supabase / auth

A JWT based API for managing users and issuing JWT tokens
https://supabase.com/docs/guides/auth
MIT License

Send `appHash` to Twilio Verify for mobile SMS OTP auto-fill-in #1235

Open Kypsis opened 11 months ago

Kypsis commented 11 months ago

Bug report

Describe the bug

There is no way to send the optional parameter appHash (https://www.twilio.com/docs/verify/api/verification) when using Twilio Verify with supabase_flutter. This would get appended to the OTP SMS so Android could read the OTP code from SMS automatically.

Expected behavior

A way to send appHash with signInWithOtp() method -> OTP SMS contains the appended appHash.

Kypsis commented 10 months ago

Is there any tentative timeline for this feature to become a reality yet?

J0 commented 10 months ago

Hey @Kypsis,

Thanks for bumping this. No tentative timeline at the moment as we're looking into a custom, more general approach towards SMS providers. If it's a hard blocker for you, I can raise it for discussion this week though.

Quick question: how is the appHash used after it is received in the response and is it dynamically generated?

I don't have a strong familiarity with the appHash but am wondering if it would be possible to manually append the appHash to the message template for now if it is statically generated.

Let me know!

Kypsis commented 10 months ago

App hash (signature) can be precomputed or fetched at runtime: https://developers.google.com/identity/sms-retriever/verify#computing_your_apps_hash_string. Then it would get appended to the SMS via the appHash optional parameter when doing a POST request to https://verify.twilio.com/v2/Services/{ServiceSid}/Verifications. On an Android device the SMS Retriever API would read the OTP from the SMS automatically via the appHash identifier in the SMS response and would then allow the OTP auto-fill functionality to work, which leads to a very nice frictionless UX for the user.

From my POV having an option to manually append the appHash would be totally fine as well (seeing as that's what I had to do anyway when using the regular Twilio SMS API, just statically append it to the SMS message on the dashboard).
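
Added example, not part of the thread and not code from supabase/auth: the flow described in the comment above, written in Go. It computes the hash by Google's documented steps and builds the form body for the Verifications POST, rejecting a client-supplied `appHash` that is not exactly 11 base64 characters, since the value is appended to the SMS text. The function names, the certificate bytes and the phone number are assumptions made for illustration; `To`, `Channel` and `AppHash` are the Twilio Verify form fields.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

// appHashRe: the 11 base64 characters the SMS Retriever API expects.
var appHashRe = regexp.MustCompile(`\A[A-Za-z0-9+/]{11}\z`)

// ComputeAppHash (hypothetical name) follows Google's documented steps:
// SHA-256 over "<package> <lower-case hex of signing cert>", base64,
// then the first 11 characters.
func ComputeAppHash(pkg string, certDER []byte) string {
	sum := sha256.Sum256([]byte(pkg + " " + hex.EncodeToString(certDER)))
	return base64.StdEncoding.EncodeToString(sum[:])[:11]
}

// VerificationForm (hypothetical name) builds the form body for the
// Verifications POST. The hash ends up in the SMS text, so a value that
// does not have exactly the expected shape is rejected.
func VerificationForm(to, appHash string) (url.Values, error) {
	form := url.Values{"To": {to}, "Channel": {"sms"}}
	if appHash == "" {
		return form, nil // AppHash is optional
	}
	if !appHashRe.MatchString(appHash) {
		return nil, errors.New("appHash must be 11 base64 characters")
	}
	form.Set("AppHash", appHash)
	return form, nil
}

func main() {
	cert := []byte("constructed-placeholder-certificate") // constructed, not a real cert
	h := ComputeAppHash("com.example.myapp", cert)
	form, err := VerificationForm("+15555550100", h) // constructed number
	fmt.Println(h, form.Encode(), err)
	_, err = VerificationForm("+15555550100", "x Visit example.test")
	fmt.Println(err)
}
```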

Kypsis commented 8 months ago

Any progress on this issue?

J0 commented 8 months ago

Hey @Kypsis,

Thanks for waiting, we are working on a solution for this via auth hooks and it'll probably land close to our next launch week in December. Do check back then and lmk if there are any immediate concerns.

hf commented 5 months ago

Until we have this, feel free to open a PR and the team will prioritize reviews.

J0 commented 2 months ago

Hey @Kypsis,

Sorry it took so long to get back. I'm not sure if this is still relevant to you but here's the outline of how we'd potentially do it with an edge function

We're planning to release this soon - let me know if there are any points we've missed around using the apphash though