Passwordless authentication #6152

Closed
Eolykab opened this issue Oct 22, 2019 · 4 comments
Labels
type:feature New feature or improvement of existing feature

Comments

Eolykab commented Oct 22, 2019

Hi There,

How do I implement passwordless authentication? Like sending OTP to phone number and verifying the code after.

Member

dplewis commented Oct 23, 2019

A PR was opened for this but wasn’t finished.

#5306

Would you like to take it over and create a new PR?

@memishood

You can do it using Cloud Code, basically.

Call this cloud function after getting the phone number from the user:

Parse.Cloud.define('SendSMS', (req, res) => {
	// 4-digit code the user has to type back; note that the code is returned
	// to the calling client in res.success() below
	let code = Math.floor(1000 + Math.random() * 9000);
	let getMessage = code + ' This is your verification code';
	let phone = req.params.phone;
	let accountSid = 'XXX'; // Twilio credentials
	let authToken = 'XXX';
	var client = require('twilio')(accountSid, authToken);
	client.messages.create({
		body: getMessage,
		from: '+yourTwilioPhoneNumber',
		to: phone
	}).then(result => {
		res.success(code);
	}).catch(error => {
		res.error(error);
	});
});

First, get the SMS code in your client from the cloud function and check it; if it is right, call this function:

Parse.Cloud.define('Auth', (req, res) => {
	// throwaway random password, only used to obtain a session token
	var pass = Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15);
	var phone = req.params.phone;
	var query = new Parse.Query(Parse.User);
	query.equalTo('username', phone);
	query.first({ useMasterKey: true }).then(user => {
		if (!user) {
			// query.first() resolves to undefined (it does not reject) when nothing
			// matches, so the sign-up path has to be taken here, not in .catch()
			let newUser = new Parse.User();
			newUser.set('username', phone);
			newUser.set('password', pass);
			return newUser.save(null, { useMasterKey: true }).then(saved => {
				res.success(saved.getSessionToken());
			});
		}
		// existing user: rotate the password, then log in to mint a session token
		user.set('password', pass);
		return user.save(null, { useMasterKey: true }).then(() => {
			return Parse.User.logIn(phone, pass);
		}).then(loggedIn => {
			res.success(loggedIn.getSessionToken());
		});
	}).catch(error => {
		// covers query, save and logIn failures on both paths
		res.error(error);
	});
});

Maybe it's not safe, but if you don't have any choice you can use it.

@ChinaeduPascal

Why is this insecure when you verify the phone number previously?


noaker commented Dec 16, 2021

@ChinaeduPascal This is not safe because hackers can directly bypass your phone (and therefore, the entire OTP verification loop) and call the cloud functions straight. If you have many users, likely you are using a generic password that applies to all the users in your platform. Therefore, if someone knows that password, they can access all the user accounts. If the passwords are unique, hackers can directly spam your server to test those passwords.
