feat: add test OTP support for mobile app reviews #1166

Merged
merged 1 commit into from
Aug 1, 2023


@hf hf commented Jul 4, 2023

When developers build mobile apps that use phone login, they need to provide pre-determined phone numbers and OTPs that will work so that automated and manual app reviewers (that work at Apple's AppStore or Google's Play Store) can test and confirm compliance with the phone system.

Those reviewers / systems cannot be expected to provide their own phone number.

Developers can thus set up the following environment variable:

```
GOTRUE_EXTERNAL_SMS_TEST_OTP="<phone-1>=<otp-1>, <phone-2>=<otp-2>..."
GOTRUE_EXTERNAL_SMS_TEST_OTP_VALID_UNTIL="<ISO date time>"
```

SMS messages are not sent to those test phone numbers. Furthermore, after the validity period has expired, they will automatically not be used. This enhances the security so that people don't forget test OTPs accidentally.

Incidentally this makes it possible to use phone number logins when developing locally.
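
An added example, not the project's code: a sketch of how a server could parse the `<phone>=<otp>` list described above and stop honouring it once the validity period has passed. The type and function names are hypothetical, RFC 3339 is assumed for the "ISO date time", rejecting a missing expiry is this example's own choice, and the phone numbers and codes are constructed.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"strings"
	"time"
)

// TestOTPs is a hypothetical type for this example, not the project's own.
type TestOTPs struct {
	codes      map[string]string // phone -> fixed OTP
	validUntil time.Time
}

// ParseTestOTPs parses "<phone>=<otp>, <phone>=<otp>" plus an expiry.
// Assumption of this example: a missing or invalid expiry is an error.
func ParseTestOTPs(pairs, validUntil string) (*TestOTPs, error) {
	until, err := time.Parse(time.RFC3339, strings.TrimSpace(validUntil))
	if err != nil {
		return nil, fmt.Errorf("valid-until must be RFC 3339: %w", err)
	}
	codes := make(map[string]string)
	for _, item := range strings.Split(pairs, ",") {
		phone, otp, ok := strings.Cut(item, "=")
		phone, otp = strings.TrimSpace(phone), strings.TrimSpace(otp)
		if !ok || phone == "" || otp == "" {
			return nil, fmt.Errorf("malformed entry %q", item)
		}
		codes[phone] = otp
	}
	return &TestOTPs{codes: codes, validUntil: until}, nil
}

// Check reports whether phone is a live test number and whether otp matches.
func (t *TestOTPs) Check(phone, otp string, now time.Time) (isTest, ok bool) {
	want, found := t.codes[phone]
	if !found || !now.Before(t.validUntil) {
		return false, false // unknown or expired: fall back to the normal SMS flow
	}
	return true, subtle.ConstantTimeCompare([]byte(want), []byte(otp)) == 1
}

func main() {
	// Constructed sample values.
	cfg, _ := ParseTestOTPs("15555550100=123456, 15555550101=654321", "2023-09-01T00:00:00Z")
	fmt.Println(cfg.Check("15555550100", "123456", time.Date(2023, 8, 15, 0, 0, 0, 0, time.UTC)))
	fmt.Println(cfg.Check("15555550100", "123456", time.Date(2023, 9, 2, 0, 0, 0, 0, time.UTC)))
}
```
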


azlekov commented Jul 25, 2023

I will be very happy to see this soon available. Any progress on it?


hf commented Jul 25, 2023

> I will be very happy to see this soon available. Any progress on it?

Got held up with some other work, but am going to continue working on it.

@hf hf force-pushed the hf/add-test-phone-numbers branch from e772a40 to f89dd79 Compare July 25, 2023 13:23
@hf hf marked this pull request as ready for review July 25, 2023 13:25
@hf hf requested a review from a team as a code owner July 25, 2023 13:25
@hf hf force-pushed the hf/add-test-phone-numbers branch 4 times, most recently from 752323f to ecf0306 Compare July 26, 2023 07:57
@hf hf force-pushed the hf/add-test-phone-numbers branch from ecf0306 to f7ec62c Compare July 26, 2023 08:10

kdewald commented Aug 1, 2023

This is an awesome feature! I'm glad it's almost ready to go!
How long will it take for the changes to be available once the code has been merged?


J0 commented Aug 1, 2023

@kdewald - glad you like the feature - generally a version update happens within two weeks or less

@J0 J0 merged commit 2fb0cf5 into master Aug 1, 2023
@J0 J0 deleted the hf/add-test-phone-numbers branch August 1, 2023 18:04

github-actions bot commented Aug 1, 2023

🎉 This PR is included in version 2.88.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀


azlekov commented Aug 4, 2023

How can we use it? Do we wait for the supabase-cli to be updated, or can we overwrite versions?


J0 commented Aug 4, 2023

@azlekov the CLI is usually updated around the same time as Supabase Auth. We'd advise against overwriting the version unless absolutely necessary as you may get different behaviour from what you will get from your hosted Supabase instance.


kdewald commented Aug 8, 2023

Just a follow-up question on this topic. Is there an expected timeline for this feature to be available in https://github.com/supabase/supabase? It doesn't have to be very precise, but I would like to plan accordingly if possible.

Thanks!


hf commented Aug 25, 2023

PR for Supabase Dashboard: supabase/supabase#16811


kdewald commented Sep 9, 2023

@hf It seems that there's a bug that's happening to multiple users around this feature: supabase/supabase#16811 (comment)

uxodb pushed a commit to uxodb/auth that referenced this pull request Nov 13, 2024
LashaJini pushed a commit to LashaJini/auth that referenced this pull request Nov 13, 2024
LashaJini pushed a commit to LashaJini/auth that referenced this pull request Nov 15, 2024