Description
When calling screenProvider.login() with a fully qualified E.164 phone number (including country code), the provided country code is ignored. The backend instead substitutes the country prefix derived from the client's IP address via GeoIP lookup.
Reproduction
Setup:
- Auth0 tenant configured with passwordless SMS login via Universal Login
- Client IP address is in a different country than the phone number's country (e.g., VPN set to Austria while using a US +1 number)
await screenProvider.login({
  username: "9195551234",
  email: "user@example.com",
  phone: "+19195551234",
});
Expected result: SMS sent to +19195551234
Actual result: SMS sent to +439195551234 (country code replaced with GeoIP-derived +43)
Note: The correct E.164 number is submitted in the request body (e.g., phone=%2B19195551234), but the backend overrides the country code. This is consistently reproducible whenever the client IP's geolocation differs from the phone number's country.
Environment
- Version of this library used: @auth0/auth0-acul-js@1.0.0
- Version of the platform or framework used, if applicable: React
- Other relevant versions (language, server software, OS, browser): N/A
- Other modules/plugins/libraries that might be involved: N/A
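
The precedence this report expects, as an added sketch that is not Auth0 or auth0-acul-js code: an explicit E.164 country code is authoritative, and a GeoIP-derived prefix is only a default for national-format input. The function names and the `CALLING_CODES` table are hypothetical and constructed for illustration.

```javascript
// Added illustration; not Auth0 code. All names here are hypothetical.

// Constructed stand-in for a GeoIP result: ISO country -> calling code.
const CALLING_CODES = { AT: "43", US: "1", DE: "49" };

// E.164: "+" followed by at most 15 digits, first digit non-zero.
const E164 = /^\+[1-9]\d{1,14}$/;

function resolveSmsDestination(phone, geoCountry) {
  // Strip common formatting characters but keep a leading "+".
  const cleaned = String(phone).trim().replace(/[\s().-]/g, "");

  if (cleaned.startsWith("+")) {
    // The caller supplied a country code: validate it, never rewrite it.
    if (!E164.test(cleaned)) throw new Error("invalid E.164 number");
    return { destination: cleaned, source: "explicit" };
  }

  // National-format input: only here may the GeoIP country act as a default.
  // Trunk-prefix handling (leading 0) is omitted in this sketch.
  const cc = CALLING_CODES[geoCountry];
  if (!cc) throw new Error("no default country code; ask the user");
  const candidate = "+" + cc + cleaned;
  if (!/^\d+$/.test(cleaned) || !E164.test(candidate)) {
    throw new Error("invalid national number");
  }
  return { destination: candidate, source: "geoip-default" };
}

// Regression check for the case in this report: the SMS destination
// must equal the submitted E.164 value, whatever the client IP's country.
function destinationPreserved(submitted, geoCountry) {
  return resolveSmsDestination(submitted, geoCountry).destination === submitted;
}
```

A check like `destinationPreserved` belongs in an integration test run from an egress IP in a different country than the test number, since an OTP sent to a rewritten number is delivered to a third party.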