Password Verification Hook
Your company wishes to increase security beyond the requirements of the default password implementation in order to fulfill security or compliance requirements. You plan to track the status of a password sign-in attempt and take action via an email or a restriction on logins where necessary.
As this hook runs on unauthenticated requests, malicious users can abuse the hook by calling it multiple times. Pay extra care when using the hook as you can unintentionally block legitimate users from accessing your application.
Check if a password is valid prior to taking any additional action to ensure the user is legitimate. Where possible, send an email or notification instead of blocking the user.
Inputs
Field | Type | Description |
---|---|---|
user_id | string | Unique identifier for the user attempting to sign in. Correlate this to the auth.users table. |
valid | boolean | Whether the password verification attempt was valid. |
_10{_10 "user_id": "3919cb6e-4215-4478-a960-6d3454326cec",_10 "valid": true_10}
Outputs
Return these only if your hook processed the input without errors.
Field | Type | Description |
---|---|---|
decision | string | The decision on whether to allow authentication to move forward. Use reject to deny the verification attempt and log the user out of all active sessions. Use continue to use the default Supabase Auth behavior. |
message | string | The message to show the user if the decision was reject . |
should_logout_user | boolean | Whether to log out the user if a reject decision is issued. Has no effect when a continue decision is issued. |
_10{_10 "decision": "reject",_10 "message": "You have exceeded maximum number of password sign-in attempts.",_10 "should_logout_user": "false"_10}
As part of new security measures within the company, users can only input an incorrect password every 10 seconds and not more than that. You want to write a hook to enforce this.
Create a table to record each user's last incorrect password verification attempt.
_10create table public.password_failed_verification_attempts (_10 user_id uuid not null,_10 last_failed_at timestamp not null default now(),_10 primary key (user_id)_10);
Create a hook to read and write information to this table. For example:
_54create function public.hook_password_verification_attempt(event jsonb)_54returns jsonb_54language plpgsql_54as $$_54 declare_54 last_failed_at timestamp;_54 begin_54 if event->'valid' is true then_54 -- password is valid, accept it_54 return jsonb_build_object('decision', 'continue');_54 end if;_54_54 select last_failed_at into last_failed_at_54 from public.password_failed_verification_attempts_54 where_54 user_id = event->'user_id';_54_54 if last_failed_at is not null and now() - last_failed_at < interval '10 seconds' then_54 -- last attempt was done too quickly_54 return jsonb_build_object(_54 'error', jsonb_build_object(_54 'http_code', 429,_54 'message', 'Please wait a moment before trying again.'_54 )_54 );_54 end if;_54_54 -- record this failed attempt_54 insert into public.password_failed_verification_attempts_54 (_54 user_id,_54 last_failed_at_54 )_54 values_54 (_54 event->'user_id',_54 now()_54 )_54 on conflict do update_54 set last_failed_at = now();_54_54 -- finally let Supabase Auth do the default behavior for a failed attempt_54 return jsonb_build_object('decision', 'continue');_54 end;_54$$;_54_54-- Assign appropriate permissions_54grant all_54 on table public.password_failed_verification_attempts_54 to supabase_auth_admin;_54_54revoke all_54 on table public.password_failed_verification_attempts_54 from authenticated, anon, public;