Overview
Passwordless
Add SMS-based passwordless login
Medusa Plugin - Passwordless Authentication
Documentation | Website
A plugin for implementing passwordless authentication in Medusa using SMS verification codes with multiple provider support
Features
- ๐ Phone number based authentication
- ๐ฑ Multiple SMS provider support (Gupshup, AWS SNS, and ValueFirst)
- ๐ Fallback provider configuration with priority settings
- ๐ข Secure verification code generation and validation
- โฑ๏ธ Rate limiting with maximum attempt controls
- โณ Code expiration management
- ๐ Easy integration with existing Medusa stores
This plugin requires:
- Medusa backend
- Medusa framework version >= 2.4.0
- At least one SMS provider account (Gupshup, AWS SNS, or ValueFirst)
Installation
- Install the plugin:
123npm install @devx-commerce/passwordless# oryarn add @devx-commerce/passwordless
- Add the plugin to your Copy to clipboard
medusa-config.js
:
1234567891011121314151617181920{resolve: "@medusajs/medusa/auth",options: {providers: [{resolve: `@devx-commerce/passwordless/providers/passwordless`,id: "passwordless",options: {// Configure SMS providers with prioritysmsProviders: [{ provider: "limechat", priority: 1 },{ provider: "valuefirst", priority: 2 },{ provider: "gupshup", priority: 3 },{ provider: "sns", priority: 4 }],limeChatOptions: {webhookUrl: process.env.LIMECHAT_WEBHOOK_URL,typeId: process.env.LIMECHAT_TYPE_ID,},
Configuration Options
SMS Providers
- Copy to clipboard
smsProviders
: Array of provider configurations with priority- Copy to clipboard
provider
: "gupshup", "sns", "valuefirst", or "limechat" - Copy to clipboard
priority
: Number (lower number = higher priority)
- Copy to clipboard
Security Settings
- Copy to clipboard
codeLength
: Length of verification code (default: 4) - Copy to clipboard
codeExpiryMinutes
: Code expiration time in minutes (default: 15) - Copy to clipboard
maxAttempts
: Maximum verification attempts (default: 3) - Copy to clipboard
smsRateLimitMinutes
: Time between SMS requests in minutes (default: 10) - Copy to clipboard
blockDurationMinutes
: Block duration after max attempts in minutes (default: 5)
Provider-Specific Configuration
Gupshup
12345gupshupOptions: {template: "Your verification code is {passCode}",accountId: "YOUR_GUPSHUP_ACCOUNT_ID",accountPassword: "YOUR_GUPSHUP_PASSWORD"}
AWS SNS
12345snsOptions: {region: "YOUR_AWS_REGION",accessKeyId: "YOUR_AWS_ACCESS_KEY_ID",secretAccessKey: "YOUR_AWS_SECRET_ACCESS_KEY"}
ValueFirst
123456valueFirstOptions: {username: "YOUR_VALUEFIRST_USERNAME",password: "YOUR_VALUEFIRST_PASSWORD",fromAddress: "MYAPP1", // 6-character sender ID for Indian numbersapiUrl: "https://api.myvfirst.com/psms/servlet/psms.JsonEservice" // Optional}
ValueFirst Features:
- Automatic token management (7-day token lifetime)
- Support for Indian and international numbers
- Sender ID compliance with TRAI guidelines
- Fallback support when combined with other providers
How It Works
- Authentication Flow:
- User provides phone number
- System generates a secure verification code
- Code is sent via SMS using configured providers
- User enters the code to complete authentication
- Provider Selection:
- Providers are tried in order of priority
- If highest priority provider fails, next provider is tried
- Process stops as soon as one provider succeeds
- Security Features:
- Rate limiting prevents abuse
- Maximum attempt controls
- Code expiration
- Secure code generation
Usage
The plugin provides two main endpoints:
- Authentication Request
1234POST /auth/customer/passwordless{"phone": "+1234567890"}
- Verification
12345POST /auth/customer/passwordless/callback{"phone": "+1234567890","code": "1234"}
Phone Number Format
Phone numbers must be in E.164 format:
- Starts with '+'
- Country code
- National number
- Example: +1234567890
Error Handling
The plugin provides clear error messages for various scenarios:
- Invalid phone number format
- Rate limit exceeded
- Maximum attempts exceeded
- Invalid or expired code
- Provider-specific errors
License
MIT