appwrite / sdk-for-php

[READ-ONLY] Official Appwrite PHP SDK 🐘
https://appwrite.io
BSD 3-Clause "New" or "Revised" License

📚 Documentation: Phone verification race condition #25

Open geek-at opened 11 months ago

geek-at commented 11 months ago

💭 Description

I installed appwrite to be able to authenticate users faster using SMS and Twilio as a backend.

I'm having a hard time doing server-side verification because I want the user to enter their phone number in JS (frontend) and verify it using PHP, but this seems to be impossible because the documentation for phone verification already requires a JWT, which can only be issued when authentication is already finished.

In JS I have to call createPhoneSession and then run updatePhoneSession to verify the code, and only when this was successful can I issue a JWT using account.createJWT().

In PHP this code fails:

```php
<?php
require __DIR__ . '/vendor/autoload.php';

use Appwrite\Client;
use Appwrite\Services\Account;

$client = new Client();

$client
    ->setEndpoint('https://myurl/v1')
    ->setProject('652d4af1633afc99def')
    ->setKey('528958d6e5f[..]e318fc67') // Your secret API key
    ->setSelfSigned()
;

$userid = "652d5b5a9a699deabcce"; // would get this from an AJAX request from the frontend
$secret = "243503"; // phone verification token

$account = new Account($client);
// Fails with "(role: applications) missing scope (public)" when the client is authenticated with an API key
$result = $account->updatePhoneVerification($userid, $secret);
var_dump($result);
```

It fails with the error `(role: applications) missing scope (public)`, which means that using an API secret you can't confirm the user's phone token. It needs setJWT instead of setKey, but again the JWT can only be issued after authentication.

So why do these endpoints even exist in PHP when you can't use them for authentication in the backend? How is this meant to be used? Anonymous logins and afterwards backend checks?

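The following is an added example, not code from the issue or from the Appwrite SDK's own documentation. It shows the server-side half of the flow the comment describes: the browser finishes createPhoneSession / updatePhoneSession and mints a JWT with account.createJWT(), sends that JWT to the PHP backend, and the backend authenticates its Appwrite Client with setJWT() (the user-scoped token) instead of setKey() (the application key that produced the scope error above). It then reads the user with Account::get() and checks the phoneVerification flag rather than trusting the user ID the frontend claims. The header name X-Appwrite-JWT, the POST field userId, and the endpoint/project placeholders are assumptions made for this example.

```php
<?php
// Added example (not from the original issue or the Appwrite project).
// Assumes the browser has already completed createPhoneSession/updatePhoneSession
// and minted a JWT with account.createJWT(), then sent that JWT to this endpoint.
// The "X-Appwrite-JWT" header name and the "userId" POST field are assumptions.
require __DIR__ . '/vendor/autoload.php';

use Appwrite\AppwriteException;
use Appwrite\Client;
use Appwrite\Services\Account;

/**
 * Build a client that acts as the end user (via the JWT) rather than as the
 * application (via an API key). Account endpoints are user-scoped, so this is
 * the client that can read the caller's own account.
 */
function clientForJwt(string $jwt): Client
{
    $client = new Client();
    $client
        ->setEndpoint('https://myurl/v1')     // placeholder endpoint, as in the issue
        ->setProject('652d4af1633afc99def')   // project ID from the issue
        ->setJWT($jwt);                       // user-scoped token instead of setKey()
    return $client;
}

/**
 * Returns the verified user record, or null if the JWT is rejected by Appwrite,
 * belongs to a different user than the frontend claimed, or the phone number
 * has not been verified yet.
 */
function verifiedUserFromJwt(string $jwt, string $expectedUserId): ?array
{
    try {
        $account = new Account(clientForJwt($jwt));
        // Appwrite resolves the JWT server-side to the user it was issued for.
        $user = $account->get();
    } catch (AppwriteException $e) {
        // Expired or forged JWT, wrong project, unreachable server, etc.
        error_log('Appwrite rejected JWT: ' . $e->getMessage());
        return null;
    }

    // Never trust a client-supplied user ID on its own: the JWT decides who the user is.
    if (!hash_equals($expectedUserId, (string) $user['$id'])) {
        return null;
    }

    // Only accept the user once the SMS code has actually been confirmed.
    if (empty($user['phoneVerification'])) {
        return null;
    }

    return $user;
}

// Hypothetical request handling: both values arrive from the frontend's AJAX call.
$jwt     = $_SERVER['HTTP_X_APPWRITE_JWT'] ?? '';
$claimed = $_POST['userId'] ?? '';

header('Content-Type: application/json');
$user = verifiedUserFromJwt($jwt, $claimed);
if ($user === null) {
    http_response_code(401);
    echo json_encode(['ok' => false]);
    exit;
}

// At this point the backend knows Appwrite has confirmed the phone number.
echo json_encode(['ok' => true, 'userId' => $user['$id'], 'phone' => $user['phone']]);
```

The key design point is that the PHP side never calls updatePhoneVerification itself: the code entry and verification stay in the browser session, and the backend only verifies the resulting JWT and inspects the user it maps to. Comparing the JWT's user ID against the ID the frontend claims, and checking phoneVerification rather than the mere presence of a token, closes the gap where a client could post someone else's user ID or a token from an account that never completed verification.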