debug: no force in push to staging

Feat/totp for signup

.env.test

@@ -12,4 +12,4 @@ TWILIO_API_SECRET=test
 TWILIO_ACCOUNT_SID=ACXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 TWILIO_SENDER=909921212112
 SENDER_NAME="Authorizer"
-AWS_REGION=ap-south-1
+AWS_REGION=ap-south-1

.gitea/workflows/main.yml

@@ -0,0 +1,35 @@
+name: 'deploy'
+on: [push]
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Cloning repo
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Get Repo Name
+        id: repo_name
+        run: echo "::set-output name=repo::$(echo ${GITHUB_REPOSITORY##*/})"
+
+      - name: Get Branch Name
+        id: branch_name
+        run: echo "::set-output name=branch::$(echo ${GITHUB_REF##*/})"
+
+      - name: Push to dokku for main branch
+        if: steps.branch_name.outputs.branch == 'mailgun' 
+        uses: dokku/github-action@master
+        with:
+          branch: 'main'
+          git_remote_url: 'ssh://dokku@v2.discours.io:22/authorizer'
+          ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY }}
+
+      - name: Push to dokku for dev branch
+        if: steps.branch_name.outputs.branch == 'dev'
+        uses: dokku/github-action@master
+        with:
+          branch: 'main'
+          git_remote_url: 'ssh://dokku@staging.discours.io:22/authorizer'
+          ssh_private_key: ${{ secrets.SSH_PRIVATE_KEY }}

.gitignore

@@ -19,3 +19,4 @@ certs/
 *-shm
 *-wal
 .idea
+*.iml

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.21.1-alpine as go-builder
+FROM golang:1.21.3-alpine3.18 as go-builder
 WORKDIR /authorizer
 COPY server server
 COPY Makefile .
@@ -11,7 +11,7 @@ RUN apk add build-base &&\
     make clean && make && \
     chmod 777 build/server
 
-FROM node:17-alpine3.12 as node-builder
+FROM node:20-alpine3.18 as node-builder
 WORKDIR /authorizer
 COPY app app
 COPY dashboard dashboard
@@ -20,7 +20,7 @@ RUN apk add build-base &&\
     make build-app && \
     make build-dashboard
 
-FROM alpine:latest
+FROM alpine:3.18
 RUN adduser -D -h /authorizer -u 1000 -k /dev/null authorizer
 WORKDIR /authorizer
 RUN mkdir app dashboard

Makefile

@@ -46,7 +46,7 @@ test-all-db:
 	docker run -d --name dynamodb-local-test  -p 8000:8000 amazon/dynamodb-local:latest
 	docker run -d --name couchbase-local-test  -p 8091-8097:8091-8097 -p 11210:11210 -p 11207:11207 -p 18091-18095:18091-18095 -p 18096:18096 -p 18097:18097 couchbase:latest
 	sh scripts/couchbase-test.sh
-	cd server && go clean --testcache && TEST_DBS="sqlite,mongodb,arangodb,scylladb,dynamodb" go test -p 1 -v ./test
+	cd server && go clean --testcache && TEST_DBS="sqlite,mongodb,arangodb,scylladb,dynamodb,couchbase" go test -p 1 -v ./test
 	docker rm -vf authorizer_scylla_db
 	docker rm -vf authorizer_mongodb_db
 	docker rm -vf authorizer_arangodb

README.md

@@ -69,6 +69,7 @@ Deploy production ready Authorizer instance using one click deployment options a
 |       Heroku       | <a href="https://heroku.com/deploy?template=https://github.com/authorizerdev/authorizer-heroku"><img src="https://www.herokucdn.com/deploy/button.svg" alt="Deploy to Heroku" style="height: 44px;"></a> | [docs](https://docs.authorizer.dev/deployment/heroku)  |
 |       Render       |                     [![Deploy to Render](https://render.com/images/deploy-to-render-button.svg)](https://render.com/deploy?repo=https://github.com/authorizerdev/authorizer-render)                      | [docs](https://docs.authorizer.dev/deployment/render)  |
 |       Koyeb       | <a target="_blank" href="https://app.koyeb.com/deploy?name=authorizer&type=docker&image=docker.io/lakhansamani/authorizer&env[PORT]=8000&env[DATABASE_TYPE]=postgres&env[DATABASE_URL]=CHANGE_ME&ports=8000;http;/"><img alt="Deploy to Koyeb" src="https://www.koyeb.com/static/images/deploy/button.svg" /></a> | [docs](https://docs.authorizer.dev/deployment/koyeb)  |
+|     RepoCloud     | <a href="https://repocloud.io/details/?app_id=174"><img src="https://d16t0pc4846x52.cloudfront.net/deploy.png" alt="Deploy on RepoCloud"></a> | [docs](https://repocloud.io/details/?app_id=174) |
 
 ### Deploy Authorizer Using Source Code
 

app/package.json

@@ -12,7 +12,7 @@
 	"author": "Lakhan Samani",
 	"license": "ISC",
 	"dependencies": {
-		"@authorizerdev/authorizer-react": "^1.1.13",
+		"@authorizerdev/authorizer-react": "^1.2.0",
 		"@types/react": "^17.0.15",
 		"@types/react-dom": "^17.0.9",
 		"esbuild": "^0.12.17",

app/src/App.tsx

@@ -27,13 +27,13 @@ export default function App() {
 	if (redirectURL) {
 		urlProps.redirectURL = redirectURL;
 	} else {
-		urlProps.redirectURL = window.location.origin + '/app';
+		urlProps.redirectURL = window.location.href;
 	}
 	const globalState: Record<string, string> = {
 		...window['__authorizer__'],
 		...urlProps,
 	};
-
+	console.log({ globalState });
 	return (
 		<div
 			style={{
@@ -54,7 +54,7 @@ export default function App() {
 				<img
 					src={`${globalState.organizationLogo}`}
 					alt="logo"
-					style={{ height: 60, width: 60, objectFit: 'cover' }}
+					style={{ height: 60, objectFit: 'cover' }}
 				/>
 				<h1>{globalState.organizationName}</h1>
 			</div>

app/src/Root.tsx

@@ -59,7 +59,9 @@ export default function Root({
 	useEffect(() => {
 		if (token) {
 			let redirectURL = config.redirectURL || '/app';
-			let params = `access_token=${token.access_token}&id_token=${token.id_token}&expires_in=${token.expires_in}&state=${globalState.state}`;
+			// let params = `access_token=${token.access_token}&id_token=${token.id_token}&expires_in=${token.expires_in}&state=${globalState.state}`;
+			// Note: If OIDC breaks in the future, use the above params
+			let params = `state=${globalState.state}`;
 
 			if (code !== '') {
 				params += `&code=${code}`;

app/src/pages/login.tsx

@@ -32,29 +32,35 @@ const FooterContent = styled.div`
 export default function Login({ urlProps }: { urlProps: Record<string, any> }) {
 	const { config } = useAuthorizer();
 	const [view, setView] = useState<VIEW_TYPES>(VIEW_TYPES.LOGIN);
+	const isBasicAuth = config.is_basic_authentication_enabled;
 	return (
 		<Fragment>
 			{view === VIEW_TYPES.LOGIN && (
 				<Fragment>
 					<h1 style={{ textAlign: 'center' }}>Login</h1>
-					<br />
 					<AuthorizerSocialLogin urlProps={urlProps} />
-					{config.is_basic_authentication_enabled &&
+					<br />
+					{(config.is_basic_authentication_enabled ||
+						config.is_mobile_basic_authentication_enabled) &&
 						!config.is_magic_link_login_enabled && (
 							<AuthorizerBasicAuthLogin urlProps={urlProps} />
 						)}
 					{config.is_magic_link_login_enabled && (
 						<AuthorizerMagicLinkLogin urlProps={urlProps} />
 					)}
-					<Footer>
-						<Link
-							to="#"
-							onClick={() => setView(VIEW_TYPES.FORGOT_PASSWORD)}
-							style={{ marginBottom: 10 }}
-						>
-							Forgot Password?
-						</Link>
-					</Footer>
+					{(config.is_basic_authentication_enabled ||
+						config.is_mobile_basic_authentication_enabled) &&
+						!config.is_magic_link_login_enabled && (
+							<Footer>
+								<Link
+									to="#"
+									onClick={() => setView(VIEW_TYPES.FORGOT_PASSWORD)}
+									style={{ marginBottom: 10 }}
+								>
+									Forgot Password?
+								</Link>
+							</Footer>
+						)}
 				</Fragment>
 			)}
 			{view === VIEW_TYPES.FORGOT_PASSWORD && (
@@ -65,6 +71,9 @@ export default function Login({ urlProps }: { urlProps: Record<string, any> }) {
 							...urlProps,
 							redirect_uri: `${window.location.origin}/app/reset-password`,
 						}}
+						onPasswordReset={() => {
+							setView(VIEW_TYPES.LOGIN);
+						}}
 					/>
 					<Footer>
 						<Link
@@ -81,7 +90,7 @@ export default function Login({ urlProps }: { urlProps: Record<string, any> }) {
 				!config.is_magic_link_login_enabled &&
 				config.is_sign_up_enabled && (
 					<FooterContent>
-						Don't have an account? <Link to="/app/signup"> Sign Up</Link>
+						Don't have an account? &nbsp; <Link to="/app/signup"> Sign Up</Link>
 					</FooterContent>
 				)}
 		</Fragment>

app/src/pages/signup.tsx

@@ -1,5 +1,5 @@
 import React, { Fragment } from 'react';
-import { AuthorizerSignup } from '@authorizerdev/authorizer-react';
+import { AuthorizerSignup, AuthorizerSocialLogin } from '@authorizerdev/authorizer-react';
 import styled from 'styled-components';
 import { Link } from 'react-router-dom';
 
@@ -19,6 +19,7 @@ export default function SignUp({
 		<Fragment>
 			<h1 style={{ textAlign: 'center' }}>Sign Up</h1>
 			<br />
+            <AuthorizerSocialLogin urlProps={urlProps} />
 			<AuthorizerSignup urlProps={urlProps} />
 			<FooterContent>
 				Already have an account? <Link to="/app"> Login</Link>

dashboard/src/components/EnvComponents/Features.tsx

@@ -24,6 +24,7 @@ const Features = ({ variables, setVariables }: any) => {
 						/>
 					</Flex>
 				</Flex>
+
 				<Flex>
 					<Flex w="100%" justifyContent="start" alignItems="center">
 						<Text fontSize="sm">Email Verification:</Text>
@@ -97,6 +98,7 @@ const Features = ({ variables, setVariables }: any) => {
 							also ignore the user MFA setting.
 						</Text>
 					</Flex>
+
 					<Flex justifyContent="start" mb={3}>
 						<InputField
 							variables={variables}
@@ -106,6 +108,41 @@ const Features = ({ variables, setVariables }: any) => {
 						/>
 					</Flex>
 				</Flex>
+				{!variables.DISABLE_MULTI_FACTOR_AUTHENTICATION && (
+					<Flex alignItems="center">
+						<Flex w="100%" alignItems="baseline" flexDir="column">
+							<Text fontSize="sm">Time Based OTP (TOTP):</Text>
+							<Text fontSize="x-small">Note: to enable totp mfa</Text>
+						</Flex>
+
+						<Flex justifyContent="start" mb={3}>
+							<InputField
+								variables={variables}
+								setVariables={setVariables}
+								inputType={SwitchInputType.DISABLE_TOTP_LOGIN}
+								hasReversedValue
+							/>
+						</Flex>
+					</Flex>
+				)}
+				{!variables.DISABLE_MULTI_FACTOR_AUTHENTICATION && (
+					<Flex alignItems="center">
+						<Flex w="100%" alignItems="baseline" flexDir="column">
+							<Text fontSize="sm">EMAIL OTP:</Text>
+							<Text fontSize="x-small">Note: to enable email otp mfa</Text>
+						</Flex>
+
+						<Flex justifyContent="start" mb={3}>
+							<InputField
+								variables={variables}
+								setVariables={setVariables}
+								inputType={SwitchInputType.DISABLE_MAIL_OTP_LOGIN}
+								hasReversedValue
+							/>
+						</Flex>
+					</Flex>
+				)}
+
 				<Flex alignItems="center">
 					<Flex w="100%" alignItems="baseline" flexDir="column">
 						<Text fontSize="sm">

dashboard/src/components/EnvComponents/OAuthConfig.tsx

@@ -17,6 +17,7 @@ import {
 	FaApple,
 	FaTwitter,
 	FaMicrosoft,
+	FaTwitch, FaDiscord,
 } from 'react-icons/fa';
 import {
 	TextInputType,
@@ -308,6 +309,44 @@ const OAuthConfig = ({
 							/>
 						</Center>
 					</Flex>
+					<Flex direction={isNotSmallerScreen ? 'row' : 'column'}>
+						<Center
+							w={isNotSmallerScreen ? '55px' : '35px'}
+							h="35px"
+							marginRight="1.5%"
+							border="1px solid #3b5998"
+							borderRadius="5px"
+						>
+							<FaDiscord style={{ color: '#7289da' }} />
+						</Center>
+						<Center
+							w={isNotSmallerScreen ? '70%' : '100%'}
+							mt={isNotSmallerScreen ? '0' : '3'}
+							marginRight="1.5%"
+						>
+							<InputField
+								borderRadius={5}
+								variables={envVariables}
+								setVariables={setVariables}
+								inputType={TextInputType.DISCORD_CLIENT_ID}
+								placeholder="Discord Client ID"
+							/>
+						</Center>
+						<Center
+							w={isNotSmallerScreen ? '70%' : '100%'}
+							mt={isNotSmallerScreen ? '0' : '3'}
+						>
+							<InputField
+								borderRadius={5}
+								variables={envVariables}
+								setVariables={setVariables}
+								fieldVisibility={fieldVisibility}
+								setFieldVisibility={setFieldVisibility}
+								inputType={HiddenInputType.DISCORD_CLIENT_SECRET}
+								placeholder="Discord Client Secret"
+							/>
+						</Center>
+					</Flex>
 					<Flex direction={isNotSmallerScreen ? 'row' : 'column'}>
 						<Center
 							w={isNotSmallerScreen ? '55px' : '35px'}
@@ -397,6 +436,44 @@ const OAuthConfig = ({
 							/>
 						</Center>
 					</Flex>
+					<Flex direction={isNotSmallerScreen ? 'row' : 'column'}>
+						<Center
+							w={isNotSmallerScreen ? '55px' : '35px'}
+							h="35px"
+							marginRight="1.5%"
+							border="1px solid #3b5998"
+							borderRadius="5px"
+						>
+							<FaTwitch />
+						</Center>
+						<Center
+							w={isNotSmallerScreen ? '70%' : '100%'}
+							mt={isNotSmallerScreen ? '0' : '3'}
+							marginRight="1.5%"
+						>
+							<InputField
+								borderRadius={5}
+								variables={envVariables}
+								setVariables={setVariables}
+								inputType={TextInputType.TWITCH_CLIENT_ID}
+								placeholder="Twitch Client ID"
+							/>
+						</Center>
+						<Center
+							w={isNotSmallerScreen ? '70%' : '100%'}
+							mt={isNotSmallerScreen ? '0' : '3'}
+						>
+							<InputField
+								borderRadius={5}
+								variables={envVariables}
+								setVariables={setVariables}
+								fieldVisibility={fieldVisibility}
+								setFieldVisibility={setFieldVisibility}
+								inputType={HiddenInputType.TWITCH_CLIENT_SECRET}
+								placeholder="Twitch Client Secret"
+							/>
+						</Center>
+					</Flex>
 				</Stack>
 			</Box>
 		</div>

dashboard/src/constants.ts

@@ -9,9 +9,11 @@ export const TextInputType = {
 	FACEBOOK_CLIENT_ID: 'FACEBOOK_CLIENT_ID',
 	LINKEDIN_CLIENT_ID: 'LINKEDIN_CLIENT_ID',
 	APPLE_CLIENT_ID: 'APPLE_CLIENT_ID',
+	DISCORD_CLIENT_ID: 'DISCORD_CLIENT_ID',
 	TWITTER_CLIENT_ID: 'TWITTER_CLIENT_ID',
 	MICROSOFT_CLIENT_ID: 'MICROSOFT_CLIENT_ID',
 	MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID: 'MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID',
+	TWITCH_CLIENT_ID: 'TWITCH_CLIENT_ID',
 	JWT_ROLE_CLAIM: 'JWT_ROLE_CLAIM',
 	REDIS_URL: 'REDIS_URL',
 	SMTP_HOST: 'SMTP_HOST',
@@ -40,8 +42,10 @@ export const HiddenInputType = {
 	FACEBOOK_CLIENT_SECRET: 'FACEBOOK_CLIENT_SECRET',
 	LINKEDIN_CLIENT_SECRET: 'LINKEDIN_CLIENT_SECRET',
 	APPLE_CLIENT_SECRET: 'APPLE_CLIENT_SECRET',
+	DISCORD_CLIENT_SECRET: 'DISCORD_CLIENT_SECRET',
 	TWITTER_CLIENT_SECRET: 'TWITTER_CLIENT_SECRET',
 	MICROSOFT_CLIENT_SECRET: 'MICROSOFT_CLIENT_SECRET',
+	TWITCH_CLIENT_SECRET: 'TWITCH_CLIENT_SECRET',
 	JWT_SECRET: 'JWT_SECRET',
 	SMTP_PASSWORD: 'SMTP_PASSWORD',
 	ADMIN_SECRET: 'ADMIN_SECRET',
@@ -85,6 +89,8 @@ export const SwitchInputType = {
 	DISABLE_MULTI_FACTOR_AUTHENTICATION: 'DISABLE_MULTI_FACTOR_AUTHENTICATION',
 	ENFORCE_MULTI_FACTOR_AUTHENTICATION: 'ENFORCE_MULTI_FACTOR_AUTHENTICATION',
 	DISABLE_PLAYGROUND: 'DISABLE_PLAYGROUND',
+	DISABLE_TOTP_LOGIN: 'DISABLE_TOTP_LOGIN',
+	DISABLE_MAIL_OTP_LOGIN: 'DISABLE_MAIL_OTP_LOGIN',
 };
 
 export const DateInputType = {
@@ -125,11 +131,15 @@ export interface envVarTypes {
 	LINKEDIN_CLIENT_SECRET: string;
 	APPLE_CLIENT_ID: string;
 	APPLE_CLIENT_SECRET: string;
+	DISCORD_CLIENT_ID: string;
+	DISCORD_CLIENT_SECRET: string;
 	TWITTER_CLIENT_ID: string;
 	TWITTER_CLIENT_SECRET: string;
 	MICROSOFT_CLIENT_ID: string;
 	MICROSOFT_CLIENT_SECRET: string;
 	MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID: string;
+	TWITCH_CLIENT_ID: string;
+	TWITCH_CLIENT_SECRET: string;
 	ROLES: [string] | [];
 	DEFAULT_ROLES: [string] | [];
 	PROTECTED_ROLES: [string] | [];
@@ -169,6 +179,8 @@ export interface envVarTypes {
 	DEFAULT_AUTHORIZE_RESPONSE_TYPE: string;
 	DEFAULT_AUTHORIZE_RESPONSE_MODE: string;
 	DISABLE_PLAYGROUND: boolean;
+	DISABLE_TOTP_LOGIN: boolean;
+	DISABLE_MAIL_OTP_LOGIN: boolean;
 }
 
 export const envSubViews = {

dashboard/src/graphql/queries/index.ts

@@ -30,11 +30,15 @@ export const EnvVariablesQuery = `
       LINKEDIN_CLIENT_SECRET
       APPLE_CLIENT_ID
       APPLE_CLIENT_SECRET
+      DISCORD_CLIENT_ID
+      DISCORD_CLIENT_SECRET
       TWITTER_CLIENT_ID
       TWITTER_CLIENT_SECRET
       MICROSOFT_CLIENT_ID
       MICROSOFT_CLIENT_SECRET
       MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID
+      TWITCH_CLIENT_ID
+      TWITCH_CLIENT_SECRET
       DEFAULT_ROLES
       PROTECTED_ROLES
       ROLES
@@ -74,6 +78,8 @@ export const EnvVariablesQuery = `
       DEFAULT_AUTHORIZE_RESPONSE_TYPE
       DEFAULT_AUTHORIZE_RESPONSE_MODE
       DISABLE_PLAYGROUND
+      DISABLE_TOTP_LOGIN
+      DISABLE_MAIL_OTP_LOGIN
     }
   }
 `;

dashboard/src/pages/Environment.tsx

@@ -50,11 +50,15 @@ const Environment = () => {
 		LINKEDIN_CLIENT_SECRET: '',
 		APPLE_CLIENT_ID: '',
 		APPLE_CLIENT_SECRET: '',
+		DISCORD_CLIENT_ID: '',
+		DISCORD_CLIENT_SECRET: '',
 		TWITTER_CLIENT_ID: '',
 		TWITTER_CLIENT_SECRET: '',
 		MICROSOFT_CLIENT_ID: '',
 		MICROSOFT_CLIENT_SECRET: '',
 		MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID: '',
+		TWITCH_CLIENT_ID: '',
+		TWITCH_CLIENT_SECRET: '',
 		ROLES: [],
 		DEFAULT_ROLES: [],
 		PROTECTED_ROLES: [],
@@ -94,6 +98,8 @@ const Environment = () => {
 		DEFAULT_AUTHORIZE_RESPONSE_TYPE: '',
 		DEFAULT_AUTHORIZE_RESPONSE_MODE: '',
 		DISABLE_PLAYGROUND: false,
+		DISABLE_TOTP_LOGIN: false,
+		DISABLE_MAIL_OTP_LOGIN: true,
 	});
 
 	const [fieldVisibility, setFieldVisibility] = React.useState<
@@ -104,7 +110,9 @@ const Environment = () => {
 		FACEBOOK_CLIENT_SECRET: false,
 		LINKEDIN_CLIENT_SECRET: false,
 		APPLE_CLIENT_SECRET: false,
+		DISCORD_CLIENT_SECRET: false,
 		TWITTER_CLIENT_SECRET: false,
+		TWITCH_CLIENT_SECRET: false,
 		JWT_SECRET: false,
 		SMTP_PASSWORD: false,
 		ADMIN_SECRET: false,

go.mod

@@ -0,0 +1,20 @@
+module server
+
+go 1.21.5
+
+require (
+	github.com/99designs/gqlgen v0.17.43 // indirect
+	github.com/agnivade/levenshtein v1.1.1 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/sosodev/duration v1.1.0 // indirect
+	github.com/urfave/cli/v2 v2.25.5 // indirect
+	github.com/vektah/gqlparser/v2 v2.5.11 // indirect
+	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
+	golang.org/x/mod v0.10.0 // indirect
+	golang.org/x/sys v0.13.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/tools v0.9.3 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)

go.sum

@@ -0,0 +1,31 @@
+github.com/99designs/gqlgen v0.17.43 h1:I4SYg6ahjowErAQcHFVKy5EcWuwJ3+Xw9z2fLpuFCPo=
+github.com/99designs/gqlgen v0.17.43/go.mod h1:lO0Zjy8MkZgBdv4T1U91x09r0e0WFOdhVUutlQs1Rsc=
+github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8=
+github.com/agnivade/levenshtein v1.1.1/go.mod h1:veldBMzWxcCG2ZvUTKD2kJNRdCk5hVbJomOvKkmgYbo=
+github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
+github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w=
+github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/sosodev/duration v1.1.0 h1:kQcaiGbJaIsRqgQy7VGlZrVw1giWO+lDoX3MCPnpVO4=
+github.com/sosodev/duration v1.1.0/go.mod h1:RQIBBX0+fMLc/D9+Jb/fwvVmo0eZvDDEERAikUR6SDg=
+github.com/urfave/cli/v2 v2.25.5 h1:d0NIAyhh5shGscroL7ek/Ya9QYQE0KNabJgiUinIQkc=
+github.com/urfave/cli/v2 v2.25.5/go.mod h1:GHupkWPMM0M/sj1a2b4wUrWBPzazNrIjouW6fmdJLxc=
+github.com/vektah/gqlparser/v2 v2.5.11 h1:JJxLtXIoN7+3x6MBdtIP59TP1RANnY7pXOaDnADQSf8=
+github.com/vektah/gqlparser/v2 v2.5.11/go.mod h1:1rCcfwB2ekJofmluGWXMSEnPMZgbxzwj6FaZ/4OT8Cc=
+github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 h1:bAn7/zixMGCfxrRTfdpNzjtPYqr8smhKouy9mxVdGPU=
+github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673/go.mod h1:N3UwUGtsrSj3ccvlPHLoLsHnpR27oXr4ZE984MbSER8=
+golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk=
+golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/tools v0.9.3 h1:Gn1I8+64MsuTb/HpH+LmQtNas23LhUVr3rYZ0eKuaMM=
+golang.org/x/tools v0.9.3/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

server/authenticators/providers/providers.go

@@ -0,0 +1,25 @@
+package providers
+
+import "context"
+
+// AuthenticatorConfig defines authenticator config
+type AuthenticatorConfig struct {
+	// ScannerImage is the base64 of QR code image
+	ScannerImage string
+	// Secrets is the secret key
+	Secret string
+	// RecoveryCode is the list of recovery codes
+	RecoveryCodes []string
+	// RecoveryCodeMap is the map of recovery codes
+	RecoveryCodeMap map[string]bool
+}
+
+// Provider defines authenticators provider
+type Provider interface {
+	// Generate totp: to generate totp, store secret into db and returns base64 of QR code image
+	Generate(ctx context.Context, id string) (*AuthenticatorConfig, error)
+	// Validate totp: user passcode with secret stored in our db
+	Validate(ctx context.Context, passcode string, userID string) (bool, error)
+	// ValidateRecoveryCode totp: allows user to validate using recovery code incase if they lost their device
+	ValidateRecoveryCode(ctx context.Context, recoveryCode, userID string) (bool, error)
+}

server/authenticators/providers/totp/provider.go

@@ -0,0 +1,23 @@
+package totp
+
+import (
+	"context"
+)
+
+type provider struct {
+	ctx context.Context
+}
+
+// TOTPConfig defines totp config
+type TOTPConfig struct {
+	ScannerImage string
+	Secret       string
+}
+
+// NewProvider returns a new totp provider
+func NewProvider() (*provider, error) {
+	ctx := context.Background()
+	return &provider{
+		ctx: ctx,
+	}, nil
+}

server/authenticators/providers/totp/totp.go

@@ -0,0 +1,151 @@
+package totp
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"image/png"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/pquerna/otp/totp"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/authorizerdev/authorizer/server/authenticators/providers"
+	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/crypto"
+	"github.com/authorizerdev/authorizer/server/db"
+	"github.com/authorizerdev/authorizer/server/db/models"
+	"github.com/authorizerdev/authorizer/server/refs"
+)
+
+// Generate generates a Time-Based One-Time Password (TOTP) for a user and returns the base64-encoded QR code for frontend display.
+func (p *provider) Generate(ctx context.Context, id string) (*providers.AuthenticatorConfig, error) {
+	var buf bytes.Buffer
+	//get user details
+	user, err := db.Provider.GetUserByID(ctx, id)
+	if err != nil {
+		return nil, err
+	}
+	// generate totp, Authenticators hash is valid for 30 seconds
+	key, err := totp.Generate(totp.GenerateOpts{
+		Issuer:      "authorizer",
+		AccountName: refs.StringValue(user.Email),
+	})
+	if err != nil {
+		return nil, err
+	}
+	//generating image for key and encoding to base64 for displaying in frontend
+	img, err := key.Image(200, 200)
+	if err != nil {
+		return nil, err
+	}
+	png.Encode(&buf, img)
+	encodedText := crypto.EncryptB64(buf.String())
+	secret := key.Secret()
+	recoveryCodes := []string{}
+	for i := 0; i < 10; i++ {
+		recoveryCodes = append(recoveryCodes, uuid.NewString())
+	}
+	// Converting recoveryCodes to string
+	recoverCodesMap := map[string]bool{}
+	for i := 0; i < len(recoveryCodes); i++ {
+		recoverCodesMap[recoveryCodes[i]] = false
+	}
+	// Converting recoveryCodesMap to string
+	jsonData, err := json.Marshal(recoverCodesMap)
+	if err != nil {
+		return nil, err
+	}
+	recoveryCodesString := string(jsonData)
+	totpModel := &models.Authenticator{
+		Secret:        secret,
+		RecoveryCodes: refs.NewStringRef(recoveryCodesString),
+		UserID:        user.ID,
+		Method:        constants.EnvKeyTOTPAuthenticator,
+	}
+	authenticator, err := db.Provider.GetAuthenticatorDetailsByUserId(ctx, user.ID, constants.EnvKeyTOTPAuthenticator)
+	if err != nil {
+		log.Debug("Failed to get authenticator details by user id, creating new record: ", err)
+		// continue
+	}
+	if authenticator == nil {
+		// if authenticator is nil then create new authenticator
+		_, err = db.Provider.AddAuthenticator(ctx, totpModel)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		authenticator.Secret = secret
+		authenticator.RecoveryCodes = refs.NewStringRef(recoveryCodesString)
+		// if authenticator is not nil then update authenticator
+		_, err = db.Provider.UpdateAuthenticator(ctx, authenticator)
+		if err != nil {
+			return nil, err
+		}
+	}
+	return &providers.AuthenticatorConfig{
+		ScannerImage:    encodedText,
+		Secret:          secret,
+		RecoveryCodes:   recoveryCodes,
+		RecoveryCodeMap: recoverCodesMap,
+	}, nil
+}
+
+// Validate validates a Time-Based One-Time Password (TOTP) against the stored TOTP secret for a user.
+func (p *provider) Validate(ctx context.Context, passcode string, userID string) (bool, error) {
+	// get totp details
+	totpModel, err := db.Provider.GetAuthenticatorDetailsByUserId(ctx, userID, constants.EnvKeyTOTPAuthenticator)
+	if err != nil {
+		return false, err
+	}
+	// validate totp
+	status := totp.Validate(passcode, totpModel.Secret)
+	// checks if user not signed in for totp and totp code is correct then VerifiedAt will be stored in db
+	if totpModel.VerifiedAt == nil && status {
+		timeNow := time.Now().Unix()
+		totpModel.VerifiedAt = &timeNow
+		_, err = db.Provider.UpdateAuthenticator(ctx, totpModel)
+		if err != nil {
+			return false, err
+		}
+	}
+	return status, nil
+}
+
+// ValidateRecoveryCode validates a Time-Based One-Time Password (TOTP) recovery code against the stored TOTP recovery code for a user.
+func (p *provider) ValidateRecoveryCode(ctx context.Context, recoveryCode, userID string) (bool, error) {
+	// get totp details
+	totpModel, err := db.Provider.GetAuthenticatorDetailsByUserId(ctx, userID, constants.EnvKeyTOTPAuthenticator)
+	if err != nil {
+		return false, err
+	}
+	// convert recoveryCodes to map
+	recoveryCodesMap := map[string]bool{}
+	err = json.Unmarshal([]byte(refs.StringValue(totpModel.RecoveryCodes)), &recoveryCodesMap)
+	if err != nil {
+		return false, err
+	}
+	// check if recovery code is valid
+	if val, ok := recoveryCodesMap[recoveryCode]; !ok {
+		return false, fmt.Errorf("invalid recovery code")
+	} else if val {
+		return false, fmt.Errorf("recovery code already used")
+	}
+	// update recovery code map
+	recoveryCodesMap[recoveryCode] = true
+	// convert recoveryCodesMap to string
+	jsonData, err := json.Marshal(recoveryCodesMap)
+	if err != nil {
+		return false, err
+	}
+	recoveryCodesString := string(jsonData)
+	totpModel.RecoveryCodes = refs.NewStringRef(recoveryCodesString)
+	// update recovery code map in db
+	_, err = db.Provider.UpdateAuthenticator(ctx, totpModel)
+	if err != nil {
+		return false, err
+	}
+	return true, nil
+}

server/authenticators/totp_store.go

@@ -0,0 +1,26 @@
+package authenticators
+
+import (
+	"github.com/authorizerdev/authorizer/server/authenticators/providers"
+	"github.com/authorizerdev/authorizer/server/authenticators/providers/totp"
+	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/memorystore"
+)
+
+// Provider is the global authenticators provider.
+var Provider providers.Provider
+
+// InitTOTPStore initializes the TOTP authenticator store if it's not disabled in the environment variables.
+// It sets the global Provider variable to a new TOTP provider.
+func InitTOTPStore() error {
+	var err error
+	isTOTPEnvServiceDisabled, _ := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableTOTPLogin)
+
+	if !isTOTPEnvServiceDisabled {
+		Provider, err = totp.NewProvider()
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}

server/constants/auth_methods.go

@@ -19,8 +19,12 @@ const (
 	AuthRecipeMethodLinkedIn = "linkedin"
 	// AuthRecipeMethodApple is the apple auth method
 	AuthRecipeMethodApple = "apple"
+	// AuthRecipeMethodDiscord is the discord auth method
+	AuthRecipeMethodDiscord = "discord"
 	// AuthRecipeMethodTwitter is the twitter auth method
 	AuthRecipeMethodTwitter = "twitter"
 	// AuthRecipeMethodMicrosoft is the microsoft auth method
 	AuthRecipeMethodMicrosoft = "microsoft"
+	// AuthRecipeMethodTwitch is the twitch auth method
+	AuthRecipeMethodTwitch = "twitch"
 )

server/constants/authenticator_method.go

@@ -0,0 +1,7 @@
+package constants
+
+// Authenticators Methods
+const (
+	// EnvKeyTOTPAuthenticator key for env variable TOTP
+	EnvKeyTOTPAuthenticator = "totp"
+)

server/constants/db_types.go

@@ -5,6 +5,8 @@ const (
 	DbTypePostgres = "postgres"
 	// DbTypeSqlite is the sqlite database type
 	DbTypeSqlite = "sqlite"
+	// DbTypeLibSQL is the libsql / Turso database type
+	DbTypeLibSQL = "libsql"
 	// DbTypeMysql is the mysql database type
 	DbTypeMysql = "mysql"
 	// DbTypeSqlserver is the sqlserver database type

server/constants/env.go

@@ -108,6 +108,10 @@ const (
 	EnvKeyAppleClientID = "APPLE_CLIENT_ID"
 	// EnvKeyAppleClientSecret key for env variable APPLE_CLIENT_SECRET
 	EnvKeyAppleClientSecret = "APPLE_CLIENT_SECRET"
+	// EnvKeyDiscordClientID key for env variable DISCORD_CLIENT_ID
+	EnvKeyDiscordClientID = "DISCORD_CLIENT_ID"
+	// EnvKeyDiscordClientSecret key for env variable DISCORD_CLIENT_SECRET
+	EnvKeyDiscordClientSecret = "DISCORD_CLIENT_SECRET"
 	// EnvKeyTwitterClientID key for env variable TWITTER_CLIENT_ID
 	EnvKeyTwitterClientID = "TWITTER_CLIENT_ID"
 	// EnvKeyTwitterClientSecret key for env variable TWITTER_CLIENT_SECRET
@@ -118,6 +122,10 @@ const (
 	EnvKeyMicrosoftActiveDirectoryTenantID = "MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID"
 	// EnvKeyMicrosoftClientSecret key for env variable MICROSOFT_CLIENT_SECRET
 	EnvKeyMicrosoftClientSecret = "MICROSOFT_CLIENT_SECRET"
+	// EnvKeyTwitchClientID key for env variable TWITCH_CLIENT_ID
+	EnvKeyTwitchClientID = "TWITCH_CLIENT_ID"
+	// EnvKeyTwitchClientSecret key for env variable TWITCH_CLIENT_SECRET
+	EnvKeyTwitchClientSecret = "TWITCH_CLIENT_SECRET"
 	// EnvKeyOrganizationName key for env variable ORGANIZATION_NAME
 	EnvKeyOrganizationName = "ORGANIZATION_NAME"
 	// EnvKeyOrganizationLogo key for env variable ORGANIZATION_LOGO
@@ -160,6 +168,12 @@ const (
 	// EnvKeyDisableMultiFactorAuthentication is key for env variable DISABLE_MULTI_FACTOR_AUTHENTICATION
 	// this variable is used to completely disable multi factor authentication. It will have no effect on profile preference
 	EnvKeyDisableMultiFactorAuthentication = "DISABLE_MULTI_FACTOR_AUTHENTICATION"
+	// EnvKeyDisableTOTPLogin is key for env variable DISABLE_TOTP_LOGIN
+	// this variable is used to completely disable totp verification
+	EnvKeyDisableTOTPLogin = "DISABLE_TOTP_LOGIN"
+	// EnvKeyDisableMailOTPLogin is key for env variable DISABLE_MAIL_OTP_LOGIN
+	// this variable is used to completely disable totp verification
+	EnvKeyDisableMailOTPLogin = "DISABLE_MAIL_OTP_LOGIN"
 	// EnvKeyDisablePhoneVerification is key for env variable DISABLE_PHONE_VERIFICATION
 	// this variable is used to disable phone verification
 	EnvKeyDisablePhoneVerification = "DISABLE_PHONE_VERIFICATION"

server/constants/oauth2.go

@@ -16,4 +16,7 @@ const (
 	ResponseTypeToken = "token"
 	// For the Implicit grant of id_token, use response_type=id_token to include an identifier token.
 	ResponseTypeIDToken = "id_token"
+
+	// Constant indicating the "signup" screen hint for customizing authentication process and redirect to a signup page.
+	ScreenHintSignUp = "signup"
 )

server/constants/oauth_info_urls.go

@@ -17,6 +17,7 @@ const (
 
 	TwitterUserInfoURL = "https://api.twitter.com/2/users/me?user.fields=id,name,profile_image_url,username"
 
+	DiscordUserInfoURL = "https://discord.com/api/oauth2/@me"
 	// Get microsoft user info.
 	// Ref: https://learn.microsoft.com/en-us/azure/active-directory/develop/userinfo
 	MicrosoftUserInfoURL = "https://graph.microsoft.com/oidc/userinfo"

server/crypto/common.go

@@ -1,7 +1,9 @@
 package crypto
 
 import (
+	"crypto/sha256"
 	"crypto/x509"
+	"encoding/hex"
 	"encoding/json"
 
 	"github.com/authorizerdev/authorizer/server/constants"
@@ -125,12 +127,27 @@ func EncryptEnvData(data map[string]interface{}) (string, error) {
 	return EncryptB64(string(encryptedConfig)), nil
 }
 
+// getSHA256 calculates the SHA-256 hash of a string
+func getSHA256(input string) string {
+	hash := sha256.New()
+	hash.Write([]byte(input))
+	return hex.EncodeToString(hash.Sum(nil))
+}
+
+// VerifyPassword compares a stored hashed password with a user-provided password
+func VerifyPassword(storedHashedPassword, userProvidedPassword string) error {
+	// CompareHashAndPassword returns nil on success
+	passwordSHA256 := getSHA256(userProvidedPassword)
+	err := bcrypt.CompareHashAndPassword([]byte(storedHashedPassword), []byte(passwordSHA256))
+	return err
+}
+
 // EncryptPassword is used for encrypting password
 func EncryptPassword(password string) (string, error) {
-	pw, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	passwordSHA256 := getSHA256(password)
+	pw, err := bcrypt.GenerateFromPassword([]byte(passwordSHA256), bcrypt.DefaultCost)
 	if err != nil {
 		return "", err
 	}
-
 	return string(pw), nil
 }

server/crypto/rsa.go

@@ -3,7 +3,9 @@ package crypto
 import (
 	"crypto/rand"
 	"crypto/rsa"
+	"crypto/sha256"
 	"crypto/x509"
+	"encoding/base64"
 	"encoding/pem"
 	"errors"
 )
@@ -116,3 +118,24 @@ func AsRSAStr(privateKey *rsa.PrivateKey, publickKey *rsa.PublicKey) (string, st
 
 	return privParsedPem, pubParsedPem, nil
 }
+
+func EncryptRSA(message string, key rsa.PublicKey) (string, error) {
+	label := []byte("OAEP Encrypted")
+	rng := rand.Reader
+	ciphertext, err := rsa.EncryptOAEP(sha256.New(), rng, &key, []byte(message), label)
+	if err != nil {
+		return "", err
+	}
+	return base64.StdEncoding.EncodeToString(ciphertext), nil
+}
+
+func DecryptRSA(cipherText string, privateKey rsa.PrivateKey) (string, error) {
+	ct, _ := base64.StdEncoding.DecodeString(cipherText)
+	label := []byte("OAEP Encrypted")
+	rng := rand.Reader
+	plaintext, err := rsa.DecryptOAEP(sha256.New(), rng, &privateKey, ct, label)
+	if err != nil {
+		return "", err
+	}
+	return string(plaintext), nil
+}

server/db/db.go

@@ -37,7 +37,6 @@ func InitDB() error {
 			return err
 		}
 	}
-
 	if isArangoDB {
 		log.Info("Initializing ArangoDB Driver")
 		Provider, err = arangodb.NewProvider()

server/db/models/authenticators.go

@@ -0,0 +1,16 @@
+package models
+
+// Note: any change here should be reflected in providers/casandra/provider.go as it does not have model support in collection creation
+
+// Authenticators model for db
+type Authenticator struct {
+	Key           string  `json:"_key,omitempty" bson:"_key,omitempty" cql:"_key,omitempty" dynamo:"key,omitempty"` // for arangodb
+	ID            string  `gorm:"primaryKey;type:char(36)" json:"_id" bson:"_id" cql:"id" dynamo:"id,hash"`
+	UserID        string  `gorm:"type:char(36)" json:"user_id" bson:"user_id" cql:"user_id" dynamo:"user_id" index:"user_id,hash"`
+	Method        string  `json:"method" bson:"method" cql:"method" dynamo:"method"`
+	Secret        string  `json:"secret" bson:"secret" cql:"secret" dynamo:"secret"`
+	RecoveryCodes *string `json:"recovery_codes" bson:"recovery_codes" cql:"recovery_codes" dynamo:"recovery_codes"`
+	VerifiedAt    *int64  `json:"verified_at" bson:"verified_at" cql:"verified_at" dynamo:"verified_at"`
+	CreatedAt     int64   `json:"created_at" bson:"created_at" cql:"created_at" dynamo:"created_at"`
+	UpdatedAt     int64   `json:"updated_at" bson:"updated_at" cql:"updated_at" dynamo:"updated_at"`
+}

server/db/models/model.go

@@ -1,6 +1,6 @@
 package models
 
-// Collections / Tables available for authorizer in the database
+// CollectionList / Tables available for authorizer in the database
 type CollectionList struct {
 	User                   string
 	VerificationRequest    string
@@ -11,6 +11,7 @@ type CollectionList struct {
 	EmailTemplate          string
 	OTP                    string
 	SMSVerificationRequest string
+	Authenticators         string
 }
 
 var (
@@ -27,5 +28,6 @@ var (
 		EmailTemplate:          Prefix + "email_templates",
 		OTP:                    Prefix + "otps",
 		SMSVerificationRequest: Prefix + "sms_verification_requests",
+		Authenticators:         Prefix + "authenticators",
 	}
 )

server/db/models/user.go

@@ -15,7 +15,7 @@ type User struct {
 	Key string `json:"_key,omitempty" bson:"_key,omitempty" cql:"_key,omitempty" dynamo:"key,omitempty"` // for arangodb
 	ID  string `gorm:"primaryKey;type:char(36)" json:"_id" bson:"_id" cql:"id" dynamo:"id,hash"`
 
-	Email                    string  `gorm:"unique" json:"email" bson:"email" cql:"email" dynamo:"email" index:"email,hash"`
+	Email                    *string `gorm:"unique" json:"email" bson:"email" cql:"email" dynamo:"email" index:"email,hash"`
 	EmailVerifiedAt          *int64  `json:"email_verified_at" bson:"email_verified_at" cql:"email_verified_at" dynamo:"email_verified_at"`
 	Password                 *string `json:"password" bson:"password" cql:"password" dynamo:"password"`
 	SignupMethods            string  `json:"signup_methods" bson:"signup_methods" cql:"signup_methods" dynamo:"signup_methods"`
@@ -54,7 +54,7 @@ func (user *User) AsAPIUser() *model.User {
 		FamilyName:               user.FamilyName,
 		MiddleName:               user.MiddleName,
 		Nickname:                 user.Nickname,
-		PreferredUsername:        refs.NewStringRef(user.Email),
+		PreferredUsername:        user.Email,
 		Gender:                   user.Gender,
 		Birthdate:                user.Birthdate,
 		PhoneNumber:              user.PhoneNumber,

server/db/providers/arangodb/authenticator.go

@@ -0,0 +1,78 @@
+package arangodb
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/google/uuid"
+
+	arangoDriver "github.com/arangodb/go-driver"
+
+	"github.com/authorizerdev/authorizer/server/db/models"
+)
+
+func (p *provider) AddAuthenticator(ctx context.Context, authenticators *models.Authenticator) (*models.Authenticator, error) {
+	exists, _ := p.GetAuthenticatorDetailsByUserId(ctx, authenticators.UserID, authenticators.Method)
+	if exists != nil {
+		return authenticators, nil
+	}
+	if authenticators.ID == "" {
+		authenticators.ID = uuid.New().String()
+	}
+
+	authenticators.Key = authenticators.ID
+	authenticators.CreatedAt = time.Now().Unix()
+	authenticators.UpdatedAt = time.Now().Unix()
+
+	authenticatorsCollection, _ := p.db.Collection(ctx, models.Collections.Authenticators)
+	meta, err := authenticatorsCollection.CreateDocument(arangoDriver.WithOverwrite(ctx), authenticators)
+	if err != nil {
+		return authenticators, err
+	}
+	authenticators.Key = meta.Key
+	authenticators.ID = meta.ID.String()
+
+	return authenticators, nil
+}
+
+func (p *provider) UpdateAuthenticator(ctx context.Context, authenticators *models.Authenticator) (*models.Authenticator, error) {
+	authenticators.UpdatedAt = time.Now().Unix()
+
+	collection, _ := p.db.Collection(ctx, models.Collections.Authenticators)
+	meta, err := collection.UpdateDocument(ctx, authenticators.Key, authenticators)
+	if err != nil {
+		return authenticators, err
+	}
+
+	authenticators.Key = meta.Key
+	authenticators.ID = meta.ID.String()
+	return authenticators, nil
+}
+
+func (p *provider) GetAuthenticatorDetailsByUserId(ctx context.Context, userId string, authenticatorType string) (*models.Authenticator, error) {
+	var authenticators *models.Authenticator
+	query := fmt.Sprintf("FOR d in %s FILTER d.user_id == @user_id AND d.method == @method LIMIT 1 RETURN d", models.Collections.Authenticators)
+	bindVars := map[string]interface{}{
+		"user_id": userId,
+		"method":  authenticatorType,
+	}
+	cursor, err := p.db.Query(ctx, query, bindVars)
+	if err != nil {
+		return authenticators, err
+	}
+	defer cursor.Close()
+	for {
+		if !cursor.HasMore() {
+			if authenticators == nil {
+				return authenticators, fmt.Errorf("authenticator not found")
+			}
+			break
+		}
+		_, err := cursor.ReadDocument(ctx, &authenticators)
+		if err != nil {
+			return authenticators, err
+		}
+	}
+	return authenticators, nil
+}

server/db/providers/arangodb/provider.go

@@ -186,6 +186,7 @@ func NewProvider() (*provider, error) {
 	webhookLogCollection.EnsureHashIndex(ctx, []string{"webhook_id"}, &arangoDriver.EnsureHashIndexOptions{
 		Sparse: true,
 	})
+
 	emailTemplateCollectionExists, err := arangodb.CollectionExists(ctx, models.Collections.EmailTemplate)
 	if err != nil {
 		return nil, err
@@ -204,6 +205,7 @@ func NewProvider() (*provider, error) {
 		Unique: true,
 		Sparse: true,
 	})
+
 	otpCollectionExists, err := arangodb.CollectionExists(ctx, models.Collections.OTP)
 	if err != nil {
 		return nil, err
@@ -222,6 +224,26 @@ func NewProvider() (*provider, error) {
 		Unique: true,
 		Sparse: true,
 	})
+
+	//authenticators table define
+	authenticatorsCollectionExists, err := arangodb.CollectionExists(ctx, models.Collections.Authenticators)
+	if err != nil {
+		return nil, err
+	}
+	if !authenticatorsCollectionExists {
+		_, err = arangodb.CreateCollection(ctx, models.Collections.Authenticators, nil)
+		if err != nil {
+			return nil, err
+		}
+	}
+	authenticatorsCollection, err := arangodb.Collection(ctx, models.Collections.Authenticators)
+	if err != nil {
+		return nil, err
+	}
+	authenticatorsCollection.EnsureHashIndex(ctx, []string{"user_id"}, &arangoDriver.EnsureHashIndexOptions{
+		Sparse: true,
+	})
+
 	return &provider{
 		db: arangodb,
 	}, err

server/db/providers/cassandradb/authenticator.go

@@ -0,0 +1,133 @@
+package cassandradb
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"reflect"
+	"strings"
+	"time"
+
+	"github.com/gocql/gocql"
+	"github.com/google/uuid"
+
+	"github.com/authorizerdev/authorizer/server/db/models"
+)
+
+func (p *provider) AddAuthenticator(ctx context.Context, authenticators *models.Authenticator) (*models.Authenticator, error) {
+	exists, _ := p.GetAuthenticatorDetailsByUserId(ctx, authenticators.UserID, authenticators.Method)
+	if exists != nil {
+		return authenticators, nil
+	}
+
+	if authenticators.ID == "" {
+		authenticators.ID = uuid.New().String()
+	}
+
+	authenticators.CreatedAt = time.Now().Unix()
+	authenticators.UpdatedAt = time.Now().Unix()
+
+	bytes, err := json.Marshal(authenticators)
+	if err != nil {
+		return authenticators, err
+	}
+
+	// use decoder instead of json.Unmarshall, because it converts int64 -> float64 after unmarshalling
+	decoder := json.NewDecoder(strings.NewReader(string(bytes)))
+	decoder.UseNumber()
+	authenticatorsMap := map[string]interface{}{}
+	err = decoder.Decode(&authenticatorsMap)
+	if err != nil {
+		return authenticators, err
+	}
+
+	fields := "("
+	values := "("
+	for key, value := range authenticatorsMap {
+		if value != nil {
+			if key == "_id" {
+				fields += "id,"
+			} else {
+				fields += key + ","
+			}
+
+			valueType := reflect.TypeOf(value)
+			if valueType.Name() == "string" {
+				values += fmt.Sprintf("'%s',", value.(string))
+			} else {
+				values += fmt.Sprintf("%v,", value)
+			}
+		}
+	}
+
+	fields = fields[:len(fields)-1] + ")"
+	values = values[:len(values)-1] + ")"
+
+	query := fmt.Sprintf("INSERT INTO %s %s VALUES %s IF NOT EXISTS", KeySpace+"."+models.Collections.Authenticators, fields, values)
+	err = p.db.Query(query).Exec()
+	if err != nil {
+		return authenticators, err
+	}
+
+	return authenticators, nil
+}
+
+func (p *provider) UpdateAuthenticator(ctx context.Context, authenticators *models.Authenticator) (*models.Authenticator, error) {
+	authenticators.UpdatedAt = time.Now().Unix()
+
+	bytes, err := json.Marshal(authenticators)
+	if err != nil {
+		return authenticators, err
+	}
+	// use decoder instead of json.Unmarshall, because it converts int64 -> float64 after unmarshalling
+	decoder := json.NewDecoder(strings.NewReader(string(bytes)))
+	decoder.UseNumber()
+	authenticatorsMap := map[string]interface{}{}
+	err = decoder.Decode(&authenticatorsMap)
+	if err != nil {
+		return authenticators, err
+	}
+
+	updateFields := ""
+	for key, value := range authenticatorsMap {
+		if key == "_id" {
+			continue
+		}
+
+		if key == "_key" {
+			continue
+		}
+
+		if value == nil {
+			updateFields += fmt.Sprintf("%s = null, ", key)
+			continue
+		}
+
+		valueType := reflect.TypeOf(value)
+		if valueType.Name() == "string" {
+			updateFields += fmt.Sprintf("%s = '%s', ", key, value.(string))
+		} else {
+			updateFields += fmt.Sprintf("%s = %v, ", key, value)
+		}
+	}
+	updateFields = strings.Trim(updateFields, " ")
+	updateFields = strings.TrimSuffix(updateFields, ",")
+
+	query := fmt.Sprintf("UPDATE %s SET %s WHERE id = '%s'", KeySpace+"."+models.Collections.Authenticators, updateFields, authenticators.ID)
+	err = p.db.Query(query).Exec()
+	if err != nil {
+		return authenticators, err
+	}
+
+	return authenticators, nil
+}
+
+func (p *provider) GetAuthenticatorDetailsByUserId(ctx context.Context, userId string, authenticatorType string) (*models.Authenticator, error) {
+	var authenticators models.Authenticator
+	query := fmt.Sprintf("SELECT id, user_id, method, secret, recovery_codes, verified_at, created_at, updated_at FROM %s WHERE user_id = '%s' AND method = '%s' LIMIT 1 ALLOW FILTERING", KeySpace+"."+models.Collections.Authenticators, userId, authenticatorType)
+	err := p.db.Query(query).Consistency(gocql.One).Scan(&authenticators.ID, &authenticators.UserID, &authenticators.Method, &authenticators.Secret, &authenticators.RecoveryCodes, &authenticators.VerifiedAt, &authenticators.CreatedAt, &authenticators.UpdatedAt)
+	if err != nil {
+		return nil, err
+	}
+	return &authenticators, nil
+}

server/db/providers/cassandradb/provider.go

@@ -261,12 +261,26 @@ func NewProvider() (*provider, error) {
 		log.Debug("Failed to alter table as column exists: ", err)
 		// continue
 	}
+	// Add app_data column to users table
+	appDataAlterQuery := fmt.Sprintf(`ALTER TABLE %s.%s ADD (app_data text);`, KeySpace, models.Collections.User)
+	err = session.Query(appDataAlterQuery).Exec()
+	if err != nil {
+		log.Debug("Failed to alter user table as app_data column exists: ", err)
+		// continue
+	}
 	// Add phone number index
 	otpIndexQueryPhoneNumber := fmt.Sprintf("CREATE INDEX IF NOT EXISTS authorizer_otp_phone_number ON %s.%s (phone_number)", KeySpace, models.Collections.OTP)
 	err = session.Query(otpIndexQueryPhoneNumber).Exec()
 	if err != nil {
 		return nil, err
 	}
+	// add authenticators table
+	totpCollectionQuery := fmt.Sprintf("CREATE TABLE IF NOT EXISTS %s.%s (id text, user_id text, method text, secret text, recovery_codes text, verified_at bigint, updated_at bigint, created_at bigint, PRIMARY KEY (id))", KeySpace, models.Collections.Authenticators)
+	err = session.Query(totpCollectionQuery).Exec()
+	if err != nil {
+		return nil, err
+	}
+
 	return &provider{
 		db: session,
 	}, err

server/db/providers/cassandradb/user.go

@@ -78,6 +78,7 @@ func (p *provider) AddUser(ctx context.Context, user *models.User) (*models.User
 
 	query := fmt.Sprintf("INSERT INTO %s %s VALUES %s IF NOT EXISTS", KeySpace+"."+models.Collections.User, fields, values)
 	err = p.db.Query(query).Exec()
+
 	if err != nil {
 		return user, err
 	}
@@ -177,13 +178,17 @@ func (p *provider) ListUsers(ctx context.Context, pagination *model.Pagination)
 	// there is no offset in cassandra
 	// so we fetch till limit + offset
 	// and return the results from offset to limit
-	query := fmt.Sprintf("SELECT id, email, email_verified_at, password, signup_methods, given_name, family_name, middle_name, nickname, birthdate, phone_number, phone_number_verified_at, picture, roles, revoked_timestamp, is_multi_factor_auth_enabled, created_at, updated_at FROM %s LIMIT %d", KeySpace+"."+models.Collections.User, pagination.Limit+pagination.Offset)
+	query := fmt.Sprintf("SELECT id, email, email_verified_at, password, signup_methods, given_name, family_name, middle_name, nickname, birthdate, phone_number, phone_number_verified_at, picture, roles, revoked_timestamp, is_multi_factor_auth_enabled, app_data, created_at, updated_at FROM %s LIMIT %d", KeySpace+"."+models.Collections.User,
+		pagination.Limit+pagination.Offset)
 	scanner := p.db.Query(query).Iter().Scanner()
 	counter := int64(0)
 	for scanner.Next() {
 		if counter >= pagination.Offset {
 			var user models.User
-			err := scanner.Scan(&user.ID, &user.Email, &user.EmailVerifiedAt, &user.Password, &user.SignupMethods, &user.GivenName, &user.FamilyName, &user.MiddleName, &user.Nickname, &user.Birthdate, &user.PhoneNumber, &user.PhoneNumberVerifiedAt, &user.Picture, &user.Roles, &user.RevokedTimestamp, &user.IsMultiFactorAuthEnabled, &user.CreatedAt, &user.UpdatedAt)
+			err := scanner.Scan(&user.ID, &user.Email, &user.EmailVerifiedAt, &user.Password, &user.SignupMethods,
+				&user.GivenName, &user.FamilyName, &user.MiddleName, &user.Nickname, &user.Birthdate, &user.PhoneNumber,
+				&user.PhoneNumberVerifiedAt, &user.Picture, &user.Roles, &user.RevokedTimestamp, &user.IsMultiFactorAuthEnabled,
+				&user.AppData, &user.CreatedAt, &user.UpdatedAt)
 			if err != nil {
 				return nil, err
 			}
@@ -200,8 +205,8 @@ func (p *provider) ListUsers(ctx context.Context, pagination *model.Pagination)
 // GetUserByEmail to get user information from database using email address
 func (p *provider) GetUserByEmail(ctx context.Context, email string) (*models.User, error) {
 	var user models.User
-	query := fmt.Sprintf("SELECT id, email, email_verified_at, password, signup_methods, given_name, family_name, middle_name, nickname, birthdate, phone_number, phone_number_verified_at, picture, roles, revoked_timestamp, is_multi_factor_auth_enabled, created_at, updated_at FROM %s WHERE email = '%s' LIMIT 1 ALLOW FILTERING", KeySpace+"."+models.Collections.User, email)
-	err := p.db.Query(query).Consistency(gocql.One).Scan(&user.ID, &user.Email, &user.EmailVerifiedAt, &user.Password, &user.SignupMethods, &user.GivenName, &user.FamilyName, &user.MiddleName, &user.Nickname, &user.Birthdate, &user.PhoneNumber, &user.PhoneNumberVerifiedAt, &user.Picture, &user.Roles, &user.RevokedTimestamp, &user.IsMultiFactorAuthEnabled, &user.CreatedAt, &user.UpdatedAt)
+	query := fmt.Sprintf("SELECT id, email, email_verified_at, password, signup_methods, given_name, family_name, middle_name, nickname, birthdate, phone_number, phone_number_verified_at, picture, roles, revoked_timestamp, is_multi_factor_auth_enabled, app_data, created_at, updated_at FROM %s WHERE email = '%s' LIMIT 1 ALLOW FILTERING", KeySpace+"."+models.Collections.User, email)
+	err := p.db.Query(query).Consistency(gocql.One).Scan(&user.ID, &user.Email, &user.EmailVerifiedAt, &user.Password, &user.SignupMethods, &user.GivenName, &user.FamilyName, &user.MiddleName, &user.Nickname, &user.Birthdate, &user.PhoneNumber, &user.PhoneNumberVerifiedAt, &user.Picture, &user.Roles, &user.RevokedTimestamp, &user.IsMultiFactorAuthEnabled, &user.AppData, &user.CreatedAt, &user.UpdatedAt)
 	if err != nil {
 		return nil, err
 	}
@@ -211,8 +216,8 @@ func (p *provider) GetUserByEmail(ctx context.Context, email string) (*models.Us
 // GetUserByID to get user information from database using user ID
 func (p *provider) GetUserByID(ctx context.Context, id string) (*models.User, error) {
 	var user models.User
-	query := fmt.Sprintf("SELECT id, email, email_verified_at, password, signup_methods, given_name, family_name, middle_name, nickname, birthdate, phone_number, phone_number_verified_at, picture, roles, revoked_timestamp, is_multi_factor_auth_enabled, created_at, updated_at FROM %s WHERE id = '%s' LIMIT 1", KeySpace+"."+models.Collections.User, id)
-	err := p.db.Query(query).Consistency(gocql.One).Scan(&user.ID, &user.Email, &user.EmailVerifiedAt, &user.Password, &user.SignupMethods, &user.GivenName, &user.FamilyName, &user.MiddleName, &user.Nickname, &user.Birthdate, &user.PhoneNumber, &user.PhoneNumberVerifiedAt, &user.Picture, &user.Roles, &user.RevokedTimestamp, &user.IsMultiFactorAuthEnabled, &user.CreatedAt, &user.UpdatedAt)
+	query := fmt.Sprintf("SELECT id, email, email_verified_at, password, signup_methods, given_name, family_name, middle_name, nickname, birthdate, phone_number, phone_number_verified_at, picture, roles, revoked_timestamp, is_multi_factor_auth_enabled, app_data, created_at, updated_at FROM %s WHERE id = '%s' LIMIT 1", KeySpace+"."+models.Collections.User, id)
+	err := p.db.Query(query).Consistency(gocql.One).Scan(&user.ID, &user.Email, &user.EmailVerifiedAt, &user.Password, &user.SignupMethods, &user.GivenName, &user.FamilyName, &user.MiddleName, &user.Nickname, &user.Birthdate, &user.PhoneNumber, &user.PhoneNumberVerifiedAt, &user.Picture, &user.Roles, &user.RevokedTimestamp, &user.IsMultiFactorAuthEnabled, &user.AppData, &user.CreatedAt, &user.UpdatedAt)
 	if err != nil {
 		return nil, err
 	}
@@ -297,17 +302,15 @@ func (p *provider) UpdateUsers(ctx context.Context, data map[string]interface{},
 				return err
 			}
 		}
-
 	}
-
 	return nil
 }
 
 // GetUserByPhoneNumber to get user information from database using phone number
 func (p *provider) GetUserByPhoneNumber(ctx context.Context, phoneNumber string) (*models.User, error) {
 	var user models.User
-	query := fmt.Sprintf("SELECT id, email, email_verified_at, password, signup_methods, given_name, family_name, middle_name, nickname, birthdate, phone_number, phone_number_verified_at, picture, roles, revoked_timestamp, is_multi_factor_auth_enabled, created_at, updated_at FROM %s WHERE phone_number = '%s' LIMIT 1 ALLOW FILTERING", KeySpace+"."+models.Collections.User, phoneNumber)
-	err := p.db.Query(query).Consistency(gocql.One).Scan(&user.ID, &user.Email, &user.EmailVerifiedAt, &user.Password, &user.SignupMethods, &user.GivenName, &user.FamilyName, &user.MiddleName, &user.Nickname, &user.Birthdate, &user.PhoneNumber, &user.PhoneNumberVerifiedAt, &user.Picture, &user.Roles, &user.RevokedTimestamp, &user.IsMultiFactorAuthEnabled, &user.CreatedAt, &user.UpdatedAt)
+	query := fmt.Sprintf("SELECT id, email, email_verified_at, password, signup_methods, given_name, family_name, middle_name, nickname, birthdate, phone_number, phone_number_verified_at, picture, roles, revoked_timestamp, is_multi_factor_auth_enabled, app_data, created_at, updated_at FROM %s WHERE phone_number = '%s' LIMIT 1 ALLOW FILTERING", KeySpace+"."+models.Collections.User, phoneNumber)
+	err := p.db.Query(query).Consistency(gocql.One).Scan(&user.ID, &user.Email, &user.EmailVerifiedAt, &user.Password, &user.SignupMethods, &user.GivenName, &user.FamilyName, &user.MiddleName, &user.Nickname, &user.Birthdate, &user.PhoneNumber, &user.PhoneNumberVerifiedAt, &user.Picture, &user.Roles, &user.RevokedTimestamp, &user.IsMultiFactorAuthEnabled, &user.AppData, &user.CreatedAt, &user.UpdatedAt)
 	if err != nil {
 		return nil, err
 	}

server/db/providers/couchbase/authenticator.go

@@ -0,0 +1,81 @@
+package couchbase
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/couchbase/gocb/v2"
+	"github.com/google/uuid"
+
+	"github.com/authorizerdev/authorizer/server/db/models"
+)
+
+func (p *provider) AddAuthenticator(ctx context.Context, authenticators *models.Authenticator) (*models.Authenticator, error) {
+	exists, _ := p.GetAuthenticatorDetailsByUserId(ctx, authenticators.UserID, authenticators.Method)
+	if exists != nil {
+		return authenticators, nil
+	}
+
+	if authenticators.ID == "" {
+		authenticators.ID = uuid.New().String()
+	}
+	authenticators.Key = authenticators.ID
+	authenticators.CreatedAt = time.Now().Unix()
+	authenticators.UpdatedAt = time.Now().Unix()
+	insertOpt := gocb.InsertOptions{
+		Context: ctx,
+	}
+	_, err := p.db.Collection(models.Collections.Authenticators).Insert(authenticators.ID, authenticators, &insertOpt)
+	if err != nil {
+		return authenticators, err
+	}
+	return authenticators, nil
+}
+
+func (p *provider) UpdateAuthenticator(ctx context.Context, authenticators *models.Authenticator) (*models.Authenticator, error) {
+	authenticators.UpdatedAt = time.Now().Unix()
+	bytes, err := json.Marshal(authenticators)
+	if err != nil {
+		return nil, err
+	}
+	// use decoder instead of json.Unmarshall, because it converts int64 -> float64 after unmarshalling
+	decoder := json.NewDecoder(strings.NewReader(string(bytes)))
+	decoder.UseNumber()
+	authenticator := map[string]interface{}{}
+	err = decoder.Decode(&authenticator)
+	if err != nil {
+		return nil, err
+	}
+	updateFields, params := GetSetFields(authenticator)
+	query := fmt.Sprintf("UPDATE %s.%s SET %s WHERE _id = '%s'", p.scopeName, models.Collections.Authenticators, updateFields, authenticators.ID)
+	_, err = p.db.Query(query, &gocb.QueryOptions{
+		Context:         ctx,
+		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
+		NamedParameters: params,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return authenticators, nil
+}
+
+func (p *provider) GetAuthenticatorDetailsByUserId(ctx context.Context, userId string, authenticatorType string) (*models.Authenticator, error) {
+	var authenticators *models.Authenticator
+	query := fmt.Sprintf("SELECT _id, user_id, method, secret, recovery_code, verified_at, created_at, updated_at FROM %s.%s WHERE user_id = $1 AND method = $2 LIMIT 1", p.scopeName, models.Collections.Authenticators)
+	q, err := p.db.Query(query, &gocb.QueryOptions{
+		ScanConsistency:      gocb.QueryScanConsistencyRequestPlus,
+		Context:              ctx,
+		PositionalParameters: []interface{}{userId, authenticatorType},
+	})
+	if err != nil {
+		return authenticators, err
+	}
+	err = q.One(&authenticators)
+	if err != nil {
+		return authenticators, err
+	}
+	return authenticators, nil
+}

server/db/providers/couchbase/user.go

@@ -43,10 +43,10 @@ func (p *provider) AddUser(ctx context.Context, user *models.User) (*models.User
 // UpdateUser to update user information in database
 func (p *provider) UpdateUser(ctx context.Context, user *models.User) (*models.User, error) {
 	user.UpdatedAt = time.Now().Unix()
-	unsertOpt := gocb.UpsertOptions{
+	upsertOpt := gocb.UpsertOptions{
 		Context: ctx,
 	}
-	_, err := p.db.Collection(models.Collections.User).Upsert(user.ID, user, &unsertOpt)
+	_, err := p.db.Collection(models.Collections.User).Upsert(user.ID, user, &upsertOpt)
 	if err != nil {
 		return user, err
 	}
@@ -69,7 +69,7 @@ func (p *provider) DeleteUser(ctx context.Context, user *models.User) error {
 func (p *provider) ListUsers(ctx context.Context, pagination *model.Pagination) (*model.Users, error) {
 	users := []*model.User{}
 	paginationClone := pagination
-	userQuery := fmt.Sprintf("SELECT _id, email, email_verified_at, `password`, signup_methods, given_name, family_name, middle_name, nickname, birthdate, phone_number, phone_number_verified_at, picture, roles, revoked_timestamp, is_multi_factor_auth_enabled, created_at, updated_at FROM %s.%s ORDER BY id OFFSET $1 LIMIT $2", p.scopeName, models.Collections.User)
+	userQuery := fmt.Sprintf("SELECT _id, email, email_verified_at, `password`, signup_methods, given_name, family_name, middle_name, nickname, birthdate, phone_number, phone_number_verified_at, picture, roles, revoked_timestamp, is_multi_factor_auth_enabled, app_data, created_at, updated_at FROM %s.%s ORDER BY id OFFSET $1 LIMIT $2", p.scopeName, models.Collections.User)
 	queryResult, err := p.db.Query(userQuery, &gocb.QueryOptions{
 		ScanConsistency:      gocb.QueryScanConsistencyRequestPlus,
 		Context:              ctx,
@@ -103,7 +103,7 @@ func (p *provider) ListUsers(ctx context.Context, pagination *model.Pagination)
 // GetUserByEmail to get user information from database using email address
 func (p *provider) GetUserByEmail(ctx context.Context, email string) (*models.User, error) {
 	var user *models.User
-	query := fmt.Sprintf("SELECT _id, email, email_verified_at, `password`, signup_methods, given_name, family_name, middle_name, nickname, birthdate, phone_number, phone_number_verified_at, picture, roles, revoked_timestamp, is_multi_factor_auth_enabled, created_at, updated_at FROM %s.%s WHERE email = $1 LIMIT 1", p.scopeName, models.Collections.User)
+	query := fmt.Sprintf("SELECT _id, email, email_verified_at, `password`, signup_methods, given_name, family_name, middle_name, nickname, birthdate, phone_number, phone_number_verified_at, picture, roles, revoked_timestamp, is_multi_factor_auth_enabled, app_data, created_at, updated_at FROM %s.%s WHERE email = $1 LIMIT 1", p.scopeName, models.Collections.User)
 	q, err := p.db.Query(query, &gocb.QueryOptions{
 		ScanConsistency:      gocb.QueryScanConsistencyRequestPlus,
 		Context:              ctx,
@@ -122,7 +122,7 @@ func (p *provider) GetUserByEmail(ctx context.Context, email string) (*models.Us
 // GetUserByID to get user information from database using user ID
 func (p *provider) GetUserByID(ctx context.Context, id string) (*models.User, error) {
 	var user *models.User
-	query := fmt.Sprintf("SELECT _id, email, email_verified_at, `password`, signup_methods, given_name, family_name, middle_name, nickname, birthdate, phone_number, phone_number_verified_at, picture, roles, revoked_timestamp, is_multi_factor_auth_enabled, created_at, updated_at FROM %s.%s WHERE _id = $1 LIMIT 1", p.scopeName, models.Collections.User)
+	query := fmt.Sprintf("SELECT _id, email, email_verified_at, `password`, signup_methods, given_name, family_name, middle_name, nickname, birthdate, phone_number, phone_number_verified_at, picture, roles, revoked_timestamp, is_multi_factor_auth_enabled, app_data, created_at, updated_at FROM %s.%s WHERE _id = $1 LIMIT 1", p.scopeName, models.Collections.User)
 	q, err := p.db.Query(query, &gocb.QueryOptions{
 		ScanConsistency:      gocb.QueryScanConsistencyRequestPlus,
 		Context:              ctx,
@@ -175,7 +175,7 @@ func (p *provider) UpdateUsers(ctx context.Context, data map[string]interface{},
 // GetUserByPhoneNumber to get user information from database using phone number
 func (p *provider) GetUserByPhoneNumber(ctx context.Context, phoneNumber string) (*models.User, error) {
 	var user *models.User
-	query := fmt.Sprintf("SELECT _id, email, email_verified_at, `password`, signup_methods, given_name, family_name, middle_name, nickname, birthdate, phone_number, phone_number_verified_at, picture, roles, revoked_timestamp, is_multi_factor_auth_enabled, created_at, updated_at FROM %s.%s WHERE phone_number = $1 LIMIT 1", p.scopeName, models.Collections.User)
+	query := fmt.Sprintf("SELECT _id, email, email_verified_at, `password`, signup_methods, given_name, family_name, middle_name, nickname, birthdate, phone_number, phone_number_verified_at, picture, roles, revoked_timestamp, is_multi_factor_auth_enabled, app_data, created_at, updated_at FROM %s.%s WHERE phone_number = $1 LIMIT 1", p.scopeName, models.Collections.User)
 	q, err := p.db.Query(query, &gocb.QueryOptions{
 		ScanConsistency:      gocb.QueryScanConsistencyRequestPlus,
 		Context:              ctx,

server/db/providers/dynamodb/authenticator.go

@@ -0,0 +1,57 @@
+package dynamodb
+
+import (
+	"context"
+	"time"
+
+	"github.com/google/uuid"
+
+	"github.com/authorizerdev/authorizer/server/db/models"
+)
+
+func (p *provider) AddAuthenticator(ctx context.Context, authenticators *models.Authenticator) (*models.Authenticator, error) {
+	exists, _ := p.GetAuthenticatorDetailsByUserId(ctx, authenticators.UserID, authenticators.Method)
+	if exists != nil {
+		return authenticators, nil
+	}
+
+	collection := p.db.Table(models.Collections.Authenticators)
+	if authenticators.ID == "" {
+		authenticators.ID = uuid.New().String()
+	}
+
+	authenticators.CreatedAt = time.Now().Unix()
+	authenticators.UpdatedAt = time.Now().Unix()
+	err := collection.Put(authenticators).RunWithContext(ctx)
+	if err != nil {
+		return authenticators, err
+	}
+	return authenticators, nil
+}
+
+func (p *provider) UpdateAuthenticator(ctx context.Context, authenticators *models.Authenticator) (*models.Authenticator, error) {
+	collection := p.db.Table(models.Collections.Authenticators)
+	if authenticators.ID != "" {
+		authenticators.UpdatedAt = time.Now().Unix()
+		err := UpdateByHashKey(collection, "id", authenticators.ID, authenticators)
+		if err != nil {
+			return authenticators, err
+		}
+	}
+	return authenticators, nil
+
+}
+
+func (p *provider) GetAuthenticatorDetailsByUserId(ctx context.Context, userId string, authenticatorType string) (*models.Authenticator, error) {
+	var authenticators *models.Authenticator
+	collection := p.db.Table(models.Collections.Authenticators)
+	iter := collection.Scan().Filter("'user_id' = ?", userId).Filter("'method' = ?", authenticatorType).Iter()
+	for iter.NextWithContext(ctx, &authenticators) {
+		return authenticators, nil
+	}
+	err := iter.Err()
+	if err != nil {
+		return authenticators, err
+	}
+	return authenticators, nil
+}

server/db/providers/dynamodb/provider.go

@@ -52,6 +52,7 @@ func NewProvider() (*provider, error) {
 	db.CreateTable(models.Collections.VerificationRequest, models.VerificationRequest{}).Wait()
 	db.CreateTable(models.Collections.Webhook, models.Webhook{}).Wait()
 	db.CreateTable(models.Collections.WebhookLog, models.WebhookLog{}).Wait()
+	db.CreateTable(models.Collections.Authenticators, models.Authenticator{}).Wait()
 	return &provider{
 		db: db,
 	}, nil

server/db/providers/dynamodb/user.go

@@ -53,10 +53,6 @@ func (p *provider) UpdateUser(ctx context.Context, user *models.User) (*models.U
 		if err != nil {
 			return user, err
 		}
-		if err != nil {
-			return user, err
-		}
-
 	}
 	return user, nil
 }
@@ -136,7 +132,7 @@ func (p *provider) GetUserByID(ctx context.Context, id string) (*models.User, er
 	var user *models.User
 	err := collection.Get("id", id).OneWithContext(ctx, &user)
 	if err != nil {
-		if user.Email == "" {
+		if refs.StringValue(user.Email) == "" {
 			return user, errors.New("no documets found")
 		} else {
 			return user, nil

server/db/providers/mongodb/authenticator.go

@@ -0,0 +1,52 @@
+package mongodb
+
+import (
+	"context"
+	"time"
+
+	"github.com/google/uuid"
+	"go.mongodb.org/mongo-driver/bson"
+	"go.mongodb.org/mongo-driver/mongo/options"
+
+	"github.com/authorizerdev/authorizer/server/db/models"
+)
+
+func (p *provider) AddAuthenticator(ctx context.Context, authenticators *models.Authenticator) (*models.Authenticator, error) {
+	exists, _ := p.GetAuthenticatorDetailsByUserId(ctx, authenticators.UserID, authenticators.Method)
+	if exists != nil {
+		return authenticators, nil
+	}
+
+	if authenticators.ID == "" {
+		authenticators.ID = uuid.New().String()
+	}
+	authenticators.CreatedAt = time.Now().Unix()
+	authenticators.UpdatedAt = time.Now().Unix()
+	authenticators.Key = authenticators.ID
+	authenticatorsCollection := p.db.Collection(models.Collections.Authenticators, options.Collection())
+	_, err := authenticatorsCollection.InsertOne(ctx, authenticators)
+	if err != nil {
+		return authenticators, err
+	}
+	return authenticators, nil
+}
+
+func (p *provider) UpdateAuthenticator(ctx context.Context, authenticators *models.Authenticator) (*models.Authenticator, error) {
+	authenticators.UpdatedAt = time.Now().Unix()
+	authenticatorsCollection := p.db.Collection(models.Collections.Authenticators, options.Collection())
+	_, err := authenticatorsCollection.UpdateOne(ctx, bson.M{"_id": bson.M{"$eq": authenticators.ID}}, bson.M{"$set": authenticators})
+	if err != nil {
+		return authenticators, err
+	}
+	return authenticators, nil
+}
+
+func (p *provider) GetAuthenticatorDetailsByUserId(ctx context.Context, userId string, authenticatorType string) (*models.Authenticator, error) {
+	var authenticators *models.Authenticator
+	authenticatorsCollection := p.db.Collection(models.Collections.Authenticators, options.Collection())
+	err := authenticatorsCollection.FindOne(ctx, bson.M{"user_id": userId, "method": authenticatorType}).Decode(&authenticators)
+	if err != nil {
+		return authenticators, err
+	}
+	return authenticators, nil
+}

server/db/providers/mongodb/provider.go

@@ -47,8 +47,6 @@ func NewProvider() (*provider, error) {
 			Keys:    bson.M{"email": 1},
 			Options: options.Index().SetUnique(true).SetSparse(true),
 		},
-	}, options.CreateIndexes())
-	userCollection.Indexes().CreateMany(ctx, []mongo.IndexModel{
 		{
 			Keys: bson.M{"phone_number": 1},
 			Options: options.Index().SetUnique(true).SetSparse(true).SetPartialFilterExpression(map[string]interface{}{
@@ -56,7 +54,6 @@ func NewProvider() (*provider, error) {
 			}),
 		},
 	}, options.CreateIndexes())
-
 	mongodb.CreateCollection(ctx, models.Collections.VerificationRequest, options.CreateCollection())
 	verificationRequestCollection := mongodb.Collection(models.Collections.VerificationRequest, options.Collection())
 	verificationRequestCollection.Indexes().CreateMany(ctx, []mongo.IndexModel{
@@ -125,6 +122,15 @@ func NewProvider() (*provider, error) {
 		},
 	}, options.CreateIndexes())
 
+	mongodb.CreateCollection(ctx, models.Collections.Authenticators, options.CreateCollection())
+	authenticatorsCollection := mongodb.Collection(models.Collections.Authenticators, options.Collection())
+	authenticatorsCollection.Indexes().CreateMany(ctx, []mongo.IndexModel{
+		{
+			Keys:    bson.M{"user_id": 1},
+			Options: options.Index().SetSparse(true),
+		},
+	}, options.CreateIndexes())
+
 	return &provider{
 		db: mongodb,
 	}, nil

server/db/providers/provider_template/authenticator.go

@@ -0,0 +1,34 @@
+package provider_template
+
+import (
+	"context"
+	"time"
+
+	"github.com/google/uuid"
+
+	"github.com/authorizerdev/authorizer/server/db/models"
+)
+
+func (p *provider) AddAuthenticator(ctx context.Context, authenticators *models.Authenticator) (*models.Authenticator, error) {
+	exists, _ := p.GetAuthenticatorDetailsByUserId(ctx, authenticators.UserID, authenticators.Method)
+	if exists != nil {
+		return authenticators, nil
+	}
+
+	if authenticators.ID == "" {
+		authenticators.ID = uuid.New().String()
+	}
+	authenticators.CreatedAt = time.Now().Unix()
+	authenticators.UpdatedAt = time.Now().Unix()
+	return authenticators, nil
+}
+
+func (p *provider) UpdateAuthenticator(ctx context.Context, authenticators *models.Authenticator) (*models.Authenticator, error) {
+	authenticators.UpdatedAt = time.Now().Unix()
+	return authenticators, nil
+}
+
+func (p *provider) GetAuthenticatorDetailsByUserId(ctx context.Context, userId string, authenticatorType string) (*models.Authenticator, error) {
+	var authenticators *models.Authenticator
+	return authenticators, nil
+}

server/db/providers/providers.go

@@ -26,7 +26,7 @@ type Provider interface {
 	// If ids set to nil / empty all the users will be updated
 	UpdateUsers(ctx context.Context, data map[string]interface{}, ids []string) error
 
-	// AddVerification to save verification request in database
+	// AddVerificationRequest to save verification request in database
 	AddVerificationRequest(ctx context.Context, verificationRequest *models.VerificationRequest) (*models.VerificationRequest, error)
 	// GetVerificationRequestByToken to get verification request from database using token
 	GetVerificationRequestByToken(ctx context.Context, token string) (*models.VerificationRequest, error)
@@ -53,7 +53,7 @@ type Provider interface {
 	AddWebhook(ctx context.Context, webhook *models.Webhook) (*model.Webhook, error)
 	// UpdateWebhook to update webhook
 	UpdateWebhook(ctx context.Context, webhook *models.Webhook) (*model.Webhook, error)
-	// ListWebhooks to list webhook
+	// ListWebhook to list webhook
 	ListWebhook(ctx context.Context, pagination *model.Pagination) (*model.Webhooks, error)
 	// GetWebhookByID to get webhook by id
 	GetWebhookByID(ctx context.Context, webhookID string) (*model.Webhook, error)
@@ -71,7 +71,7 @@ type Provider interface {
 	AddEmailTemplate(ctx context.Context, emailTemplate *models.EmailTemplate) (*model.EmailTemplate, error)
 	// UpdateEmailTemplate to update EmailTemplate
 	UpdateEmailTemplate(ctx context.Context, emailTemplate *models.EmailTemplate) (*model.EmailTemplate, error)
-	// ListEmailTemplates to list EmailTemplate
+	// ListEmailTemplate to list EmailTemplate
 	ListEmailTemplate(ctx context.Context, pagination *model.Pagination) (*model.EmailTemplates, error)
 	// GetEmailTemplateByID to get EmailTemplate by id
 	GetEmailTemplateByID(ctx context.Context, emailTemplateID string) (*model.EmailTemplate, error)
@@ -88,4 +88,15 @@ type Provider interface {
 	GetOTPByPhoneNumber(ctx context.Context, phoneNumber string) (*models.OTP, error)
 	// DeleteOTP to delete otp
 	DeleteOTP(ctx context.Context, otp *models.OTP) error
+
+	// AddAuthenticator adds a new authenticator document to the database.
+	// If the authenticator doesn't have an ID, a new one is generated.
+	// The created document is returned, or an error if the operation fails.
+	AddAuthenticator(ctx context.Context, totp *models.Authenticator) (*models.Authenticator, error)
+	// UpdateAuthenticator updates an existing authenticator document in the database.
+	// The updated document is returned, or an error if the operation fails.
+	UpdateAuthenticator(ctx context.Context, totp *models.Authenticator) (*models.Authenticator, error)
+	// GetAuthenticatorDetailsByUserId retrieves details of an authenticator document based on user ID and authenticator type.
+	// If found, the authenticator document is returned, or an error if not found or an error occurs during the retrieval.
+	GetAuthenticatorDetailsByUserId(ctx context.Context, userId string, authenticatorType string) (*models.Authenticator, error)
 }

server/db/providers/sql/authenticator.go

@@ -0,0 +1,52 @@
+package sql
+
+import (
+	"context"
+	"time"
+
+	"github.com/google/uuid"
+	"gorm.io/gorm/clause"
+
+	"github.com/authorizerdev/authorizer/server/db/models"
+)
+
+func (p *provider) AddAuthenticator(ctx context.Context, authenticators *models.Authenticator) (*models.Authenticator, error) {
+	exists, _ := p.GetAuthenticatorDetailsByUserId(ctx, authenticators.UserID, authenticators.Method)
+	if exists != nil {
+		return authenticators, nil
+	}
+
+	if authenticators.ID == "" {
+		authenticators.ID = uuid.New().String()
+	}
+	authenticators.Key = authenticators.ID
+	authenticators.CreatedAt = time.Now().Unix()
+	authenticators.UpdatedAt = time.Now().Unix()
+	res := p.db.Clauses(
+		clause.OnConflict{
+			UpdateAll: true,
+			Columns:   []clause.Column{{Name: "id"}},
+		}).Create(&authenticators)
+	if res.Error != nil {
+		return nil, res.Error
+	}
+	return authenticators, nil
+}
+
+func (p *provider) UpdateAuthenticator(ctx context.Context, authenticators *models.Authenticator) (*models.Authenticator, error) {
+	authenticators.UpdatedAt = time.Now().Unix()
+	result := p.db.Save(&authenticators)
+	if result.Error != nil {
+		return authenticators, result.Error
+	}
+	return authenticators, nil
+}
+
+func (p *provider) GetAuthenticatorDetailsByUserId(ctx context.Context, userId string, authenticatorType string) (*models.Authenticator, error) {
+	var authenticators models.Authenticator
+	result := p.db.Where("user_id = ?", userId).Where("method = ?", authenticatorType).First(&authenticators)
+	if result.Error != nil {
+		return nil, result.Error
+	}
+	return &authenticators, nil
+}

server/db/providers/sql/provider.go

@@ -6,6 +6,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/db/models"
 	"github.com/authorizerdev/authorizer/server/memorystore"
+	libsql "github.com/ekristen/gorm-libsql"
 	"github.com/glebarez/sqlite"
 	"github.com/sirupsen/logrus"
 	"gorm.io/driver/mysql"
@@ -60,6 +61,8 @@ func NewProvider() (*provider, error) {
 		sqlDB, err = gorm.Open(postgres.Open(dbURL), ormConfig)
 	case constants.DbTypeSqlite:
 		sqlDB, err = gorm.Open(sqlite.Open(dbURL+"?_pragma=busy_timeout(5000)&_pragma=journal_mode(WAL)"), ormConfig)
+	case constants.DbTypeLibSQL:
+		sqlDB, err = gorm.Open(libsql.Open(dbURL), ormConfig)
 	case constants.DbTypeMysql, constants.DbTypeMariaDB, constants.DbTypePlanetScaleDB:
 		sqlDB, err = gorm.Open(mysql.Open(dbURL), ormConfig)
 	case constants.DbTypeSqlserver:
@@ -77,7 +80,7 @@ func NewProvider() (*provider, error) {
 		logrus.Debug("Failed to drop phone number constraint:", err)
 	}
 
-	err = sqlDB.AutoMigrate(&models.User{}, &models.VerificationRequest{}, &models.Session{}, &models.Env{}, &models.Webhook{}, &models.WebhookLog{}, &models.EmailTemplate{}, &models.OTP{})
+	err = sqlDB.AutoMigrate(&models.User{}, &models.VerificationRequest{}, &models.Session{}, &models.Env{}, &models.Webhook{}, &models.WebhookLog{}, &models.EmailTemplate{}, &models.OTP{}, &models.Authenticator{})
 	if err != nil {
 		return nil, err
 	}

server/email/email.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"crypto/tls"
+	"os"
 	"strconv"
 	"strings"
 	"text/template"
@@ -91,10 +92,16 @@ func SendEmail(to []string, event string, data map[string]interface{}) error {
 
 	tmp, err := getEmailTemplate(event, data)
 	if err != nil {
-		log.Errorf("Failed to get event template: ", err)
+		log.Error("Failed to get event template: ", err)
 		return err
 	}
 
+	mailgunAPIKey := os.Getenv("MAILGUN_API_KEY")
+
+	if len(mailgunAPIKey) > 0 {
+		return SendMailgun(to, event, data)
+	}
+
 	m := gomail.NewMessage()
 	senderEmail, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeySenderEmail)
 	if err != nil {

server/email/mailgun.go

@@ -0,0 +1,83 @@
+package email
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"time"
+
+	mailgun "github.com/mailgun/mailgun-go/v4"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/authorizerdev/authorizer/server/constants"
+)
+
+const apiURL = "https://api.mailgun.net/v3/%s/messages"
+
+func MailgunRest(to string, data map[string]interface{}, subject string, template string) error {
+	var mailgunAPIKey = os.Getenv("MAILGUN_API_KEY")
+	var mailgunDomain = os.Getenv("MAILGUN_DOMAIN")
+	sender := mailgunDomain + "<noreply@" + mailgunDomain + ">"
+	log.Printf("%r", data)
+	mg := mailgun.NewMailgun(mailgunDomain, mailgunAPIKey)
+	m := mg.NewMessage(sender, subject, "", to)
+	m.SetTemplate(template)
+	m.AddTemplateVariable("verification_url", data["verification_url"])
+	userMap, ok := data["user"].(map[string]interface{})
+	if !ok {
+		log.Println("Error: Unable to retrieve user information from the data map.")
+	}
+	userName, ok := userMap["GivenName"].(string)
+	if ok {
+		m.AddTemplateVariable("username", userName)
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*30)
+	defer cancel()
+
+	resp, id, err := mg.Send(ctx, m)
+
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	fmt.Printf("ID: %s Resp: %s\n", id, resp)
+
+	return err
+}
+
+// SendMailgun function to send
+func SendMailgun(to []string, event string, data map[string]interface{}) error {
+	template := "authorizer_email_confirmation"
+
+	switch event {
+	case constants.VerificationTypeBasicAuthSignup:
+		template = "authorizer_email_confirmation"
+	case constants.VerificationTypeForgotPassword:
+		template = "authorizer_password_reset"
+	case constants.VerificationTypeInviteMember:
+		template = "author_invited"
+	case constants.VerificationTypeMagicLinkLogin:
+		template = "magic_link_login"
+	case constants.VerificationTypeOTP:
+		template = "one_time_password"
+	case constants.VerificationTypeUpdateEmail:
+		template = "email_update"
+	}
+
+	subject := "Подтверждение почты"
+
+	// TODO: language selection logic here
+
+	err := MailgunRest(to[0], data, subject, template)
+
+	// Log the response
+	if err != nil {
+		log.Printf("Error sending email: %v", err)
+	} else {
+		log.Println("Email sent successfully")
+	}
+
+	return err
+}

server/env/env.go

@@ -104,6 +104,8 @@ func InitAllEnv() error {
 	osDisableStrongPassword := os.Getenv(constants.EnvKeyDisableStrongPassword)
 	osEnforceMultiFactorAuthentication := os.Getenv(constants.EnvKeyEnforceMultiFactorAuthentication)
 	osDisableMultiFactorAuthentication := os.Getenv(constants.EnvKeyDisableMultiFactorAuthentication)
+	osDisableTOTPLogin := os.Getenv(constants.EnvKeyDisableTOTPLogin)
+	osDisableMailOTPLogin := os.Getenv(constants.EnvKeyDisableMailOTPLogin)
 	// phone verification var
 	osDisablePhoneVerification := os.Getenv(constants.EnvKeyDisablePhoneVerification)
 	osDisablePlayground := os.Getenv(constants.EnvKeyDisablePlayGround)
@@ -689,20 +691,13 @@ func InitAllEnv() error {
 		envData[constants.EnvKeyDisableEmailVerification] = true
 		envData[constants.EnvKeyDisableMagicLinkLogin] = true
 		envData[constants.EnvKeyIsEmailServiceEnabled] = false
+		envData[constants.EnvKeyDisableMailOTPLogin] = true
 	}
 
 	if envData[constants.EnvKeySmtpHost] != "" && envData[constants.EnvKeySmtpUsername] != "" && envData[constants.EnvKeySmtpPassword] != "" && envData[constants.EnvKeySenderEmail] != "" && envData[constants.EnvKeySmtpPort] != "" {
 		envData[constants.EnvKeyIsEmailServiceEnabled] = true
 	}
 
-	if envData[constants.EnvKeyEnforceMultiFactorAuthentication].(bool) && !envData[constants.EnvKeyIsEmailServiceEnabled].(bool) && !envData[constants.EnvKeyIsSMSServiceEnabled].(bool) {
-		return errors.New("to enable multi factor authentication, please enable email service")
-	}
-
-	if !envData[constants.EnvKeyIsEmailServiceEnabled].(bool) {
-		envData[constants.EnvKeyDisableMultiFactorAuthentication] = true
-	}
-
 	if envData[constants.EnvKeyDisableEmailVerification].(bool) {
 		envData[constants.EnvKeyDisableMagicLinkLogin] = true
 	}
@@ -839,6 +834,33 @@ func InitAllEnv() error {
 			envData[constants.EnvKeyDisablePlayGround] = boolValue
 		}
 	}
+	// TODO: remove after beta launch
+	envData[constants.EnvKeyDisableTOTPLogin] = true
+	if _, ok := envData[constants.EnvKeyDisableTOTPLogin]; !ok {
+		envData[constants.EnvKeyDisableTOTPLogin] = osDisableTOTPLogin == "true"
+	}
+	if osDisableTOTPLogin != "" {
+		boolValue, err := strconv.ParseBool(osDisableTOTPLogin)
+		if err != nil {
+			return err
+		}
+		if boolValue != envData[constants.EnvKeyDisableTOTPLogin].(bool) {
+			envData[constants.EnvKeyDisableTOTPLogin] = boolValue
+		}
+	}
+
+	if _, ok := envData[constants.EnvKeyDisableMailOTPLogin]; !ok {
+		envData[constants.EnvKeyDisableMailOTPLogin] = osDisableMailOTPLogin == "true"
+	}
+	if osDisableMailOTPLogin != "" {
+		boolValue, err := strconv.ParseBool(osDisableMailOTPLogin)
+		if err != nil {
+			return err
+		}
+		if boolValue != envData[constants.EnvKeyDisableMailOTPLogin].(bool) {
+			envData[constants.EnvKeyDisableMailOTPLogin] = boolValue
+		}
+	}
 
 	err = memorystore.Provider.UpdateEnvStore(envData)
 	if err != nil {

server/env/persist_env.go

@@ -196,7 +196,7 @@ func PersistEnv() error {
 				envValue := strings.TrimSpace(os.Getenv(key))
 				if envValue != "" {
 					switch key {
-					case constants.EnvKeyIsProd, constants.EnvKeyDisableBasicAuthentication, constants.EnvKeyDisableMobileBasicAuthentication, constants.EnvKeyDisableEmailVerification, constants.EnvKeyDisableLoginPage, constants.EnvKeyDisableMagicLinkLogin, constants.EnvKeyDisableSignUp, constants.EnvKeyDisableRedisForEnv, constants.EnvKeyDisableStrongPassword, constants.EnvKeyIsEmailServiceEnabled, constants.EnvKeyIsSMSServiceEnabled, constants.EnvKeyEnforceMultiFactorAuthentication, constants.EnvKeyDisableMultiFactorAuthentication, constants.EnvKeyAdminCookieSecure, constants.EnvKeyAppCookieSecure, constants.EnvKeyDisablePhoneVerification, constants.EnvKeyDisablePlayGround:
+					case constants.EnvKeyIsProd, constants.EnvKeyDisableBasicAuthentication, constants.EnvKeyDisableMobileBasicAuthentication, constants.EnvKeyDisableEmailVerification, constants.EnvKeyDisableLoginPage, constants.EnvKeyDisableMagicLinkLogin, constants.EnvKeyDisableSignUp, constants.EnvKeyDisableRedisForEnv, constants.EnvKeyDisableStrongPassword, constants.EnvKeyIsEmailServiceEnabled, constants.EnvKeyIsSMSServiceEnabled, constants.EnvKeyEnforceMultiFactorAuthentication, constants.EnvKeyDisableMultiFactorAuthentication, constants.EnvKeyAdminCookieSecure, constants.EnvKeyAppCookieSecure, constants.EnvKeyDisablePhoneVerification, constants.EnvKeyDisablePlayGround, constants.EnvKeyDisableTOTPLogin, constants.EnvKeyDisableMailOTPLogin:
 						if envValueBool, err := strconv.ParseBool(envValue); err == nil {
 							if value.(bool) != envValueBool {
 								storeData[key] = envValueBool
@@ -218,15 +218,20 @@ func PersistEnv() error {
 		if storeData[constants.EnvKeySmtpHost] == "" || storeData[constants.EnvKeySmtpUsername] == "" || storeData[constants.EnvKeySmtpPassword] == "" || storeData[constants.EnvKeySenderEmail] == "" && storeData[constants.EnvKeySmtpPort] == "" {
 			storeData[constants.EnvKeyIsEmailServiceEnabled] = false
 
-			if !storeData[constants.EnvKeyDisableEmailVerification].(bool) {
+			if val, ok := storeData[constants.EnvKeyDisableEmailVerification]; ok && val != nil && !val.(bool) {
 				storeData[constants.EnvKeyDisableEmailVerification] = true
 				hasChanged = true
 			}
 
-			if !storeData[constants.EnvKeyDisableMagicLinkLogin].(bool) {
+			if val, ok := storeData[constants.EnvKeyDisableMagicLinkLogin]; ok && val != nil && !val.(bool) {
 				storeData[constants.EnvKeyDisableMagicLinkLogin] = true
 				hasChanged = true
 			}
+
+			if val, ok := storeData[constants.EnvKeyDisableMailOTPLogin]; ok && val != nil && !val.(bool) {
+				storeData[constants.EnvKeyDisableMailOTPLogin] = true
+				hasChanged = true
+			}
 		}
 
 		err = memorystore.Provider.UpdateEnvStore(storeData)

server/go.mod

@@ -1,42 +1,128 @@
 module github.com/authorizerdev/authorizer/server
 
-go 1.16
+go 1.21
+
+toolchain go1.21.4
 
 require (
-	github.com/99designs/gqlgen v0.17.20
-	github.com/arangodb/go-driver v1.2.1
-	github.com/aws/aws-sdk-go v1.44.298
-	github.com/coreos/go-oidc/v3 v3.1.0
-	github.com/couchbase/gocb/v2 v2.6.0
-	github.com/gin-gonic/gin v1.8.1
-	github.com/glebarez/sqlite v1.5.0
-	github.com/go-playground/validator/v10 v10.11.1 // indirect
-	github.com/goccy/go-json v0.9.11 // indirect
-	github.com/gocql/gocql v1.2.0
+	github.com/99designs/gqlgen v0.17.39
+	github.com/arangodb/go-driver v1.6.0
+	github.com/aws/aws-sdk-go v1.47.4
+	github.com/coreos/go-oidc/v3 v3.6.0
+	github.com/couchbase/gocb/v2 v2.6.4
+	github.com/ekristen/gorm-libsql v0.0.0-20231101204708-6e113112bcc2
+	github.com/gin-gonic/gin v1.9.1
+	github.com/glebarez/sqlite v1.10.0
+	github.com/gocql/gocql v1.6.0
+	github.com/gokyle/twofactor v1.0.1
 	github.com/golang-jwt/jwt v3.2.2+incompatible
-	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/google/go-cmp v0.5.6 // indirect
-	github.com/google/uuid v1.3.0
-	github.com/guregu/dynamo v1.20.0
-	github.com/joho/godotenv v1.3.0
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/pelletier/go-toml/v2 v2.0.5 // indirect
-	github.com/redis/go-redis/v9 v9.0.3
-	github.com/robertkrimen/otto v0.0.0-20211024170158-b87d35c0b86f
-	github.com/sirupsen/logrus v1.8.1
-	github.com/stretchr/testify v1.8.0
-	github.com/twilio/twilio-go v1.7.2
-	github.com/vektah/gqlparser/v2 v2.5.1
-	go.mongodb.org/mongo-driver v1.8.1
-	golang.org/x/crypto v0.4.0
-	golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914
-	google.golang.org/appengine v1.6.7
-	google.golang.org/protobuf v1.28.1 // indirect
-	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
+	github.com/google/uuid v1.3.1
+	github.com/guregu/dynamo v1.20.2
+	github.com/joho/godotenv v1.5.1
+	github.com/mailgun/mailgun-go/v4 v4.12.0
+	github.com/pquerna/otp v1.4.0
+	github.com/redis/go-redis/v9 v9.2.1
+	github.com/robertkrimen/otto v0.2.1
+	github.com/sirupsen/logrus v1.9.3
+	github.com/stretchr/testify v1.8.4
+	github.com/tuotoo/qrcode v0.0.0-20220425170535-52ccc2bebf5d
+	github.com/twilio/twilio-go v1.14.1
+	github.com/vektah/gqlparser/v2 v2.5.10
+	go.mongodb.org/mongo-driver v1.12.1
+	golang.org/x/crypto v0.14.0
+	golang.org/x/oauth2 v0.13.0
+	google.golang.org/appengine v1.6.8
 	gopkg.in/mail.v2 v2.3.1
 	gopkg.in/square/go-jose.v2 v2.6.0
-	gorm.io/driver/mysql v1.4.3
-	gorm.io/driver/postgres v1.4.7
-	gorm.io/driver/sqlserver v1.4.1
-	gorm.io/gorm v1.24.2
+	gorm.io/driver/mysql v1.5.2
+	gorm.io/driver/postgres v1.5.4
+	gorm.io/driver/sqlserver v1.5.2
+	gorm.io/gorm v1.25.5
+)
+
+require (
+	github.com/agnivade/levenshtein v1.1.1 // indirect
+	github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230512164433-5d1fd1a340c9 // indirect
+	github.com/arangodb/go-velocypack v0.0.0-20200318135517-5af53c29c67e // indirect
+	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
+	github.com/bytedance/sonic v1.9.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311 // indirect
+	github.com/couchbase/gocbcore/v10 v10.2.8 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.2 // indirect
+	github.com/gin-contrib/sse v0.1.0 // indirect
+	github.com/glebarez/go-sqlite v1.21.2 // indirect
+	github.com/go-chi/chi/v5 v5.0.8 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
+	github.com/go-playground/locales v0.14.1 // indirect
+	github.com/go-playground/universal-translator v0.18.1 // indirect
+	github.com/go-playground/validator/v10 v10.14.0 // indirect
+	github.com/go-sql-driver/mysql v1.7.0 // indirect
+	github.com/goccy/go-json v0.10.2 // indirect
+	github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
+	github.com/golang-sql/sqlexp v0.1.0 // indirect
+	github.com/golang/mock v1.6.0 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
+	github.com/gorilla/websocket v1.5.0 // indirect
+	github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed // indirect
+	github.com/hashicorp/golang-lru/v2 v2.0.3 // indirect
+	github.com/jackc/pgpassfile v1.0.0 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
+	github.com/jackc/pgx/v5 v5.4.3 // indirect
+	github.com/jinzhu/inflection v1.0.0 // indirect
+	github.com/jinzhu/now v1.1.5 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/klauspost/compress v1.15.15 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.4 // indirect
+	github.com/leodido/go-urn v1.2.4 // indirect
+	github.com/libsql/libsql-client-go v0.0.0-20231026052543-fce76c0f39a7 // indirect
+	github.com/libsql/sqlite-antlr4-parser v0.0.0-20230802215326-5cb5bb604475 // indirect
+	github.com/maruel/rs v1.1.0 // indirect
+	github.com/mattn/go-isatty v0.0.19 // indirect
+	github.com/microsoft/go-mssqldb v1.6.0 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/montanaflynn/stats v0.7.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.8 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
+	github.com/rogpeppe/go-internal v1.11.0 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/sosodev/duration v1.1.0 // indirect
+	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
+	github.com/ugorji/go/codec v1.2.11 // indirect
+	github.com/urfave/cli/v2 v2.25.5 // indirect
+	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
+	github.com/xdg-go/scram v1.1.2 // indirect
+	github.com/xdg-go/stringprep v1.0.4 // indirect
+	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
+	github.com/youmark/pkcs8 v0.0.0-20181117223130-1be2e3e5546d // indirect
+	golang.org/x/arch v0.3.0 // indirect
+	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
+	golang.org/x/mod v0.10.0 // indirect
+	golang.org/x/net v0.17.0 // indirect
+	golang.org/x/sync v0.3.0 // indirect
+	golang.org/x/sys v0.13.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/tools v0.9.3 // indirect
+	google.golang.org/protobuf v1.31.0 // indirect
+	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/sourcemap.v1 v1.0.5 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	modernc.org/libc v1.22.5 // indirect
+	modernc.org/mathutil v1.5.0 // indirect
+	modernc.org/memory v1.5.0 // indirect
+	modernc.org/sqlite v1.23.1 // indirect
+	nhooyr.io/websocket v1.8.7 // indirect
+	rsc.io/qr v0.2.0 // indirect
 )

server/graph/model/models_gen.go

@@ -6,15 +6,15 @@ type AddEmailTemplateRequest struct {
 	EventName string  `json:"event_name"`
 	Subject   string  `json:"subject"`
 	Template  string  `json:"template"`
-	Design    *string `json:"design"`
+	Design    *string `json:"design,omitempty"`
 }
 
 type AddWebhookRequest struct {
 	EventName        string                 `json:"event_name"`
-	EventDescription *string                `json:"event_description"`
+	EventDescription *string                `json:"event_description,omitempty"`
 	Endpoint         string                 `json:"endpoint"`
 	Enabled          bool                   `json:"enabled"`
-	Headers          map[string]interface{} `json:"headers"`
+	Headers          map[string]interface{} `json:"headers,omitempty"`
 }
 
 type AdminLoginInput struct {
@@ -26,14 +26,18 @@ type AdminSignupInput struct {
 }
 
 type AuthResponse struct {
-	Message                   string  `json:"message"`
-	ShouldShowEmailOtpScreen  *bool   `json:"should_show_email_otp_screen"`
-	ShouldShowMobileOtpScreen *bool   `json:"should_show_mobile_otp_screen"`
-	AccessToken               *string `json:"access_token"`
-	IDToken                   *string `json:"id_token"`
-	RefreshToken              *string `json:"refresh_token"`
-	ExpiresIn                 *int64  `json:"expires_in"`
-	User                      *User   `json:"user"`
+	Message                    string    `json:"message"`
+	ShouldShowEmailOtpScreen   *bool     `json:"should_show_email_otp_screen,omitempty"`
+	ShouldShowMobileOtpScreen  *bool     `json:"should_show_mobile_otp_screen,omitempty"`
+	ShouldShowTotpScreen       *bool     `json:"should_show_totp_screen,omitempty"`
+	AccessToken                *string   `json:"access_token,omitempty"`
+	IDToken                    *string   `json:"id_token,omitempty"`
+	RefreshToken               *string   `json:"refresh_token,omitempty"`
+	ExpiresIn                  *int64    `json:"expires_in,omitempty"`
+	User                       *User     `json:"user,omitempty"`
+	AuthenticatorScannerImage  *string   `json:"authenticator_scanner_image,omitempty"`
+	AuthenticatorSecret        *string   `json:"authenticator_secret,omitempty"`
+	AuthenticatorRecoveryCodes []*string `json:"authenticator_recovery_codes,omitempty"`
 }
 
 type DeleteEmailTemplateRequest struct {
@@ -50,8 +54,8 @@ type EmailTemplate struct {
 	Template  string `json:"template"`
 	Design    string `json:"design"`
 	Subject   string `json:"subject"`
-	CreatedAt *int64 `json:"created_at"`
-	UpdatedAt *int64 `json:"updated_at"`
+	CreatedAt *int64 `json:"created_at,omitempty"`
+	UpdatedAt *int64 `json:"updated_at,omitempty"`
 }
 
 type EmailTemplates struct {
@@ -60,33 +64,33 @@ type EmailTemplates struct {
 }
 
 type Env struct {
-	AccessTokenExpiryTime            *string  `json:"ACCESS_TOKEN_EXPIRY_TIME"`
-	AdminSecret                      *string  `json:"ADMIN_SECRET"`
-	DatabaseName                     *string  `json:"DATABASE_NAME"`
-	DatabaseURL                      *string  `json:"DATABASE_URL"`
-	DatabaseType                     *string  `json:"DATABASE_TYPE"`
-	DatabaseUsername                 *string  `json:"DATABASE_USERNAME"`
-	DatabasePassword                 *string  `json:"DATABASE_PASSWORD"`
-	DatabaseHost                     *string  `json:"DATABASE_HOST"`
-	DatabasePort                     *string  `json:"DATABASE_PORT"`
+	AccessTokenExpiryTime            *string  `json:"ACCESS_TOKEN_EXPIRY_TIME,omitempty"`
+	AdminSecret                      *string  `json:"ADMIN_SECRET,omitempty"`
+	DatabaseName                     *string  `json:"DATABASE_NAME,omitempty"`
+	DatabaseURL                      *string  `json:"DATABASE_URL,omitempty"`
+	DatabaseType                     *string  `json:"DATABASE_TYPE,omitempty"`
+	DatabaseUsername                 *string  `json:"DATABASE_USERNAME,omitempty"`
+	DatabasePassword                 *string  `json:"DATABASE_PASSWORD,omitempty"`
+	DatabaseHost                     *string  `json:"DATABASE_HOST,omitempty"`
+	DatabasePort                     *string  `json:"DATABASE_PORT,omitempty"`
 	ClientID                         string   `json:"CLIENT_ID"`
 	ClientSecret                     string   `json:"CLIENT_SECRET"`
-	CustomAccessTokenScript          *string  `json:"CUSTOM_ACCESS_TOKEN_SCRIPT"`
-	SMTPHost                         *string  `json:"SMTP_HOST"`
-	SMTPPort                         *string  `json:"SMTP_PORT"`
-	SMTPUsername                     *string  `json:"SMTP_USERNAME"`
-	SMTPPassword                     *string  `json:"SMTP_PASSWORD"`
-	SMTPLocalName                    *string  `json:"SMTP_LOCAL_NAME"`
-	SenderEmail                      *string  `json:"SENDER_EMAIL"`
-	SenderName                       *string  `json:"SENDER_NAME"`
-	JwtType                          *string  `json:"JWT_TYPE"`
-	JwtSecret                        *string  `json:"JWT_SECRET"`
-	JwtPrivateKey                    *string  `json:"JWT_PRIVATE_KEY"`
-	JwtPublicKey                     *string  `json:"JWT_PUBLIC_KEY"`
-	AllowedOrigins                   []string `json:"ALLOWED_ORIGINS"`
-	AppURL                           *string  `json:"APP_URL"`
-	RedisURL                         *string  `json:"REDIS_URL"`
-	ResetPasswordURL                 *string  `json:"RESET_PASSWORD_URL"`
+	CustomAccessTokenScript          *string  `json:"CUSTOM_ACCESS_TOKEN_SCRIPT,omitempty"`
+	SMTPHost                         *string  `json:"SMTP_HOST,omitempty"`
+	SMTPPort                         *string  `json:"SMTP_PORT,omitempty"`
+	SMTPUsername                     *string  `json:"SMTP_USERNAME,omitempty"`
+	SMTPPassword                     *string  `json:"SMTP_PASSWORD,omitempty"`
+	SMTPLocalName                    *string  `json:"SMTP_LOCAL_NAME,omitempty"`
+	SenderEmail                      *string  `json:"SENDER_EMAIL,omitempty"`
+	SenderName                       *string  `json:"SENDER_NAME,omitempty"`
+	JwtType                          *string  `json:"JWT_TYPE,omitempty"`
+	JwtSecret                        *string  `json:"JWT_SECRET,omitempty"`
+	JwtPrivateKey                    *string  `json:"JWT_PRIVATE_KEY,omitempty"`
+	JwtPublicKey                     *string  `json:"JWT_PUBLIC_KEY,omitempty"`
+	AllowedOrigins                   []string `json:"ALLOWED_ORIGINS,omitempty"`
+	AppURL                           *string  `json:"APP_URL,omitempty"`
+	RedisURL                         *string  `json:"REDIS_URL,omitempty"`
+	ResetPasswordURL                 *string  `json:"RESET_PASSWORD_URL,omitempty"`
 	DisableEmailVerification         bool     `json:"DISABLE_EMAIL_VERIFICATION"`
 	DisableBasicAuthentication       bool     `json:"DISABLE_BASIC_AUTHENTICATION"`
 	DisableMagicLinkLogin            bool     `json:"DISABLE_MAGIC_LINK_LOGIN"`
@@ -96,32 +100,38 @@ type Env struct {
 	DisableStrongPassword            bool     `json:"DISABLE_STRONG_PASSWORD"`
 	DisableMultiFactorAuthentication bool     `json:"DISABLE_MULTI_FACTOR_AUTHENTICATION"`
 	EnforceMultiFactorAuthentication bool     `json:"ENFORCE_MULTI_FACTOR_AUTHENTICATION"`
-	Roles                            []string `json:"ROLES"`
-	ProtectedRoles                   []string `json:"PROTECTED_ROLES"`
-	DefaultRoles                     []string `json:"DEFAULT_ROLES"`
-	JwtRoleClaim                     *string  `json:"JWT_ROLE_CLAIM"`
-	GoogleClientID                   *string  `json:"GOOGLE_CLIENT_ID"`
-	GoogleClientSecret               *string  `json:"GOOGLE_CLIENT_SECRET"`
-	GithubClientID                   *string  `json:"GITHUB_CLIENT_ID"`
-	GithubClientSecret               *string  `json:"GITHUB_CLIENT_SECRET"`
-	FacebookClientID                 *string  `json:"FACEBOOK_CLIENT_ID"`
-	FacebookClientSecret             *string  `json:"FACEBOOK_CLIENT_SECRET"`
-	LinkedinClientID                 *string  `json:"LINKEDIN_CLIENT_ID"`
-	LinkedinClientSecret             *string  `json:"LINKEDIN_CLIENT_SECRET"`
-	AppleClientID                    *string  `json:"APPLE_CLIENT_ID"`
-	AppleClientSecret                *string  `json:"APPLE_CLIENT_SECRET"`
-	TwitterClientID                  *string  `json:"TWITTER_CLIENT_ID"`
-	TwitterClientSecret              *string  `json:"TWITTER_CLIENT_SECRET"`
-	MicrosoftClientID                *string  `json:"MICROSOFT_CLIENT_ID"`
-	MicrosoftClientSecret            *string  `json:"MICROSOFT_CLIENT_SECRET"`
-	MicrosoftActiveDirectoryTenantID *string  `json:"MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID"`
-	OrganizationName                 *string  `json:"ORGANIZATION_NAME"`
-	OrganizationLogo                 *string  `json:"ORGANIZATION_LOGO"`
+	Roles                            []string `json:"ROLES,omitempty"`
+	ProtectedRoles                   []string `json:"PROTECTED_ROLES,omitempty"`
+	DefaultRoles                     []string `json:"DEFAULT_ROLES,omitempty"`
+	JwtRoleClaim                     *string  `json:"JWT_ROLE_CLAIM,omitempty"`
+	GoogleClientID                   *string  `json:"GOOGLE_CLIENT_ID,omitempty"`
+	GoogleClientSecret               *string  `json:"GOOGLE_CLIENT_SECRET,omitempty"`
+	GithubClientID                   *string  `json:"GITHUB_CLIENT_ID,omitempty"`
+	GithubClientSecret               *string  `json:"GITHUB_CLIENT_SECRET,omitempty"`
+	FacebookClientID                 *string  `json:"FACEBOOK_CLIENT_ID,omitempty"`
+	FacebookClientSecret             *string  `json:"FACEBOOK_CLIENT_SECRET,omitempty"`
+	LinkedinClientID                 *string  `json:"LINKEDIN_CLIENT_ID,omitempty"`
+	LinkedinClientSecret             *string  `json:"LINKEDIN_CLIENT_SECRET,omitempty"`
+	AppleClientID                    *string  `json:"APPLE_CLIENT_ID,omitempty"`
+	AppleClientSecret                *string  `json:"APPLE_CLIENT_SECRET,omitempty"`
+	DiscordClientID                  *string  `json:"DISCORD_CLIENT_ID,omitempty"`
+	DiscordClientSecret              *string  `json:"DISCORD_CLIENT_SECRET,omitempty"`
+	TwitterClientID                  *string  `json:"TWITTER_CLIENT_ID,omitempty"`
+	TwitterClientSecret              *string  `json:"TWITTER_CLIENT_SECRET,omitempty"`
+	MicrosoftClientID                *string  `json:"MICROSOFT_CLIENT_ID,omitempty"`
+	MicrosoftClientSecret            *string  `json:"MICROSOFT_CLIENT_SECRET,omitempty"`
+	MicrosoftActiveDirectoryTenantID *string  `json:"MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID,omitempty"`
+	TwitchClientID                   *string  `json:"TWITCH_CLIENT_ID,omitempty"`
+	TwitchClientSecret               *string  `json:"TWITCH_CLIENT_SECRET,omitempty"`
+	OrganizationName                 *string  `json:"ORGANIZATION_NAME,omitempty"`
+	OrganizationLogo                 *string  `json:"ORGANIZATION_LOGO,omitempty"`
 	AppCookieSecure                  bool     `json:"APP_COOKIE_SECURE"`
 	AdminCookieSecure                bool     `json:"ADMIN_COOKIE_SECURE"`
-	DefaultAuthorizeResponseType     *string  `json:"DEFAULT_AUTHORIZE_RESPONSE_TYPE"`
-	DefaultAuthorizeResponseMode     *string  `json:"DEFAULT_AUTHORIZE_RESPONSE_MODE"`
+	DefaultAuthorizeResponseType     *string  `json:"DEFAULT_AUTHORIZE_RESPONSE_TYPE,omitempty"`
+	DefaultAuthorizeResponseMode     *string  `json:"DEFAULT_AUTHORIZE_RESPONSE_MODE,omitempty"`
 	DisablePlayground                bool     `json:"DISABLE_PLAYGROUND"`
+	DisableMailOtpLogin              bool     `json:"DISABLE_MAIL_OTP_LOGIN"`
+	DisableTotpLogin                 bool     `json:"DISABLE_TOTP_LOGIN"`
 }
 
 type Error struct {
@@ -130,9 +140,15 @@ type Error struct {
 }
 
 type ForgotPasswordInput struct {
-	Email       string  `json:"email"`
-	State       *string `json:"state"`
-	RedirectURI *string `json:"redirect_uri"`
+	Email       *string `json:"email,omitempty"`
+	PhoneNumber *string `json:"phone_number,omitempty"`
+	State       *string `json:"state,omitempty"`
+	RedirectURI *string `json:"redirect_uri,omitempty"`
+}
+
+type ForgotPasswordResponse struct {
+	Message                   string `json:"message"`
+	ShouldShowMobileOtpScreen *bool  `json:"should_show_mobile_otp_screen,omitempty"`
 }
 
 type GenerateJWTKeysInput struct {
@@ -140,19 +156,19 @@ type GenerateJWTKeysInput struct {
 }
 
 type GenerateJWTKeysResponse struct {
-	Secret     *string `json:"secret"`
-	PublicKey  *string `json:"public_key"`
-	PrivateKey *string `json:"private_key"`
+	Secret     *string `json:"secret,omitempty"`
+	PublicKey  *string `json:"public_key,omitempty"`
+	PrivateKey *string `json:"private_key,omitempty"`
 }
 
 type GetUserRequest struct {
-	ID    *string `json:"id"`
-	Email *string `json:"email"`
+	ID    *string `json:"id,omitempty"`
+	Email *string `json:"email,omitempty"`
 }
 
 type InviteMemberInput struct {
 	Emails      []string `json:"emails"`
-	RedirectURI *string  `json:"redirect_uri"`
+	RedirectURI *string  `json:"redirect_uri,omitempty"`
 }
 
 type InviteMembersResponse struct {
@@ -161,70 +177,75 @@ type InviteMembersResponse struct {
 }
 
 type ListWebhookLogRequest struct {
-	Pagination *PaginationInput `json:"pagination"`
-	WebhookID  *string          `json:"webhook_id"`
+	Pagination *PaginationInput `json:"pagination,omitempty"`
+	WebhookID  *string          `json:"webhook_id,omitempty"`
 }
 
 type LoginInput struct {
-	Email    string   `json:"email"`
-	Password string   `json:"password"`
-	Roles    []string `json:"roles"`
-	Scope    []string `json:"scope"`
-	State    *string  `json:"state"`
+	Email       *string  `json:"email,omitempty"`
+	PhoneNumber *string  `json:"phone_number,omitempty"`
+	Password    string   `json:"password"`
+	Roles       []string `json:"roles,omitempty"`
+	Scope       []string `json:"scope,omitempty"`
+	State       *string  `json:"state,omitempty"`
 }
 
 type MagicLinkLoginInput struct {
 	Email       string   `json:"email"`
-	Roles       []string `json:"roles"`
-	Scope       []string `json:"scope"`
-	State       *string  `json:"state"`
-	RedirectURI *string  `json:"redirect_uri"`
+	Roles       []string `json:"roles,omitempty"`
+	Scope       []string `json:"scope,omitempty"`
+	State       *string  `json:"state,omitempty"`
+	RedirectURI *string  `json:"redirect_uri,omitempty"`
 }
 
 type Meta struct {
-	Version                      string `json:"version"`
-	ClientID                     string `json:"client_id"`
-	IsGoogleLoginEnabled         bool   `json:"is_google_login_enabled"`
-	IsFacebookLoginEnabled       bool   `json:"is_facebook_login_enabled"`
-	IsGithubLoginEnabled         bool   `json:"is_github_login_enabled"`
-	IsLinkedinLoginEnabled       bool   `json:"is_linkedin_login_enabled"`
-	IsAppleLoginEnabled          bool   `json:"is_apple_login_enabled"`
-	IsTwitterLoginEnabled        bool   `json:"is_twitter_login_enabled"`
-	IsMicrosoftLoginEnabled      bool   `json:"is_microsoft_login_enabled"`
-	IsEmailVerificationEnabled   bool   `json:"is_email_verification_enabled"`
-	IsBasicAuthenticationEnabled bool   `json:"is_basic_authentication_enabled"`
-	IsMagicLinkLoginEnabled      bool   `json:"is_magic_link_login_enabled"`
-	IsSignUpEnabled              bool   `json:"is_sign_up_enabled"`
-	IsStrongPasswordEnabled      bool   `json:"is_strong_password_enabled"`
-	IsMultiFactorAuthEnabled     bool   `json:"is_multi_factor_auth_enabled"`
+	Version                            string `json:"version"`
+	ClientID                           string `json:"client_id"`
+	IsGoogleLoginEnabled               bool   `json:"is_google_login_enabled"`
+	IsFacebookLoginEnabled             bool   `json:"is_facebook_login_enabled"`
+	IsGithubLoginEnabled               bool   `json:"is_github_login_enabled"`
+	IsLinkedinLoginEnabled             bool   `json:"is_linkedin_login_enabled"`
+	IsAppleLoginEnabled                bool   `json:"is_apple_login_enabled"`
+	IsDiscordLoginEnabled              bool   `json:"is_discord_login_enabled"`
+	IsTwitterLoginEnabled              bool   `json:"is_twitter_login_enabled"`
+	IsMicrosoftLoginEnabled            bool   `json:"is_microsoft_login_enabled"`
+	IsTwitchLoginEnabled               bool   `json:"is_twitch_login_enabled"`
+	IsEmailVerificationEnabled         bool   `json:"is_email_verification_enabled"`
+	IsBasicAuthenticationEnabled       bool   `json:"is_basic_authentication_enabled"`
+	IsMagicLinkLoginEnabled            bool   `json:"is_magic_link_login_enabled"`
+	IsSignUpEnabled                    bool   `json:"is_sign_up_enabled"`
+	IsStrongPasswordEnabled            bool   `json:"is_strong_password_enabled"`
+	IsMultiFactorAuthEnabled           bool   `json:"is_multi_factor_auth_enabled"`
+	IsMobileBasicAuthenticationEnabled bool   `json:"is_mobile_basic_authentication_enabled"`
+	IsPhoneVerificationEnabled         bool   `json:"is_phone_verification_enabled"`
 }
 
 type MobileLoginInput struct {
 	PhoneNumber string   `json:"phone_number"`
 	Password    string   `json:"password"`
-	Roles       []string `json:"roles"`
-	Scope       []string `json:"scope"`
-	State       *string  `json:"state"`
+	Roles       []string `json:"roles,omitempty"`
+	Scope       []string `json:"scope,omitempty"`
+	State       *string  `json:"state,omitempty"`
 }
 
 type MobileSignUpInput struct {
-	Email                    *string                `json:"email"`
-	GivenName                *string                `json:"given_name"`
-	FamilyName               *string                `json:"family_name"`
-	MiddleName               *string                `json:"middle_name"`
-	Nickname                 *string                `json:"nickname"`
-	Gender                   *string                `json:"gender"`
-	Birthdate                *string                `json:"birthdate"`
+	Email                    *string                `json:"email,omitempty"`
+	GivenName                *string                `json:"given_name,omitempty"`
+	FamilyName               *string                `json:"family_name,omitempty"`
+	MiddleName               *string                `json:"middle_name,omitempty"`
+	Nickname                 *string                `json:"nickname,omitempty"`
+	Gender                   *string                `json:"gender,omitempty"`
+	Birthdate                *string                `json:"birthdate,omitempty"`
 	PhoneNumber              string                 `json:"phone_number"`
-	Picture                  *string                `json:"picture"`
+	Picture                  *string                `json:"picture,omitempty"`
 	Password                 string                 `json:"password"`
 	ConfirmPassword          string                 `json:"confirm_password"`
-	Roles                    []string               `json:"roles"`
-	Scope                    []string               `json:"scope"`
-	RedirectURI              *string                `json:"redirect_uri"`
-	IsMultiFactorAuthEnabled *bool                  `json:"is_multi_factor_auth_enabled"`
-	State                    *string                `json:"state"`
-	AppData                  map[string]interface{} `json:"app_data"`
+	Roles                    []string               `json:"roles,omitempty"`
+	Scope                    []string               `json:"scope,omitempty"`
+	RedirectURI              *string                `json:"redirect_uri,omitempty"`
+	IsMultiFactorAuthEnabled *bool                  `json:"is_multi_factor_auth_enabled,omitempty"`
+	State                    *string                `json:"state,omitempty"`
+	AppData                  map[string]interface{} `json:"app_data,omitempty"`
 }
 
 type OAuthRevokeInput struct {
@@ -232,7 +253,7 @@ type OAuthRevokeInput struct {
 }
 
 type PaginatedInput struct {
-	Pagination *PaginationInput `json:"pagination"`
+	Pagination *PaginationInput `json:"pagination,omitempty"`
 }
 
 type Pagination struct {
@@ -243,26 +264,28 @@ type Pagination struct {
 }
 
 type PaginationInput struct {
-	Limit *int64 `json:"limit"`
-	Page  *int64 `json:"page"`
+	Limit *int64 `json:"limit,omitempty"`
+	Page  *int64 `json:"page,omitempty"`
 }
 
 type ResendOTPRequest struct {
-	Email       *string `json:"email"`
-	PhoneNumber *string `json:"phone_number"`
-	State       *string `json:"state"`
+	Email       *string `json:"email,omitempty"`
+	PhoneNumber *string `json:"phone_number,omitempty"`
+	State       *string `json:"state,omitempty"`
 }
 
 type ResendVerifyEmailInput struct {
 	Email      string  `json:"email"`
 	Identifier string  `json:"identifier"`
-	State      *string `json:"state"`
+	State      *string `json:"state,omitempty"`
 }
 
 type ResetPasswordInput struct {
-	Token           string `json:"token"`
-	Password        string `json:"password"`
-	ConfirmPassword string `json:"confirm_password"`
+	Token           *string `json:"token,omitempty"`
+	Otp             *string `json:"otp,omitempty"`
+	PhoneNumber     *string `json:"phone_number,omitempty"`
+	Password        string  `json:"password"`
+	ConfirmPassword string  `json:"confirm_password"`
 }
 
 type Response struct {
@@ -275,44 +298,44 @@ type SMSVerificationRequests struct {
 	CodeExpiresAt int64  `json:"code_expires_at"`
 	PhoneNumber   string `json:"phone_number"`
 	CreatedAt     int64  `json:"created_at"`
-	UpdatedAt     *int64 `json:"updated_at"`
+	UpdatedAt     *int64 `json:"updated_at,omitempty"`
 }
 
 type SessionQueryInput struct {
-	Roles []string `json:"roles"`
-	Scope []string `json:"scope"`
+	Roles []string `json:"roles,omitempty"`
+	Scope []string `json:"scope,omitempty"`
 }
 
 type SignUpInput struct {
-	Email                    string                 `json:"email"`
-	GivenName                *string                `json:"given_name"`
-	FamilyName               *string                `json:"family_name"`
-	MiddleName               *string                `json:"middle_name"`
-	Nickname                 *string                `json:"nickname"`
-	Gender                   *string                `json:"gender"`
-	Birthdate                *string                `json:"birthdate"`
-	PhoneNumber              *string                `json:"phone_number"`
-	Picture                  *string                `json:"picture"`
+	Email                    *string                `json:"email,omitempty"`
+	GivenName                *string                `json:"given_name,omitempty"`
+	FamilyName               *string                `json:"family_name,omitempty"`
+	MiddleName               *string                `json:"middle_name,omitempty"`
+	Nickname                 *string                `json:"nickname,omitempty"`
+	Gender                   *string                `json:"gender,omitempty"`
+	Birthdate                *string                `json:"birthdate,omitempty"`
+	PhoneNumber              *string                `json:"phone_number,omitempty"`
+	Picture                  *string                `json:"picture,omitempty"`
 	Password                 string                 `json:"password"`
 	ConfirmPassword          string                 `json:"confirm_password"`
-	Roles                    []string               `json:"roles"`
-	Scope                    []string               `json:"scope"`
-	RedirectURI              *string                `json:"redirect_uri"`
-	IsMultiFactorAuthEnabled *bool                  `json:"is_multi_factor_auth_enabled"`
-	State                    *string                `json:"state"`
-	AppData                  map[string]interface{} `json:"app_data"`
+	Roles                    []string               `json:"roles,omitempty"`
+	Scope                    []string               `json:"scope,omitempty"`
+	RedirectURI              *string                `json:"redirect_uri,omitempty"`
+	IsMultiFactorAuthEnabled *bool                  `json:"is_multi_factor_auth_enabled,omitempty"`
+	State                    *string                `json:"state,omitempty"`
+	AppData                  map[string]interface{} `json:"app_data,omitempty"`
 }
 
 type TestEndpointRequest struct {
 	Endpoint         string                 `json:"endpoint"`
 	EventName        string                 `json:"event_name"`
-	EventDescription *string                `json:"event_description"`
-	Headers          map[string]interface{} `json:"headers"`
+	EventDescription *string                `json:"event_description,omitempty"`
+	Headers          map[string]interface{} `json:"headers,omitempty"`
 }
 
 type TestEndpointResponse struct {
-	HTTPStatus *int64  `json:"http_status"`
-	Response   *string `json:"response"`
+	HTTPStatus *int64  `json:"http_status,omitempty"`
+	Response   *string `json:"response,omitempty"`
 }
 
 type UpdateAccessInput struct {
@@ -321,132 +344,138 @@ type UpdateAccessInput struct {
 
 type UpdateEmailTemplateRequest struct {
 	ID        string  `json:"id"`
-	EventName *string `json:"event_name"`
-	Template  *string `json:"template"`
-	Subject   *string `json:"subject"`
-	Design    *string `json:"design"`
+	EventName *string `json:"event_name,omitempty"`
+	Template  *string `json:"template,omitempty"`
+	Subject   *string `json:"subject,omitempty"`
+	Design    *string `json:"design,omitempty"`
 }
 
 type UpdateEnvInput struct {
-	AccessTokenExpiryTime            *string  `json:"ACCESS_TOKEN_EXPIRY_TIME"`
-	AdminSecret                      *string  `json:"ADMIN_SECRET"`
-	CustomAccessTokenScript          *string  `json:"CUSTOM_ACCESS_TOKEN_SCRIPT"`
-	OldAdminSecret                   *string  `json:"OLD_ADMIN_SECRET"`
-	SMTPHost                         *string  `json:"SMTP_HOST"`
-	SMTPPort                         *string  `json:"SMTP_PORT"`
-	SMTPUsername                     *string  `json:"SMTP_USERNAME"`
-	SMTPPassword                     *string  `json:"SMTP_PASSWORD"`
-	SMTPLocalName                    *string  `json:"SMTP_LOCAL_NAME"`
-	SenderEmail                      *string  `json:"SENDER_EMAIL"`
-	SenderName                       *string  `json:"SENDER_NAME"`
-	JwtType                          *string  `json:"JWT_TYPE"`
-	JwtSecret                        *string  `json:"JWT_SECRET"`
-	JwtPrivateKey                    *string  `json:"JWT_PRIVATE_KEY"`
-	JwtPublicKey                     *string  `json:"JWT_PUBLIC_KEY"`
-	AllowedOrigins                   []string `json:"ALLOWED_ORIGINS"`
-	AppURL                           *string  `json:"APP_URL"`
-	ResetPasswordURL                 *string  `json:"RESET_PASSWORD_URL"`
-	AppCookieSecure                  *bool    `json:"APP_COOKIE_SECURE"`
-	AdminCookieSecure                *bool    `json:"ADMIN_COOKIE_SECURE"`
-	DisableEmailVerification         *bool    `json:"DISABLE_EMAIL_VERIFICATION"`
-	DisableBasicAuthentication       *bool    `json:"DISABLE_BASIC_AUTHENTICATION"`
-	DisableMagicLinkLogin            *bool    `json:"DISABLE_MAGIC_LINK_LOGIN"`
-	DisableLoginPage                 *bool    `json:"DISABLE_LOGIN_PAGE"`
-	DisableSignUp                    *bool    `json:"DISABLE_SIGN_UP"`
-	DisableRedisForEnv               *bool    `json:"DISABLE_REDIS_FOR_ENV"`
-	DisableStrongPassword            *bool    `json:"DISABLE_STRONG_PASSWORD"`
-	DisableMultiFactorAuthentication *bool    `json:"DISABLE_MULTI_FACTOR_AUTHENTICATION"`
-	EnforceMultiFactorAuthentication *bool    `json:"ENFORCE_MULTI_FACTOR_AUTHENTICATION"`
-	Roles                            []string `json:"ROLES"`
-	ProtectedRoles                   []string `json:"PROTECTED_ROLES"`
-	DefaultRoles                     []string `json:"DEFAULT_ROLES"`
-	JwtRoleClaim                     *string  `json:"JWT_ROLE_CLAIM"`
-	GoogleClientID                   *string  `json:"GOOGLE_CLIENT_ID"`
-	GoogleClientSecret               *string  `json:"GOOGLE_CLIENT_SECRET"`
-	GithubClientID                   *string  `json:"GITHUB_CLIENT_ID"`
-	GithubClientSecret               *string  `json:"GITHUB_CLIENT_SECRET"`
-	FacebookClientID                 *string  `json:"FACEBOOK_CLIENT_ID"`
-	FacebookClientSecret             *string  `json:"FACEBOOK_CLIENT_SECRET"`
-	LinkedinClientID                 *string  `json:"LINKEDIN_CLIENT_ID"`
-	LinkedinClientSecret             *string  `json:"LINKEDIN_CLIENT_SECRET"`
-	AppleClientID                    *string  `json:"APPLE_CLIENT_ID"`
-	AppleClientSecret                *string  `json:"APPLE_CLIENT_SECRET"`
-	TwitterClientID                  *string  `json:"TWITTER_CLIENT_ID"`
-	TwitterClientSecret              *string  `json:"TWITTER_CLIENT_SECRET"`
-	MicrosoftClientID                *string  `json:"MICROSOFT_CLIENT_ID"`
-	MicrosoftClientSecret            *string  `json:"MICROSOFT_CLIENT_SECRET"`
-	MicrosoftActiveDirectoryTenantID *string  `json:"MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID"`
-	OrganizationName                 *string  `json:"ORGANIZATION_NAME"`
-	OrganizationLogo                 *string  `json:"ORGANIZATION_LOGO"`
-	DefaultAuthorizeResponseType     *string  `json:"DEFAULT_AUTHORIZE_RESPONSE_TYPE"`
-	DefaultAuthorizeResponseMode     *string  `json:"DEFAULT_AUTHORIZE_RESPONSE_MODE"`
-	DisablePlayground                *bool    `json:"DISABLE_PLAYGROUND"`
+	AccessTokenExpiryTime            *string  `json:"ACCESS_TOKEN_EXPIRY_TIME,omitempty"`
+	AdminSecret                      *string  `json:"ADMIN_SECRET,omitempty"`
+	CustomAccessTokenScript          *string  `json:"CUSTOM_ACCESS_TOKEN_SCRIPT,omitempty"`
+	OldAdminSecret                   *string  `json:"OLD_ADMIN_SECRET,omitempty"`
+	SMTPHost                         *string  `json:"SMTP_HOST,omitempty"`
+	SMTPPort                         *string  `json:"SMTP_PORT,omitempty"`
+	SMTPUsername                     *string  `json:"SMTP_USERNAME,omitempty"`
+	SMTPPassword                     *string  `json:"SMTP_PASSWORD,omitempty"`
+	SMTPLocalName                    *string  `json:"SMTP_LOCAL_NAME,omitempty"`
+	SenderEmail                      *string  `json:"SENDER_EMAIL,omitempty"`
+	SenderName                       *string  `json:"SENDER_NAME,omitempty"`
+	JwtType                          *string  `json:"JWT_TYPE,omitempty"`
+	JwtSecret                        *string  `json:"JWT_SECRET,omitempty"`
+	JwtPrivateKey                    *string  `json:"JWT_PRIVATE_KEY,omitempty"`
+	JwtPublicKey                     *string  `json:"JWT_PUBLIC_KEY,omitempty"`
+	AllowedOrigins                   []string `json:"ALLOWED_ORIGINS,omitempty"`
+	AppURL                           *string  `json:"APP_URL,omitempty"`
+	ResetPasswordURL                 *string  `json:"RESET_PASSWORD_URL,omitempty"`
+	AppCookieSecure                  *bool    `json:"APP_COOKIE_SECURE,omitempty"`
+	AdminCookieSecure                *bool    `json:"ADMIN_COOKIE_SECURE,omitempty"`
+	DisableEmailVerification         *bool    `json:"DISABLE_EMAIL_VERIFICATION,omitempty"`
+	DisableBasicAuthentication       *bool    `json:"DISABLE_BASIC_AUTHENTICATION,omitempty"`
+	DisableMagicLinkLogin            *bool    `json:"DISABLE_MAGIC_LINK_LOGIN,omitempty"`
+	DisableLoginPage                 *bool    `json:"DISABLE_LOGIN_PAGE,omitempty"`
+	DisableSignUp                    *bool    `json:"DISABLE_SIGN_UP,omitempty"`
+	DisableRedisForEnv               *bool    `json:"DISABLE_REDIS_FOR_ENV,omitempty"`
+	DisableStrongPassword            *bool    `json:"DISABLE_STRONG_PASSWORD,omitempty"`
+	DisableMultiFactorAuthentication *bool    `json:"DISABLE_MULTI_FACTOR_AUTHENTICATION,omitempty"`
+	EnforceMultiFactorAuthentication *bool    `json:"ENFORCE_MULTI_FACTOR_AUTHENTICATION,omitempty"`
+	Roles                            []string `json:"ROLES,omitempty"`
+	ProtectedRoles                   []string `json:"PROTECTED_ROLES,omitempty"`
+	DefaultRoles                     []string `json:"DEFAULT_ROLES,omitempty"`
+	JwtRoleClaim                     *string  `json:"JWT_ROLE_CLAIM,omitempty"`
+	GoogleClientID                   *string  `json:"GOOGLE_CLIENT_ID,omitempty"`
+	GoogleClientSecret               *string  `json:"GOOGLE_CLIENT_SECRET,omitempty"`
+	GithubClientID                   *string  `json:"GITHUB_CLIENT_ID,omitempty"`
+	GithubClientSecret               *string  `json:"GITHUB_CLIENT_SECRET,omitempty"`
+	FacebookClientID                 *string  `json:"FACEBOOK_CLIENT_ID,omitempty"`
+	FacebookClientSecret             *string  `json:"FACEBOOK_CLIENT_SECRET,omitempty"`
+	LinkedinClientID                 *string  `json:"LINKEDIN_CLIENT_ID,omitempty"`
+	LinkedinClientSecret             *string  `json:"LINKEDIN_CLIENT_SECRET,omitempty"`
+	AppleClientID                    *string  `json:"APPLE_CLIENT_ID,omitempty"`
+	AppleClientSecret                *string  `json:"APPLE_CLIENT_SECRET,omitempty"`
+	DiscordClientID                  *string  `json:"DISCORD_CLIENT_ID,omitempty"`
+	DiscordClientSecret              *string  `json:"DISCORD_CLIENT_SECRET,omitempty"`
+	TwitterClientID                  *string  `json:"TWITTER_CLIENT_ID,omitempty"`
+	TwitterClientSecret              *string  `json:"TWITTER_CLIENT_SECRET,omitempty"`
+	MicrosoftClientID                *string  `json:"MICROSOFT_CLIENT_ID,omitempty"`
+	MicrosoftClientSecret            *string  `json:"MICROSOFT_CLIENT_SECRET,omitempty"`
+	MicrosoftActiveDirectoryTenantID *string  `json:"MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID,omitempty"`
+	TwitchClientID                   *string  `json:"TWITCH_CLIENT_ID,omitempty"`
+	TwitchClientSecret               *string  `json:"TWITCH_CLIENT_SECRET,omitempty"`
+	OrganizationName                 *string  `json:"ORGANIZATION_NAME,omitempty"`
+	OrganizationLogo                 *string  `json:"ORGANIZATION_LOGO,omitempty"`
+	DefaultAuthorizeResponseType     *string  `json:"DEFAULT_AUTHORIZE_RESPONSE_TYPE,omitempty"`
+	DefaultAuthorizeResponseMode     *string  `json:"DEFAULT_AUTHORIZE_RESPONSE_MODE,omitempty"`
+	DisablePlayground                *bool    `json:"DISABLE_PLAYGROUND,omitempty"`
+	DisableMailOtpLogin              *bool    `json:"DISABLE_MAIL_OTP_LOGIN,omitempty"`
+	DisableTotpLogin                 *bool    `json:"DISABLE_TOTP_LOGIN,omitempty"`
 }
 
 type UpdateProfileInput struct {
-	OldPassword              *string                `json:"old_password"`
-	NewPassword              *string                `json:"new_password"`
-	ConfirmNewPassword       *string                `json:"confirm_new_password"`
-	Email                    *string                `json:"email"`
-	GivenName                *string                `json:"given_name"`
-	FamilyName               *string                `json:"family_name"`
-	MiddleName               *string                `json:"middle_name"`
-	Nickname                 *string                `json:"nickname"`
-	Gender                   *string                `json:"gender"`
-	Birthdate                *string                `json:"birthdate"`
-	PhoneNumber              *string                `json:"phone_number"`
-	Picture                  *string                `json:"picture"`
-	IsMultiFactorAuthEnabled *bool                  `json:"is_multi_factor_auth_enabled"`
-	AppData                  map[string]interface{} `json:"app_data"`
+	OldPassword              *string                `json:"old_password,omitempty"`
+	NewPassword              *string                `json:"new_password,omitempty"`
+	ConfirmNewPassword       *string                `json:"confirm_new_password,omitempty"`
+	Email                    *string                `json:"email,omitempty"`
+	GivenName                *string                `json:"given_name,omitempty"`
+	FamilyName               *string                `json:"family_name,omitempty"`
+	MiddleName               *string                `json:"middle_name,omitempty"`
+	Nickname                 *string                `json:"nickname,omitempty"`
+	Gender                   *string                `json:"gender,omitempty"`
+	Birthdate                *string                `json:"birthdate,omitempty"`
+	PhoneNumber              *string                `json:"phone_number,omitempty"`
+	Picture                  *string                `json:"picture,omitempty"`
+	IsMultiFactorAuthEnabled *bool                  `json:"is_multi_factor_auth_enabled,omitempty"`
+	AppData                  map[string]interface{} `json:"app_data,omitempty"`
 }
 
 type UpdateUserInput struct {
 	ID                       string                 `json:"id"`
-	Email                    *string                `json:"email"`
-	EmailVerified            *bool                  `json:"email_verified"`
-	GivenName                *string                `json:"given_name"`
-	FamilyName               *string                `json:"family_name"`
-	MiddleName               *string                `json:"middle_name"`
-	Nickname                 *string                `json:"nickname"`
-	Gender                   *string                `json:"gender"`
-	Birthdate                *string                `json:"birthdate"`
-	PhoneNumber              *string                `json:"phone_number"`
-	Picture                  *string                `json:"picture"`
-	Roles                    []*string              `json:"roles"`
-	IsMultiFactorAuthEnabled *bool                  `json:"is_multi_factor_auth_enabled"`
-	AppData                  map[string]interface{} `json:"app_data"`
+	Email                    *string                `json:"email,omitempty"`
+	EmailVerified            *bool                  `json:"email_verified,omitempty"`
+	GivenName                *string                `json:"given_name,omitempty"`
+	FamilyName               *string                `json:"family_name,omitempty"`
+	MiddleName               *string                `json:"middle_name,omitempty"`
+	Nickname                 *string                `json:"nickname,omitempty"`
+	Gender                   *string                `json:"gender,omitempty"`
+	Birthdate                *string                `json:"birthdate,omitempty"`
+	PhoneNumber              *string                `json:"phone_number,omitempty"`
+	Picture                  *string                `json:"picture,omitempty"`
+	Roles                    []*string              `json:"roles,omitempty"`
+	IsMultiFactorAuthEnabled *bool                  `json:"is_multi_factor_auth_enabled,omitempty"`
+	AppData                  map[string]interface{} `json:"app_data,omitempty"`
 }
 
 type UpdateWebhookRequest struct {
 	ID               string                 `json:"id"`
-	EventName        *string                `json:"event_name"`
-	EventDescription *string                `json:"event_description"`
-	Endpoint         *string                `json:"endpoint"`
-	Enabled          *bool                  `json:"enabled"`
-	Headers          map[string]interface{} `json:"headers"`
+	EventName        *string                `json:"event_name,omitempty"`
+	EventDescription *string                `json:"event_description,omitempty"`
+	Endpoint         *string                `json:"endpoint,omitempty"`
+	Enabled          *bool                  `json:"enabled,omitempty"`
+	Headers          map[string]interface{} `json:"headers,omitempty"`
 }
 
 type User struct {
 	ID                       string                 `json:"id"`
-	Email                    string                 `json:"email"`
+	Email                    *string                `json:"email,omitempty"`
 	EmailVerified            bool                   `json:"email_verified"`
 	SignupMethods            string                 `json:"signup_methods"`
-	GivenName                *string                `json:"given_name"`
-	FamilyName               *string                `json:"family_name"`
-	MiddleName               *string                `json:"middle_name"`
-	Nickname                 *string                `json:"nickname"`
-	PreferredUsername        *string                `json:"preferred_username"`
-	Gender                   *string                `json:"gender"`
-	Birthdate                *string                `json:"birthdate"`
-	PhoneNumber              *string                `json:"phone_number"`
-	PhoneNumberVerified      *bool                  `json:"phone_number_verified"`
-	Picture                  *string                `json:"picture"`
+	GivenName                *string                `json:"given_name,omitempty"`
+	FamilyName               *string                `json:"family_name,omitempty"`
+	MiddleName               *string                `json:"middle_name,omitempty"`
+	Nickname                 *string                `json:"nickname,omitempty"`
+	PreferredUsername        *string                `json:"preferred_username,omitempty"`
+	Gender                   *string                `json:"gender,omitempty"`
+	Birthdate                *string                `json:"birthdate,omitempty"`
+	PhoneNumber              *string                `json:"phone_number,omitempty"`
+	PhoneNumberVerified      *bool                  `json:"phone_number_verified,omitempty"`
+	Picture                  *string                `json:"picture,omitempty"`
 	Roles                    []string               `json:"roles"`
-	CreatedAt                *int64                 `json:"created_at"`
-	UpdatedAt                *int64                 `json:"updated_at"`
-	RevokedTimestamp         *int64                 `json:"revoked_timestamp"`
-	IsMultiFactorAuthEnabled *bool                  `json:"is_multi_factor_auth_enabled"`
-	AppData                  map[string]interface{} `json:"app_data"`
+	CreatedAt                *int64                 `json:"created_at,omitempty"`
+	UpdatedAt                *int64                 `json:"updated_at,omitempty"`
+	RevokedTimestamp         *int64                 `json:"revoked_timestamp,omitempty"`
+	IsMultiFactorAuthEnabled *bool                  `json:"is_multi_factor_auth_enabled,omitempty"`
+	AppData                  map[string]interface{} `json:"app_data,omitempty"`
 }
 
 type Users struct {
@@ -457,17 +486,17 @@ type Users struct {
 type ValidateJWTTokenInput struct {
 	TokenType string   `json:"token_type"`
 	Token     string   `json:"token"`
-	Roles     []string `json:"roles"`
+	Roles     []string `json:"roles,omitempty"`
 }
 
 type ValidateJWTTokenResponse struct {
 	IsValid bool                   `json:"is_valid"`
-	Claims  map[string]interface{} `json:"claims"`
+	Claims  map[string]interface{} `json:"claims,omitempty"`
 }
 
 type ValidateSessionInput struct {
 	Cookie string   `json:"cookie"`
-	Roles  []string `json:"roles"`
+	Roles  []string `json:"roles,omitempty"`
 }
 
 type ValidateSessionResponse struct {
@@ -477,14 +506,14 @@ type ValidateSessionResponse struct {
 
 type VerificationRequest struct {
 	ID          string  `json:"id"`
-	Identifier  *string `json:"identifier"`
-	Token       *string `json:"token"`
-	Email       *string `json:"email"`
-	Expires     *int64  `json:"expires"`
-	CreatedAt   *int64  `json:"created_at"`
-	UpdatedAt   *int64  `json:"updated_at"`
-	Nonce       *string `json:"nonce"`
-	RedirectURI *string `json:"redirect_uri"`
+	Identifier  *string `json:"identifier,omitempty"`
+	Token       *string `json:"token,omitempty"`
+	Email       *string `json:"email,omitempty"`
+	Expires     *int64  `json:"expires,omitempty"`
+	CreatedAt   *int64  `json:"created_at,omitempty"`
+	UpdatedAt   *int64  `json:"updated_at,omitempty"`
+	Nonce       *string `json:"nonce,omitempty"`
+	RedirectURI *string `json:"redirect_uri,omitempty"`
 }
 
 type VerificationRequests struct {
@@ -494,35 +523,36 @@ type VerificationRequests struct {
 
 type VerifyEmailInput struct {
 	Token string  `json:"token"`
-	State *string `json:"state"`
+	State *string `json:"state,omitempty"`
 }
 
 type VerifyOTPRequest struct {
-	Email       *string `json:"email"`
-	PhoneNumber *string `json:"phone_number"`
+	Email       *string `json:"email,omitempty"`
+	PhoneNumber *string `json:"phone_number,omitempty"`
 	Otp         string  `json:"otp"`
-	State       *string `json:"state"`
+	IsTotp      *bool   `json:"is_totp,omitempty"`
+	State       *string `json:"state,omitempty"`
 }
 
 type Webhook struct {
 	ID               string                 `json:"id"`
-	EventName        *string                `json:"event_name"`
-	EventDescription *string                `json:"event_description"`
-	Endpoint         *string                `json:"endpoint"`
-	Enabled          *bool                  `json:"enabled"`
-	Headers          map[string]interface{} `json:"headers"`
-	CreatedAt        *int64                 `json:"created_at"`
-	UpdatedAt        *int64                 `json:"updated_at"`
+	EventName        *string                `json:"event_name,omitempty"`
+	EventDescription *string                `json:"event_description,omitempty"`
+	Endpoint         *string                `json:"endpoint,omitempty"`
+	Enabled          *bool                  `json:"enabled,omitempty"`
+	Headers          map[string]interface{} `json:"headers,omitempty"`
+	CreatedAt        *int64                 `json:"created_at,omitempty"`
+	UpdatedAt        *int64                 `json:"updated_at,omitempty"`
 }
 
 type WebhookLog struct {
 	ID         string  `json:"id"`
-	HTTPStatus *int64  `json:"http_status"`
-	Response   *string `json:"response"`
-	Request    *string `json:"request"`
-	WebhookID  *string `json:"webhook_id"`
-	CreatedAt  *int64  `json:"created_at"`
-	UpdatedAt  *int64  `json:"updated_at"`
+	HTTPStatus *int64  `json:"http_status,omitempty"`
+	Response   *string `json:"response,omitempty"`
+	Request    *string `json:"request,omitempty"`
+	WebhookID  *string `json:"webhook_id,omitempty"`
+	CreatedAt  *int64  `json:"created_at,omitempty"`
+	UpdatedAt  *int64  `json:"updated_at,omitempty"`
 }
 
 type WebhookLogs struct {

server/graph/schema.graphqls

@@ -20,19 +20,24 @@ type Meta {
   is_github_login_enabled: Boolean!
   is_linkedin_login_enabled: Boolean!
   is_apple_login_enabled: Boolean!
+  is_discord_login_enabled: Boolean!
   is_twitter_login_enabled: Boolean!
   is_microsoft_login_enabled: Boolean!
+  is_twitch_login_enabled: Boolean!
   is_email_verification_enabled: Boolean!
   is_basic_authentication_enabled: Boolean!
   is_magic_link_login_enabled: Boolean!
   is_sign_up_enabled: Boolean!
   is_strong_password_enabled: Boolean!
   is_multi_factor_auth_enabled: Boolean!
+  is_mobile_basic_authentication_enabled: Boolean!
+  is_phone_verification_enabled: Boolean!
 }
 
 type User {
   id: ID!
-  email: String!
+  # email or phone_number is always present
+  email: String
   email_verified: Boolean!
   signup_methods: String!
   given_name: String
@@ -94,17 +99,30 @@ type AuthResponse {
   message: String!
   should_show_email_otp_screen: Boolean
   should_show_mobile_otp_screen: Boolean
+  should_show_totp_screen: Boolean
   access_token: String
   id_token: String
   refresh_token: String
   expires_in: Int64
   user: User
+  # key for totp login
+  # it is a base64 image url
+  authenticator_scanner_image: String
+  # string which can be used instead of scanner image
+  authenticator_secret: String
+  # recovery codes for totp login shared with user only once
+  authenticator_recovery_codes: [String]
 }
 
 type Response {
   message: String!
 }
 
+type ForgotPasswordResponse {
+  message: String!
+  should_show_mobile_otp_screen: Boolean
+}
+
 type InviteMembersResponse {
   message: String!
   Users: [User!]!
@@ -161,11 +179,15 @@ type Env {
   LINKEDIN_CLIENT_SECRET: String
   APPLE_CLIENT_ID: String
   APPLE_CLIENT_SECRET: String
+  DISCORD_CLIENT_ID: String
+  DISCORD_CLIENT_SECRET: String
   TWITTER_CLIENT_ID: String
   TWITTER_CLIENT_SECRET: String
   MICROSOFT_CLIENT_ID: String
   MICROSOFT_CLIENT_SECRET: String
   MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID: String
+  TWITCH_CLIENT_ID: String
+  TWITCH_CLIENT_SECRET: String
   ORGANIZATION_NAME: String
   ORGANIZATION_LOGO: String
   APP_COOKIE_SECURE: Boolean!
@@ -173,6 +195,8 @@ type Env {
   DEFAULT_AUTHORIZE_RESPONSE_TYPE: String
   DEFAULT_AUTHORIZE_RESPONSE_MODE: String
   DISABLE_PLAYGROUND: Boolean!
+  DISABLE_MAIL_OTP_LOGIN: Boolean!
+  DISABLE_TOTP_LOGIN: Boolean!
 }
 
 type ValidateJWTTokenResponse {
@@ -286,16 +310,22 @@ input UpdateEnvInput {
   LINKEDIN_CLIENT_SECRET: String
   APPLE_CLIENT_ID: String
   APPLE_CLIENT_SECRET: String
+  DISCORD_CLIENT_ID: String
+  DISCORD_CLIENT_SECRET: String
   TWITTER_CLIENT_ID: String
   TWITTER_CLIENT_SECRET: String
   MICROSOFT_CLIENT_ID: String
   MICROSOFT_CLIENT_SECRET: String
   MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID: String
+  TWITCH_CLIENT_ID: String
+  TWITCH_CLIENT_SECRET: String
   ORGANIZATION_NAME: String
   ORGANIZATION_LOGO: String
   DEFAULT_AUTHORIZE_RESPONSE_TYPE: String
   DEFAULT_AUTHORIZE_RESPONSE_MODE: String
   DISABLE_PLAYGROUND: Boolean
+  DISABLE_MAIL_OTP_LOGIN: Boolean
+  DISABLE_TOTP_LOGIN: Boolean
 }
 
 input AdminLoginInput {
@@ -306,6 +336,7 @@ input AdminSignupInput {
   admin_secret: String!
 }
 
+# Deprecated from v1.2.0
 input MobileSignUpInput {
   email: String
   given_name: String
@@ -330,7 +361,7 @@ input MobileSignUpInput {
 }
 
 input SignUpInput {
-  email: String!
+  email: String
   given_name: String
   family_name: String
   middle_name: String
@@ -353,7 +384,8 @@ input SignUpInput {
 }
 
 input LoginInput {
-  email: String!
+  email: String
+  phone_number: String
   password: String!
   roles: [String!]
   scope: [String!]
@@ -363,6 +395,7 @@ input LoginInput {
   state: String
 }
 
+# Deprecated from v1.2.0
 input MobileLoginInput {
   phone_number: String!
   password: String!
@@ -426,13 +459,16 @@ input UpdateUserInput {
 }
 
 input ForgotPasswordInput {
-  email: String!
+  email: String
+  phone_number: String
   state: String
   redirect_uri: String
 }
 
 input ResetPasswordInput {
-  token: String!
+  token: String
+  otp: String
+  phone_number: String
   password: String!
   confirm_password: String!
 }
@@ -548,10 +584,11 @@ input DeleteEmailTemplateRequest {
 }
 
 input VerifyOTPRequest {
-  # either email or phone_number is required
+  # either email, phone_number or totp_token is required
   email: String
   phone_number: String
   otp: String!
+  is_totp: Boolean
   # state is used for authorization code grant flow
   # it is used to get code for an on-going auth process during login
   # and use that code for setting `c_hash` in id_token
@@ -574,15 +611,17 @@ input GetUserRequest {
 
 type Mutation {
   signup(params: SignUpInput!): AuthResponse!
+  # Deprecated from v1.2.0
   mobile_signup(params: MobileSignUpInput): AuthResponse!
   login(params: LoginInput!): AuthResponse!
+  # Deprecated from v1.2.0
   mobile_login(params: MobileLoginInput!): AuthResponse!
   magic_link_login(params: MagicLinkLoginInput!): Response!
   logout: Response!
   update_profile(params: UpdateProfileInput!): Response!
   verify_email(params: VerifyEmailInput!): AuthResponse!
   resend_verify_email(params: ResendVerifyEmailInput!): Response!
-  forgot_password(params: ForgotPasswordInput!): Response!
+  forgot_password(params: ForgotPasswordInput!): ForgotPasswordResponse!
   reset_password(params: ResetPasswordInput!): Response!
   revoke(params: OAuthRevokeInput!): Response!
   verify_otp(params: VerifyOTPRequest!): AuthResponse!
@@ -612,6 +651,7 @@ type Query {
   meta: Meta!
   session(params: SessionQueryInput): AuthResponse!
   profile: User!
+  is_registered(email: String!): Response! # custom api
   validate_jwt_token(params: ValidateJWTTokenInput!): ValidateJWTTokenResponse!
   validate_session(params: ValidateSessionInput): ValidateSessionResponse!
   # admin only apis

server/graph/schema.resolvers.go

@@ -2,10 +2,10 @@ package graph
 
 // This file will be automatically regenerated based on the schema, any resolver implementations
 // will be copied through when generating and any unknown code will be moved to the end.
+// Code generated by github.com/99designs/gqlgen version v0.17.39
 
 import (
 	"context"
-	"fmt"
 
 	"github.com/authorizerdev/authorizer/server/graph/generated"
 	"github.com/authorizerdev/authorizer/server/graph/model"
@@ -58,7 +58,7 @@ func (r *mutationResolver) ResendVerifyEmail(ctx context.Context, params model.R
 }
 
 // ForgotPassword is the resolver for the forgot_password field.
-func (r *mutationResolver) ForgotPassword(ctx context.Context, params model.ForgotPasswordInput) (*model.Response, error) {
+func (r *mutationResolver) ForgotPassword(ctx context.Context, params model.ForgotPasswordInput) (*model.ForgotPasswordResponse, error) {
 	return resolvers.ForgotPasswordResolver(ctx, params)
 }
 
@@ -84,7 +84,7 @@ func (r *mutationResolver) ResendOtp(ctx context.Context, params model.ResendOTP
 
 // DeactivateAccount is the resolver for the deactivate_account field.
 func (r *mutationResolver) DeactivateAccount(ctx context.Context) (*model.Response, error) {
-	panic(fmt.Errorf("not implemented: DeactivateAccount - deactivate_account"))
+	return resolvers.DeactivateAccountResolver(ctx)
 }
 
 // DeleteUser is the resolver for the _delete_user field.
@@ -187,6 +187,11 @@ func (r *queryResolver) Profile(ctx context.Context) (*model.User, error) {
 	return resolvers.ProfileResolver(ctx)
 }
 
+// IsRegistered is the resolver for the signup field.
+func (r *queryResolver) IsRegistered(ctx context.Context, email string) (*model.Response, error) {
+	return resolvers.IsRegisteredResolver(ctx, email)
+}
+
 // ValidateJwtToken is the resolver for the validate_jwt_token field.
 func (r *queryResolver) ValidateJwtToken(ctx context.Context, params model.ValidateJWTTokenInput) (*model.ValidateJWTTokenResponse, error) {
 	return resolvers.ValidateJwtTokenResolver(ctx, params)

server/handlers/authorize.go

@@ -55,6 +55,8 @@ import (
 const (
 	authorizeWebMessageTemplate = "authorize_web_message.tmpl"
 	authorizeFormPostTemplate   = "authorize_form_post.tmpl"
+	baseAppPath                 = "/app"
+	signupPath                  = "/app/signup"
 )
 
 // AuthorizeHandler is the handler for the /authorize route
@@ -74,6 +76,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 		clientID := strings.TrimSpace(gc.Query("client_id"))
 		responseMode := strings.TrimSpace(gc.Query("response_mode"))
 		nonce := strings.TrimSpace(gc.Query("nonce"))
+		screenHint := strings.TrimSpace(gc.Query("screen_hint"))
 
 		var scope []string
 		if scopeString == "" {
@@ -120,27 +123,33 @@ func AuthorizeHandler() gin.HandlerFunc {
 
 		// TODO add state with timeout
 		// used for response mode query or fragment
-		loginState := "state=" + state + "&scope=" + strings.Join(scope, " ") + "&redirect_uri=" + redirectURI
+		authState := "state=" + state + "&scope=" + scopeString + "&redirect_uri=" + redirectURI
 		if responseType == constants.ResponseTypeCode {
-			loginState += "&code=" + code
+			authState += "&code=" + code
 			if err := memorystore.Provider.SetState(state, code+"@@"+codeChallenge); err != nil {
 				log.Debug("Error setting temp code", err)
 			}
 		} else {
-			loginState += "&nonce=" + nonce
+			authState += "&nonce=" + nonce
 			if err := memorystore.Provider.SetState(state, nonce); err != nil {
 				log.Debug("Error setting temp code", err)
 			}
 		}
 
-		loginURL := "/app?" + loginState
+		authURL := baseAppPath + "?" + authState
 
-		if responseMode == constants.ResponseModeFragment {
-			loginURL = "/app#" + loginState
+		if screenHint == constants.ScreenHintSignUp {
+			authURL = signupPath + "?" + authState
+		}
+
+		if responseMode == constants.ResponseModeFragment && screenHint == constants.ScreenHintSignUp {
+			authURL = signupPath + "#" + authState
+		} else if responseMode == constants.ResponseModeFragment {
+			authURL = baseAppPath + "#" + authState
 		}
 
 		if responseType == constants.ResponseTypeCode && codeChallenge == "" {
-			handleResponse(gc, responseMode, loginURL, redirectURI, map[string]interface{}{
+			handleResponse(gc, responseMode, authURL, redirectURI, map[string]interface{}{
 				"type": "authorization_response",
 				"response": map[string]interface{}{
 					"error":             "code_challenge_required",
@@ -160,7 +169,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 		sessionToken, err := cookie.GetSession(gc)
 		if err != nil {
 			log.Debug("GetSession failed: ", err)
-			handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
+			handleResponse(gc, responseMode, authURL, redirectURI, loginError, http.StatusOK)
 			return
 		}
 
@@ -168,7 +177,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 		claims, err := token.ValidateBrowserSession(gc, sessionToken)
 		if err != nil {
 			log.Debug("ValidateBrowserSession failed: ", err)
-			handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
+			handleResponse(gc, responseMode, authURL, redirectURI, loginError, http.StatusOK)
 			return
 		}
 
@@ -176,7 +185,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 		user, err := db.Provider.GetUserByID(gc, userID)
 		if err != nil {
 			log.Debug("GetUserByID failed: ", err)
-			handleResponse(gc, responseMode, loginURL, redirectURI, map[string]interface{}{
+			handleResponse(gc, responseMode, authURL, redirectURI, map[string]interface{}{
 				"type": "authorization_response",
 				"response": map[string]interface{}{
 					"error":             "signup_required",
@@ -197,27 +206,27 @@ func AuthorizeHandler() gin.HandlerFunc {
 			newSessionTokenData, newSessionToken, newSessionExpiresAt, err := token.CreateSessionToken(user, nonce, claims.Roles, scope, claims.LoginMethod)
 			if err != nil {
 				log.Debug("CreateSessionToken failed: ", err)
-				handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
+				handleResponse(gc, responseMode, authURL, redirectURI, loginError, http.StatusOK)
 				return
 			}
 
 			// TODO: add state with timeout
 			// if err := memorystore.Provider.SetState(codeChallenge, code+"@"+newSessionToken); err != nil {
 			// 	log.Debug("SetState failed: ", err)
-			// 	handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
+			// 	handleResponse(gc, responseMode, authURL, redirectURI, loginError, http.StatusOK)
 			// 	return
 			// }
 
 			// TODO: add state with timeout
 			if err := memorystore.Provider.SetState(code, codeChallenge+"@@"+newSessionToken); err != nil {
 				log.Debug("SetState failed: ", err)
-				handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
+				handleResponse(gc, responseMode, authURL, redirectURI, loginError, http.StatusOK)
 				return
 			}
 
 			if err := memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+newSessionTokenData.Nonce, newSessionToken, newSessionExpiresAt); err != nil {
 				log.Debug("SetUserSession failed: ", err)
-				handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
+				handleResponse(gc, responseMode, authURL, redirectURI, loginError, http.StatusOK)
 				return
 			}
 
@@ -251,7 +260,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 				}
 			}
 
-			handleResponse(gc, responseMode, loginURL, redirectURI, map[string]interface{}{
+			handleResponse(gc, responseMode, authURL, redirectURI, map[string]interface{}{
 				"type": "authorization_response",
 				"response": map[string]interface{}{
 					"code":  code,
@@ -267,19 +276,19 @@ func AuthorizeHandler() gin.HandlerFunc {
 			authToken, err := token.CreateAuthToken(gc, user, claims.Roles, scope, claims.LoginMethod, nonce, "")
 			if err != nil {
 				log.Debug("CreateAuthToken failed: ", err)
-				handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
+				handleResponse(gc, responseMode, authURL, redirectURI, loginError, http.StatusOK)
 				return
 			}
 
 			if err := memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+nonce, authToken.FingerPrintHash, authToken.SessionTokenExpiresAt); err != nil {
 				log.Debug("SetUserSession failed: ", err)
-				handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
+				handleResponse(gc, responseMode, authURL, redirectURI, loginError, http.StatusOK)
 				return
 			}
 
 			if err := memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+nonce, authToken.AccessToken.Token, authToken.AccessToken.ExpiresAt); err != nil {
 				log.Debug("SetUserSession failed: ", err)
-				handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
+				handleResponse(gc, responseMode, authURL, redirectURI, loginError, http.StatusOK)
 				return
 			}
 
@@ -322,14 +331,14 @@ func AuthorizeHandler() gin.HandlerFunc {
 				}
 			}
 
-			handleResponse(gc, responseMode, loginURL, redirectURI, map[string]interface{}{
+			handleResponse(gc, responseMode, authURL, redirectURI, map[string]interface{}{
 				"type":     "authorization_response",
 				"response": res,
 			}, http.StatusOK)
 			return
 		}
 
-		handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
+		handleResponse(gc, responseMode, authURL, redirectURI, loginError, http.StatusOK)
 	}
 }
 
@@ -352,14 +361,14 @@ func validateAuthorizeRequest(responseType, responseMode, clientID, state, codeC
 	return nil
 }
 
-func handleResponse(gc *gin.Context, responseMode, loginURI, redirectURI string, data map[string]interface{}, httpStatusCode int) {
+func handleResponse(gc *gin.Context, responseMode, authURI, redirectURI string, data map[string]interface{}, httpStatusCode int) {
 	isAuthenticationRequired := false
 	if _, ok := data["response"].(map[string]interface{})["error"]; ok {
 		isAuthenticationRequired = true
 	}
 
 	if isAuthenticationRequired && responseMode != constants.ResponseModeWebMessage {
-		gc.Redirect(http.StatusFound, loginURI)
+		gc.Redirect(http.StatusFound, authURI)
 		return
 	}
 

server/handlers/oauth_callback.go

@@ -7,15 +7,16 @@ import (
 	"fmt"
 	"io"
 	"net/http"
-	"strconv"
 	"strings"
 	"time"
 
+	"golang.org/x/oauth2"
+
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
+
 	log "github.com/sirupsen/logrus"
-	"golang.org/x/oauth2"
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/cookie"
@@ -23,6 +24,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/db/models"
 	"github.com/authorizerdev/authorizer/server/memorystore"
 	"github.com/authorizerdev/authorizer/server/oauth"
+	"github.com/authorizerdev/authorizer/server/refs"
 	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )
@@ -51,7 +53,16 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 		stateValue := sessionSplit[0]
 		redirectURL := sessionSplit[1]
 		inputRoles := strings.Split(sessionSplit[2], ",")
-		scopes := strings.Split(sessionSplit[3], ",")
+		scopeString := sessionSplit[3]
+		scopes := []string{}
+		if scopeString != "" {
+			if strings.Contains(scopeString, ",") {
+				scopes = strings.Split(scopeString, ",")
+			}
+			if strings.Contains(scopeString, " ") {
+				scopes = strings.Split(scopeString, " ")
+			}
+		}
 		var user *models.User
 		oauthCode := ctx.Request.FormValue("code")
 		if oauthCode == "" {
@@ -70,10 +81,14 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 			user, err = processLinkedInUserInfo(ctx, oauthCode)
 		case constants.AuthRecipeMethodApple:
 			user, err = processAppleUserInfo(ctx, oauthCode)
+		case constants.AuthRecipeMethodDiscord:
+			user, err = processDiscordUserInfo(ctx, oauthCode)
 		case constants.AuthRecipeMethodTwitter:
 			user, err = processTwitterUserInfo(ctx, oauthCode, sessionState)
 		case constants.AuthRecipeMethodMicrosoft:
 			user, err = processMicrosoftUserInfo(ctx, oauthCode)
+		case constants.AuthRecipeMethodTwitch:
+			user, err = processTwitchUserInfo(ctx, oauthCode)
 		default:
 			log.Info("Invalid oauth provider")
 			err = fmt.Errorf(`invalid oauth provider`)
@@ -85,7 +100,7 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 			return
 		}
 
-		existingUser, err := db.Provider.GetUserByEmail(ctx, user.Email)
+		existingUser, err := db.Provider.GetUserByEmail(ctx, refs.StringValue(user.Email))
 		log := log.WithField("user", user.Email)
 		isSignUp := false
 
@@ -243,8 +258,9 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 			expiresIn = 1
 		}
 
-		params := "access_token=" + authToken.AccessToken.Token + "&token_type=bearer&expires_in=" + strconv.FormatInt(expiresIn, 10) + "&state=" + stateValue + "&id_token=" + authToken.IDToken.Token + "&nonce=" + nonce
-
+		// params := "access_token=" + authToken.AccessToken.Token + "&token_type=bearer&expires_in=" + strconv.FormatInt(expiresIn, 10) + "&state=" + stateValue + "&id_token=" + authToken.IDToken.Token + "&nonce=" + nonce
+		// Note: If OIDC breaks in the future, use the above params
+		params := "state=" + stateValue + "&nonce=" + nonce
 		if code != "" {
 			params += "&code=" + code
 		}
@@ -284,11 +300,10 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 }
 
 func processGoogleUserInfo(ctx context.Context, code string) (*models.User, error) {
-	var user *models.User
 	oauth2Token, err := oauth.OAuthProviders.GoogleConfig.Exchange(ctx, code)
 	if err != nil {
 		log.Debug("Failed to exchange code for token: ", err)
-		return user, fmt.Errorf("invalid google exchange code: %s", err.Error())
+		return nil, fmt.Errorf("invalid google exchange code: %s", err.Error())
 	}
 	verifier := oauth.OIDCProviders.GoogleOIDC.Verifier(&oidc.Config{ClientID: oauth.OAuthProviders.GoogleConfig.ClientID})
 
@@ -296,36 +311,35 @@ func processGoogleUserInfo(ctx context.Context, code string) (*models.User, erro
 	rawIDToken, ok := oauth2Token.Extra("id_token").(string)
 	if !ok {
 		log.Debug("Failed to extract ID Token from OAuth2 token")
-		return user, fmt.Errorf("unable to extract id_token")
+		return nil, fmt.Errorf("unable to extract id_token")
 	}
 
 	// Parse and verify ID Token payload.
 	idToken, err := verifier.Verify(ctx, rawIDToken)
 	if err != nil {
 		log.Debug("Failed to verify ID Token: ", err)
-		return user, fmt.Errorf("unable to verify id_token: %s", err.Error())
+		return nil, fmt.Errorf("unable to verify id_token: %s", err.Error())
 	}
-
+	user := &models.User{}
 	if err := idToken.Claims(&user); err != nil {
 		log.Debug("Failed to parse ID Token claims: ", err)
-		return user, fmt.Errorf("unable to extract claims")
+		return nil, fmt.Errorf("unable to extract claims")
 	}
 
 	return user, nil
 }
 
 func processGithubUserInfo(ctx context.Context, code string) (*models.User, error) {
-	var user *models.User
 	oauth2Token, err := oauth.OAuthProviders.GithubConfig.Exchange(ctx, code)
 	if err != nil {
 		log.Debug("Failed to exchange code for token: ", err)
-		return user, fmt.Errorf("invalid github exchange code: %s", err.Error())
+		return nil, fmt.Errorf("invalid github exchange code: %s", err.Error())
 	}
 	client := http.Client{}
 	req, err := http.NewRequest("GET", constants.GithubUserInfoURL, nil)
 	if err != nil {
 		log.Debug("Failed to create github user info request: ", err)
-		return user, fmt.Errorf("error creating github user info request: %s", err.Error())
+		return nil, fmt.Errorf("error creating github user info request: %s", err.Error())
 	}
 	req.Header.Set(
 		"Authorization", fmt.Sprintf("token %s", oauth2Token.AccessToken),
@@ -334,18 +348,18 @@ func processGithubUserInfo(ctx context.Context, code string) (*models.User, erro
 	response, err := client.Do(req)
 	if err != nil {
 		log.Debug("Failed to request github user info: ", err)
-		return user, err
+		return nil, err
 	}
 
 	defer response.Body.Close()
 	body, err := io.ReadAll(response.Body)
 	if err != nil {
 		log.Debug("Failed to read github user info response body: ", err)
-		return user, fmt.Errorf("failed to read github response body: %s", err.Error())
+		return nil, fmt.Errorf("failed to read github response body: %s", err.Error())
 	}
 	if response.StatusCode >= 400 {
 		log.Debug("Failed to request github user info: ", string(body))
-		return user, fmt.Errorf("failed to request github user info: %s", string(body))
+		return nil, fmt.Errorf("failed to request github user info: %s", string(body))
 	}
 
 	userRawData := make(map[string]string)
@@ -374,7 +388,7 @@ func processGithubUserInfo(ctx context.Context, code string) (*models.User, erro
 		req, err := http.NewRequest(http.MethodGet, constants.GithubUserEmails, nil)
 		if err != nil {
 			log.Debug("Failed to create github emails request: ", err)
-			return user, fmt.Errorf("error creating github user info request: %s", err.Error())
+			return nil, fmt.Errorf("error creating github user info request: %s", err.Error())
 		}
 		req.Header.Set(
 			"Authorization", fmt.Sprintf("token %s", oauth2Token.AccessToken),
@@ -383,24 +397,25 @@ func processGithubUserInfo(ctx context.Context, code string) (*models.User, erro
 		response, err := client.Do(req)
 		if err != nil {
 			log.Debug("Failed to request github user email: ", err)
-			return user, err
+			return nil, err
 		}
 
 		defer response.Body.Close()
 		body, err := io.ReadAll(response.Body)
 		if err != nil {
 			log.Debug("Failed to read github user email response body: ", err)
-			return user, fmt.Errorf("failed to read github response body: %s", err.Error())
+			return nil, fmt.Errorf("failed to read github response body: %s", err.Error())
 		}
 		if response.StatusCode >= 400 {
 			log.Debug("Failed to request github user email: ", string(body))
-			return user, fmt.Errorf("failed to request github user info: %s", string(body))
+			return nil, fmt.Errorf("failed to request github user info: %s", string(body))
 		}
 
 		emailData := []GithubUserEmails{}
 		err = json.Unmarshal(body, &emailData)
 		if err != nil {
 			log.Debug("Failed to parse github user email: ", err)
+			return nil, fmt.Errorf("failed to parse github user email: %s", err.Error())
 		}
 
 		for _, userEmail := range emailData {
@@ -411,45 +426,44 @@ func processGithubUserInfo(ctx context.Context, code string) (*models.User, erro
 		}
 	}
 
-	user = &models.User{
+	user := &models.User{
 		GivenName:  &firstName,
 		FamilyName: &lastName,
 		Picture:    &picture,
-		Email:      email,
+		Email:      &email,
 	}
 
 	return user, nil
 }
 
 func processFacebookUserInfo(ctx context.Context, code string) (*models.User, error) {
-	var user *models.User
 	oauth2Token, err := oauth.OAuthProviders.FacebookConfig.Exchange(ctx, code)
 	if err != nil {
 		log.Debug("Invalid facebook exchange code: ", err)
-		return user, fmt.Errorf("invalid facebook exchange code: %s", err.Error())
+		return nil, fmt.Errorf("invalid facebook exchange code: %s", err.Error())
 	}
 	client := http.Client{}
 	req, err := http.NewRequest("GET", constants.FacebookUserInfoURL+oauth2Token.AccessToken, nil)
 	if err != nil {
 		log.Debug("Error creating facebook user info request: ", err)
-		return user, fmt.Errorf("error creating facebook user info request: %s", err.Error())
+		return nil, fmt.Errorf("error creating facebook user info request: %s", err.Error())
 	}
 
 	response, err := client.Do(req)
 	if err != nil {
 		log.Debug("Failed to process facebook user: ", err)
-		return user, err
+		return nil, err
 	}
 
 	defer response.Body.Close()
 	body, err := io.ReadAll(response.Body)
 	if err != nil {
 		log.Debug("Failed to read facebook response: ", err)
-		return user, fmt.Errorf("failed to read facebook response body: %s", err.Error())
+		return nil, fmt.Errorf("failed to read facebook response body: %s", err.Error())
 	}
 	if response.StatusCode >= 400 {
 		log.Debug("Failed to request facebook user info: ", string(body))
-		return user, fmt.Errorf("failed to request facebook user info: %s", string(body))
+		return nil, fmt.Errorf("failed to request facebook user info: %s", string(body))
 	}
 	userRawData := make(map[string]interface{})
 	json.Unmarshal(body, &userRawData)
@@ -462,29 +476,28 @@ func processFacebookUserInfo(ctx context.Context, code string) (*models.User, er
 	lastName := fmt.Sprintf("%v", userRawData["last_name"])
 	picture := fmt.Sprintf("%v", picDataObject["url"])
 
-	user = &models.User{
+	user := &models.User{
 		GivenName:  &firstName,
 		FamilyName: &lastName,
 		Picture:    &picture,
-		Email:      email,
+		Email:      &email,
 	}
 
 	return user, nil
 }
 
 func processLinkedInUserInfo(ctx context.Context, code string) (*models.User, error) {
-	var user *models.User
 	oauth2Token, err := oauth.OAuthProviders.LinkedInConfig.Exchange(ctx, code)
 	if err != nil {
 		log.Debug("Failed to exchange code for token: ", err)
-		return user, fmt.Errorf("invalid linkedin exchange code: %s", err.Error())
+		return nil, fmt.Errorf("invalid linkedin exchange code: %s", err.Error())
 	}
 
 	client := http.Client{}
 	req, err := http.NewRequest("GET", constants.LinkedInUserInfoURL, nil)
 	if err != nil {
 		log.Debug("Failed to create linkedin user info request: ", err)
-		return user, fmt.Errorf("error creating linkedin user info request: %s", err.Error())
+		return nil, fmt.Errorf("error creating linkedin user info request: %s", err.Error())
 	}
 	req.Header = http.Header{
 		"Authorization": []string{fmt.Sprintf("Bearer %s", oauth2Token.AccessToken)},
@@ -493,19 +506,19 @@ func processLinkedInUserInfo(ctx context.Context, code string) (*models.User, er
 	response, err := client.Do(req)
 	if err != nil {
 		log.Debug("Failed to request linkedin user info: ", err)
-		return user, err
+		return nil, err
 	}
 
 	defer response.Body.Close()
 	body, err := io.ReadAll(response.Body)
 	if err != nil {
 		log.Debug("Failed to read linkedin user info response body: ", err)
-		return user, fmt.Errorf("failed to read linkedin response body: %s", err.Error())
+		return nil, fmt.Errorf("failed to read linkedin response body: %s", err.Error())
 	}
 
 	if response.StatusCode >= 400 {
 		log.Debug("Failed to request linkedin user info: ", string(body))
-		return user, fmt.Errorf("failed to request linkedin user info: %s", string(body))
+		return nil, fmt.Errorf("failed to request linkedin user info: %s", string(body))
 	}
 
 	userRawData := make(map[string]interface{})
@@ -514,7 +527,7 @@ func processLinkedInUserInfo(ctx context.Context, code string) (*models.User, er
 	req, err = http.NewRequest("GET", constants.LinkedInEmailURL, nil)
 	if err != nil {
 		log.Debug("Failed to create linkedin email info request: ", err)
-		return user, fmt.Errorf("error creating linkedin user info request: %s", err.Error())
+		return nil, fmt.Errorf("error creating linkedin user info request: %s", err.Error())
 	}
 	req.Header = http.Header{
 		"Authorization": []string{fmt.Sprintf("Bearer %s", oauth2Token.AccessToken)},
@@ -523,18 +536,18 @@ func processLinkedInUserInfo(ctx context.Context, code string) (*models.User, er
 	response, err = client.Do(req)
 	if err != nil {
 		log.Debug("Failed to request linkedin email info: ", err)
-		return user, err
+		return nil, err
 	}
 
 	defer response.Body.Close()
 	body, err = io.ReadAll(response.Body)
 	if err != nil {
 		log.Debug("Failed to read linkedin email info response body: ", err)
-		return user, fmt.Errorf("failed to read linkedin email response body: %s", err.Error())
+		return nil, fmt.Errorf("failed to read linkedin email response body: %s", err.Error())
 	}
 	if response.StatusCode >= 400 {
 		log.Debug("Failed to request linkedin user info: ", string(body))
-		return user, fmt.Errorf("failed to request linkedin user info: %s", string(body))
+		return nil, fmt.Errorf("failed to request linkedin user info: %s", string(body))
 	}
 	emailRawData := make(map[string]interface{})
 	json.Unmarshal(body, &emailRawData)
@@ -544,18 +557,18 @@ func processLinkedInUserInfo(ctx context.Context, code string) (*models.User, er
 	profilePicture := userRawData["profilePicture"].(map[string]interface{})["displayImage~"].(map[string]interface{})["elements"].([]interface{})[0].(map[string]interface{})["identifiers"].([]interface{})[0].(map[string]interface{})["identifier"].(string)
 	emailAddress := emailRawData["elements"].([]interface{})[0].(map[string]interface{})["handle~"].(map[string]interface{})["emailAddress"].(string)
 
-	user = &models.User{
+	user := &models.User{
 		GivenName:  &firstName,
 		FamilyName: &lastName,
 		Picture:    &profilePicture,
-		Email:      emailAddress,
+		Email:      &emailAddress,
 	}
 
 	return user, nil
 }
 
 func processAppleUserInfo(ctx context.Context, code string) (*models.User, error) {
-	var user *models.User
+	var user = &models.User{}
 	oauth2Token, err := oauth.OAuthProviders.AppleConfig.Exchange(ctx, code)
 	if err != nil {
 		log.Debug("Failed to exchange code for token: ", err)
@@ -583,12 +596,12 @@ func processAppleUserInfo(ctx context.Context, code string) (*models.User, error
 		log.Debug("Failed to unmarshal claims data: ", err)
 		return user, fmt.Errorf("failed to unmarshal claims data: %s", err.Error())
 	}
-
-	if val, ok := claims["email"]; !ok {
+	if val, ok := claims["email"]; !ok || val == nil {
 		log.Debug("Failed to extract email from claims.")
 		return user, fmt.Errorf("unable to extract email, please check the scopes enabled for your app. It needs `email`, `name` scopes")
 	} else {
-		user.Email = val.(string)
+		email := val.(string)
+		user.Email = &email
 	}
 
 	if val, ok := claims["name"]; ok {
@@ -607,19 +620,83 @@ func processAppleUserInfo(ctx context.Context, code string) (*models.User, error
 	return user, err
 }
 
+func processDiscordUserInfo(ctx context.Context, code string) (*models.User, error) {
+	oauth2Token, err := oauth.OAuthProviders.DiscordConfig.Exchange(ctx, code)
+	if err != nil {
+		log.Debug("Failed to exchange code for token: ", err)
+		return nil, fmt.Errorf("invalid discord exchange code: %s", err.Error())
+	}
+
+	client := http.Client{}
+	req, err := http.NewRequest("GET", constants.DiscordUserInfoURL, nil)
+	if err != nil {
+		log.Debug("Failed to create Discord user info request: ", err)
+		return nil, fmt.Errorf("error creating Discord user info request: %s", err.Error())
+	}
+	req.Header = http.Header{
+		"Authorization": []string{fmt.Sprintf("Bearer %s", oauth2Token.AccessToken)},
+	}
+
+	response, err := client.Do(req)
+	if err != nil {
+		log.Debug("Failed to request Discord user info: ", err)
+		return nil, err
+	}
+
+	defer response.Body.Close()
+	body, err := io.ReadAll(response.Body)
+	if err != nil {
+		log.Debug("Failed to read Discord user info response body: ", err)
+		return nil, fmt.Errorf("failed to read Discord response body: %s", err.Error())
+	}
+
+	if response.StatusCode >= 400 {
+		log.Debug("Failed to request Discord user info: ", string(body))
+		return nil, fmt.Errorf("failed to request Discord user info: %s", string(body))
+	}
+
+	// Unmarshal the response body into a map
+	responseRawData := make(map[string]interface{})
+	if err := json.Unmarshal(body, &responseRawData); err != nil {
+		log.Debug("Failed to unmarshal Discord response: ", err)
+		return nil, fmt.Errorf("failed to unmarshal Discord response: %s", err.Error())
+	}
+
+	// Safely extract the user data
+	userRawData, ok := responseRawData["user"].(map[string]interface{})
+	if !ok {
+		log.Debug("User data is not in expected format or missing in response")
+		return nil, fmt.Errorf("user data is not in expected format or missing in response")
+	}
+
+	// Extract the username
+	firstName, ok := userRawData["username"].(string)
+	if !ok {
+		log.Debug("Username is not in expected format or missing in user data")
+		return nil, fmt.Errorf("username is not in expected format or missing in user data")
+	}
+	profilePicture := fmt.Sprintf("https://cdn.discordapp.com/avatars/%s/%s.png", userRawData["id"].(string), userRawData["avatar"].(string))
+
+	user := &models.User{
+		GivenName: &firstName,
+		Picture:   &profilePicture,
+	}
+
+	return user, nil
+}
+
 func processTwitterUserInfo(ctx context.Context, code, verifier string) (*models.User, error) {
-	var user *models.User
 	oauth2Token, err := oauth.OAuthProviders.TwitterConfig.Exchange(ctx, code, oauth2.SetAuthURLParam("code_verifier", verifier))
 	if err != nil {
 		log.Debug("Failed to exchange code for token: ", err)
-		return user, fmt.Errorf("invalid twitter exchange code: %s", err.Error())
+		return nil, fmt.Errorf("invalid twitter exchange code: %s", err.Error())
 	}
 
 	client := http.Client{}
 	req, err := http.NewRequest("GET", constants.TwitterUserInfoURL, nil)
 	if err != nil {
 		log.Debug("Failed to create Twitter user info request: ", err)
-		return user, fmt.Errorf("error creating Twitter user info request: %s", err.Error())
+		return nil, fmt.Errorf("error creating Twitter user info request: %s", err.Error())
 	}
 	req.Header = http.Header{
 		"Authorization": []string{fmt.Sprintf("Bearer %s", oauth2Token.AccessToken)},
@@ -628,19 +705,19 @@ func processTwitterUserInfo(ctx context.Context, code, verifier string) (*models
 	response, err := client.Do(req)
 	if err != nil {
 		log.Debug("Failed to request Twitter user info: ", err)
-		return user, err
+		return nil, err
 	}
 
 	defer response.Body.Close()
 	body, err := io.ReadAll(response.Body)
 	if err != nil {
 		log.Debug("Failed to read Twitter user info response body: ", err)
-		return user, fmt.Errorf("failed to read Twitter response body: %s", err.Error())
+		return nil, fmt.Errorf("failed to read Twitter response body: %s", err.Error())
 	}
 
 	if response.StatusCode >= 400 {
 		log.Debug("Failed to request Twitter user info: ", string(body))
-		return user, fmt.Errorf("failed to request Twitter user info: %s", string(body))
+		return nil, fmt.Errorf("failed to request Twitter user info: %s", string(body))
 	}
 
 	responseRawData := make(map[string]interface{})
@@ -664,7 +741,7 @@ func processTwitterUserInfo(ctx context.Context, code, verifier string) (*models
 	nickname := userRawData["username"].(string)
 	profilePicture := userRawData["profile_image_url"].(string)
 
-	user = &models.User{
+	user := &models.User{
 		GivenName:  &firstName,
 		FamilyName: &lastName,
 		Picture:    &profilePicture,
@@ -676,11 +753,10 @@ func processTwitterUserInfo(ctx context.Context, code, verifier string) (*models
 
 // process microsoft user information
 func processMicrosoftUserInfo(ctx context.Context, code string) (*models.User, error) {
-	var user *models.User
 	oauth2Token, err := oauth.OAuthProviders.MicrosoftConfig.Exchange(ctx, code)
 	if err != nil {
 		log.Debug("Failed to exchange code for token: ", err)
-		return user, fmt.Errorf("invalid microsoft exchange code: %s", err.Error())
+		return nil, fmt.Errorf("invalid microsoft exchange code: %s", err.Error())
 	}
 	// we need to skip issuer check because for common tenant it will return internal issuer which does not match
 	verifier := oauth.OIDCProviders.MicrosoftOIDC.Verifier(&oidc.Config{
@@ -691,18 +767,53 @@ func processMicrosoftUserInfo(ctx context.Context, code string) (*models.User, e
 	rawIDToken, ok := oauth2Token.Extra("id_token").(string)
 	if !ok {
 		log.Debug("Failed to extract ID Token from OAuth2 token")
-		return user, fmt.Errorf("unable to extract id_token")
+		return nil, fmt.Errorf("unable to extract id_token")
 	}
 	// Parse and verify ID Token payload.
 	idToken, err := verifier.Verify(ctx, rawIDToken)
 	if err != nil {
 		log.Debug("Failed to verify ID Token: ", err)
-		return user, fmt.Errorf("unable to verify id_token: %s", err.Error())
+		return nil, fmt.Errorf("unable to verify id_token: %s", err.Error())
 	}
-
+	user := &models.User{}
 	if err := idToken.Claims(&user); err != nil {
 		log.Debug("Failed to parse ID Token claims: ", err)
-		return user, fmt.Errorf("unable to extract claims")
+		return nil, fmt.Errorf("unable to extract claims")
+	}
+
+	return user, nil
+}
+
+// process twitch user information
+func processTwitchUserInfo(ctx context.Context, code string) (*models.User, error) {
+	oauth2Token, err := oauth.OAuthProviders.TwitchConfig.Exchange(ctx, code)
+	if err != nil {
+		log.Debug("Failed to exchange code for token: ", err)
+		return nil, fmt.Errorf("invalid twitch exchange code: %s", err.Error())
+	}
+
+	// Extract the ID Token from OAuth2 token.
+	rawIDToken, ok := oauth2Token.Extra("id_token").(string)
+	if !ok {
+		log.Debug("Failed to extract ID Token from OAuth2 token")
+		return nil, fmt.Errorf("unable to extract id_token")
+	}
+	verifier := oauth.OIDCProviders.TwitchOIDC.Verifier(&oidc.Config{
+		ClientID:        oauth.OAuthProviders.TwitchConfig.ClientID,
+		SkipIssuerCheck: true,
+	})
+
+	// Parse and verify ID Token payload.
+	idToken, err := verifier.Verify(ctx, rawIDToken)
+	if err != nil {
+		log.Debug("Failed to verify ID Token: ", err)
+		return nil, fmt.Errorf("unable to verify id_token: %s", err.Error())
+	}
+
+	user := &models.User{}
+	if err := idToken.Claims(&user); err != nil {
+		log.Debug("Failed to parse ID Token claims: ", err)
+		return nil, fmt.Errorf("unable to extract claims")
 	}
 
 	return user, nil

server/handlers/oauth_login.go

@@ -4,10 +4,12 @@ import (
 	"net/http"
 	"strings"
 
-	"github.com/gin-gonic/gin"
-	log "github.com/sirupsen/logrus"
 	"golang.org/x/oauth2"
 
+	"github.com/gin-gonic/gin"
+
+	log "github.com/sirupsen/logrus"
+
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/memorystore"
 	"github.com/authorizerdev/authorizer/server/oauth"
@@ -190,6 +192,24 @@ func OAuthLoginHandler() gin.HandlerFunc {
 			oauth.OAuthProviders.TwitterConfig.RedirectURL = hostname + "/oauth_callback/" + constants.AuthRecipeMethodTwitter
 			url := oauth.OAuthProviders.TwitterConfig.AuthCodeURL(oauthStateString, oauth2.SetAuthURLParam("code_challenge", challenge), oauth2.SetAuthURLParam("code_challenge_method", "S256"))
 			c.Redirect(http.StatusTemporaryRedirect, url)
+
+		case constants.AuthRecipeMethodDiscord:
+			if oauth.OAuthProviders.DiscordConfig == nil {
+				log.Debug("Discord OAuth provider is not configured")
+				isProviderConfigured = false
+				break
+			}
+			err := memorystore.Provider.SetState(oauthStateString, constants.AuthRecipeMethodDiscord)
+			if err != nil {
+				log.Debug("Error setting state: ", err)
+				c.JSON(500, gin.H{
+					"error": "internal server error",
+				})
+				return
+			}
+			oauth.OAuthProviders.DiscordConfig.RedirectURL = hostname + "/oauth_callback/" + constants.AuthRecipeMethodDiscord
+			url := oauth.OAuthProviders.DiscordConfig.AuthCodeURL(oauthStateString)
+			c.Redirect(http.StatusTemporaryRedirect, url)
 		case constants.AuthRecipeMethodApple:
 			if oauth.OAuthProviders.AppleConfig == nil {
 				log.Debug("Apple OAuth provider is not configured")
@@ -227,6 +247,24 @@ func OAuthLoginHandler() gin.HandlerFunc {
 			oauth.OAuthProviders.MicrosoftConfig.RedirectURL = hostname + "/oauth_callback/" + constants.AuthRecipeMethodMicrosoft
 			url := oauth.OAuthProviders.MicrosoftConfig.AuthCodeURL(oauthStateString)
 			c.Redirect(http.StatusTemporaryRedirect, url)
+		case constants.AuthRecipeMethodTwitch:
+			if oauth.OAuthProviders.TwitchConfig == nil {
+				log.Debug("Twitch OAuth provider is not configured")
+				isProviderConfigured = false
+				break
+			}
+			err := memorystore.Provider.SetState(oauthStateString, constants.AuthRecipeMethodTwitch)
+			if err != nil {
+				log.Debug("Error setting state: ", err)
+				c.JSON(500, gin.H{
+					"error": "internal server error",
+				})
+				return
+			}
+			// during the init of OAuthProvider authorizer url might be empty
+			oauth.OAuthProviders.TwitchConfig.RedirectURL = hostname + "/oauth_callback/" + constants.AuthRecipeMethodTwitch
+			url := oauth.OAuthProviders.TwitchConfig.AuthCodeURL(oauthStateString)
+			c.Redirect(http.StatusTemporaryRedirect, url)
 		default:
 			log.Debug("Invalid oauth provider: ", provider)
 			c.JSON(422, gin.H{

server/handlers/openid_config.go

@@ -24,7 +24,7 @@ func OpenIDConfigurationHandler() gin.HandlerFunc {
 			"response_types_supported":              []string{"code", "token", "id_token"},
 			"scopes_supported":                      []string{"openid", "email", "profile"},
 			"response_modes_supported":              []string{"query", "fragment", "form_post", "web_message"},
-			"subject_types_supported":               "public",
+			"subject_types_supported":               []string{"public"},
 			"id_token_signing_alg_values_supported": []string{jwtType},
 			"claims_supported":                      []string{"aud", "exp", "iss", "iat", "sub", "given_name", "family_name", "middle_name", "nickname", "preferred_username", "picture", "email", "email_verified", "roles", "role", "gender", "birthdate", "phone_number", "phone_number_verified", "nonce", "updated_at", "created_at", "revoked_timestamp", "login_method", "signup_methods", "token_type"},
 		})

server/handlers/token.go

@@ -105,7 +105,7 @@ func TokenHandler() gin.HandlerFunc {
 
 			if codeVerifier == "" && clientSecret == "" {
 				gc.JSON(http.StatusBadRequest, gin.H{
-					"error":             "invalid_dat",
+					"error":             "invalid_data",
 					"error_description": "The code verifier or client secret is required",
 				})
 				return
@@ -263,12 +263,10 @@ func TokenHandler() gin.HandlerFunc {
 			"roles":        roles,
 			"expires_in":   expiresIn,
 		}
-
 		if authToken.RefreshToken != nil {
 			res["refresh_token"] = authToken.RefreshToken.Token
 			memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token, authToken.RefreshToken.ExpiresAt)
 		}
-
 		gc.JSON(http.StatusOK, res)
 	}
 }

server/handlers/userinfo.go

@@ -21,7 +21,6 @@ func UserInfoHandler() gin.HandlerFunc {
 			})
 			return
 		}
-
 		claims, err := token.ValidateAccessToken(gc, accessToken)
 		if err != nil {
 			log.Debug("Error validating access token: ", err)
@@ -30,7 +29,6 @@ func UserInfoHandler() gin.HandlerFunc {
 			})
 			return
 		}
-
 		userID := claims["sub"].(string)
 		user, err := db.Provider.GetUserByID(gc, userID)
 		if err != nil {

server/handlers/verify_email.go

@@ -74,7 +74,13 @@ func VerifyEmailHandler() gin.HandlerFunc {
 			now := time.Now().Unix()
 			user.EmailVerifiedAt = &now
 			isSignUp = true
-			db.Provider.UpdateUser(c, user)
+			user, err = db.Provider.UpdateUser(c, user)
+			if err != nil {
+				log.Debug("Error updating user: ", err)
+				errorRes["error"] = err.Error()
+				utils.HandleRedirectORJsonResponse(c, http.StatusBadRequest, errorRes, generateRedirectURL(redirectURL, errorRes))
+				return
+			}
 		}
 		// delete from verification table
 		db.Provider.DeleteVerificationRequest(c, verificationRequest)

server/logs/logs.go

@@ -7,22 +7,11 @@ import (
 	log "github.com/sirupsen/logrus"
 )
 
-// LogUTCFormatter hels in setting UTC time format for the logs
-type LogUTCFormatter struct {
-	log.Formatter
-}
-
-// Format helps fomratting time to UTC
-func (u LogUTCFormatter) Format(e *log.Entry) ([]byte, error) {
-	e.Time = e.Time.UTC()
-	return u.Formatter.Format(e)
-}
-
 func InitLog(cliLogLevel string) *log.Logger {
 
 	// log instance for gin server
 	log := logrus.New()
-	log.SetFormatter(LogUTCFormatter{&logrus.JSONFormatter{}})
+	log.SetFormatter(&LogTextFormatter{})
 
 	if cliLogLevel == "" {
 		cliLogLevel = os.Getenv("LOG_LEVEL")

server/logs/text.go

@@ -0,0 +1,18 @@
+package logs
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/sirupsen/logrus"
+)
+
+// LogTextFormatter is a custom log formatter for text output
+type LogTextFormatter struct {
+	logrus.Formatter
+}
+
+// Format helps fomratting time to UTC
+func (u LogTextFormatter) Format(e *logrus.Entry) ([]byte, error) {
+	return []byte(fmt.Sprintf("[%s] %s", strings.ToUpper(e.Level.String()), e.Message)), nil
+}

server/logs/utc.go

@@ -0,0 +1,16 @@
+package logs
+
+import (
+	log "github.com/sirupsen/logrus"
+)
+
+// LogUTCFormatter hels in setting UTC time format for the logs
+type LogUTCFormatter struct {
+	log.Formatter
+}
+
+// Format helps fomratting time to UTC
+func (u LogUTCFormatter) Format(e *log.Entry) ([]byte, error) {
+	e.Time = e.Time.UTC()
+	return u.Formatter.Format(e)
+}

server/main.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"flag"
+	"github.com/authorizerdev/authorizer/server/authenticators"
 
 	"github.com/authorizerdev/authorizer/server/cli"
 	"github.com/authorizerdev/authorizer/server/constants"
@@ -27,7 +28,7 @@ func main() {
 	flag.Parse()
 
 	// global log level
-	logrus.SetFormatter(logs.LogUTCFormatter{&logrus.JSONFormatter{}})
+	logrus.SetFormatter(&logs.LogTextFormatter{})
 
 	constants.VERSION = VERSION
 
@@ -70,6 +71,11 @@ func main() {
 		log.Fatalln("Error while initializing oauth: ", err)
 	}
 
+	err = authenticators.InitTOTPStore()
+	if err != nil {
+		log.Fatalln("Error while initializing authenticator: ", err)
+	}
+
 	router := routes.InitRouter(log)
 	log.Info("Starting Authorizer: ", VERSION)
 	port, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyPort)

server/memorystore/memory_store.go

@@ -36,9 +36,11 @@ func InitMemStore() error {
 		constants.EnvKeyIsSMSServiceEnabled:              false,
 		constants.EnvKeyEnforceMultiFactorAuthentication: false,
 		constants.EnvKeyDisableMultiFactorAuthentication: false,
+		constants.EnvKeyDisableTOTPLogin:                 false,
 		constants.EnvKeyAppCookieSecure:                  true,
 		constants.EnvKeyAdminCookieSecure:                true,
 		constants.EnvKeyDisablePlayGround:                true,
+		constants.EnvKeyDisableMailOTPLogin:              true,
 	}
 
 	requiredEnvs := RequiredEnvStoreObj.GetRequiredEnv()

server/memorystore/providers/inmemory/store.go

@@ -3,8 +3,11 @@ package inmemory
 import (
 	"fmt"
 	"os"
+	"errors"
 
+	log "github.com/sirupsen/logrus"
 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/memorystore/providers/redis"
 )
 
 // SetUserSession sets the user session for given user identifier in form recipe:user_id
@@ -119,3 +122,25 @@ func (c *provider) GetBoolStoreEnvVariable(key string) (bool, error) {
 	}
 	return res.(bool), nil
 }
+
+// GetUserAppDataFromRedis retrieves user profile and follows from Redis, combines them into a JSON format,
+// and assigns the JSON string to the provided user's ID.
+func (c *provider) GetUserAppDataFromRedis(userId string) (string, error) {
+    redisURL := os.Getenv(constants.EnvKeyRedisURL)
+    if redisURL == "" {
+        return "", errors.New("Redis URL not found")
+    }
+
+    log.Info("Initializing Redis provider")
+    red, err := redis.NewRedisProvider(redisURL)
+    if err != nil {
+        return "", fmt.Errorf("failed to initialize Redis provider: %w", err)
+    }
+
+	combinedData, err := red.GetUserAppDataFromRedis(userId)    
+	if err != nil {
+        return "", fmt.Errorf("failed to get Redis app data: %w", err)
+    }
+
+    return combinedData, nil
+}

server/memorystore/providers/providers.go

@@ -38,4 +38,6 @@ type Provider interface {
 	GetStringStoreEnvVariable(key string) (string, error)
 	// GetBoolStoreEnvVariable to get the bool env variable from env store
 	GetBoolStoreEnvVariable(key string) (bool, error)
+
+	GetUserAppDataFromRedis(userId string) (string, error)
 }

server/memorystore/providers/redis/store.go

@@ -176,7 +176,7 @@ func (c *provider) GetEnvStore() (map[string]interface{}, error) {
 		return nil, err
 	}
 	for key, value := range data {
-		if key == constants.EnvKeyDisableBasicAuthentication || key == constants.EnvKeyDisableMobileBasicAuthentication || key == constants.EnvKeyDisableEmailVerification || key == constants.EnvKeyDisableLoginPage || key == constants.EnvKeyDisableMagicLinkLogin || key == constants.EnvKeyDisableRedisForEnv || key == constants.EnvKeyDisableSignUp || key == constants.EnvKeyDisableStrongPassword || key == constants.EnvKeyIsEmailServiceEnabled || key == constants.EnvKeyIsSMSServiceEnabled || key == constants.EnvKeyEnforceMultiFactorAuthentication || key == constants.EnvKeyDisableMultiFactorAuthentication || key == constants.EnvKeyAppCookieSecure || key == constants.EnvKeyAdminCookieSecure  || key == constants.EnvKeyDisablePlayGround {
+		if key == constants.EnvKeyDisableBasicAuthentication || key == constants.EnvKeyDisableMobileBasicAuthentication || key == constants.EnvKeyDisableEmailVerification || key == constants.EnvKeyDisableLoginPage || key == constants.EnvKeyDisableMagicLinkLogin || key == constants.EnvKeyDisableRedisForEnv || key == constants.EnvKeyDisableSignUp || key == constants.EnvKeyDisableStrongPassword || key == constants.EnvKeyIsEmailServiceEnabled || key == constants.EnvKeyIsSMSServiceEnabled || key == constants.EnvKeyEnforceMultiFactorAuthentication || key == constants.EnvKeyDisableMultiFactorAuthentication || key == constants.EnvKeyAppCookieSecure || key == constants.EnvKeyAdminCookieSecure || key == constants.EnvKeyDisablePlayGround || key == constants.EnvKeyDisableTOTPLogin || key == constants.EnvKeyDisableMailOTPLogin {
 			boolValue, err := strconv.ParseBool(value)
 			if err != nil {
 				return res, err
@@ -218,3 +218,16 @@ func (c *provider) GetBoolStoreEnvVariable(key string) (bool, error) {
 
 	return data == "1", nil
 }
+
+// GetUserAppDataFromRedis retrieves user profile and follows from Redis, combines them into a JSON format,
+// and assigns the JSON string to the provided user's ID.
+func (c *provider) GetUserAppDataFromRedis(userId string) (string, error) {
+    // Retrieve user data from Redis
+    userProfile := c.store.Get(c.ctx, fmt.Sprintf(`user:%s:author`, userId))
+    userFollows := c.store.Get(c.ctx, fmt.Sprintf(`user:%s:follows`, userId))
+
+    // Combine user data into a JSON string
+    combinedData := fmt.Sprintf(`{"profile": %s, "follows": %s}`, userProfile, userFollows)
+
+    return combinedData, nil
+}

server/memorystore/required_env_store.go

@@ -38,7 +38,7 @@ type RequiredEnv struct {
 	CouchbaseBucketRAMQuotaMB string `json:"COUCHBASE_BUCKET_RAM_QUOTA"`
 }
 
-// RequiredEnvObj is a simple in-memory store for sessions.
+// RequiredEnvStore is a simple in-memory store for sessions.
 type RequiredEnvStore struct {
 	mutex       sync.Mutex
 	requiredEnv RequiredEnv

server/oauth/oauth.go

@@ -4,13 +4,16 @@ import (
 	"context"
 	"fmt"
 
-	"github.com/coreos/go-oidc/v3/oidc"
 	"golang.org/x/oauth2"
+	"google.golang.org/appengine/log"
+
 	facebookOAuth2 "golang.org/x/oauth2/facebook"
 	githubOAuth2 "golang.org/x/oauth2/github"
 	linkedInOAuth2 "golang.org/x/oauth2/linkedin"
 	microsoftOAuth2 "golang.org/x/oauth2/microsoft"
-	"google.golang.org/appengine/log"
+	twitchOAuth2 "golang.org/x/oauth2/twitch"
+
+	"github.com/coreos/go-oidc/v3/oidc"
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/memorystore"
@@ -27,14 +30,17 @@ type OAuthProvider struct {
 	FacebookConfig  *oauth2.Config
 	LinkedInConfig  *oauth2.Config
 	AppleConfig     *oauth2.Config
+	DiscordConfig   *oauth2.Config
 	TwitterConfig   *oauth2.Config
 	MicrosoftConfig *oauth2.Config
+	TwitchConfig    *oauth2.Config
 }
 
 // OIDCProviders is a struct that contains reference all the OpenID providers
 type OIDCProvider struct {
 	GoogleOIDC    *oidc.Provider
 	MicrosoftOIDC *oidc.Provider
+	TwitchOIDC    *oidc.Provider
 }
 
 var (
@@ -144,6 +150,27 @@ func InitOAuth() error {
 		}
 	}
 
+	discordClientID, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyDiscordClientID)
+	if err != nil {
+		discordClientID = ""
+	}
+	discordClientSecret, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyDiscordClientSecret)
+	if err != nil {
+		discordClientSecret = ""
+	}
+	if discordClientID != "" && discordClientSecret != "" {
+		OAuthProviders.DiscordConfig = &oauth2.Config{
+			ClientID:     discordClientID,
+			ClientSecret: discordClientSecret,
+			RedirectURL:  "/oauth_callback/discord",
+			Endpoint: oauth2.Endpoint{
+				AuthURL:  "https://discord.com/oauth2/authorize",
+				TokenURL: "https://discord.com/api/oauth2/token",
+			},
+			Scopes: []string{"identify", "email"},
+		}
+	}
+
 	twitterClientID, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyTwitterClientID)
 	if err != nil {
 		twitterClientID = ""
@@ -198,5 +225,31 @@ func InitOAuth() error {
 		}
 	}
 
+	twitchClientID, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyTwitchClientID)
+	if err != nil {
+		twitchClientID = ""
+	}
+	twitchClientSecret, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyTwitchClientSecret)
+	if err != nil {
+		twitchClientSecret = ""
+	}
+
+	if twitchClientID != "" && twitchClientSecret != "" {
+		p, err := oidc.NewProvider(ctx, "https://id.twitch.tv/oauth2")
+		if err != nil {
+			log.Debugf(ctx, "Error while creating OIDC provider for Twitch: %v", err)
+			return err
+		}
+
+		OIDCProviders.TwitchOIDC = p
+		OAuthProviders.TwitchConfig = &oauth2.Config{
+			ClientID:     twitchClientID,
+			ClientSecret: twitchClientSecret,
+			RedirectURL:  "/oauth_callback/twitch",
+			Endpoint:     twitchOAuth2.Endpoint,
+			Scopes:       []string{oidc.ScopeOpenID},
+		}
+	}
+
 	return nil
 }

server/resolvers/deactivate_account.go

@@ -21,21 +21,15 @@ func DeactivateAccountResolver(ctx context.Context) (*model.Response, error) {
 		log.Debug("Failed to get GinContext: ", err)
 		return res, err
 	}
-	accessToken, err := token.GetAccessToken(gc)
+	tokenData, err := token.GetUserIDFromSessionOrAccessToken(gc)
 	if err != nil {
-		log.Debug("Failed to get access token: ", err)
+		log.Debug("Failed GetUserIDFromSessionOrAccessToken: ", err)
 		return res, err
 	}
-	claims, err := token.ValidateAccessToken(gc, accessToken)
-	if err != nil {
-		log.Debug("Failed to validate access token: ", err)
-		return res, err
-	}
-	userID := claims["sub"].(string)
 	log := log.WithFields(log.Fields{
-		"user_id": userID,
+		"user_id": tokenData.UserID,
 	})
-	user, err := db.Provider.GetUserByID(ctx, userID)
+	user, err := db.Provider.GetUserByID(ctx, tokenData.UserID)
 	if err != nil {
 		log.Debug("Failed to get user by id: ", err)
 		return res, err

server/resolvers/delete_user.go

@@ -10,6 +10,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/memorystore"
+	"github.com/authorizerdev/authorizer/server/refs"
 	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 )
@@ -51,28 +52,41 @@ func DeleteUserResolver(ctx context.Context, params model.DeleteUserInput) (*mod
 
 	go func() {
 		// delete otp for given email
-		otp, err := db.Provider.GetOTPByEmail(ctx, user.Email)
+		otp, err := db.Provider.GetOTPByEmail(ctx, refs.StringValue(user.Email))
 		if err != nil {
 			log.Infof("No OTP found for email (%s): %v", user.Email, err)
 			// continue
 		} else {
 			err := db.Provider.DeleteOTP(ctx, otp)
 			if err != nil {
-				log.Debugf("Failed to delete otp for given email (%s): %v", user.Email, err)
+				log.Debugf("Failed to delete otp for given email (%s): %v", refs.StringValue(user.Email), err)
+				// continue
+			}
+		}
+
+		// delete otp for given phone number
+		otp, err = db.Provider.GetOTPByPhoneNumber(ctx, refs.StringValue(user.PhoneNumber))
+		if err != nil {
+			log.Infof("No OTP found for email (%s): %v", refs.StringValue(user.Email), err)
+			// continue
+		} else {
+			err := db.Provider.DeleteOTP(ctx, otp)
+			if err != nil {
+				log.Debugf("Failed to delete otp for given phone (%s): %v", refs.StringValue(user.PhoneNumber), err)
 				// continue
 			}
 		}
 
 		// delete verification requests for given email
 		for _, vt := range constants.VerificationTypes {
-			verificationRequest, err := db.Provider.GetVerificationRequestByEmail(ctx, user.Email, vt)
+			verificationRequest, err := db.Provider.GetVerificationRequestByEmail(ctx, refs.StringValue(user.Email), vt)
 			if err != nil {
-				log.Infof("No verification verification request found for email: %s, verification_request_type: %s. %v", user.Email, vt, err)
+				log.Infof("No verification verification request found for email: %s, verification_request_type: %s. %v", refs.StringValue(user.Email), vt, err)
 				// continue
 			} else {
 				err := db.Provider.DeleteVerificationRequest(ctx, verificationRequest)
 				if err != nil {
-					log.Debugf("Failed to DeleteVerificationRequest for email: %s, verification_request_type: %s. %v", user.Email, vt, err)
+					log.Debugf("Failed to DeleteVerificationRequest for email: %s, verification_request_type: %s. %v", refs.StringValue(user.Email), vt, err)
 					// continue
 				}
 			}

server/resolvers/env.go

@@ -149,6 +149,12 @@ func EnvResolver(ctx context.Context) (*model.Env, error) {
 	if val, ok := store[constants.EnvKeyAppleClientSecret]; ok {
 		res.AppleClientSecret = refs.NewStringRef(val.(string))
 	}
+	if val, ok := store[constants.EnvKeyDiscordClientID]; ok {
+		res.DiscordClientID = refs.NewStringRef(val.(string))
+	}
+	if val, ok := store[constants.EnvKeyDiscordClientSecret]; ok {
+		res.DiscordClientSecret = refs.NewStringRef(val.(string))
+	}
 	if val, ok := store[constants.EnvKeyTwitterClientID]; ok {
 		res.TwitterClientID = refs.NewStringRef(val.(string))
 	}
@@ -164,7 +170,12 @@ func EnvResolver(ctx context.Context) (*model.Env, error) {
 	if val, ok := store[constants.EnvKeyMicrosoftActiveDirectoryTenantID]; ok {
 		res.MicrosoftActiveDirectoryTenantID = refs.NewStringRef(val.(string))
 	}
-
+	if val, ok := store[constants.EnvKeyTwitchClientID]; ok {
+		res.TwitchClientID = refs.NewStringRef(val.(string))
+	}
+	if val, ok := store[constants.EnvKeyTwitchClientSecret]; ok {
+		res.TwitchClientSecret = refs.NewStringRef(val.(string))
+	}
 	if val, ok := store[constants.EnvKeyOrganizationName]; ok {
 		res.OrganizationName = refs.NewStringRef(val.(string))
 	}
@@ -203,6 +214,8 @@ func EnvResolver(ctx context.Context) (*model.Env, error) {
 	res.AdminCookieSecure = store[constants.EnvKeyAdminCookieSecure].(bool)
 	res.AppCookieSecure = store[constants.EnvKeyAppCookieSecure].(bool)
 	res.DisablePlayground = store[constants.EnvKeyDisablePlayGround].(bool)
+	res.DisableMailOtpLogin = store[constants.EnvKeyDisableMailOTPLogin].(bool)
+	res.DisableTotpLogin = store[constants.EnvKeyDisableTOTPLogin].(bool)
 
 	return res, nil
 }

server/resolvers/forgot_password.go

@@ -6,29 +6,29 @@ import (
 	"strings"
 	"time"
 
+	"github.com/google/uuid"
 	log "github.com/sirupsen/logrus"
 
 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/db/models"
-	"github.com/authorizerdev/authorizer/server/email"
+	mailService "github.com/authorizerdev/authorizer/server/email"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/memorystore"
 	"github.com/authorizerdev/authorizer/server/parsers"
 	"github.com/authorizerdev/authorizer/server/refs"
+	"github.com/authorizerdev/authorizer/server/smsproviders"
 	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
-	"github.com/authorizerdev/authorizer/server/validators"
 )
 
 // ForgotPasswordResolver is a resolver for forgot password mutation
-func ForgotPasswordResolver(ctx context.Context, params model.ForgotPasswordInput) (*model.Response, error) {
-	var res *model.Response
-
+func ForgotPasswordResolver(ctx context.Context, params model.ForgotPasswordInput) (*model.ForgotPasswordResponse, error) {
 	gc, err := utils.GinContextFromContext(ctx)
 	if err != nil {
 		log.Debug("Failed to get GinContext: ", err)
-		return res, err
+		return nil, err
 	}
 
 	isBasicAuthDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableBasicAuthentication)
@@ -36,74 +36,144 @@ func ForgotPasswordResolver(ctx context.Context, params model.ForgotPasswordInpu
 		log.Debug("Error getting basic auth disabled: ", err)
 		isBasicAuthDisabled = true
 	}
-	if isBasicAuthDisabled {
-		log.Debug("Basic authentication is disabled")
-		return res, fmt.Errorf(`basic authentication is disabled for this instance`)
-	}
-	params.Email = strings.ToLower(params.Email)
-
-	if !validators.IsValidEmail(params.Email) {
-		log.Debug("Invalid email address: ", params.Email)
-		return res, fmt.Errorf("invalid email")
-	}
-
-	log := log.WithFields(log.Fields{
-		"email": params.Email,
-	})
-	user, err := db.Provider.GetUserByEmail(ctx, params.Email)
+	isEmailVerificationDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableEmailVerification)
 	if err != nil {
-		log.Debug("User not found: ", err)
-		return res, fmt.Errorf(`user with this email not found`)
+		log.Debug("Error getting email verification disabled: ", err)
+		isEmailVerificationDisabled = true
+	}
+
+	isMobileBasicAuthDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableMobileBasicAuthentication)
+	if err != nil {
+		log.Debug("Error getting mobile basic auth disabled: ", err)
+		isMobileBasicAuthDisabled = true
+	}
+	isMobileVerificationDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisablePhoneVerification)
+	if err != nil {
+		log.Debug("Error getting mobile verification disabled: ", err)
+		isMobileVerificationDisabled = true
+	}
+
+	email := refs.StringValue(params.Email)
+	phoneNumber := refs.StringValue(params.PhoneNumber)
+	if email == "" && phoneNumber == "" {
+		log.Debug("Email or phone number is required")
+		return nil, fmt.Errorf(`email or phone number is required`)
+	}
+	log := log.WithFields(log.Fields{
+		"email":        refs.StringValue(params.Email),
+		"phone_number": refs.StringValue(params.PhoneNumber),
+	})
+	isEmailLogin := email != ""
+	isMobileLogin := phoneNumber != ""
+	if isBasicAuthDisabled && isEmailLogin && !isEmailVerificationDisabled {
+		log.Debug("Basic authentication is disabled.")
+		return nil, fmt.Errorf(`basic authentication is disabled for this instance`)
+	}
+	if isMobileBasicAuthDisabled && isMobileLogin && !isMobileVerificationDisabled {
+		log.Debug("Mobile basic authentication is disabled.")
+		return nil, fmt.Errorf(`mobile basic authentication is disabled for this instance`)
+	}
+	var user *models.User
+	if isEmailLogin {
+		user, err = db.Provider.GetUserByEmail(ctx, email)
+	} else {
+		user, err = db.Provider.GetUserByPhoneNumber(ctx, phoneNumber)
+	}
+	if err != nil {
+		log.Debug("Failed to get user: ", err)
+		return nil, fmt.Errorf(`bad user credentials`)
+	}
+
+	if user.SignupMethods == "magic_link_login" {
+		user.SignupMethods = "basic_auth"
+
+		user, err = db.Provider.UpdateUser(ctx, user)
+		if err != nil {
+			log.Debug("Failed to update user signup method: ", err)
+		}
 	}
 
 	hostname := parsers.GetHost(gc)
 	_, nonceHash, err := utils.GenerateNonce()
 	if err != nil {
 		log.Debug("Failed to generate nonce: ", err)
-		return res, err
+		return nil, err
 	}
-
-	redirectURI := ""
-	// give higher preference to params redirect uri
-	if strings.TrimSpace(refs.StringValue(params.RedirectURI)) != "" {
-		redirectURI = refs.StringValue(params.RedirectURI)
-	} else {
-		redirectURI, err = memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyResetPasswordURL)
-		if err != nil {
-			log.Debug("ResetPasswordURL not found using default app url: ", err)
-			redirectURI = hostname + "/app/reset-password"
-			memorystore.Provider.UpdateEnvVariable(constants.EnvKeyResetPasswordURL, redirectURI)
+	if user.RevokedTimestamp != nil {
+		log.Debug("User access is revoked")
+		return nil, fmt.Errorf(`user access has been revoked`)
+	}
+	if isEmailLogin {
+		redirectURI := ""
+		// give higher preference to params redirect uri
+		if strings.TrimSpace(refs.StringValue(params.RedirectURI)) != "" {
+			redirectURI = refs.StringValue(params.RedirectURI)
+		} else {
+			redirectURI, err = memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyResetPasswordURL)
+			if err != nil {
+				log.Debug("ResetPasswordURL not found using default app url: ", err)
+				redirectURI = hostname + "/app/reset-password"
+				memorystore.Provider.UpdateEnvVariable(constants.EnvKeyResetPasswordURL, redirectURI)
+			}
 		}
+		verificationToken, err := token.CreateVerificationToken(email, constants.VerificationTypeForgotPassword, hostname, nonceHash, redirectURI)
+		if err != nil {
+			log.Debug("Failed to create verification token", err)
+			return nil, err
+		}
+		_, err = db.Provider.AddVerificationRequest(ctx, &models.VerificationRequest{
+			Token:       verificationToken,
+			Identifier:  constants.VerificationTypeForgotPassword,
+			ExpiresAt:   time.Now().Add(time.Minute * 30).Unix(),
+			Email:       email,
+			Nonce:       nonceHash,
+			RedirectURI: redirectURI,
+		})
+		if err != nil {
+			log.Debug("Failed to add verification request", err)
+			return nil, err
+		}
+		// execute it as go routine so that we can reduce the api latency
+		go mailService.SendEmail([]string{email}, constants.VerificationTypeForgotPassword, map[string]interface{}{
+			"user":             user.ToMap(),
+			"organization":     utils.GetOrganization(),
+			"verification_url": utils.GetForgotPasswordURL(verificationToken, redirectURI),
+		})
+		return &model.ForgotPasswordResponse{
+			Message: `Please check your inbox! We have sent a password reset link.`,
+		}, nil
 	}
-
-	verificationToken, err := token.CreateVerificationToken(params.Email, constants.VerificationTypeForgotPassword, hostname, nonceHash, redirectURI)
-	if err != nil {
-		log.Debug("Failed to create verification token", err)
-		return res, err
+	if isMobileLogin {
+		expiresAt := time.Now().Add(1 * time.Minute).Unix()
+		otp := utils.GenerateOTP()
+		otpData, err := db.Provider.UpsertOTP(ctx, &models.OTP{
+			Email:       refs.StringValue(user.Email),
+			PhoneNumber: refs.StringValue(user.PhoneNumber),
+			Otp:         otp,
+			ExpiresAt:   expiresAt,
+		})
+		if err != nil {
+			log.Debug("Failed to add otp: ", err)
+			return nil, err
+		}
+		mfaSession := uuid.NewString()
+		err = memorystore.Provider.SetMfaSession(user.ID, mfaSession, expiresAt)
+		if err != nil {
+			log.Debug("Failed to add mfasession: ", err)
+			return nil, err
+		}
+		cookie.SetMfaSession(gc, mfaSession)
+		smsBody := strings.Builder{}
+		smsBody.WriteString("Your verification code is: ")
+		smsBody.WriteString(otpData.Otp)
+		if err := smsproviders.SendSMS(phoneNumber, smsBody.String()); err != nil {
+			log.Debug("Failed to send sms: ", err)
+			// continue
+		}
+		return &model.ForgotPasswordResponse{
+			Message:                   "Please enter the OTP sent to your phone number and change your password.",
+			ShouldShowMobileOtpScreen: refs.NewBoolRef(true),
+		}, nil
 	}
-	_, err = db.Provider.AddVerificationRequest(ctx, &models.VerificationRequest{
-		Token:       verificationToken,
-		Identifier:  constants.VerificationTypeForgotPassword,
-		ExpiresAt:   time.Now().Add(time.Minute * 30).Unix(),
-		Email:       params.Email,
-		Nonce:       nonceHash,
-		RedirectURI: redirectURI,
-	})
-	if err != nil {
-		log.Debug("Failed to add verification request", err)
-		return res, err
-	}
-
-	// execute it as go routine so that we can reduce the api latency
-	go email.SendEmail([]string{params.Email}, constants.VerificationTypeForgotPassword, map[string]interface{}{
-		"user":             user.ToMap(),
-		"organization":     utils.GetOrganization(),
-		"verification_url": utils.GetForgotPasswordURL(verificationToken, redirectURI),
-	})
-
-	res = &model.Response{
-		Message: `Please check your inbox! We have sent a password reset link.`,
-	}
-
-	return res, nil
+	return nil, fmt.Errorf(`email or phone number verification needs to be enabled`)
 }

server/resolvers/invite_members.go

@@ -106,7 +106,7 @@ func InviteMembersResolver(ctx context.Context, params model.InviteMemberInput)
 		}
 
 		user := &models.User{
-			Email: email,
+			Email: refs.NewStringRef(email),
 			Roles: strings.Join(defaultRoles, ","),
 		}
 		hostname := parsers.GetHost(gc)
@@ -171,7 +171,7 @@ func InviteMembersResolver(ctx context.Context, params model.InviteMemberInput)
 		}
 
 		// exec it as go routine so that we can reduce the api latency
-		go emailservice.SendEmail([]string{user.Email}, constants.VerificationTypeInviteMember, map[string]interface{}{
+		go emailservice.SendEmail([]string{refs.StringValue(user.Email)}, constants.VerificationTypeInviteMember, map[string]interface{}{
 			"user":             user.ToMap(),
 			"organization":     utils.GetOrganization(),
 			"verification_url": utils.GetInviteVerificationURL(verifyEmailURL, verificationToken, redirectURL),

server/resolvers/is_registered.go

@@ -0,0 +1,55 @@
+package resolvers
+
+import (
+	"context"
+	"fmt"
+	"github.com/authorizerdev/authorizer/server/db"
+	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/refs"
+	log "github.com/sirupsen/logrus"
+	"strings"
+)
+
+// IsRegisteredResolver is a resolver for registered checkup query
+func IsRegisteredResolver(ctx context.Context, email string) (*model.Response, error) {
+	// Initialize the response object
+	res := &model.Response{}
+	res.Message = ""
+
+	// Convert email to lowercase
+	email = strings.ToLower(strings.TrimSpace(refs.StringValue(&email)))
+	if email == "" {
+		log.Debug("Email is required")
+		return res, fmt.Errorf("email is required")
+	}
+
+	// Initialize logger with a field
+	log := log.WithField("email", email)
+
+	// Find user with email
+	existingUser, err := db.Provider.GetUserByEmail(ctx, email)
+	if err != nil {
+		log.Debug("Failed to get user by email: ", err)
+	} else {
+		log.Debug("Found user by email: ", existingUser)
+		if existingUser != nil {
+		    if existingUser.SignupMethods == "magic_link_login" {
+		        res.Message = "registered"
+		    } else if existingUser.EmailVerifiedAt != nil {
+		        res.Message = "verified"
+		        log.Debug("Email is already verified and signed up.")
+		        return res, nil
+		    } else if existingUser.ID != "" && existingUser.EmailVerifiedAt == nil {
+		        res.Message = "not verified"
+		        log.Debug("Email is already signed up. Verification pending...")
+		        return res, nil
+		    } else {
+		        res.Message = "unknown"
+		        log.Debug("Unknown signup method.")
+		        return res, nil
+		    }
+		}
+	}
+
+	return res, nil
+}

server/resolvers/login.go

@@ -7,23 +7,27 @@ import (
 	"time"
 
 	"github.com/google/uuid"
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/crypto/bcrypt"
 
+	log "github.com/sirupsen/logrus"
+
+	"github.com/authorizerdev/authorizer/server/authenticators"
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/cookie"
+	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/db/models"
-	"github.com/authorizerdev/authorizer/server/email"
+	mailService "github.com/authorizerdev/authorizer/server/email"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/memorystore"
 	"github.com/authorizerdev/authorizer/server/refs"
+	"github.com/authorizerdev/authorizer/server/smsproviders"
 	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/authorizerdev/authorizer/server/validators"
 )
 
 // LoginResolver is a resolver for login mutation
+// User can login with email or phone number, but not both
 func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthResponse, error) {
 	var res *model.AuthResponse
 
@@ -39,43 +43,72 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
 		isBasicAuthDisabled = true
 	}
 
+	isMobileBasicAuthDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableMobileBasicAuthentication)
+	if err != nil {
+		log.Debug("Error getting mobile basic auth disabled: ", err)
+		isMobileBasicAuthDisabled = true
+	}
+
+	email := refs.StringValue(params.Email)
+	phoneNumber := refs.StringValue(params.PhoneNumber)
+	if email == "" && phoneNumber == "" {
+		log.Debug("Email or phone number is required")
+		return res, fmt.Errorf(`email or phone number is required`)
+	}
+	log := log.WithFields(log.Fields{
+		"email":        refs.StringValue(params.Email),
+		"phone_number": refs.StringValue(params.PhoneNumber),
+	})
+	isEmailLogin := email != ""
+	isMobileLogin := phoneNumber != ""
 	if isBasicAuthDisabled {
 		log.Debug("Basic authentication is disabled.")
 		return res, fmt.Errorf(`basic authentication is disabled for this instance`)
 	}
-
-	log := log.WithFields(log.Fields{
-		"email": params.Email,
-	})
-	params.Email = strings.ToLower(params.Email)
-	user, err := db.Provider.GetUserByEmail(ctx, params.Email)
-	if err != nil {
-		log.Debug("Failed to get user by email: ", err)
-		return res, fmt.Errorf(`bad user credentials`)
+	if isMobileBasicAuthDisabled && isMobileLogin {
+		log.Debug("Mobile basic authentication is disabled.")
+		return res, fmt.Errorf(`mobile basic authentication is disabled for this instance`)
+	}
+	var user *models.User
+	if isEmailLogin {
+		user, err = db.Provider.GetUserByEmail(ctx, email)
+	} else {
+		user, err = db.Provider.GetUserByPhoneNumber(ctx, phoneNumber)
+	}
+	if err != nil {
+		log.Debug("Failed to get user: ", err)
+		return res, fmt.Errorf(`user not found`)
 	}
-
 	if user.RevokedTimestamp != nil {
 		log.Debug("User access is revoked")
 		return res, fmt.Errorf(`user access has been revoked`)
 	}
+	if isEmailLogin {
+		if !strings.Contains(user.SignupMethods, constants.AuthRecipeMethodBasicAuth) {
+			log.Debug("User signup method is not basic auth")
+			return res, fmt.Errorf(`user has not signed up email & password`)
+		}
 
-	if !strings.Contains(user.SignupMethods, constants.AuthRecipeMethodBasicAuth) {
-		log.Debug("User signup method is not basic auth")
-		return res, fmt.Errorf(`user has not signed up email & password`)
+		if user.EmailVerifiedAt == nil {
+			log.Debug("User email is not verified")
+			return res, fmt.Errorf(`email not verified`)
+		}
+	} else {
+		if !strings.Contains(user.SignupMethods, constants.AuthRecipeMethodMobileBasicAuth) {
+			log.Debug("User signup method is not mobile basic auth")
+			return res, fmt.Errorf(`user has not signed up with phone number & password`)
+		}
+
+		if user.PhoneNumberVerifiedAt == nil {
+			log.Debug("User phone number is not verified")
+			return res, fmt.Errorf(`phone number is not verified`)
+		}
 	}
-
-	if user.EmailVerifiedAt == nil {
-		log.Debug("User email is not verified")
-		return res, fmt.Errorf(`email not verified`)
-	}
-
-	err = bcrypt.CompareHashAndPassword([]byte(*user.Password), []byte(params.Password))
-
+	err = crypto.VerifyPassword(*user.Password, params.Password)
 	if err != nil {
 		log.Debug("Failed to compare password: ", err)
 		return res, fmt.Errorf(`bad user credentials`)
 	}
-
 	defaultRolesString, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyDefaultRoles)
 	roles := []string{}
 	if err != nil {
@@ -84,71 +117,163 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
 	} else {
 		roles = strings.Split(defaultRolesString, ",")
 	}
-
 	currentRoles := strings.Split(user.Roles, ",")
 	if len(params.Roles) > 0 {
 		if !validators.IsValidRoles(params.Roles, currentRoles) {
 			log.Debug("Invalid roles: ", params.Roles)
 			return res, fmt.Errorf(`invalid roles`)
 		}
-
 		roles = params.Roles
 	}
-
 	scope := []string{"openid", "email", "profile"}
 	if params.Scope != nil && len(scope) > 0 {
 		scope = params.Scope
 	}
-
 	isEmailServiceEnabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyIsEmailServiceEnabled)
 	if err != nil || !isEmailServiceEnabled {
 		log.Debug("Email service not enabled: ", err)
 	}
+	isSMSServiceEnabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyIsSMSServiceEnabled)
+	if err != nil || !isSMSServiceEnabled {
+		log.Debug("SMS service not enabled: ", err)
+	}
 
 	isMFADisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableMultiFactorAuthentication)
 	if err != nil || !isMFADisabled {
 		log.Debug("MFA service not enabled: ", err)
 	}
 
-	// If email service is not enabled continue the process in any way
-	if refs.BoolValue(user.IsMultiFactorAuthEnabled) && isEmailServiceEnabled && !isMFADisabled {
+	isTOTPLoginDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableTOTPLogin)
+	if err != nil || !isTOTPLoginDisabled {
+		log.Debug("totp service not enabled: ", err)
+	}
+
+	isMailOTPDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableMailOTPLogin)
+	if err != nil || !isMailOTPDisabled {
+		log.Debug("mail OTP service not enabled: ", err)
+	}
+
+	isSMSOTPDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisablePhoneVerification)
+	if err != nil || !isSMSOTPDisabled {
+		log.Debug("sms OTP service not enabled: ", err)
+	}
+	setOTPMFaSession := func(expiresAt int64) error {
+		mfaSession := uuid.NewString()
+		err = memorystore.Provider.SetMfaSession(user.ID, mfaSession, expiresAt)
+		if err != nil {
+			log.Debug("Failed to add mfasession: ", err)
+			return err
+		}
+		cookie.SetMfaSession(gc, mfaSession)
+		return nil
+	}
+	// If multi factor authentication is enabled and we need to generate OTP for mail / sms based MFA
+	generateOTP := func(expiresAt int64) (*models.OTP, error) {
 		otp := utils.GenerateOTP()
-		expires := time.Now().Add(1 * time.Minute).Unix()
 		otpData, err := db.Provider.UpsertOTP(ctx, &models.OTP{
-			Email:     user.Email,
-			Otp:       otp,
-			ExpiresAt: expires,
+			Email:       refs.StringValue(user.Email),
+			PhoneNumber: refs.StringValue(user.PhoneNumber),
+			Otp:         otp,
+			ExpiresAt:   expiresAt,
 		})
 		if err != nil {
 			log.Debug("Failed to add otp: ", err)
 			return nil, err
 		}
-
-		mfaSession := uuid.NewString()
-		err = memorystore.Provider.SetMfaSession(user.ID, mfaSession, expires)
-		if err != nil {
-			log.Debug("Failed to add mfasession: ", err)
-			return nil, err
-		}
-		cookie.SetMfaSession(gc, mfaSession)
-
+		return otpData, nil
+	}
+	// If multi factor authentication is enabled and is email based login and email otp is enabled
+	if refs.BoolValue(user.IsMultiFactorAuthEnabled) && !isMFADisabled && !isMailOTPDisabled && isEmailServiceEnabled && isEmailLogin {
+		expiresAt := time.Now().Add(1 * time.Minute).Unix()
+		otpData, err := generateOTP(expiresAt)
 		go func() {
+			if err != nil {
+				log.Debug("Failed to generate otp: ", err)
+				return
+			}
+			if err := setOTPMFaSession(expiresAt); err != nil {
+				log.Debug("Failed to set mfa session: ", err)
+				return
+			}
 			// exec it as go routine so that we can reduce the api latency
-			go email.SendEmail([]string{params.Email}, constants.VerificationTypeOTP, map[string]interface{}{
+			if err := mailService.SendEmail([]string{email}, constants.VerificationTypeOTP, map[string]interface{}{
 				"user":         user.ToMap(),
 				"organization": utils.GetOrganization(),
 				"otp":          otpData.Otp,
-			})
-			if err != nil {
+			}); err != nil {
 				log.Debug("Failed to send otp email: ", err)
 			}
+			utils.RegisterEvent(ctx, constants.UserLoginWebhookEvent, constants.AuthRecipeMethodBasicAuth, user)
 		}()
-
 		return &model.AuthResponse{
-			Message:                  "Please check the OTP in your inbox",
-			ShouldShowEmailOtpScreen: refs.NewBoolRef(true),
+			Message:                  "Please check email inbox for the OTP",
+			ShouldShowEmailOtpScreen: refs.NewBoolRef(isMobileLogin),
 		}, nil
 	}
+	// If multi factor authentication is enabled and is sms based login and sms otp is enabled
+	if refs.BoolValue(user.IsMultiFactorAuthEnabled) && !isMFADisabled && !isSMSOTPDisabled && isSMSServiceEnabled && isMobileLogin {
+		expiresAt := time.Now().Add(1 * time.Minute).Unix()
+		otpData, err := generateOTP(expiresAt)
+		go func() {
+			if err != nil {
+				log.Debug("Failed to generate otp: ", err)
+				return
+			}
+			if err := setOTPMFaSession(expiresAt); err != nil {
+				log.Debug("Failed to set mfa session: ", err)
+				return
+			}
+			smsBody := strings.Builder{}
+			smsBody.WriteString("Your verification code is: ")
+			smsBody.WriteString(otpData.Otp)
+			utils.RegisterEvent(ctx, constants.UserLoginWebhookEvent, constants.AuthRecipeMethodMobileBasicAuth, user)
+			if err := smsproviders.SendSMS(phoneNumber, smsBody.String()); err != nil {
+				log.Debug("Failed to send sms: ", err)
+			}
+		}()
+		return &model.AuthResponse{
+			Message:                   "Please check text message for the OTP",
+			ShouldShowMobileOtpScreen: refs.NewBoolRef(isMobileLogin),
+		}, nil
+	}
+	// If mfa enabled and also totp enabled
+	if refs.BoolValue(user.IsMultiFactorAuthEnabled) && !isMFADisabled && !isTOTPLoginDisabled {
+		expiresAt := time.Now().Add(3 * time.Minute).Unix()
+		if err := setOTPMFaSession(expiresAt); err != nil {
+			log.Debug("Failed to set mfa session: ", err)
+			return nil, err
+		}
+		authenticator, err := db.Provider.GetAuthenticatorDetailsByUserId(ctx, user.ID, constants.EnvKeyTOTPAuthenticator)
+		if err != nil || authenticator == nil || authenticator.VerifiedAt == nil {
+			// generate totp
+			// Generate a base64 URL and initiate the registration for TOTP
+			authConfig, err := authenticators.Provider.Generate(ctx, user.ID)
+			if err != nil {
+				log.Debug("error while generating base64 url: ", err)
+				return nil, err
+			}
+			recoveryCodes := []*string{}
+			for _, code := range authConfig.RecoveryCodes {
+				recoveryCodes = append(recoveryCodes, refs.NewStringRef(code))
+			}
+			// when user is first time registering for totp
+			res = &model.AuthResponse{
+				Message:                    `Proceed to totp verification screen`,
+				ShouldShowTotpScreen:       refs.NewBoolRef(true),
+				AuthenticatorScannerImage:  refs.NewStringRef(authConfig.ScannerImage),
+				AuthenticatorSecret:        refs.NewStringRef(authConfig.Secret),
+				AuthenticatorRecoveryCodes: recoveryCodes,
+			}
+			return res, nil
+		} else {
+			//when user is already register for totp
+			res = &model.AuthResponse{
+				Message:              `Proceed to totp screen`,
+				ShouldShowTotpScreen: refs.NewBoolRef(true),
+			}
+			return res, nil
+		}
+	}
 
 	code := ""
 	codeChallenge := ""
@@ -191,6 +316,12 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
 		expiresIn = 1
 	}
 
+    appData, err := memorystore.Provider.GetUserAppDataFromRedis(user.ID)
+    if err == nil {
+        // Assign the combined data to the provided pointer
+        user.AppData = &appData
+    }
+
 	res = &model.AuthResponse{
 		Message:     `Logged in successfully`,
 		AccessToken: &authToken.AccessToken.Token,
@@ -210,7 +341,13 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
 	}
 
 	go func() {
-		utils.RegisterEvent(ctx, constants.UserLoginWebhookEvent, constants.AuthRecipeMethodBasicAuth, user)
+		// Register event
+		if isEmailLogin {
+			utils.RegisterEvent(ctx, constants.UserLoginWebhookEvent, constants.AuthRecipeMethodBasicAuth, user)
+		} else {
+			utils.RegisterEvent(ctx, constants.UserLoginWebhookEvent, constants.AuthRecipeMethodMobileBasicAuth, user)
+		}
+		// Record session
 		db.Provider.AddSession(ctx, &models.Session{
 			UserID:    user.ID,
 			UserAgent: utils.GetUserAgent(gc.Request),

server/resolvers/logout.go

@@ -2,12 +2,10 @@ package resolvers
 
 import (
 	"context"
-	"encoding/json"
 
 	log "github.com/sirupsen/logrus"
 
 	"github.com/authorizerdev/authorizer/server/cookie"
-	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/memorystore"
 	"github.com/authorizerdev/authorizer/server/token"
@@ -22,31 +20,18 @@ func LogoutResolver(ctx context.Context) (*model.Response, error) {
 		return nil, err
 	}
 
-	// get fingerprint hash
-	fingerprintHash, err := cookie.GetSession(gc)
+	tokenData, err := token.GetUserIDFromSessionOrAccessToken(gc)
 	if err != nil {
-		log.Debug("Failed to get fingerprint hash: ", err)
+		log.Debug("Failed GetUserIDFromSessionOrAccessToken: ", err)
 		return nil, err
 	}
 
-	decryptedFingerPrint, err := crypto.DecryptAES(fingerprintHash)
-	if err != nil {
-		log.Debug("Failed to decrypt fingerprint hash: ", err)
-		return nil, err
+	sessionKey := tokenData.UserID
+	if tokenData.LoginMethod != "" {
+		sessionKey = tokenData.LoginMethod + ":" + tokenData.UserID
 	}
 
-	var sessionData token.SessionData
-	err = json.Unmarshal([]byte(decryptedFingerPrint), &sessionData)
-	if err != nil {
-		return nil, err
-	}
-
-	sessionKey := sessionData.Subject
-	if sessionData.LoginMethod != "" {
-		sessionKey = sessionData.LoginMethod + ":" + sessionData.Subject
-	}
-
-	memorystore.Provider.DeleteUserSession(sessionKey, sessionData.Nonce)
+	memorystore.Provider.DeleteUserSession(sessionKey, tokenData.Nonce)
 	cookie.DeleteSession(gc)
 
 	res := &model.Response{

server/resolvers/magic_link_login.go

@@ -56,7 +56,7 @@ func MagicLinkLoginResolver(ctx context.Context, params model.MagicLinkLoginInpu
 	inputRoles := []string{}
 
 	user := &models.User{
-		Email: params.Email,
+		Email: refs.NewStringRef(params.Email),
 	}
 
 	// find user with email

server/resolvers/meta.go

@@ -106,6 +106,16 @@ func MetaResolver(ctx context.Context) (*model.Meta, error) {
 		log.Debug("Failed to get Disable Basic Authentication from environment variable", err)
 		isBasicAuthDisabled = true
 	}
+	isMobileBasicAuthDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableMobileBasicAuthentication)
+	if err != nil {
+		log.Debug("Failed to get Disable Basic Authentication from environment variable", err)
+		isMobileBasicAuthDisabled = true
+	}
+	isMobileVerificationDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisablePhoneVerification)
+	if err != nil {
+		log.Debug("Failed to get Disable Basic Authentication from environment variable", err)
+		isMobileVerificationDisabled = true
+	}
 
 	isEmailVerificationDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableEmailVerification)
 	if err != nil {
@@ -138,21 +148,23 @@ func MetaResolver(ctx context.Context) (*model.Meta, error) {
 	}
 
 	metaInfo := model.Meta{
-		Version:                      constants.VERSION,
-		ClientID:                     clientID,
-		IsGoogleLoginEnabled:         googleClientID != "" && googleClientSecret != "",
-		IsGithubLoginEnabled:         githubClientID != "" && githubClientSecret != "",
-		IsFacebookLoginEnabled:       facebookClientID != "" && facebookClientSecret != "",
-		IsLinkedinLoginEnabled:       linkedClientID != "" && linkedInClientSecret != "",
-		IsAppleLoginEnabled:          appleClientID != "" && appleClientSecret != "",
-		IsTwitterLoginEnabled:        twitterClientID != "" && twitterClientSecret != "",
-		IsMicrosoftLoginEnabled:      microsoftClientID != "" && microsoftClientSecret != "",
-		IsBasicAuthenticationEnabled: !isBasicAuthDisabled,
-		IsEmailVerificationEnabled:   !isEmailVerificationDisabled,
-		IsMagicLinkLoginEnabled:      !isMagicLinkLoginDisabled,
-		IsSignUpEnabled:              !isSignUpDisabled,
-		IsStrongPasswordEnabled:      !isStrongPasswordDisabled,
-		IsMultiFactorAuthEnabled:     !isMultiFactorAuthenticationEnabled,
+		Version:                            constants.VERSION,
+		ClientID:                           clientID,
+		IsGoogleLoginEnabled:               googleClientID != "" && googleClientSecret != "",
+		IsGithubLoginEnabled:               githubClientID != "" && githubClientSecret != "",
+		IsFacebookLoginEnabled:             facebookClientID != "" && facebookClientSecret != "",
+		IsLinkedinLoginEnabled:             linkedClientID != "" && linkedInClientSecret != "",
+		IsAppleLoginEnabled:                appleClientID != "" && appleClientSecret != "",
+		IsTwitterLoginEnabled:              twitterClientID != "" && twitterClientSecret != "",
+		IsMicrosoftLoginEnabled:            microsoftClientID != "" && microsoftClientSecret != "",
+		IsBasicAuthenticationEnabled:       !isBasicAuthDisabled,
+		IsEmailVerificationEnabled:         !isEmailVerificationDisabled,
+		IsMagicLinkLoginEnabled:            !isMagicLinkLoginDisabled,
+		IsSignUpEnabled:                    !isSignUpDisabled,
+		IsStrongPasswordEnabled:            !isStrongPasswordDisabled,
+		IsMultiFactorAuthEnabled:           !isMultiFactorAuthenticationEnabled,
+		IsMobileBasicAuthenticationEnabled: !isMobileBasicAuthDisabled,
+		IsPhoneVerificationEnabled:         !isMobileVerificationDisabled,
 	}
 	return &metaInfo, nil
 }

server/resolvers/mobile_login.go

@@ -8,10 +8,10 @@ import (
 
 	"github.com/google/uuid"
 	log "github.com/sirupsen/logrus"
-	"golang.org/x/crypto/bcrypt"
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/cookie"
+	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/db/models"
 	"github.com/authorizerdev/authorizer/server/graph/model"
@@ -69,7 +69,7 @@ func MobileLoginResolver(ctx context.Context, params model.MobileLoginInput) (*m
 		return res, fmt.Errorf(`phone number is not verified`)
 	}
 
-	err = bcrypt.CompareHashAndPassword([]byte(*user.Password), []byte(params.Password))
+	err = crypto.VerifyPassword(*user.Password, params.Password)
 
 	if err != nil {
 		log.Debug("Failed to compare password: ", err)

server/resolvers/mobile_signup.go

@@ -131,7 +131,7 @@ func MobileSignupResolver(ctx context.Context, params *model.MobileSignUpInput)
 	}
 
 	user := &models.User{
-		Email:       emailInput,
+		Email:       &emailInput,
 		PhoneNumber: &mobile,
 	}
 

server/resolvers/profile.go

@@ -20,25 +20,15 @@ func ProfileResolver(ctx context.Context) (*model.User, error) {
 		log.Debug("Failed to get GinContext: ", err)
 		return res, err
 	}
-
-	accessToken, err := token.GetAccessToken(gc)
+	tokenData, err := token.GetUserIDFromSessionOrAccessToken(gc)
 	if err != nil {
-		log.Debug("Failed to get access token: ", err)
+		log.Debug("Failed GetUserIDFromSessionOrAccessToken: ", err)
 		return res, err
 	}
-
-	claims, err := token.ValidateAccessToken(gc, accessToken)
-	if err != nil {
-		log.Debug("Failed to validate access token: ", err)
-		return res, err
-	}
-
-	userID := claims["sub"].(string)
-
 	log := log.WithFields(log.Fields{
-		"user_id": userID,
+		"user_id": tokenData.UserID,
 	})
-	user, err := db.Provider.GetUserByID(ctx, userID)
+	user, err := db.Provider.GetUserByID(ctx, tokenData.UserID)
 	if err != nil {
 		log.Debug("Failed to get user: ", err)
 		return res, err

server/resolvers/resend_otp.go

@@ -100,7 +100,7 @@ func ResendOTPResolver(ctx context.Context, params model.ResendOTPRequest) (*mod
 
 	otp := utils.GenerateOTP()
 	if _, err := db.Provider.UpsertOTP(ctx, &models.OTP{
-		Email:     user.Email,
+		Email:     refs.StringValue(user.Email),
 		Otp:       otp,
 		ExpiresAt: time.Now().Add(1 * time.Minute).Unix(),
 	}); err != nil {

server/resolvers/reset_password.go

@@ -9,8 +9,10 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	"github.com/authorizerdev/authorizer/server/constants"
+	"github.com/authorizerdev/authorizer/server/cookie"
 	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/db"
+	"github.com/authorizerdev/authorizer/server/db/models"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/memorystore"
 	"github.com/authorizerdev/authorizer/server/parsers"
@@ -29,97 +31,155 @@ func ResetPasswordResolver(ctx context.Context, params model.ResetPasswordInput)
 		log.Debug("Failed to get GinContext: ", err)
 		return res, err
 	}
-
+	verifyingToken := refs.StringValue(params.Token)
+	otp := refs.StringValue(params.Otp)
+	if verifyingToken == "" && otp == "" {
+		log.Debug("Token or OTP is required")
+		return res, fmt.Errorf(`token or otp is required`)
+	}
+	isTokenVerification := verifyingToken != ""
+	isOtpVerification := otp != ""
+	if isOtpVerification && refs.StringValue(params.PhoneNumber) == "" {
+		log.Debug("Phone number is required")
+		return res, fmt.Errorf(`phone number is required`)
+	}
 	isBasicAuthDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableBasicAuthentication)
 	if err != nil {
 		log.Debug("Error getting basic auth disabled: ", err)
 		isBasicAuthDisabled = true
 	}
-	if isBasicAuthDisabled {
+	isMobileBasicAuthDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableMobileBasicAuthentication)
+	if err != nil {
+		log.Debug("Error getting mobile basic auth disabled: ", err)
+		isBasicAuthDisabled = true
+	}
+	if isTokenVerification && isBasicAuthDisabled {
 		log.Debug("Basic authentication is disabled")
 		return res, fmt.Errorf(`basic authentication is disabled for this instance`)
 	}
-
-	verificationRequest, err := db.Provider.GetVerificationRequestByToken(ctx, params.Token)
-	if err != nil {
-		log.Debug("Failed to get verification request: ", err)
-		return res, fmt.Errorf(`invalid token`)
+	if isOtpVerification && isMobileBasicAuthDisabled {
+		log.Debug("Mobile basic authentication is disabled")
+		return res, fmt.Errorf(`mobile basic authentication is disabled for this instance`)
 	}
+	email := ""
+	phoneNumber := refs.StringValue(params.PhoneNumber)
+	var user *models.User
+	var verificationRequest *models.VerificationRequest
+	var otpRequest *models.OTP
+	if isTokenVerification {
+		verificationRequest, err = db.Provider.GetVerificationRequestByToken(ctx, verifyingToken)
+		if err != nil {
+			log.Debug("Failed to get verification request: ", err)
+			return res, fmt.Errorf(`invalid token`)
+		}
+		// verify if token exists in db
+		hostname := parsers.GetHost(gc)
+		claim, err := token.ParseJWTToken(verifyingToken)
+		if err != nil {
+			log.Debug("Failed to parse token: ", err)
+			return res, fmt.Errorf(`invalid token`)
+		}
 
+		if ok, err := token.ValidateJWTClaims(claim, hostname, verificationRequest.Nonce, verificationRequest.Email); !ok || err != nil {
+			log.Debug("Failed to validate jwt claims: ", err)
+			return res, fmt.Errorf(`invalid token`)
+		}
+		email = claim["sub"].(string)
+		user, err = db.Provider.GetUserByEmail(ctx, email)
+		if err != nil {
+			log.Debug("Failed to get user: ", err)
+			return res, err
+		}
+	}
+	if isOtpVerification {
+		mfaSession, err := cookie.GetMfaSession(gc)
+		if err != nil {
+			log.Debug("Failed to get otp request by email: ", err)
+			return res, fmt.Errorf(`invalid session: %s`, err.Error())
+		}
+		// Get user by phone number
+		user, err = db.Provider.GetUserByPhoneNumber(ctx, phoneNumber)
+		if err != nil {
+			log.Debug("Failed to get user by phone number: ", err)
+			return res, fmt.Errorf(`user not found`)
+		}
+		if _, err := memorystore.Provider.GetMfaSession(user.ID, mfaSession); err != nil {
+			log.Debug("Failed to get mfa session: ", err)
+			return res, fmt.Errorf(`invalid session: %s`, err.Error())
+		}
+		otpRequest, err = db.Provider.GetOTPByPhoneNumber(ctx, phoneNumber)
+		if err != nil {
+			log.Debug("Failed to get otp request by phone number: ", err)
+			return res, fmt.Errorf(`invalid otp`)
+		}
+		if otpRequest.Otp != otp {
+			log.Debug("Failed to verify otp request: Incorrect value")
+			return res, fmt.Errorf(`invalid otp`)
+		}
+	}
 	if params.Password != params.ConfirmPassword {
 		log.Debug("Passwords do not match")
 		return res, fmt.Errorf(`passwords don't match`)
 	}
-
 	if err := validators.IsValidPassword(params.Password); err != nil {
 		log.Debug("Invalid password")
 		return res, err
 	}
-
-	// verify if token exists in db
-	hostname := parsers.GetHost(gc)
-	claim, err := token.ParseJWTToken(params.Token)
-	if err != nil {
-		log.Debug("Failed to parse token: ", err)
-		return res, fmt.Errorf(`invalid token`)
-	}
-
-	if ok, err := token.ValidateJWTClaims(claim, hostname, verificationRequest.Nonce, verificationRequest.Email); !ok || err != nil {
-		log.Debug("Failed to validate jwt claims: ", err)
-		return res, fmt.Errorf(`invalid token`)
-	}
-
-	email := claim["sub"].(string)
 	log := log.WithFields(log.Fields{
 		"email": email,
+		"phone": phoneNumber,
 	})
-	user, err := db.Provider.GetUserByEmail(ctx, email)
-	if err != nil {
-		log.Debug("Failed to get user: ", err)
-		return res, err
-	}
-
 	password, _ := crypto.EncryptPassword(params.Password)
 	user.Password = &password
-
 	signupMethod := user.SignupMethods
-	if !strings.Contains(signupMethod, constants.AuthRecipeMethodBasicAuth) {
+	if !strings.Contains(signupMethod, constants.AuthRecipeMethodBasicAuth) && isTokenVerification {
 		signupMethod = signupMethod + "," + constants.AuthRecipeMethodBasicAuth
-
-		isMFAEnforced, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyEnforceMultiFactorAuthentication)
-		if err != nil {
-			log.Debug("MFA service not enabled: ", err)
-			isMFAEnforced = false
+		// helpful if user has not signed up with basic auth
+		if user.EmailVerifiedAt == nil {
+			now := time.Now().Unix()
+			user.EmailVerifiedAt = &now
 		}
-
-		if isMFAEnforced {
-			user.IsMultiFactorAuthEnabled = refs.NewBoolRef(true)
+	}
+	if !strings.Contains(signupMethod, constants.AuthRecipeMethodMobileOTP) && isOtpVerification {
+		signupMethod = signupMethod + "," + constants.AuthRecipeMethodMobileOTP
+		// helpful if user has not signed up with basic auth
+		if user.PhoneNumberVerifiedAt == nil {
+			now := time.Now().Unix()
+			user.PhoneNumberVerifiedAt = &now
 		}
 	}
 	user.SignupMethods = signupMethod
-
-	// helpful if user has not signed up with basic auth
-	if user.EmailVerifiedAt == nil {
-		now := time.Now().Unix()
-		user.EmailVerifiedAt = &now
-	}
-
-	// delete from verification table
-	err = db.Provider.DeleteVerificationRequest(ctx, verificationRequest)
+	isMFAEnforced, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyEnforceMultiFactorAuthentication)
 	if err != nil {
-		log.Debug("Failed to delete verification request: ", err)
-		return res, err
+		log.Debug("MFA service not enabled: ", err)
+		isMFAEnforced = false
+	}
+	if isMFAEnforced {
+		user.IsMultiFactorAuthEnabled = refs.NewBoolRef(true)
 	}
-
 	_, err = db.Provider.UpdateUser(ctx, user)
 	if err != nil {
 		log.Debug("Failed to update user: ", err)
 		return res, err
 	}
-
+	if isTokenVerification {
+		// delete from verification table
+		err = db.Provider.DeleteVerificationRequest(ctx, verificationRequest)
+		if err != nil {
+			log.Debug("Failed to delete verification request: ", err)
+			return res, err
+		}
+	}
+	if isOtpVerification {
+		// delete from otp table
+		err = db.Provider.DeleteOTP(ctx, otpRequest)
+		if err != nil {
+			log.Debug("Failed to delete otp request: ", err)
+			return res, err
+		}
+	}
 	res = &model.Response{
 		Message: `Password updated successfully.`,
 	}
-
 	return res, nil
 }

server/resolvers/session.go

@@ -38,7 +38,7 @@ func SessionResolver(ctx context.Context, params *model.SessionQueryInput) (*mod
 	// get session from cookie
 	claims, err := token.ValidateBrowserSession(gc, sessionToken)
 	if err != nil {
-		log.Debug("Failed to validate session token", err)
+		log.Debug("Failed to validate session token: ", err)
 		return res, errors.New("unauthorized")
 	}
 	userID := claims.Subject
@@ -90,6 +90,12 @@ func SessionResolver(ctx context.Context, params *model.SessionQueryInput) (*mod
 		expiresIn = 1
 	}
 
+    appData, err := memorystore.Provider.GetUserAppDataFromRedis(user.ID)
+    if err == nil {
+        // Assign the combined data to the provided pointer
+        user.AppData = &appData
+    }
+    
 	res = &model.AuthResponse{
 		Message:     `Session token refreshed`,
 		AccessToken: &authToken.AccessToken.Token,
@@ -102,6 +108,7 @@ func SessionResolver(ctx context.Context, params *model.SessionQueryInput) (*mod
 	memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash, authToken.SessionTokenExpiresAt)
 	memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token, authToken.AccessToken.ExpiresAt)
 
+
 	if authToken.RefreshToken != nil {
 		res.RefreshToken = &authToken.RefreshToken.Token
 		memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token, authToken.RefreshToken.ExpiresAt)

server/resolvers/signup.go

@@ -16,11 +16,12 @@ import (
 	"github.com/authorizerdev/authorizer/server/crypto"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/db/models"
-	"github.com/authorizerdev/authorizer/server/email"
+	emailService "github.com/authorizerdev/authorizer/server/email"
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/memorystore"
 	"github.com/authorizerdev/authorizer/server/parsers"
 	"github.com/authorizerdev/authorizer/server/refs"
+	"github.com/authorizerdev/authorizer/server/smsproviders"
 	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/authorizerdev/authorizer/server/validators"
@@ -51,46 +52,77 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 		log.Debug("Error getting basic auth disabled: ", err)
 		isBasicAuthDisabled = true
 	}
-
-	if isBasicAuthDisabled {
-		log.Debug("Basic authentication is disabled")
-		return res, fmt.Errorf(`basic authentication is disabled for this instance`)
+	isMobileBasicAuthDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableMobileBasicAuthentication)
+	if err != nil {
+		log.Debug("Error getting mobile basic auth disabled: ", err)
+		isMobileBasicAuthDisabled = true
 	}
-
 	if params.ConfirmPassword != params.Password {
 		log.Debug("Passwords do not match")
 		return res, fmt.Errorf(`password and confirm password does not match`)
 	}
-
 	if err := validators.IsValidPassword(params.Password); err != nil {
 		log.Debug("Invalid password")
 		return res, err
 	}
-
-	params.Email = strings.ToLower(params.Email)
-
-	if !validators.IsValidEmail(params.Email) {
+	email := strings.TrimSpace(refs.StringValue(params.Email))
+	phoneNumber := strings.TrimSpace(refs.StringValue(params.PhoneNumber))
+	if email == "" && phoneNumber == "" {
+		log.Debug("Email or phone number is required")
+		return res, fmt.Errorf(`email or phone number is required`)
+	}
+	isEmailSignup := email != ""
+	isMobileSignup := phoneNumber != ""
+	if isBasicAuthDisabled && isEmailSignup {
+		log.Debug("Basic authentication is disabled")
+		return res, fmt.Errorf(`basic authentication is disabled for this instance`)
+	}
+	if isMobileBasicAuthDisabled && isMobileSignup {
+		log.Debug("Mobile basic authentication is disabled")
+		return res, fmt.Errorf(`mobile basic authentication is disabled for this instance`)
+	}
+	if isEmailSignup && !validators.IsValidEmail(email) {
 		log.Debug("Invalid email: ", params.Email)
 		return res, fmt.Errorf(`invalid email address`)
 	}
-
-	log := log.WithFields(log.Fields{
-		"email": params.Email,
-	})
-	// find user with email
-	existingUser, err := db.Provider.GetUserByEmail(ctx, params.Email)
-	if err != nil {
-		log.Debug("Failed to get user by email: ", err)
+	if isMobileSignup && (phoneNumber == "" || len(phoneNumber) < 10) {
+		log.Debug("Invalid phone number: ", phoneNumber)
+		return res, fmt.Errorf(`invalid phone number`)
 	}
-
-	if existingUser != nil {
-		if existingUser.EmailVerifiedAt != nil {
-			// email is verified
-			log.Debug("Email is already verified and signed up.")
-			return res, fmt.Errorf(`%s has already signed up`, params.Email)
-		} else if existingUser.ID != "" && existingUser.EmailVerifiedAt == nil {
-			log.Debug("Email is already signed up. Verification pending...")
-			return res, fmt.Errorf("%s has already signed up. please complete the email verification process or reset the password", params.Email)
+	log := log.WithFields(log.Fields{
+		"email":        email,
+		"phone_number": phoneNumber,
+	})
+	// find user with email / phone number
+	if isEmailSignup {
+		existingUser, err := db.Provider.GetUserByEmail(ctx, email)
+		if err != nil {
+			log.Debug("Failed to get user by email: ", err)
+		}
+		if existingUser != nil {
+			if existingUser.EmailVerifiedAt != nil {
+				// email is verified
+				log.Debug("Email is already verified and signed up.")
+				return res, fmt.Errorf(`%s has already signed up`, email)
+			} else if existingUser.ID != "" && existingUser.EmailVerifiedAt == nil {
+				log.Debug("Email is already signed up. Verification pending...")
+				return res, fmt.Errorf("%s has already signed up. please complete the email verification process or reset the password", email)
+			}
+		}
+	} else {
+		existingUser, err := db.Provider.GetUserByPhoneNumber(ctx, phoneNumber)
+		if err != nil {
+			log.Debug("Failed to get user by phone number: ", err)
+		}
+		if existingUser != nil {
+			if existingUser.PhoneNumberVerifiedAt != nil {
+				// email is verified
+				log.Debug("Phone number is already verified and signed up.")
+				return res, fmt.Errorf(`%s has already signed up`, phoneNumber)
+			} else if existingUser.ID != "" && existingUser.PhoneNumberVerifiedAt == nil {
+				log.Debug("Phone number is already signed up. Verification pending...")
+				return res, fmt.Errorf("%s has already signed up. please complete the phone number verification process or reset the password", phoneNumber)
+			}
 		}
 	}
 
@@ -120,13 +152,14 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 			inputRoles = strings.Split(inputRolesString, ",")
 		}
 	}
-	user := &models.User{
-		Email: params.Email,
-	}
+	user := &models.User{}
 	user.Roles = strings.Join(inputRoles, ",")
 	password, _ := crypto.EncryptPassword(params.Password)
 	user.Password = &password
-
+	if email != "" {
+		user.SignupMethods = constants.AuthRecipeMethodBasicAuth
+		user.Email = &email
+	}
 	if params.GivenName != nil {
 		user.GivenName = params.GivenName
 	}
@@ -151,8 +184,9 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 		user.Birthdate = params.Birthdate
 	}
 
-	if params.PhoneNumber != nil {
-		user.PhoneNumber = params.PhoneNumber
+	if phoneNumber != "" {
+		user.SignupMethods = constants.AuthRecipeMethodMobileBasicAuth
+		user.PhoneNumber = refs.NewStringRef(phoneNumber)
 	}
 
 	if params.Picture != nil {
@@ -183,17 +217,24 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 		appDataString = string(appDataBytes)
 		user.AppData = &appDataString
 	}
-
-	user.SignupMethods = constants.AuthRecipeMethodBasicAuth
 	isEmailVerificationDisabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisableEmailVerification)
 	if err != nil {
 		log.Debug("Error getting email verification disabled: ", err)
 		isEmailVerificationDisabled = true
 	}
-	if isEmailVerificationDisabled {
+	if isEmailVerificationDisabled && isEmailSignup {
 		now := time.Now().Unix()
 		user.EmailVerifiedAt = &now
 	}
+	disablePhoneVerification, _ := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyDisablePhoneVerification)
+	if disablePhoneVerification && isMobileSignup {
+		now := time.Now().Unix()
+		user.PhoneNumberVerifiedAt = &now
+	}
+	isSMSServiceEnabled, err := memorystore.Provider.GetBoolStoreEnvVariable(constants.EnvKeyIsSMSServiceEnabled)
+	if err != nil || !isSMSServiceEnabled {
+		log.Debug("SMS service not enabled: ", err)
+	}
 	user, err = db.Provider.AddUser(ctx, user)
 	if err != nil {
 		log.Debug("Failed to add user: ", err)
@@ -201,9 +242,8 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 	}
 	roles := strings.Split(user.Roles, ",")
 	userToReturn := user.AsAPIUser()
-
 	hostname := parsers.GetHost(gc)
-	if !isEmailVerificationDisabled {
+	if !isEmailVerificationDisabled && isEmailSignup {
 		// insert verification request
 		_, nonceHash, err := utils.GenerateNonce()
 		if err != nil {
@@ -215,7 +255,7 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 		if params.RedirectURI != nil {
 			redirectURL = *params.RedirectURI
 		}
-		verificationToken, err := token.CreateVerificationToken(params.Email, verificationType, hostname, nonceHash, redirectURL)
+		verificationToken, err := token.CreateVerificationToken(email, verificationType, hostname, nonceHash, redirectURL)
 		if err != nil {
 			log.Debug("Failed to create verification token: ", err)
 			return res, err
@@ -224,7 +264,7 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 			Token:       verificationToken,
 			Identifier:  verificationType,
 			ExpiresAt:   time.Now().Add(time.Minute * 30).Unix(),
-			Email:       params.Email,
+			Email:       email,
 			Nonce:       nonceHash,
 			RedirectURI: redirectURL,
 		})
@@ -232,11 +272,10 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 			log.Debug("Failed to add verification request: ", err)
 			return res, err
 		}
-
 		// exec it as go routine so that we can reduce the api latency
 		go func() {
 			// exec it as go routine so that we can reduce the api latency
-			email.SendEmail([]string{params.Email}, constants.VerificationTypeBasicAuthSignup, map[string]interface{}{
+			emailService.SendEmail([]string{email}, constants.VerificationTypeBasicAuthSignup, map[string]interface{}{
 				"user":             user.ToMap(),
 				"organization":     utils.GetOrganization(),
 				"verification_url": utils.GetEmailVerificationURL(verificationToken, hostname, redirectURL),
@@ -244,86 +283,120 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 			utils.RegisterEvent(ctx, constants.UserCreatedWebhookEvent, constants.AuthRecipeMethodBasicAuth, user)
 		}()
 
-		res = &model.AuthResponse{
+		return &model.AuthResponse{
 			Message: `Verification email has been sent. Please check your inbox`,
 			User:    userToReturn,
-		}
-	} else {
-		scope := []string{"openid", "email", "profile"}
-		if params.Scope != nil && len(scope) > 0 {
-			scope = params.Scope
-		}
+		}, nil
+	} else if !disablePhoneVerification && isSMSServiceEnabled && isMobileSignup {
+		duration, _ := time.ParseDuration("10m")
+		smsCode := utils.GenerateOTP()
 
-		code := ""
-		codeChallenge := ""
-		nonce := ""
-		if params.State != nil {
-			// Get state from store
-			authorizeState, _ := memorystore.Provider.GetState(refs.StringValue(params.State))
-			if authorizeState != "" {
-				authorizeStateSplit := strings.Split(authorizeState, "@@")
-				if len(authorizeStateSplit) > 1 {
-					code = authorizeStateSplit[0]
-					codeChallenge = authorizeStateSplit[1]
-				} else {
-					nonce = authorizeState
-				}
-				go memorystore.Provider.RemoveState(refs.StringValue(params.State))
-			}
-		}
+		smsBody := strings.Builder{}
+		smsBody.WriteString("Your verification code is: ")
+		smsBody.WriteString(smsCode)
 
-		if nonce == "" {
-			nonce = uuid.New().String()
-		}
-
-		authToken, err := token.CreateAuthToken(gc, user, roles, scope, constants.AuthRecipeMethodBasicAuth, nonce, code)
+		// TODO: For those who enabled the webhook to call their sms vendor separately - sending the otp to their api
 		if err != nil {
-			log.Debug("Failed to create auth token: ", err)
+			log.Debug("error while upserting user: ", err.Error())
+			return nil, err
+		}
+		_, err = db.Provider.UpsertOTP(ctx, &models.OTP{
+			PhoneNumber: phoneNumber,
+			Otp:         smsCode,
+			ExpiresAt:   time.Now().Add(duration).Unix(),
+		})
+		if err != nil {
+			log.Debug("error while upserting OTP: ", err.Error())
+			return nil, err
+		}
+		go func() {
+			smsproviders.SendSMS(phoneNumber, smsBody.String())
+			utils.RegisterEvent(ctx, constants.UserCreatedWebhookEvent, constants.AuthRecipeMethodMobileBasicAuth, user)
+		}()
+		return &model.AuthResponse{
+			Message:                   "Please check the OTP in your inbox",
+			ShouldShowMobileOtpScreen: refs.NewBoolRef(true),
+		}, nil
+	}
+	scope := []string{"openid", "email", "profile"}
+	if params.Scope != nil && len(scope) > 0 {
+		scope = params.Scope
+	}
+
+	code := ""
+	codeChallenge := ""
+	nonce := ""
+	if params.State != nil {
+		// Get state from store
+		authorizeState, _ := memorystore.Provider.GetState(refs.StringValue(params.State))
+		if authorizeState != "" {
+			authorizeStateSplit := strings.Split(authorizeState, "@@")
+			if len(authorizeStateSplit) > 1 {
+				code = authorizeStateSplit[0]
+				codeChallenge = authorizeStateSplit[1]
+			} else {
+				nonce = authorizeState
+			}
+			go memorystore.Provider.RemoveState(refs.StringValue(params.State))
+		}
+	}
+
+	if nonce == "" {
+		nonce = uuid.New().String()
+	}
+
+	authToken, err := token.CreateAuthToken(gc, user, roles, scope, constants.AuthRecipeMethodBasicAuth, nonce, code)
+	if err != nil {
+		log.Debug("Failed to create auth token: ", err)
+		return res, err
+	}
+
+	// Code challenge could be optional if PKCE flow is not used
+	if code != "" {
+		if err := memorystore.Provider.SetState(code, codeChallenge+"@@"+authToken.FingerPrintHash); err != nil {
+			log.Debug("SetState failed: ", err)
 			return res, err
 		}
-
-		// Code challenge could be optional if PKCE flow is not used
-		if code != "" {
-			if err := memorystore.Provider.SetState(code, codeChallenge+"@@"+authToken.FingerPrintHash); err != nil {
-				log.Debug("SetState failed: ", err)
-				return res, err
-			}
-		}
-
-		expiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix()
-		if expiresIn <= 0 {
-			expiresIn = 1
-		}
-
-		res = &model.AuthResponse{
-			Message:     `Signed up successfully.`,
-			AccessToken: &authToken.AccessToken.Token,
-			ExpiresIn:   &expiresIn,
-			User:        userToReturn,
-		}
-
-		sessionKey := constants.AuthRecipeMethodBasicAuth + ":" + user.ID
-		cookie.SetSession(gc, authToken.FingerPrintHash)
-		memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash, authToken.SessionTokenExpiresAt)
-		memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token, authToken.AccessToken.ExpiresAt)
-
-		if authToken.RefreshToken != nil {
-			res.RefreshToken = &authToken.RefreshToken.Token
-			memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token, authToken.RefreshToken.ExpiresAt)
-		}
-
-		go func() {
-			utils.RegisterEvent(ctx, constants.UserCreatedWebhookEvent, constants.AuthRecipeMethodBasicAuth, user)
-			utils.RegisterEvent(ctx, constants.UserSignUpWebhookEvent, constants.AuthRecipeMethodBasicAuth, user)
-			// User is also logged in with signup
-			utils.RegisterEvent(ctx, constants.UserLoginWebhookEvent, constants.AuthRecipeMethodBasicAuth, user)
-			db.Provider.AddSession(ctx, &models.Session{
-				UserID:    user.ID,
-				UserAgent: utils.GetUserAgent(gc.Request),
-				IP:        utils.GetIP(gc.Request),
-			})
-		}()
 	}
 
+	expiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix()
+	if expiresIn <= 0 {
+		expiresIn = 1
+	}
+
+	res = &model.AuthResponse{
+		Message:     `Signed up successfully.`,
+		AccessToken: &authToken.AccessToken.Token,
+		ExpiresIn:   &expiresIn,
+		User:        userToReturn,
+	}
+
+	sessionKey := constants.AuthRecipeMethodBasicAuth + ":" + user.ID
+	cookie.SetSession(gc, authToken.FingerPrintHash)
+	memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash, authToken.SessionTokenExpiresAt)
+	memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token, authToken.AccessToken.ExpiresAt)
+
+	if authToken.RefreshToken != nil {
+		res.RefreshToken = &authToken.RefreshToken.Token
+		memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token, authToken.RefreshToken.ExpiresAt)
+	}
+
+	go func() {
+		utils.RegisterEvent(ctx, constants.UserCreatedWebhookEvent, constants.AuthRecipeMethodBasicAuth, user)
+		if isEmailSignup {
+			utils.RegisterEvent(ctx, constants.UserSignUpWebhookEvent, constants.AuthRecipeMethodBasicAuth, user)
+			utils.RegisterEvent(ctx, constants.UserLoginWebhookEvent, constants.AuthRecipeMethodBasicAuth, user)
+		} else {
+			utils.RegisterEvent(ctx, constants.UserSignUpWebhookEvent, constants.AuthRecipeMethodMobileBasicAuth, user)
+			utils.RegisterEvent(ctx, constants.UserLoginWebhookEvent, constants.AuthRecipeMethodMobileBasicAuth, user)
+		}
+
+		db.Provider.AddSession(ctx, &models.Session{
+			UserID:    user.ID,
+			UserAgent: utils.GetUserAgent(gc.Request),
+			IP:        utils.GetIP(gc.Request),
+		})
+	}()
+
 	return res, nil
 }

server/resolvers/test_endpoint.go

@@ -39,7 +39,7 @@ func TestEndpointResolver(ctx context.Context, params model.TestEndpointRequest)
 
 	user := model.User{
 		ID:            uuid.NewString(),
-		Email:         "test_endpoint@foo.com",
+		Email:         refs.NewStringRef("test_endpoint@authorizer.dev"),
 		EmailVerified: true,
 		SignupMethods: constants.AuthRecipeMethodMagicLinkLogin,
 		GivenName:     refs.NewStringRef("Foo"),

server/resolvers/update_env.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"reflect"
 	"strings"
+	"time"
 
 	log "github.com/sirupsen/logrus"
 
@@ -34,6 +35,7 @@ func clearSessionIfRequired(currentData, updatedData map[string]interface{}) {
 	isCurrentLinkedInLoginEnabled := currentData[constants.EnvKeyLinkedInClientID] != nil && currentData[constants.EnvKeyLinkedInClientSecret] != nil && currentData[constants.EnvKeyLinkedInClientID].(string) != "" && currentData[constants.EnvKeyLinkedInClientSecret].(string) != ""
 	isCurrentTwitterLoginEnabled := currentData[constants.EnvKeyTwitterClientID] != nil && currentData[constants.EnvKeyTwitterClientSecret] != nil && currentData[constants.EnvKeyTwitterClientID].(string) != "" && currentData[constants.EnvKeyTwitterClientSecret].(string) != ""
 	isCurrentMicrosoftLoginEnabled := currentData[constants.EnvKeyMicrosoftClientID] != nil && currentData[constants.EnvKeyMicrosoftClientSecret] != nil && currentData[constants.EnvKeyMicrosoftClientID].(string) != "" && currentData[constants.EnvKeyMicrosoftClientSecret].(string) != ""
+	isCurrentTwitchLoginEnabled := currentData[constants.EnvKeyTwitchClientID] != nil && currentData[constants.EnvKeyTwitchClientSecret] != nil && currentData[constants.EnvKeyTwitchClientID].(string) != "" && currentData[constants.EnvKeyTwitchClientSecret].(string) != ""
 
 	isUpdatedBasicAuthEnabled := !updatedData[constants.EnvKeyDisableBasicAuthentication].(bool)
 	isUpdatedMobileBasicAuthEnabled := !updatedData[constants.EnvKeyDisableMobileBasicAuthentication].(bool)
@@ -45,6 +47,7 @@ func clearSessionIfRequired(currentData, updatedData map[string]interface{}) {
 	isUpdatedLinkedInLoginEnabled := updatedData[constants.EnvKeyLinkedInClientID] != nil && updatedData[constants.EnvKeyLinkedInClientSecret] != nil && updatedData[constants.EnvKeyLinkedInClientID].(string) != "" && updatedData[constants.EnvKeyLinkedInClientSecret].(string) != ""
 	isUpdatedTwitterLoginEnabled := updatedData[constants.EnvKeyTwitterClientID] != nil && updatedData[constants.EnvKeyTwitterClientSecret] != nil && updatedData[constants.EnvKeyTwitterClientID].(string) != "" && updatedData[constants.EnvKeyTwitterClientSecret].(string) != ""
 	isUpdatedMicrosoftLoginEnabled := updatedData[constants.EnvKeyMicrosoftClientID] != nil && updatedData[constants.EnvKeyMicrosoftClientSecret] != nil && updatedData[constants.EnvKeyMicrosoftClientID].(string) != "" && updatedData[constants.EnvKeyMicrosoftClientSecret].(string) != ""
+	isUpdatedTwitchLoginEnabled := updatedData[constants.EnvKeyTwitchClientID] != nil && updatedData[constants.EnvKeyTwitchClientSecret] != nil && updatedData[constants.EnvKeyTwitchClientID].(string) != "" && updatedData[constants.EnvKeyTwitchClientSecret].(string) != ""
 
 	if isCurrentBasicAuthEnabled && !isUpdatedBasicAuthEnabled {
 		memorystore.Provider.DeleteSessionForNamespace(constants.AuthRecipeMethodBasicAuth)
@@ -85,6 +88,57 @@ func clearSessionIfRequired(currentData, updatedData map[string]interface{}) {
 	if isCurrentMicrosoftLoginEnabled && !isUpdatedMicrosoftLoginEnabled {
 		memorystore.Provider.DeleteSessionForNamespace(constants.AuthRecipeMethodMicrosoft)
 	}
+
+	if isCurrentTwitchLoginEnabled && !isUpdatedTwitchLoginEnabled {
+		memorystore.Provider.DeleteSessionForNamespace(constants.AuthRecipeMethodTwitch)
+	}
+}
+
+// updateRoles will update DB for user roles, if a role is deleted by admin
+// then this function will those roles from user roles if exists
+func updateRoles(ctx context.Context, deletedRoles []string) error {
+	data, err := db.Provider.ListUsers(ctx, &model.Pagination{
+		Limit:  1,
+		Offset: 1,
+	})
+	if err != nil {
+		return err
+	}
+
+	allData, err := db.Provider.ListUsers(ctx, &model.Pagination{
+		Limit: data.Pagination.Total,
+	})
+	if err != nil {
+		return err
+	}
+
+	chunkSize := 1000
+	totalUsers := len(allData.Users)
+
+	for start := 0; start < totalUsers; start += chunkSize {
+		end := start + chunkSize
+		if end > totalUsers {
+			end = totalUsers
+		}
+
+		chunkUsers := allData.Users[start:end]
+
+		for i := range chunkUsers {
+			roles := utils.DeleteFromArray(chunkUsers[i].Roles, deletedRoles)
+			if len(chunkUsers[i].Roles) != len(roles) {
+				updatedValues := map[string]interface{}{
+					"roles":      strings.Join(roles, ","),
+					"updated_at": time.Now().Unix(),
+				}
+				id := []string{chunkUsers[i].ID}
+				err = db.Provider.UpdateUsers(ctx, updatedValues, id)
+				if err != nil {
+					return err
+				}
+			}
+		}
+	}
+	return nil
 }
 
 // UpdateEnvResolver is a resolver for update config mutation
@@ -253,13 +307,14 @@ func UpdateEnvResolver(ctx context.Context, params model.UpdateEnvInput) (*model
 	// in case SMTP is off but env is set to true
 	if updatedData[constants.EnvKeySmtpHost] == "" || updatedData[constants.EnvKeySmtpUsername] == "" || updatedData[constants.EnvKeySmtpPassword] == "" || updatedData[constants.EnvKeySenderEmail] == "" && updatedData[constants.EnvKeySmtpPort] == "" {
 		updatedData[constants.EnvKeyIsEmailServiceEnabled] = false
-		updatedData[constants.EnvKeyDisableMultiFactorAuthentication] = true
 		if !updatedData[constants.EnvKeyDisableEmailVerification].(bool) {
 			updatedData[constants.EnvKeyDisableEmailVerification] = true
 		}
-
+		if !updatedData[constants.EnvKeyDisableMailOTPLogin].(bool) {
+			updatedData[constants.EnvKeyDisableMailOTPLogin] = true
+		}
 		if !updatedData[constants.EnvKeyDisableMagicLinkLogin].(bool) {
-			updatedData[constants.EnvKeyDisableMagicLinkLogin] = true
+			updatedData[constants.EnvKeyDisableMailOTPLogin] = true
 		}
 	}
 
@@ -274,34 +329,51 @@ func UpdateEnvResolver(ctx context.Context, params model.UpdateEnvInput) (*model
 		}
 	}
 
+	if updatedData[constants.EnvKeyDisableMultiFactorAuthentication].(bool) && updatedData[constants.EnvKeyIsEmailServiceEnabled].(bool) {
+		updatedData[constants.EnvKeyDisableMailOTPLogin] = true
+	}
+
 	if !currentData[constants.EnvKeyEnforceMultiFactorAuthentication].(bool) && updatedData[constants.EnvKeyEnforceMultiFactorAuthentication].(bool) && !updatedData[constants.EnvKeyDisableMultiFactorAuthentication].(bool) {
 		go db.Provider.UpdateUsers(ctx, map[string]interface{}{
 			"is_multi_factor_auth_enabled": true,
 		}, nil)
 	}
 
+	previousRoles := strings.Split(currentData[constants.EnvKeyRoles].(string), ",")
+	previousProtectedRoles := strings.Split(currentData[constants.EnvKeyProtectedRoles].(string), ",")
+	updatedRoles := strings.Split(updatedData[constants.EnvKeyRoles].(string), ",")
+	updatedDefaultRoles := strings.Split(updatedData[constants.EnvKeyDefaultRoles].(string), ",")
+	updatedProtectedRoles := strings.Split(updatedData[constants.EnvKeyProtectedRoles].(string), ",")
 	// check the roles change
-	if len(params.Roles) > 0 {
-		if len(params.DefaultRoles) > 0 {
-			// should be subset of roles
-			for _, role := range params.DefaultRoles {
-				if !utils.StringSliceContains(params.Roles, role) {
-					log.Debug("Default roles should be subset of roles")
-					return res, fmt.Errorf("default role %s is not in roles", role)
-				}
+	if len(updatedRoles) > 0 && len(updatedDefaultRoles) > 0 {
+		// should be subset of roles
+		for _, role := range updatedDefaultRoles {
+			if !utils.StringSliceContains(updatedRoles, role) {
+				log.Debug("Default roles should be subset of roles")
+				return res, fmt.Errorf("default role %s is not in roles", role)
 			}
 		}
 	}
 
-	if len(params.ProtectedRoles) > 0 {
-		for _, role := range params.ProtectedRoles {
-			if utils.StringSliceContains(params.Roles, role) || utils.StringSliceContains(params.DefaultRoles, role) {
+	if len(updatedProtectedRoles) > 0 {
+		for _, role := range updatedProtectedRoles {
+			if utils.StringSliceContains(updatedRoles, role) || utils.StringSliceContains(updatedDefaultRoles, role) {
 				log.Debug("Protected roles should not be in roles or default roles")
 				return res, fmt.Errorf("protected role %s found roles or default roles", role)
 			}
 		}
 	}
 
+	deletedRoles := utils.FindDeletedValues(previousRoles, updatedRoles)
+	if len(deletedRoles) > 0 {
+		go updateRoles(ctx, deletedRoles)
+	}
+
+	deletedProtectedRoles := utils.FindDeletedValues(previousProtectedRoles, updatedProtectedRoles)
+	if len(deletedProtectedRoles) > 0 {
+		go updateRoles(ctx, deletedProtectedRoles)
+	}
+
 	// Update local store
 	memorystore.Provider.UpdateEnvStore(updatedData)
 	jwk, err := crypto.GenerateJWKBasedOnEnv()