%s', '%s', %d, %d, %d)`, KeySpace+"."+models.Collections.OTP, otp.ID, otp.Email, otp.PhoneNumber, otp.Otp, otp.ExpiresAt, otp.CreatedAt, otp.UpdatedAt)
 	} else {
 		query = fmt.Sprintf(`UPDATE %s SET otp = '%s', expires_at = %d, updated_at = %d WHERE id = '%s'`, KeySpace+"."+models.Collections.OTP, otp.Otp, otp.ExpiresAt, otp.UpdatedAt, otp.ID)
 	}
@@ -48,8 +63,19 @@ func (p *provider) UpsertOTP(ctx context.Context, otpParam *models.OTP) (*models
 // GetOTPByEmail to get otp for a given email address
 func (p *provider) GetOTPByEmail(ctx context.Context, emailAddress string) (*models.OTP, error) {
 	var otp models.OTP
-	query := fmt.Sprintf(`SELECT id, email, otp, expires_at, created_at, updated_at FROM %s WHERE email = '%s' LIMIT 1 ALLOW FILTERING`, KeySpace+"."+models.Collections.OTP, emailAddress)
-	err := p.db.Query(query).Consistency(gocql.One).Scan(&otp.ID, &otp.Email, &otp.Otp, &otp.ExpiresAt, &otp.CreatedAt, &otp.UpdatedAt)
+	query := fmt.Sprintf(`SELECT id, email, phone_number, otp, expires_at, created_at, updated_at FROM %s WHERE email = '%s' LIMIT 1 ALLOW FILTERING`, KeySpace+"."+models.Collections.OTP, emailAddress)
+	err := p.db.Query(query).Consistency(gocql.One).Scan(&otp.ID, &otp.Email, &otp.PhoneNumber, &otp.Otp, &otp.ExpiresAt, &otp.CreatedAt, &otp.UpdatedAt)
+	if err != nil {
+		return nil, err
+	}
+	return &otp, nil
+}
+
+// GetOTPByPhoneNumber to get otp for a given phone number
+func (p *provider) GetOTPByPhoneNumber(ctx context.Context, phoneNumber string) (*models.OTP, error) {
+	var otp models.OTP
+	query := fmt.Sprintf(`SELECT id, email, phone_number, otp, expires_at, created_at, updated_at FROM %s WHERE phone_number = '%s' LIMIT 1 ALLOW FILTERING`, KeySpace+"."+models.Collections.OTP, phoneNumber)
+	err := p.db.Query(query).Consistency(gocql.One).Scan(&otp.ID, &otp.Email, &otp.PhoneNumber, &otp.Otp, &otp.ExpiresAt, &otp.CreatedAt, &otp.UpdatedAt)
 	if err != nil {
 		return nil, err
 	}

server/db/providers/cassandradb/provider.go

@@ -254,7 +254,19 @@ func NewProvider() (*provider, error) {
 	if err != nil {
 		return nil, err
 	}
-
+	// Add phone_number column to otp table
+	otpAlterQuery := fmt.Sprintf(`ALTER TABLE %s.%s ADD (phone_number text);`, KeySpace, models.Collections.OTP)
+	err = session.Query(otpAlterQuery).Exec()
+	if err != nil {
+		log.Debug("Failed to alter table as column exists: ", err)
+		// continue
+	}
+	// Add phone number index
+	otpIndexQueryPhoneNumber := fmt.Sprintf("CREATE INDEX IF NOT EXISTS authorizer_otp_phone_number ON %s.%s (phone_number)", KeySpace, models.Collections.OTP)
+	err = session.Query(otpIndexQueryPhoneNumber).Exec()
+	if err != nil {
+		return nil, err
+	}
 	return &provider{
 		db: session,
 	}, err