
@mDuval1 mDuval1 (Contributor) commented Sep 9, 2025

What kind of change does this PR introduce?

This PR adds the phone number to the SendSMS webhook, when a phone factor is challenged or a phone confirmation is required.

What is the current behavior?

Currently, the SMS webhook only sends the user_id and the otp_code. However, we have no way of knowing which factor (device) was used in case the send SMS webhook is used for MFA (as opposed to phone confirmation, which uses the user's phone number), and there is more than one device enrolled for a single user.

What is the new behavior?

The webhook payload contains phone, which is either the user's phone number for phone confirmation or the factor phone number for MFA with a phone factor.

Additional context

Add any other context or screenshots.
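As an added example, not code from this PR or from Supabase Auth, here is the receiving side of a SendSMS hook in Go that makes use of the new field: it verifies the request signature, parses the payload, and delivers to the phone number carried in the payload instead of looking up the user's primary phone, which is exactly the case the PR describes (an MFA challenge against a factor whose number is not the user's primary one). The payload field names (`user.id`, `sms.otp`, `sms.phone`), the Standard Webhooks signing layout and the `v1,whsec_<base64>` secret format are assumptions made for this example; check them against the send-sms hook docs before relying on them. The sample message in `main` is constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// Assumed payload shape: user id, OTP and the phone field this PR adds (field names are an assumption).
type SendSMSPayload struct {
	User struct {
		ID string `json:"id"`
	} `json:"user"`
	SMS struct {
		OTP   string `json:"otp"`
		Phone string `json:"phone"`
	} `json:"sms"`
}

var e164 = regexp.MustCompile(`^\+[1-9][0-9]{6,14}$`)

// Destination picks the number the OTP goes to. The payload phone is authoritative: for an
// MFA challenge it is the challenged factor's number, so never substitute the user's primary phone.
func Destination(p SendSMSPayload) (string, error) {
	if p.SMS.Phone == "" {
		return "", errors.New("payload has no phone; refusing to guess a destination")
	}
	if !e164.MatchString(p.SMS.Phone) {
		return "", fmt.Errorf("phone %q is not E.164", p.SMS.Phone)
	}
	return p.SMS.Phone, nil
}

// Sign computes the Standard Webhooks value "v1,<base64 HMAC-SHA256>" over "<id>.<timestamp>.<body>".
// The "v1,whsec_<base64 key>" secret format is assumed; the receiver uses Sign only to recompute and compare.
func Sign(secret, id, ts string, body []byte) (string, error) {
	raw := strings.TrimPrefix(strings.TrimPrefix(secret, "v1,"), "whsec_")
	key, err := base64.StdEncoding.DecodeString(raw)
	if err != nil {
		return "", fmt.Errorf("bad secret: %w", err)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(id + "." + ts + "." + string(body)))
	return "v1," + base64.StdEncoding.EncodeToString(mac.Sum(nil)), nil
}

// Verify checks the webhook-signature header (space separated "v1,<sig>" entries) in constant
// time and rejects timestamps outside the tolerance, so a captured delivery request cannot be replayed.
func Verify(secret, id, ts, sigHeader string, body []byte, now time.Time, tolerance time.Duration) error {
	unix, err := strconv.ParseInt(ts, 10, 64)
	if err != nil {
		return fmt.Errorf("bad timestamp: %w", err)
	}
	if d := now.Sub(time.Unix(unix, 0)); d > tolerance || d < -tolerance {
		return errors.New("timestamp outside tolerance")
	}
	want, err := Sign(secret, id, ts, body)
	if err != nil {
		return err
	}
	for _, got := range strings.Fields(sigHeader) {
		if hmac.Equal([]byte(got), []byte(want)) {
			return nil
		}
	}
	return errors.New("no matching signature")
}

// Handle is the receiver's core: verify, then parse, then choose the destination. It returns
// what the SMS provider call (omitted here) needs.
func Handle(secret, id, ts, sigHeader string, body []byte, now time.Time) (dest, otp string, err error) {
	if err = Verify(secret, id, ts, sigHeader, body, now, 5*time.Minute); err != nil {
		return "", "", err
	}
	var p SendSMSPayload
	if err = json.Unmarshal(body, &p); err != nil {
		return "", "", err
	}
	if dest, err = Destination(p); err != nil {
		return "", "", err
	}
	return dest, p.SMS.OTP, nil
}

func main() {
	// Constructed sample: a factor phone that is not the user's primary number.
	secret := "v1,whsec_" + base64.StdEncoding.EncodeToString([]byte("example-only-key-do-not-reuse"))
	body := []byte(`{"user":{"id":"00000000-0000-0000-0000-000000000001"},"sms":{"otp":"123456","phone":"+15555550123"}}`)
	ts := strconv.FormatInt(time.Now().Unix(), 10)
	sig, _ := Sign(secret, "msg_1", ts, body)
	dest, otp, err := Handle(secret, "msg_1", ts, sig, body, time.Now())
	fmt.Println(dest, len(otp), err) // log the destination, never the OTP itself
}
```

The order matters: the signature is checked before the body is parsed, so an unauthenticated request never reaches the SMS provider, and the destination comes from the verified payload rather than from a database lookup keyed on the user id, which is what would route an MFA code to the wrong device when a user has more than one phone factor enrolled.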

@mDuval1 mDuval1 requested a review from a team as a code owner September 9, 2025 13:32
@mDuval1 mDuval1 force-pushed the add-phone-number-in-sms-webhook branch from 4b8055b to 1332aa9, September 12, 2025 09:42
@hf hf (Contributor) left a comment

How did it go missing for so long...

Anyway mind updating these docs here? https://github.com/supabase/supabase/blob/master/apps/docs/content/guides/auth/auth-hooks/send-sms-hook.mdx

@hf hf force-pushed the add-phone-number-in-sms-webhook branch from 1332aa9 to 5e491ea, September 23, 2025 09:26
@coveralls commented

Pull Request Test Coverage Report for Build 17941568512

Details

  • 5 of 6 (83.33%) changed or added relevant lines in 2 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.007%) to 67.891%

| Changes Missing Coverage | Covered Lines | Changed/Added Lines | % |
|---|---|---|---|
| internal/api/mfa.go | 3 | 4 | 75.0% |

| Totals | Coverage Status |
|---|---|
| Change from base Build 17928583314 | 0.007% |
| Covered Lines | 12959 |
| Relevant Lines | 19088 |

💛 - Coveralls

@hf hf merged commit d475ac1 into supabase:master Sep 23, 2025
3 of 4 checks passed
cemalkilic pushed a commit that referenced this pull request Sep 23, 2025
🤖 I have created a release *beep* *boop*
---


## [2.180.0](v2.179.0...v2.180.0) (2025-09-23)


### Features

* add OAuth client type ([#2152](#2152)) ([b118f1f](b118f1f))
* add phone to sms webhook payload ([#2160](#2160)) ([d475ac1](d475ac1))
* background template reloading p1 - baseline decomposition ([#2148](#2148)) ([746c937](746c937))
* config reloading with fsnotify, poller fallback, and signals ([#2161](#2161)) ([c77d512](c77d512))
* enhance issuer URL validation in OAuth server metadata ([#2164](#2164)) ([a9424d2](a9424d2))
* implement OAuth2 authorization endpoint ([#2107](#2107)) ([5318552](5318552))
* **oauth2:** add `/oauth/token` endpoint ([#2159](#2159)) ([a89a0b0](a89a0b0))
* **oauth2:** add admin endpoint to regenerate OAuth client secrets ([#2170](#2170)) ([0bd1c28](0bd1c28))
* **oauth2:** return redirect_uri on GET authorization ([#2175](#2175)) ([b0a0c3e](b0a0c3e))
* **oauth2:** use `id` field as the public client_id ([#2154](#2154)) ([86b7de4](86b7de4))
* **openapi:** add OAuth 2.1 server endpoints and clarify OAuth modes ([#2165](#2165)) ([1f804a2](1f804a2))
* password changed email notification ([#2176](#2176)) ([fe0fd04](fe0fd04))
* support `transfer_sub` in apple id tokens ([#2162](#2162)) ([8a71006](8a71006))


### Bug Fixes

* ensure request context exists in API db operations ([#2171](#2171)) ([060a992](060a992))
* **makefile:** remove invalid @ symbol from shell commands ([#2168](#2168)) ([e6afe45](e6afe45))
* **oauth2:** switch to Origin header for request validation ([#2174](#2174)) ([42bc9ab](42bc9ab))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
issuedat pushed a commit that referenced this pull request Sep 30, 2025 (the PR's own commit message, identical to the description above)
issuedat pushed a commit that referenced this pull request Sep 30, 2025 (the 2.180.0 release commit, identical to the release notes above)