Description
When using screenProvider.login() with a fully qualified E.164 phone number (including country code), it ignores the provided country code and instead substitutes the country prefix derived from the user's IP address via GeoIP lookup.
Reproduction
- Configure an Auth0 tenant with passwordless SMS login via Universal Login
- Connect from an IP address outside the user's phone number's country (e.g., use a VPN set to another country, or physically be in another country, while using a US +1 phone number)
- Call screenProvider.login() with a full E.164 phone number including the correct country code
Calling:
await screenProvider.login({
  username: "9195551234",
  email: "user@example.com",
  phone: "+9195551234",
});
from a client with an Austrian IP address results in the SMS being sent to +439195551234 instead of the explicitly provided +9195551234.
Note that phone=%2B13365543542 (URL-decoded: +13365543542) is correctly submitted in the request, but the backend overrides the +1 with +43.
This issue is consistently reproducible whenever the client IP's geolocation differs from the phone number's country code.
Environment
- Version of this library used: 1.0.0
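
An added example, not code from this report or from Auth0: a sketch of the normalization the report expects, where a GeoIP-derived prefix is only a fallback for input without a leading "+", next to a variant that reproduces the reported result. All function names, the two-entry prefix table and the "geo first" logic are assumptions for illustration; the real backend logic is not shown on the page.

```javascript
// Added illustration; not Auth0 code. Every name below is hypothetical.
// Constructed GeoIP-country -> calling-code table (two entries only).
const GEO_PREFIX = { AT: "43", US: "1" };

// E.164 shape: "+" followed by at most 15 digits, first digit non-zero.
const E164 = /^\+[1-9]\d{1,14}$/;

// Assumed faulty behaviour that yields the result in the report: the
// caller's "+" is discarded and the GeoIP prefix is always prepended.
function normalizeGeoFirst(phone, geoCountry) {
  const digits = phone.replace(/\D/g, "");
  return "+" + GEO_PREFIX[geoCountry] + digits;
}

// Expected behaviour: a number submitted with "+" is authoritative and is
// only validated; GeoIP supplies a default prefix for other input.
// Simplification: national trunk prefixes are not handled here.
function normalizeExplicitFirst(phone, geoCountry) {
  const compact = phone.replace(/[\s().-]/g, "");
  if (compact.startsWith("+")) {
    if (!E164.test(compact)) throw new Error("invalid E.164 number");
    return compact;
  }
  const prefix = GEO_PREFIX[geoCountry];
  if (!prefix || !/^\d+$/.test(compact)) {
    throw new Error("cannot normalize number");
  }
  const candidate = "+" + prefix + compact;
  if (!E164.test(candidate)) throw new Error("invalid E.164 number");
  return candidate;
}

// Regression check for a test suite or delivery log review: true when a
// "+"-prefixed submitted number and the SMS destination differ.
function destinationMismatch(submitted, destination) {
  return E164.test(submitted) && submitted !== destination;
}
```
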