Class: Supabase::Auth::MFAApi

Inherits:
Object
  • Object
Defined in:
lib/supabase/auth/client.rb

Overview

MFA (Multi-Factor Authentication) API. Access via Client#mfa.


Constructor Details

#initialize(client) ⇒ MFAApi

Returns a new instance of MFAApi.

Parameters:

  • client (Client)

    parent client instance



# File 'lib/supabase/auth/client.rb', line 1073

# Wraps an existing auth client so the MFA calls can reuse it.
#
# @param client [Client] parent client instance; stored as-is in @client
def initialize(client)
  @client = client
end

Instance Method Details

#challenge(params) ⇒ Types::AuthMFAChallengeResponse

Create an MFA challenge for a factor.

Parameters:

  • params (Hash)

    (:factor_id, optional :channel)

Returns:

  • (Types::AuthMFAChallengeResponse)

Raises:

  • (Errors::AuthSessionMissing)



# File 'lib/supabase/auth/client.rb', line 1108

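# Create an MFA challenge for a factor.
#
# @param params [Hash] symbol or string keys: :factor_id (required) and
#   :channel (optional, forwarded to the server unchanged)
# @return [Types::AuthMFAChallengeResponse]
# @raise [ArgumentError] if :factor_id is missing or is not a plain identifier
# @raise [Errors::AuthSessionMissing] if there is no current session
def challenge(params)
  factor_id = (params[:factor_id] || params["factor_id"]).to_s
  channel = params[:channel] || params["channel"]

  # factor_id is interpolated into the request path below, so only a plain
  # identifier is accepted: a missing value would yield "factors//challenge"
  # and a value carrying path or query syntax would address another endpoint.
  # NOTE(review): assumes factor ids are UUID-like tokens -- confirm against the server.
  unless factor_id.match?(/\A[A-Za-z0-9_-]+\z/)
    raise ArgumentError, "factor_id must be a non-empty identifier (letters, digits, '-' or '_')"
  end

  session = @client.get_session
  raise Errors::AuthSessionMissing unless session

  data = @client._request("POST", "factors/#{factor_id}/challenge",
                          jwt: session.access_token, body: { channel: channel })
  Types::AuthMFAChallengeResponse.from_hash(data)
end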

#challenge_and_verify(params) ⇒ Types::AuthMFAVerifyResponse

Challenge and verify in one step.

Parameters:

  • params (Hash)

    (:factor_id, :code, :channel)

Returns:

  • (Types::AuthMFAVerifyResponse)



# File 'lib/supabase/auth/client.rb', line 1149

# Challenge and verify in one step.
#
# Issues a challenge for the factor, then submits the code against the id of
# the challenge that came back.
#
# @param params [Hash] symbol or string keys: :factor_id, :code, :channel
# @return [Types::AuthMFAVerifyResponse] whatever #verify returns
def challenge_and_verify(params)
  # Each option may arrive under a symbol key or its string twin.
  lookup = ->(key) { params[key] || params[key.to_s] }

  issued = challenge(factor_id: lookup.call(:factor_id), channel: lookup.call(:channel))

  verify(factor_id: lookup.call(:factor_id), challenge_id: issued.id, code: lookup.call(:code))
end

#enroll(params) ⇒ Types::AuthMFAEnrollResponse

Enroll a new MFA factor.

Parameters:

  • params (Hash)

    (:factor_type, optional :friendly_name, :issuer; :phone when :factor_type is "phone")

Returns:

  • (Types::AuthMFAEnrollResponse)

Raises:

  • (Errors::AuthSessionMissing)



# File 'lib/supabase/auth/client.rb', line 1080

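# Enroll a new MFA factor.
#
# @param params [Hash] symbol or string keys: :factor_type, optional
#   :friendly_name, plus :phone for phone factors or :issuer for any other type.
#   :factor_type may be given as a String or a Symbol.
# @return [Types::AuthMFAEnrollResponse] for TOTP factors the QR code is
#   rewritten into an SVG data URI
# @raise [Errors::AuthSessionMissing] if there is no current session
def enroll(params)
  # Normalise to a String so `factor_type: :phone` / `:totp` take the same
  # branches as their string forms; a Symbol would otherwise fail both
  # comparisons below (phone number not sent, QR code not rewritten).
  factor_type = (params[:factor_type] || params["factor_type"])&.to_s
  friendly_name = params[:friendly_name] || params["friendly_name"]

  session = @client.get_session
  raise Errors::AuthSessionMissing unless session

  body = { factor_type: factor_type, friendly_name: friendly_name }

  if factor_type == "phone"
    body[:phone] = params[:phone] || params["phone"]
  else
    body[:issuer] = params[:issuer] || params["issuer"]
  end

  data = @client._request("POST", "factors", jwt: session.access_token, body: body)
  response = Types::AuthMFAEnrollResponse.from_hash(data)

  # NOTE(review): the QR code presumably encodes the TOTP enrollment secret --
  # confirm, and keep this response out of logs and error reports.
  if factor_type == "totp" && response.totp&.qr_code
    response.totp.qr_code = "data:image/svg+xml;utf-8,#{response.totp.qr_code}"
  end

  response
end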

#get_authenticator_assurance_level ⇒ Types::AuthMFAGetAuthenticatorAssuranceLevelResponse

Get the authenticator assurance level from the current session JWT.



# File 'lib/supabase/auth/client.rb', line 1193

# Get the authenticator assurance level from the current session JWT.
#
# Without a session both levels are nil and the method list is empty.
# Otherwise the current level is the token's "aal" claim, the methods are its
# "amr" claim (empty list when absent), and the next level is "aal2" when the
# session user has at least one factor whose status is "verified".
#
# NOTE(review): the claims come from Helpers.decode_jwt, whose body is not
# visible here -- confirm whether it verifies the signature. Either way this is
# a client-side reading of the token; enforcing aal2 belongs on the server.
#
# @return [Types::AuthMFAGetAuthenticatorAssuranceLevelResponse]
def get_authenticator_assurance_level
  current_session = @client.get_session
  result_class = Types::AuthMFAGetAuthenticatorAssuranceLevelResponse

  unless current_session
    return result_class.new(current_level: nil, next_level: nil, current_authentication_methods: [])
  end

  claims = Helpers.decode_jwt(current_session.access_token)[:payload]
  level = claims["aal"]
  auth_methods = claims["amr"] || []

  enrolled = current_session.user&.factors || []
  none_verified = enrolled.select { |factor| factor.status == "verified" }.empty?

  result_class.new(
    current_level: level,
    next_level: none_verified ? level : "aal2",
    current_authentication_methods: auth_methods
  )
end

#list_factors ⇒ Types::AuthMFAListFactorsResponse

List all MFA factors for the current user.

Returns:

  • (Types::AuthMFAListFactorsResponse)



# File 'lib/supabase/auth/client.rb', line 1177

# List all MFA factors for the current user.
#
# `all` carries every factor on the user record regardless of status, while
# `totp` and `phone` only carry factors whose status is "verified". A missing
# user response, user or factor list yields empty lists.
#
# @return [Types::AuthMFAListFactorsResponse]
def list_factors
  enrolled = @client.get_user&.user&.factors || []

  verified_of = lambda do |kind|
    enrolled.select { |factor| factor.factor_type == kind && factor.status == "verified" }
  end

  Types::AuthMFAListFactorsResponse.new(
    all: enrolled,
    totp: verified_of.call("totp"),
    phone: verified_of.call("phone")
  )
end

#unenroll(params) ⇒ Types::AuthMFAUnenrollResponse

Unenroll an MFA factor.

Parameters:

  • params (Hash)

    (:factor_id)

Returns:

  • (Types::AuthMFAUnenrollResponse)

Raises:

  • (Errors::AuthSessionMissing)



# File 'lib/supabase/auth/client.rb', line 1164

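# Unenroll an MFA factor.
#
# @param params [Hash] symbol or string keys: :factor_id (required)
# @return [Types::AuthMFAUnenrollResponse]
# @raise [ArgumentError] if :factor_id is missing or is not a plain identifier
# @raise [Errors::AuthSessionMissing] if there is no current session
def unenroll(params)
  factor_id = (params[:factor_id] || params["factor_id"]).to_s

  # factor_id becomes part of the DELETE path, so only a plain identifier is
  # accepted: a missing value would yield "factors/" and a value carrying path
  # or query syntax would point the request at a different resource.
  # NOTE(review): assumes factor ids are UUID-like tokens -- confirm against the server.
  unless factor_id.match?(/\A[A-Za-z0-9_-]+\z/)
    raise ArgumentError, "factor_id must be a non-empty identifier (letters, digits, '-' or '_')"
  end

  session = @client.get_session
  raise Errors::AuthSessionMissing unless session

  data = @client._request("DELETE", "factors/#{factor_id}",
                          jwt: session.access_token)
  Types::AuthMFAUnenrollResponse.from_hash(data)
end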

#verify(params) ⇒ Types::AuthMFAVerifyResponse

Verify an MFA challenge.

Parameters:

  • params (Hash)

    (:factor_id, :challenge_id, :code)

Returns:

  • (Types::AuthMFAVerifyResponse)

Raises:

  • (Errors::AuthSessionMissing)



# File 'lib/supabase/auth/client.rb', line 1123

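# Verify an MFA challenge.
#
# On success the server reply is also parsed as a session; when it carries an
# access token, that session replaces the stored one and subscribers receive
# "MFA_CHALLENGE_VERIFIED".
#
# @param params [Hash] symbol or string keys: :factor_id, :challenge_id, :code
# @return [Types::AuthMFAVerifyResponse]
# @raise [ArgumentError] if :factor_id is missing or is not a plain identifier
# @raise [Errors::AuthSessionMissing] if there is no current session
def verify(params)
  factor_id = (params[:factor_id] || params["factor_id"]).to_s
  challenge_id = params[:challenge_id] || params["challenge_id"]
  code = params[:code] || params["code"]

  # factor_id is interpolated into the request path below, so only a plain
  # identifier is accepted: a missing value would yield "factors//verify" and
  # a value carrying path or query syntax would address another endpoint.
  # NOTE(review): assumes factor ids are UUID-like tokens -- confirm against the server.
  unless factor_id.match?(/\A[A-Za-z0-9_-]+\z/)
    raise ArgumentError, "factor_id must be a non-empty identifier (letters, digits, '-' or '_')"
  end

  session = @client.get_session
  raise Errors::AuthSessionMissing unless session

  # `code` is the user's one-time passcode; it travels only in the request body.
  body = { factor_id: factor_id, challenge_id: challenge_id, code: code }
  data = @client._request("POST", "factors/#{factor_id}/verify",
                          jwt: session.access_token, body: body)
  response = Types::AuthMFAVerifyResponse.from_hash(data)

  # Save the new session from the verify response. `send` is used because the
  # two client hooks are invoked as non-public methods.
  new_session = Types::Session.from_hash(data)
  if new_session&.access_token
    @client.send(:_save_session, new_session)
    @client.send(:_notify_all_subscribers, "MFA_CHALLENGE_VERIFIED", new_session)
  end

  response
end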