Phone update does not require an otp locally

[florian-lefebvre]

Bug report

• [x] I confirm this is a bug with Supabase, not with my own application.
• [x] I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

To update a user's phone, the following needs to be done:

// 1. user must be logged in
// 2. update phone number
await supabase.auth.updateUser({
    phone: "new phone"
})
// 3. user inputs otp they received
await supabase.auth.verifyOtp({
    phone: "new phone",
    token: "...",
    type: "phone_change"
})

However locally, calling updateUser updates the auth.users row directly. I tested on a test hosted supabase instance and it worked as intended fyi.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

1. Have Supabase configured locally using the CLI and running

2. Create a user using phone provider

3. Login then call

   await supabase.auth.updateUser({
       phone: "new phone"
   })

4. Check the auth.users table and see phone is updated directly

Expected behavior

Locally, auth.users row columns should be updated with phone change stuff and an otp should be sent.

System information

• OS: Win 11
• Version of supabase-js: 2.43.5
• Version of Node.js: 20.11.1

[encima]

Thanks for opening! Which phone provider are you using and how have you configured it?

[florian-lefebvre]

Thanks for the quick answer! I'm using the twilio provider and locally I'm doing the following to avoid having the twilio creds + send to prod users by mistake:

[auth.sms.test_otp]
61491572549 = "123456"
# Inexistent user in the seed file, used to test registration and phone update
61491576398 = "123456"

# NOTICE THE EMPTY STRINGS
[auth.sms.twilio]
enabled = true
account_sid = " "
message_service_sid = " "
auth_token = " "

Note that this works perfectly for any other otp related operation

[choim4389]

same issue here

[Mohamdrebhi13]

Ghada rebhi2@gmail.com

[Mohamdrebhi13]

Hosni Rabhi @gmail.com