feat: add Modica Group SMS provider support

superstructor · superstructor · commit f40f5796062b · 2025-09-15T11:55:26.000+12:00
- Add ModicaSMS provider implementing controller.SMSer interface
- Support provider selection via AUTH_SMS_PROVIDER environment variable
- Maintain backward compatibility with existing Twilio configuration
- Add extensive test coverage including mock server and validation tests
diff --git a/.env.example b/.env.example
@@ -17,3 +17,13 @@ AUTH_SMTP_SENDER=hasura-auth@example.com
 AUTH_SMTP_USER=user
 AUTH_LOG_LEVEL=debug
 AUTH_CLIENT_URL='http://127.0.0.1:3000'
+# SMS configuration
+# AUTH_SMS_PASSWORDLESS_ENABLED=false
+# AUTH_SMS_PROVIDER=twilio
+# Twilio SMS settings
+# AUTH_SMS_TWILIO_ACCOUNT_SID=
+# AUTH_SMS_TWILIO_AUTH_TOKEN=
+# AUTH_SMS_TWILIO_MESSAGING_SERVICE_ID=
+# Modica Group SMS settings
+# AUTH_SMS_MODICA_USERNAME=
+# AUTH_SMS_MODICA_PASSWORD=
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -85,7 +85,32 @@ Hasura Auth supports email [passwordless authentication](https://en.wikipedia.or
 
 Set `AUTH_EMAIL_PASSWORDLESS_ENABLED` to `true` to enable passwordless authentication.
 
-<!-- TODO ## Passwordless with SMS -->
+### Passwordless with SMS
+
+Hasura Auth supports SMS [passwordless authentication](https://en.wikipedia.org/wiki/Passwordless_authentication). It requires an SMS provider to be configured properly.
+
+Set `AUTH_SMS_PASSWORDLESS_ENABLED` to `true` to enable SMS passwordless authentication.
+
+#### SMS Provider Configuration
+
+Configure the SMS provider using the `AUTH_SMS_PROVIDER` environment variable:
+
+```bash
+AUTH_SMS_PROVIDER=twilio  # or modica
+```
+
+**Twilio Configuration:**
+```bash
+AUTH_SMS_TWILIO_ACCOUNT_SID=your_account_sid
+AUTH_SMS_TWILIO_AUTH_TOKEN=your_auth_token
+AUTH_SMS_TWILIO_MESSAGING_SERVICE_ID=your_messaging_service_id
+```
+
+**Modica Group Configuration:**
+```bash
+AUTH_SMS_MODICA_USERNAME=your_username
+AUTH_SMS_MODICA_PASSWORD=your_password
+```
 
 ### FIDO2 Webauthn
 
diff --git a/go/cmd/config.go b/go/cmd/config.go
@@ -112,9 +112,12 @@ func getConfig(cmd *cli.Command) (controller.Config, error) { //nolint:funlen
 		WebauhtnAttestationTimeout:  cmd.Duration(flagWebauthnAttestationTimeout),
 		OTPEmailEnabled:             cmd.Bool(flagOTPEmailEnabled),
 		SMSPasswordlessEnabled:      cmd.Bool(flagSMSPasswordlessEnabled),
+		SMSProvider:                 cmd.String(flagSMSProvider),
 		SMSTwilioAccountSid:         cmd.String(flagSMSTwilioAccountSid),
 		SMSTwilioAuthToken:          cmd.String(flagSMSTwilioAuthToken),
 		SMSTwilioMessagingServiceID: cmd.String(flagSMSTwilioMessagingServiceID),
+		SMSModicaUsername:           cmd.String(flagSMSModicaUsername),
+		SMSModicaPassword:           cmd.String(flagSMSModicaPassword),
 		MfaEnabled:                  cmd.Bool(flagMfaEnabled),
 		ServerPrefix:                cmd.String(flagAPIPrefix),
 	}, nil
diff --git a/go/cmd/email.go b/go/cmd/email.go
@@ -116,7 +116,9 @@ func getSMS( //nolint:ireturn
 		provider = "twilio" // Default to Twilio for backward compatibility
 	}
 
-	switch strings.ToLower(cmd.String(flagSMSProvider)) {
+	switch provider {
+	case "modica":
+		return getModicaSMS(cmd, templates, db, logger)
 	case "twilio":
 		return getTwilioSMS(cmd, templates, db)
 	case "dev":
@@ -154,3 +156,33 @@ func getTwilioSMS( //nolint:ireturn
 		db,
 	), nil
 }
+
+func getModicaSMS( //nolint:ireturn
+	cmd *cli.Command,
+	templates *notifications.Templates,
+	db *sql.Queries,
+	logger *slog.Logger,
+) (controller.SMSer, error) {
+	username := cmd.String(flagSMSModicaUsername)
+	password := cmd.String(flagSMSModicaPassword)
+
+	if username == "" || password == "" {
+		return nil, errors.New("SMS is enabled but Modica credentials are missing") //nolint:err113
+	}
+
+	if templates == nil {
+		var err error
+
+		templates, err = getTemplates(cmd, logger)
+		if err != nil {
+			return nil, fmt.Errorf("problem creating templates: %w", err)
+		}
+	}
+
+	return sms.NewModicaSMS(
+		templates,
+		username,
+		password,
+		db,
+	), nil
+}
diff --git a/go/cmd/serve.go b/go/cmd/serve.go
@@ -99,6 +99,8 @@ const (
 	flagSMSTwilioAccountSid              = "sms-twilio-account-sid"
 	flagSMSTwilioAuthToken               = "sms-twilio-auth-token" //nolint:gosec
 	flagSMSTwilioMessagingServiceID      = "sms-twilio-messaging-service-id"
+	flagSMSModicaUsername                = "sms-modica-username"
+	flagSMSModicaPassword                = "sms-modica-password" //nolint:gosec
 	flagAnonymousUsersEnabled            = "enable-anonymous-users"
 	flagMfaEnabled                       = "mfa-enabled"
 	flagMfaTotpIssuer                    = "mfa-totp-issuer"
@@ -691,6 +693,18 @@ func CommandServe() *cli.Command { //nolint:funlen,maintidx
 				Category: "sms",
 				Sources:  cli.EnvVars("AUTH_SMS_TWILIO_MESSAGING_SERVICE_ID"),
 			},
+			&cli.StringFlag{ //nolint: exhaustruct
+				Name:     flagSMSModicaUsername,
+				Usage:    "Modica username for SMS",
+				Category: "sms",
+				Sources:  cli.EnvVars("AUTH_SMS_MODICA_USERNAME"),
+			},
+			&cli.StringFlag{ //nolint: exhaustruct
+				Name:     flagSMSModicaPassword,
+				Usage:    "Modica password for SMS",
+				Category: "sms",
+				Sources:  cli.EnvVars("AUTH_SMS_MODICA_PASSWORD"),
+			},
 			&cli.BoolFlag{ //nolint: exhaustruct
 				Name:     flagAnonymousUsersEnabled,
 				Usage:    "Enable anonymous users",
diff --git a/go/controller/config.go b/go/controller/config.go
@@ -64,9 +64,12 @@ type Config struct {
 	WebauhtnAttestationTimeout  time.Duration `json:"AUTH_WEBAUTHN_ATTESTATION_TIMEOUT"`
 	OTPEmailEnabled             bool          `json:"AUTH_OTP_EMAIL_ENABLED"`
 	SMSPasswordlessEnabled      bool          `json:"AUTH_SMS_PASSWORDLESS_ENABLED"`
+	SMSProvider                 string        `json:"AUTH_SMS_PROVIDER"`
 	SMSTwilioAccountSid         string        `json:"AUTH_SMS_TWILIO_ACCOUNT_SID"`
 	SMSTwilioAuthToken          string        `json:"AUTH_SMS_TWILIO_AUTH_TOKEN"`
 	SMSTwilioMessagingServiceID string        `json:"AUTH_SMS_TWILIO_MESSAGING_SERVICE_ID"`
+	SMSModicaUsername           string        `json:"AUTH_SMS_MODICA_USERNAME"`
+	SMSModicaPassword           string        `json:"AUTH_SMS_MODICA_PASSWORD"`
 	ServerPrefix                string        `json:"AUTH_SERVER_PREFIX"`
 }
 
diff --git a/go/controller/validator_test.go b/go/controller/validator_test.go
@@ -55,9 +55,12 @@ func getConfig() *controller.Config {
 		MfaEnabled:                  true,
 		ServerPrefix:                "",
 		SMSPasswordlessEnabled:      true,
+		SMSProvider:                 "twilio",
 		SMSTwilioAccountSid:         "smsAccountSid",
 		SMSTwilioAuthToken:          "smsAuthToken",
 		SMSTwilioMessagingServiceID: "smsMessagingServiceID",
+		SMSModicaUsername:           "modicaUsername",
+		SMSModicaPassword:           "modicaPassword",
 	}
 }
 
diff --git a/go/notifications/sms/modica_sms.go b/go/notifications/sms/modica_sms.go
@@ -0,0 +1,123 @@
+package sms
+
+import (
+	"bytes"
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/nhost/hasura-auth/go/notifications"
+)
+
+const (
+	modicaAPIURL         = "https://api.modicagroup.com/rest/sms/v2/messages"
+	clientTimeoutSeconds = 30
+	maxIdleConns         = 10
+	idleTimeoutSeconds   = 30
+	tlsTimeoutSeconds    = 10
+)
+
+var (
+	ErrInvalidPhoneFormat = errors.New(
+		"phone number must be in international format (e.g., +64211234567)",
+	)
+	ErrEmptyMessage = errors.New("message content cannot be empty")
+	ErrSMSAPIError  = errors.New("SMS API error")
+)
+
+type ModicaSMS struct {
+	client   *http.Client
+	username string
+	password string
+}
+
+type modicaSMSRequest struct {
+	Destination string `json:"destination"`
+	Content     string `json:"content"`
+}
+
+func NewModicaSMS(
+	templates *notifications.Templates,
+	username string, password string,
+	db DB,
+) *SMS {
+	client := &http.Client{ //nolint:exhaustruct
+		Timeout: clientTimeoutSeconds * time.Second,
+		Transport: &http.Transport{ //nolint:exhaustruct
+			MaxIdleConns:        maxIdleConns,
+			IdleConnTimeout:     idleTimeoutSeconds * time.Second,
+			DisableCompression:  false,
+			TLSHandshakeTimeout: tlsTimeoutSeconds * time.Second,
+		},
+	}
+
+	return NewSMS(
+		&ModicaSMS{
+			client:   client,
+			username: username,
+			password: password,
+		},
+		templates,
+		db,
+	)
+}
+
+func (s *ModicaSMS) SendSMS(to string, body string) error {
+	// Validate inputs according to Modica API requirements
+	if !strings.HasPrefix(to, "+") {
+		return ErrInvalidPhoneFormat
+	}
+
+	if len(body) == 0 {
+		return ErrEmptyMessage
+	}
+
+	reqBody := modicaSMSRequest{
+		Destination: to,
+		Content:     body,
+	}
+
+	jsonData, err := json.Marshal(reqBody)
+	if err != nil {
+		return fmt.Errorf("failed to marshal request: %w", err)
+	}
+
+	req, err := http.NewRequestWithContext(
+		context.Background(),
+		http.MethodPost,
+		modicaAPIURL,
+		bytes.NewBuffer(jsonData),
+	)
+	if err != nil {
+		return fmt.Errorf("failed to create request: %w", err)
+	}
+
+	// Set headers
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Authorization", "Basic "+s.basicAuth())
+
+	resp, err := s.client.Do(req)
+	if err != nil {
+		return fmt.Errorf("failed to send request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusAccepted {
+		bodyBytes, _ := io.ReadAll(resp.Body)
+
+		return fmt.Errorf("%w: HTTP %d: %s", ErrSMSAPIError, resp.StatusCode, string(bodyBytes))
+	}
+
+	return nil
+}
+
+func (s *ModicaSMS) basicAuth() string {
+	auth := s.username + ":" + s.password
+	return base64.StdEncoding.EncodeToString([]byte(auth))
+}
diff --git a/go/notifications/sms/modica_sms_test.go b/go/notifications/sms/modica_sms_test.go

Original file line number	Diff line number	Diff line change
`@@ -55,9 +55,12 @@ func getConfig() *controller.Config {`
`55`	`55`	`MfaEnabled: true,`
`56`	`56`	`ServerPrefix: "",`
`57`	`57`	`SMSPasswordlessEnabled: true,`
	`58`	`+ SMSProvider: "twilio",`
`58`	`59`	`SMSTwilioAccountSid: "smsAccountSid",`
`59`	`60`	`SMSTwilioAuthToken: "smsAuthToken",`
`60`	`61`	`SMSTwilioMessagingServiceID: "smsMessagingServiceID",`
	`62`	`+ SMSModicaUsername: "modicaUsername",`
	`63`	`+ SMSModicaPassword: "modicaPassword",`
`61`	`64`	`}`
`62`	`65`	`}`
`63`	`66`