feat: add Modica Group SMS provider support

Author: superstructor

.env.example

@@ -17,3 +17,13 @@ [email protected]
 AUTH_SMTP_USER=user
 AUTH_LOG_LEVEL=debug
 AUTH_CLIENT_URL='http://127.0.0.1:3000'
+# SMS configuration
+# AUTH_SMS_PASSWORDLESS_ENABLED=false
+# AUTH_SMS_PROVIDER=twilio
+# Twilio SMS settings
+# AUTH_SMS_TWILIO_ACCOUNT_SID=
+# AUTH_SMS_TWILIO_AUTH_TOKEN=
+# AUTH_SMS_TWILIO_MESSAGING_SERVICE_ID=
+# Modica Group SMS settings
+# AUTH_SMS_MODICA_USERNAME=
+# AUTH_SMS_MODICA_PASSWORD=

docs/configuration.md

@@ -85,7 +85,32 @@ Hasura Auth supports email [passwordless authentication](https://en.wikipedia.or
 
 Set `AUTH_EMAIL_PASSWORDLESS_ENABLED` to `true` to enable passwordless authentication.
 
-<!-- TODO ## Passwordless with SMS -->
+### Passwordless with SMS
+
+Hasura Auth supports SMS [passwordless authentication](https://en.wikipedia.org/wiki/Passwordless_authentication). It requires an SMS provider to be configured properly.
+
+Set `AUTH_SMS_PASSWORDLESS_ENABLED` to `true` to enable SMS passwordless authentication.
+
+#### SMS Provider Configuration
+
+Configure the SMS provider using the `AUTH_SMS_PROVIDER` environment variable:
+
+```bash
+AUTH_SMS_PROVIDER=twilio  # or modica
+```
+
+**Twilio Configuration:**
+```bash
+AUTH_SMS_TWILIO_ACCOUNT_SID=your_account_sid
+AUTH_SMS_TWILIO_AUTH_TOKEN=your_auth_token
+AUTH_SMS_TWILIO_MESSAGING_SERVICE_ID=your_messaging_service_id
+```
+
+**Modica Group Configuration:**
+```bash
+AUTH_SMS_MODICA_USERNAME=your_username
+AUTH_SMS_MODICA_PASSWORD=your_password
+```
 
 ### FIDO2 Webauthn
 

docs/environment-variables.md

@@ -40,11 +40,13 @@
 | AUTH_OTP_EMAIL_ENABLED                                | Enables passwordless authentication by email using OTP. The SMTP server must then be configured.                                                                                                                                        | `false`                      |
 | AUTH_SMS_PASSWORDLESS_ENABLED                         | Enables passwordless authentication by SMS. An SMS provider must then be configured.                                                                                                                                                    | `false`                      |
 | AUTH_SHOW_LOG_QUERY_PARAMS                            | Shows all query parameters in the logs. Make sure you know what you do because this setting can potentially reveal secure information.                                                                                                  | `false`                      |
-| AUTH_SMS_PROVIDER                                     | SMS provider name. Only `twilio` is possible as an option for now.                                                                                                                                                                      |                              |
+| AUTH_SMS_PROVIDER                                     | SMS provider name. Options: `twilio`, `modica`                                                                                                                                                                                           |                              |
 | AUTH_SMS_TEST_PHONE_NUMBERS                           | Comma separated list of test phone numbers which can be used without any provider set. **The verification code can be found in the logs upon sign in**.                                                                                 |                              |
 | AUTH_SMS_TWILIO_ACCOUNT_SID                           |                                                                                                                                                                                                                                         |                              |
 | AUTH_SMS_TWILIO_AUTH_TOKEN                            |                                                                                                                                                                                                                                         |                              |
 | AUTH_SMS_TWILIO_MESSAGING_SERVICE_ID                  |                                                                                                                                                                                                                                         |                              |
+| AUTH_SMS_MODICA_USERNAME                              | Modica Group API username for SMS                                                                                                                                                                                      |                              |
+| AUTH_SMS_MODICA_PASSWORD                              | Modica Group API password for SMS                                                                                                                                                                                      |                              |
 | AUTH_EMAIL_SIGNIN_EMAIL_VERIFIED_REQUIRED             | When enabled, any email-based authentication requires emails to be verified by a link sent to this email.                                                                                                                               | `true`                       |
 | AUTH_ACCESS_CONTROL_ALLOWED_REDIRECT_URLS             | Comma-separated list of allowed redirect URLs that can be passed on as an option. Any sub-path will be considered valid. Supports wildcards and other [micromatch patterns](https://github.com/micromatch/micromatch#matching-features) |                              |
 | AUTH_MFA_ENABLED                                      | Enables users to use Multi Factor Authentication.                                                                                                                                                                                       | `false`                      |

go/cmd/config.go

@@ -112,9 +112,12 @@ func getConfig(cCtx *cli.Context) (controller.Config, error) { //nolint:funlen
 		WebauhtnAttestationTimeout:  cCtx.Duration(flagWebauthnAttestationTimeout),
 		OTPEmailEnabled:             cCtx.Bool(flagOTPEmailEnabled),
 		SMSPasswordlessEnabled:      cCtx.Bool(flagSMSPasswordlessEnabled),
+		SMSProvider:                 cCtx.String(flagSMSProvider),
 		SMSTwilioAccountSid:         cCtx.String(flagSMSTwilioAccountSid),
 		SMSTwilioAuthToken:          cCtx.String(flagSMSTwilioAuthToken),
 		SMSTwilioMessagingServiceID: cCtx.String(flagSMSTwilioMessagingServiceID),
+		SMSModicaUsername:           cCtx.String(flagSMSModicaUsername),
+		SMSModicaPassword:           cCtx.String(flagSMSModicaPassword),
 		MfaEnabled:                  cCtx.Bool(flagMfaEnabled),
 		ServerPrefix:                cCtx.String(flagAPIPrefix),
 	}, nil

go/cmd/email.go

@@ -111,6 +111,26 @@ func getSMS( //nolint:ireturn
 		return nil, nil //nolint:nilnil // SMS disabled, return nil client
 	}
 
+	provider := strings.ToLower(cCtx.String(flagSMSProvider))
+	if provider == "" {
+		provider = "twilio" // Default to Twilio for backward compatibility
+	}
+
+	switch provider {
+	case "modica":
+		return getModicaSMS(cCtx, templates, db, logger)
+	case "twilio":
+		return getTwilioSMS(cCtx, templates, db)
+	default:
+		return nil, fmt.Errorf("unsupported SMS provider: %s", provider) //nolint:err113
+	}
+}
+
+func getTwilioSMS( //nolint:ireturn
+	cCtx *cli.Context,
+	templates *notifications.Templates,
+	db *sql.Queries,
+) (controller.SMSer, error) {
 	accountSid := cCtx.String(flagSMSTwilioAccountSid)
 	authToken := cCtx.String(flagSMSTwilioAuthToken)
 	messagingServiceID := cCtx.String(flagSMSTwilioMessagingServiceID)
@@ -126,6 +146,30 @@ func getSMS( //nolint:ireturn
 		), nil
 	}
 
+	return sms.NewTwilioSMS(
+		templates,
+		controller.GenerateOTP,
+		controller.HashOTP,
+		accountSid,
+		authToken,
+		messagingServiceID,
+		db,
+	), nil
+}
+
+func getModicaSMS( //nolint:ireturn
+	cCtx *cli.Context,
+	templates *notifications.Templates,
+	db *sql.Queries,
+	logger *slog.Logger,
+) (controller.SMSer, error) {
+	username := cCtx.String(flagSMSModicaUsername)
+	password := cCtx.String(flagSMSModicaPassword)
+
+	if username == "" || password == "" {
+		return nil, errors.New("SMS is enabled but Modica credentials are missing") //nolint:err113
+	}
+
 	if templates == nil {
 		var err error
 
@@ -135,13 +179,12 @@ func getSMS( //nolint:ireturn
 		}
 	}
 
-	return sms.NewTwilioSMS(
+	return sms.NewModicaSMS(
 		templates,
 		controller.GenerateOTP,
 		controller.HashOTP,
-		accountSid,
-		authToken,
-		messagingServiceID,
+		username,
+		password,
 		db,
 	), nil
 }

go/cmd/serve.go

@@ -95,9 +95,12 @@ const (
 	flagGoogleAudience                   = "google-audience"
 	flagOTPEmailEnabled                  = "otp-email-enabled"
 	flagSMSPasswordlessEnabled           = "sms-passwordless-enabled"
+	flagSMSProvider                      = "sms-provider"
 	flagSMSTwilioAccountSid              = "sms-twilio-account-sid"
 	flagSMSTwilioAuthToken               = "sms-twilio-auth-token" //nolint:gosec
 	flagSMSTwilioMessagingServiceID      = "sms-twilio-messaging-service-id"
+	flagSMSModicaUsername                = "sms-modica-username"
+	flagSMSModicaPassword                = "sms-modica-password" //nolint:gosec
 	flagAnonymousUsersEnabled            = "enable-anonymous-users"
 	flagMfaEnabled                       = "mfa-enabled"
 	flagMfaTotpIssuer                    = "mfa-totp-issuer"
@@ -684,6 +687,25 @@ func CommandServe() *cli.Command { //nolint:funlen,maintidx
 				Category: "sms",
 				EnvVars:  []string{"AUTH_SMS_TWILIO_MESSAGING_SERVICE_ID"},
 			},
+			&cli.StringFlag{ //nolint: exhaustruct
+				Name:     flagSMSProvider,
+				Usage:    "SMS provider (twilio or modica)",
+				Category: "sms",
+				EnvVars:  []string{"AUTH_SMS_PROVIDER"},
+				Value:    "twilio",
+			},
+			&cli.StringFlag{ //nolint: exhaustruct
+				Name:     flagSMSModicaUsername,
+				Usage:    "Modica username for SMS",
+				Category: "sms",
+				EnvVars:  []string{"AUTH_SMS_MODICA_USERNAME"},
+			},
+			&cli.StringFlag{ //nolint: exhaustruct
+				Name:     flagSMSModicaPassword,
+				Usage:    "Modica password for SMS",
+				Category: "sms",
+				EnvVars:  []string{"AUTH_SMS_MODICA_PASSWORD"},
+			},
 			&cli.BoolFlag{ //nolint: exhaustruct
 				Name:     flagAnonymousUsersEnabled,
 				Usage:    "Enable anonymous users",

go/controller/config.go

@@ -64,9 +64,12 @@ type Config struct {
 	WebauhtnAttestationTimeout  time.Duration `json:"AUTH_WEBAUTHN_ATTESTATION_TIMEOUT"`
 	OTPEmailEnabled             bool          `json:"AUTH_OTP_EMAIL_ENABLED"`
 	SMSPasswordlessEnabled      bool          `json:"AUTH_SMS_PASSWORDLESS_ENABLED"`
+	SMSProvider                 string        `json:"AUTH_SMS_PROVIDER"`
 	SMSTwilioAccountSid         string        `json:"AUTH_SMS_TWILIO_ACCOUNT_SID"`
 	SMSTwilioAuthToken          string        `json:"AUTH_SMS_TWILIO_AUTH_TOKEN"`
 	SMSTwilioMessagingServiceID string        `json:"AUTH_SMS_TWILIO_MESSAGING_SERVICE_ID"`
+	SMSModicaUsername           string        `json:"AUTH_SMS_MODICA_USERNAME"`
+	SMSModicaPassword           string        `json:"AUTH_SMS_MODICA_PASSWORD"`
 	ServerPrefix                string        `json:"AUTH_SERVER_PREFIX"`
 }
 

go/controller/validator_test.go

@@ -58,6 +58,9 @@ func getConfig() *controller.Config {
 		SMSTwilioAccountSid:         "smsAccountSid",
 		SMSTwilioAuthToken:          "smsAuthToken",
 		SMSTwilioMessagingServiceID: "smsMessagingServiceID",
+		SMSProvider:                 "twilio",
+		SMSModicaUsername:           "modicaUsername",
+		SMSModicaPassword:           "modicaPassword",
 	}
 }
 

go/notifications/sms/modica_sms.go

@@ -0,0 +1,127 @@
+package sms
+
+import (
+	"bytes"
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/nhost/hasura-auth/go/notifications"
+)
+
+const (
+	modicaAPIURL         = "https://api.modicagroup.com/rest/sms/v2/messages"
+	clientTimeoutSeconds = 30
+	maxIdleConns         = 10
+	idleTimeoutSeconds   = 30
+	tlsTimeoutSeconds    = 10
+)
+
+var (
+	ErrInvalidPhoneFormat = errors.New(
+		"phone number must be in international format (e.g., +64211234567)",
+	)
+	ErrEmptyMessage = errors.New("message content cannot be empty")
+	ErrSMSAPIError  = errors.New("SMS API error")
+)
+
+type ModicaSMS struct {
+	client   *http.Client
+	username string
+	password string
+}
+
+type modicaSMSRequest struct {
+	Destination string `json:"destination"`
+	Content     string `json:"content"`
+}
+
+func NewModicaSMS(
+	templates *notifications.Templates,
+	otpGenerator func() (string, string, error),
+	otpHasher func(string) (string, error),
+	username string, password string,
+	db DB,
+) *SMS {
+	client := &http.Client{ //nolint:exhaustruct
+		Timeout: clientTimeoutSeconds * time.Second,
+		Transport: &http.Transport{ //nolint:exhaustruct
+			MaxIdleConns:        maxIdleConns,
+			IdleConnTimeout:     idleTimeoutSeconds * time.Second,
+			DisableCompression:  false,
+			TLSHandshakeTimeout: tlsTimeoutSeconds * time.Second,
+		},
+	}
+
+	return NewSMS(
+		&ModicaSMS{
+			client:   client,
+			username: username,
+			password: password,
+		},
+		otpGenerator,
+		otpHasher,
+		templates,
+		db,
+	)
+}
+
+func (s *ModicaSMS) SendSMS(to string, body string) error {
+	// Validate inputs according to Modica API requirements
+	if !strings.HasPrefix(to, "+") {
+		return ErrInvalidPhoneFormat
+	}
+
+	if len(body) == 0 {
+		return ErrEmptyMessage
+	}
+
+	reqBody := modicaSMSRequest{
+		Destination: to,
+		Content:     body,
+	}
+
+	jsonData, err := json.Marshal(reqBody)
+	if err != nil {
+		return fmt.Errorf("failed to marshal request: %w", err)
+	}
+
+	req, err := http.NewRequestWithContext(
+		context.Background(),
+		http.MethodPost,
+		modicaAPIURL,
+		bytes.NewBuffer(jsonData),
+	)
+	if err != nil {
+		return fmt.Errorf("failed to create request: %w", err)
+	}
+
+	// Set headers
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Authorization", "Basic "+s.basicAuth())
+
+	resp, err := s.client.Do(req)
+	if err != nil {
+		return fmt.Errorf("failed to send request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusAccepted {
+		bodyBytes, _ := io.ReadAll(resp.Body)
+
+		return fmt.Errorf("%w: HTTP %d: %s", ErrSMSAPIError, resp.StatusCode, string(bodyBytes))
+	}
+
+	return nil
+}
+
+func (s *ModicaSMS) basicAuth() string {
+	auth := s.username + ":" + s.password
+	return base64.StdEncoding.EncodeToString([]byte(auth))
+}