Medusa plugins
P
Passwordless svaraa
Passwordless authentication for Medusa
Features
- 🔐 Phone number based authentication
- 📱 Multiple SMS provider support (Gupshup and AWS SNS)
- 🔄 Fallback provider configuration with priority settings
- 🔢 Secure verification code generation and validation
- ⏱️ Rate limiting with maximum attempt controls
- ⏳ Code expiration management
- 🔌 Easy integration with existing Medusa stores
This plugin requires:
- Medusa backend
- Medusa framework version >= 2.4.0
- At least one SMS provider account (Gupshup or AWS SNS)
Installation
- Install the plugin:
npm install @devx-commerce/passwordless# oryarn add @devx-commerce/passwordless
- Add the plugin to your :
{resolve: "@medusajs/medusa/auth",options: {providers: [{resolve: `@devx-commerce/passwordless/providers/passwordless`,id: "passwordless",options: {// Configure SMS providers with prioritysmsProviders: [{ provider: "gupshup", priority: 1 },{ provider: "sns", priority: 2 }],// Optional configurationcodeLength: 6, // Length of verification code (default: 4)codeExpiryMinutes: 10, // Code expiration time in minutes (default: 15)maxAttempts: 5, // Maximum verification attempts (default: 3)smsRateLimitMinutes: 5, // Time between SMS requests in minutes (default: 10)blockDurationMinutes: 10, // Block duration after max attempts in minutes (default: 5)// Gupshup Configuration (required if using Gupshup)gupshupOptions: {template: "Your verification code is {passCode}",accountId: "YOUR_GUPSHUP_ACCOUNT_ID",accountPassword: "YOUR_GUPSHUP_PASSWORD"},// AWS SNS Configuration (required if using SNS)snsOptions: {region: "YOUR_AWS_REGION",accessKeyId: "YOUR_AWS_ACCESS_KEY_ID",secretAccessKey: "YOUR_AWS_SECRET_ACCESS_KEY"}}}]}}
Configuration Options
SMS Providers
- : Array of provider configurations with priority
- : "gupshup" or "sns"
- : Number (lower number = higher priority)
Security Settings
- : Length of verification code (default: 4)
- : Code expiration time in minutes (default: 15)
- : Maximum verification attempts (default: 3)
- : Time between SMS requests in minutes (default: 10)
- : Block duration after max attempts in minutes (default: 5)
Provider-Specific Configuration
Gupshup
gupshupOptions: {template: "Your verification code is {passCode}",accountId: "YOUR_GUPSHUP_ACCOUNT_ID",accountPassword: "YOUR_GUPSHUP_PASSWORD"}
AWS SNS
snsOptions: {region: "YOUR_AWS_REGION",accessKeyId: "YOUR_AWS_ACCESS_KEY_ID",secretAccessKey: "YOUR_AWS_SECRET_ACCESS_KEY"}
How It Works
-
Authentication Flow:
- User provides phone number
- System generates a secure verification code
- Code is sent via SMS using configured providers
- User enters the code to complete authentication
-
Provider Selection:
- Providers are tried in order of priority
- If highest priority provider fails, next provider is tried
- Process stops as soon as one provider succeeds
-
Security Features:
- Rate limiting prevents abuse
- Maximum attempt controls
- Code expiration
- Secure code generation
Usage
The plugin provides two main endpoints:
- Authentication Request
POST /auth/customer/passwordless{"phone": "+1234567890"}
- Verification
POST /auth/customer/passwordless/callback{"phone": "+1234567890","code": "1234"}
Phone Number Format
Phone numbers must be in E.164 format:
- Starts with '+'
- Country code
- National number
- Example: +1234567890
Error Handling
The plugin provides clear error messages for various scenarios:
- Invalid phone number format
- Rate limit exceeded
- Maximum attempts exceeded
- Invalid or expired code
- Provider-specific errors
License
MIT