feat: mfa challenge and verify and refresh session

supabase-community · Oct 29, 2022 · b714206 · b714206
1 parent 4c2b443
commit b714206
Show file tree

Hide file tree

Showing 5 changed files with 120 additions and 2 deletions.
diff --git a/gotrue/_async/gotrue_client.py b/gotrue/_async/gotrue_client.py
@@ -34,6 +34,7 @@
     AuthMFAVerifyResponse,
     AuthResponse,
     DecodedJWTDict,
+    MFAChallengeAndVerifyParams,
     MFAChallengeParams,
     MFAEnrollParams,
     MFAUnenrollParams,
@@ -91,6 +92,7 @@ def __init__(
         )
         self.mfa = AsyncGoTrueMFAAPI()
         self.mfa.challenge = self._challenge
+        self.mfa.challenge_and_verify = self._challenge_and_verify
         self.mfa.enroll = self._enroll
         self.mfa.get_authenticator_assurance_level = (
             self._get_authenticator_assurance_level
@@ -137,7 +139,7 @@ async def sign_up(
         password = credentials.get("password")
         options = credentials.get("options", {})
         redirect_to = options.get("redirect_to")
-        data = options.get("data")
+        data = options.get("data") or {}
         captcha_token = options.get("captcha_token")
         if email:
             response = await self._request(
@@ -189,6 +191,7 @@ async def sign_in_with_password(
         phone = credentials.get("phone")
         password = credentials.get("password")
         options = credentials.get("options", {})
+        data = options.get("data") or {}
         captcha_token = options.get("captcha_token")
         if email:
             response = await self._request(
@@ -197,6 +200,7 @@ async def sign_in_with_password(
                 body={
                     "email": email,
                     "password": password,
+                    "data": data,
                     "gotrue_meta_security": {
                         "captcha_token": captcha_token,
                     },
@@ -213,6 +217,7 @@ async def sign_in_with_password(
                 body={
                     "phone": phone,
                     "password": password,
+                    "data": data,
                     "gotrue_meta_security": {
                         "captcha_token": captcha_token,
                     },
@@ -436,6 +441,25 @@ async def set_session(self, access_token: str, refresh_token: str) -> AuthRespon
         self._notify_all_subscribers("TOKEN_REFRESHED", session)
         return AuthResponse(session=session, user=response.user)
 
+    async def refresh_session(
+        self, refresh_token: Union[str, None] = None
+    ) -> AuthResponse:
+        """
+        Returns a new session, regardless of expiry status.
+
+        Takes in an optional current session. If not passed in, then refreshSession()
+        will attempt to retrieve it from getSession(). If the current session's
+        refresh token is invalid, an error will be thrown.
+        """
+        if not refresh_token:
+            session = await self.get_session()
+            if session:
+                refresh_token = session.refresh_token
+        if not refresh_token:
+            raise AuthSessionMissingError()
+        session = await self._call_refresh_token(refresh_token)
+        return AuthResponse(session=session, user=session.user)
+
     async def sign_out(self) -> None:
         """
         Inside a browser context, `sign_out` will remove the logged in user from the
@@ -523,6 +547,23 @@ async def _challenge(self, params: MFAChallengeParams) -> AuthMFAChallengeRespon
             xform=AuthMFAChallengeResponse.parse_obj,
         )
 
+    async def _challenge_and_verify(
+        self,
+        params: MFAChallengeAndVerifyParams,
+    ) -> AuthMFAVerifyResponse:
+        response = await self._challenge(
+            {
+                "factor_id": params.get("factor_id"),
+            }
+        )
+        return await self._verify(
+            {
+                "factor_id": params.get("factor_id"),
+                "challenge_id": response.id,
+                "code": params.get("code"),
+            }
+        )
+
     async def _verify(self, params: MFAVerifyParams) -> AuthMFAVerifyResponse:
         session = await self.get_session()
         if not session:

diff --git a/gotrue/_async/gotrue_mfa_api.py b/gotrue/_async/gotrue_mfa_api.py
@@ -5,6 +5,7 @@
     AuthMFAListFactorsResponse,
     AuthMFAUnenrollResponse,
     AuthMFAVerifyResponse,
+    MFAChallengeAndVerifyParams,
     MFAChallengeParams,
     MFAEnrollParams,
     MFAUnenrollParams,
@@ -38,6 +39,17 @@ async def challenge(self, params: MFAChallengeParams) -> AuthMFAChallengeRespons
         """
         raise NotImplementedError()
 
+    async def challenge_and_verify(
+        self,
+        params: MFAChallengeAndVerifyParams,
+    ) -> AuthMFAVerifyResponse:
+        """
+        Helper method which creates a challenge and immediately uses the given code
+        to verify against it thereafter. The verification code is provided by the
+        user by entering a code seen in their authenticator app.
+        """
+        raise NotImplementedError()
+
     async def verify(self, params: MFAVerifyParams) -> AuthMFAVerifyResponse:
         """
         Verifies a verification code against a challenge. The verification code is

diff --git a/gotrue/_sync/gotrue_client.py b/gotrue/_sync/gotrue_client.py
@@ -34,6 +34,7 @@
     AuthMFAVerifyResponse,
     AuthResponse,
     DecodedJWTDict,
+    MFAChallengeAndVerifyParams,
     MFAChallengeParams,
     MFAEnrollParams,
     MFAUnenrollParams,
@@ -91,6 +92,7 @@ def __init__(
         )
         self.mfa = SyncGoTrueMFAAPI()
         self.mfa.challenge = self._challenge
+        self.mfa.challenge_and_verify = self._challenge_and_verify
         self.mfa.enroll = self._enroll
         self.mfa.get_authenticator_assurance_level = (
             self._get_authenticator_assurance_level
@@ -137,7 +139,7 @@ def sign_up(
         password = credentials.get("password")
         options = credentials.get("options", {})
         redirect_to = options.get("redirect_to")
-        data = options.get("data")
+        data = options.get("data") or {}
         captcha_token = options.get("captcha_token")
         if email:
             response = self._request(
@@ -189,6 +191,7 @@ def sign_in_with_password(
         phone = credentials.get("phone")
         password = credentials.get("password")
         options = credentials.get("options", {})
+        data = options.get("data") or {}
         captcha_token = options.get("captcha_token")
         if email:
             response = self._request(
@@ -197,6 +200,7 @@ def sign_in_with_password(
                 body={
                     "email": email,
                     "password": password,
+                    "data": data,
                     "gotrue_meta_security": {
                         "captcha_token": captcha_token,
                     },
@@ -213,6 +217,7 @@ def sign_in_with_password(
                 body={
                     "phone": phone,
                     "password": password,
+                    "data": data,
                     "gotrue_meta_security": {
                         "captcha_token": captcha_token,
                     },
@@ -436,6 +441,25 @@ def set_session(self, access_token: str, refresh_token: str) -> AuthResponse:
         self._notify_all_subscribers("TOKEN_REFRESHED", session)
         return AuthResponse(session=session, user=response.user)
 
+    def refresh_session(
+        self, refresh_token: Union[str, None] = None
+    ) -> AuthResponse:
+        """
+        Returns a new session, regardless of expiry status.
+
+        Takes in an optional current session. If not passed in, then refreshSession()
+        will attempt to retrieve it from getSession(). If the current session's
+        refresh token is invalid, an error will be thrown.
+        """
+        if not refresh_token:
+            session = self.get_session()
+            if session:
+                refresh_token = session.refresh_token
+        if not refresh_token:
+            raise AuthSessionMissingError()
+        session = self._call_refresh_token(refresh_token)
+        return AuthResponse(session=session, user=session.user)
+
     def sign_out(self) -> None:
         """
         Inside a browser context, `sign_out` will remove the logged in user from the
@@ -523,6 +547,23 @@ def _challenge(self, params: MFAChallengeParams) -> AuthMFAChallengeResponse:
             xform=AuthMFAChallengeResponse.parse_obj,
         )
 
+    def _challenge_and_verify(
+        self,
+        params: MFAChallengeAndVerifyParams,
+    ) -> AuthMFAVerifyResponse:
+        response = self._challenge(
+            {
+                "factor_id": params.get("factor_id"),
+            }
+        )
+        return self._verify(
+            {
+                "factor_id": params.get("factor_id"),
+                "challenge_id": response.id,
+                "code": params.get("code"),
+            }
+        )
+
     def _verify(self, params: MFAVerifyParams) -> AuthMFAVerifyResponse:
         session = self.get_session()
         if not session:

diff --git a/gotrue/_sync/gotrue_mfa_api.py b/gotrue/_sync/gotrue_mfa_api.py
@@ -5,6 +5,7 @@
     AuthMFAListFactorsResponse,
     AuthMFAUnenrollResponse,
     AuthMFAVerifyResponse,
+    MFAChallengeAndVerifyParams,
     MFAChallengeParams,
     MFAEnrollParams,
     MFAUnenrollParams,
@@ -38,6 +39,17 @@ def challenge(self, params: MFAChallengeParams) -> AuthMFAChallengeResponse:
         """
         raise NotImplementedError()
 
+    def challenge_and_verify(
+        self,
+        params: MFAChallengeAndVerifyParams,
+    ) -> AuthMFAVerifyResponse:
+        """
+        Helper method which creates a challenge and immediately uses the given code
+        to verify against it thereafter. The verification code is provided by the
+        user by entering a code seen in their authenticator app.
+        """
+        raise NotImplementedError()
+
     def verify(self, params: MFAVerifyParams) -> AuthMFAVerifyResponse:
         """
         Verifies a verification code against a challenge. The verification code is

diff --git a/gotrue/types.py b/gotrue/types.py
@@ -240,6 +240,7 @@ class SignUpWithPhoneAndPasswordCredentials(TypedDict):
 
 
 class SignInWithPasswordCredentialsOptions(TypedDict):
+    data: NotRequired[Any]
     captcha_token: NotRequired[str]
 
 
@@ -421,6 +422,17 @@ class MFAChallengeParams(TypedDict):
     """
 
 
+class MFAChallengeAndVerifyParams(TypedDict):
+    factor_id: str
+    """
+    ID of the factor being verified.
+    """
+    code: str
+    """
+    Verification code provided by the user.
+    """
+
+
 class AuthMFAVerifyResponse(BaseModel):
     access_token: str
     """