
"AuthMFAEnrollResponse" Schema Validation Fails for SMS-Based MFA Due to Missing "totp" Field #711

Open
@JainilCitrusbug

Description


Bug report

Describe the bug

When enrolling a user in MFA using the phone factor type (SMS-based MFA), the Supabase Python SDK encounters a schema validation error. This is due to the AuthMFAEnrollResponse expecting a totp field in the response, which is not returned by the API for phone-based MFA.

The current Pydantic schema marks totp as required, causing validation to fail even though it's irrelevant for the sms factor type.

To Reproduce

Steps to reproduce the behavior:

  1. Enable MFA with sms (phone factor type) in Supabase.
  2. Enroll a user using the Python SDK.
  3. Observe a validation error due to missing totp field in the response.

SDK schema:

from typing import Literal, Optional

from pydantic import BaseModel, ConfigDict


class AuthMFAEnrollResponseTotp(BaseModel):
    qr_code: str
    """
    Contains a QR code encoding the authenticator URI. You can
    convert it to a URL by prepending `data:image/svg+xml;utf-8,` to
    the value. Avoid logging this value to the console.
    """
    secret: str
    """
    The TOTP secret (also encoded in the QR code). Show this secret
    in a password-style field to the user, in case they are unable to
    scan the QR code. Avoid logging this value to the console.
    """
    uri: str
    """
    The authenticator URI encoded within the QR code, should you need
    to use it. Avoid logging this value to the console.
    """

class AuthMFAEnrollResponse(BaseModel):
    id: str
    """
    ID of the factor that was just enrolled (in an unverified state).
    """
    type: Literal["totp", "phone"]
    """
    Type of MFA factor. Only `totp` supported for now.
    """
    totp: AuthMFAEnrollResponseTotp
    """
    TOTP enrollment information.
    """
    model_config = ConfigDict(arbitrary_types_allowed=True)
    friendly_name: str
    """
    Friendly name of the factor, useful for distinguishing between factors
    """
    phone: Optional[str] = None
    """
    Phone number of the MFA factor in E.164 format. Used to send messages
    """

Expected behavior

The totp field should be optional in the response schema, as it's only returned when the MFA factor type is totp. For sms, it should not be required.

Proposed fix:

class AuthMFAEnrollResponse(BaseModel):
    id: str
    """
    ID of the factor that was just enrolled (in an unverified state).
    """
    type: Literal["totp", "phone"]
    """
    Type of MFA factor. Only `totp` supported for now.
    """
    totp: Optional[AuthMFAEnrollResponseTotp] = None
    """
    TOTP enrollment information.
    """
    model_config = ConfigDict(arbitrary_types_allowed=True)
    friendly_name: str
    """
    Friendly name of the factor, useful for distinguishing between factors
    """
    phone: Optional[str] = None
    """
    Phone number of the MFA factor in E.164 format. Used to send messages
    """

Screenshots

Not applicable.

System information

  • OS: macOS
  • Browser (if applies): N/A
  • Version of supabase: 2.15.1
  • Version of Python: 3.13.2

Additional context

This issue occurs specifically with the sms MFA enrollment flow. It would be helpful for the SDK schema to handle conditional fields depending on the factor_type.
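The following is an added example, not code from the supabase-py SDK or from this report: it reproduces the failure against a schema shaped like the one quoted above (here named StrictEnrollResponse), and then shows the conditional handling the report asks for, where `totp` is optional but a cross-field validator still rejects a response whose payload does not match its factor type (ConditionalEnrollResponse). Class names, the `validates` helper and both payloads are constructed for the example, not real API output.

```python
from typing import Literal, Optional
from pydantic import BaseModel, ValidationError, model_validator


class AuthMFAEnrollResponseTotp(BaseModel):
    qr_code: str
    secret: str
    uri: str


class StrictEnrollResponse(BaseModel):
    # Mirrors the SDK schema quoted in the report: `totp` is required.
    id: str
    type: Literal["totp", "phone"]
    totp: AuthMFAEnrollResponseTotp
    friendly_name: str
    phone: Optional[str] = None


class ConditionalEnrollResponse(BaseModel):
    # Proposed shape: `totp` optional, plus a cross-field check so a response
    # cannot silently carry the wrong payload for its factor type.
    id: str
    type: Literal["totp", "phone"]
    totp: Optional[AuthMFAEnrollResponseTotp] = None
    friendly_name: str
    phone: Optional[str] = None

    @model_validator(mode="after")
    def _check_factor_payload(self) -> "ConditionalEnrollResponse":
        if self.type == "totp" and self.totp is None:
            raise ValueError("totp factor enrolled without totp payload")
        if self.type == "phone" and not self.phone:
            raise ValueError("phone factor enrolled without phone number")
        return self


# Constructed sample payloads (not real API output).
PHONE_RESPONSE = {"id": "factor-0001", "type": "phone",
                  "friendly_name": "my phone", "phone": "+15555550100"}
TOTP_RESPONSE = {"id": "factor-0002", "type": "totp", "friendly_name": "authenticator",
                 "totp": {"qr_code": "<svg/>", "secret": "JBSWY3DPEHPK3PXP",
                          "uri": "otpauth://totp/demo?secret=JBSWY3DPEHPK3PXP"}}

def validates(model: type[BaseModel], payload: dict) -> bool:
    """Return True when `payload` passes `model`'s validation, else False."""
    try:
        model.model_validate(payload)
        return True
    except ValidationError:
        return False
```

With the strict schema the phone-factor payload fails exactly as described in the report, while the conditional schema accepts both factor types and still rejects a phone factor with no number or a totp factor with no secret material.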
