Supabase Auth: Bring Your Own Auth0, Cognito, or Firebase - AI reading summary - 包阅AI

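包阅 reading guide summary

1. Keywords: Supabase Auth, third-party authentication, multi-factor authentication, Auth Hooks, migration

2. Summary: Supabase Auth has 3 new announcements: support for third-party authentication providers (Auth0, Cognito, Firebase), phone-based multi-factor authentication (SMS and WhatsApp), and new SMS and email Auth Hooks. Related features and code examples are also presented.

3. Main content:

– New Supabase Auth features

– Support for third-party authentication providers such as Auth0, AWS Cognito and Firebase Auth. Migration can be done without disruption, all of them are supported in the Supabase CLI, and a client usage example is given.

– Multi-factor authentication is extended to support SMS and WhatsApp, with a reminder about the security risks of SMS authentication.

– New Auth Hooks, including a customizable "Send Email" Auth Hook and a new "Send SMS" Auth Hook. You are no longer limited to the built-in providers and can implement your own by specifying an HTTP endpoint.

– Related code examples and documentation links for more details are presented.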

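Article URL: https://supabase.com/blog/third-party-auth-mfa-phone-send-hooks

Source: supabase.com

Author: Supabase Blog

Published: 2024/8/14 0:00

Language: English

Total word count: 623 words

Estimated reading time: 3 minutes

Score: 91 points

Tags: Supabase Auth, third-party authentication, multi-factor authentication, Auth Hooks, security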


The original article follows

Today we have 3 new announcements for Supabase Auth:

  1. Support for third-party Auth providers
  2. Phone-based Multi-factor Authentication (SMS and WhatsApp)
  3. New Auth Hooks for SMS and email

Let’s dive into each new feature.

The headline feature today is third-party Authentication.

Supabase is a modular platform. We’ve been designing it so that you can choose which products you use with Postgres. You can use our own products (like Supabase Auth) or external products (like Auth0), and in theory the experience should be just-as-delightful.

Until today, using third-party auth products required developers to translate JWTs into a format compatible with Supabase Auth. This is difficult and unmaintainable.

So we fixed it. Today we’re adding first-class support for the following third-party authentication products:

  1. Auth0
  2. AWS Cognito (standalone or via AWS Amplify)
  3. Firebase Auth

Firebase Auth is currently under a private-alpha release stage, as we’re still improving the security developer experience when using it. Register your interest and someone from the team will reach out.

Migrating auth providers can be costly and technically challenging, especially for applications with large user bases. You can use Supabase’s native auth offering alongside your third-party authentication provider to achieve a disruption-free migration.

All of the third-party providers are supported in the Supabase CLI, so you can evaluate, test, and develop your integration for free.

The Supabase client supports third-party auth like this:

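```javascript
import { createClient } from '@supabase/supabase-js'

const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY, {
  // Return the third-party provider's JWT (`auth0` is your initialized Auth0 client)
  accessToken: async () => {
    const accessToken = await auth0.getTokenSilently()
    return accessToken
  },
})
```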

We’ve extended MFA to support SMS and WhatsApp.

We have a strong conviction that all applications should have access to an open and secure authentication provider. Secure-by-default should not be a luxury: developers should have affordable access to security best-practices.

Almost two years ago we launched MFA with TOTP (app authenticator) free of charge. Since then, we’ve heard a common complaint from developers: app authenticators can be hard to adopt for non-techies. Phone-based MFA is for those developers who want to provide a more accessible MFA experience for their users.

No security product is infallible! MFA with SMS can come with some hidden security drawbacks – please evaluate your application’s risk tolerance for SIM-swapping attacks.

The code looks like this:

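```javascript
// Send an SMS or WhatsApp message to the user
// (`factorId` identifies the user's enrolled phone factor; the challenge id is returned as `data.id`)
const { data: { id: challengeId } } = await supabase.auth.mfa.challenge({
  factorId,
})

// To verify the code received by the user
await supabase.auth.mfa.verify({
  factorId,
  challengeId,
  code, // the code the user typed in
})

// The user's `aal` claim in the JWT
// will be upgraded to aal2
```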

We’ve added a few new Auth Hooks, which now support HTTP endpoints as webhooks.

Email Hooks

We’ve heard the (rather loud) feedback that the built-in email templates (based on the Go templating language) can be limiting. There’s been a lot of development in email rendering libraries like Resend’s React Email. To help make this available for developers, we’ve added a “Send Email” Auth Hook, which you can use to customize your emails and how they are sent.

SMS Hooks

Supabase Auth has built-in support for popular SMS sending providers like Twilio, Messagebird, Textlocal and Vonage, but we realize this choice can be limiting.

Today we’re launching a new “Send SMS” Auth Hook. You no longer need to use the built-in provider – you can implement your own by specifying an HTTP endpoint that receives a POST request when a message needs to be sent.

Check out the docs for more details on how to get started: