Feature request for Supabase Auth: Allow the usage of more than just digits (lowercase and/or uppercase letters) in the one-time passwords

[maximilian-hammerl]

Currently, Supabase Auth generates OTPs consisting only of 6 to 10 digits (function GenerateOtp in https://github.com/supabase/auth/blob/master/internal/crypto/crypto.go). While numeric OTPs are standard, adding support for alphanumeric OTPs (lowercase and/or uppercase letters) would improve security and flexibility.

Proposed feature:

Introduce a configuration option allowing specifying the character set for OTPs, such as:

• Numeric only (default, current behavior)
• Alphanumeric (uppercase + lowercase + digits)
• Alphanumeric with case control (lowercase only, uppercase only, or mixed)

Use case:

• Increased entropy for OTPs without increasing length.
• Better compatibility with security policies that require non-numeric codes.
• Customization based on application needs.

Implementation:

Add an optional setting in the Supabase Auth configuration config.Mailer.OtpCharset and forward it to an adjusted version of the GenerateOtp function.

A not yet tested and probably too simple possible implementation:

const (
	Numeric      = "numeric"
	Alphanumeric = "alphanumeric"
	Lowercase    = "lowercase"
	Uppercase    = "uppercase"
	Mixed        = "mixed"
)

 func GenerateOtp(digits int, charset string) (string, error) {
	var characterPool string

	switch charset {
	case Numeric:
		characterPool = "0123456789"
	case Alphanumeric:
		characterPool = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
	case Lowercase:
		characterPool = "abcdefghijklmnopqrstuvwxyz"
	case Uppercase:
		characterPool = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	case Mixed:
		characterPool = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
	default:
		return "", fmt.Errorf("invalid charset: %s", charset)
	}

	poolSize := big.NewInt(int64(len(characterPool)))

	var otp strings.Builder
	for i := 0; i < digits; i++ {
		randomIndex := must(rand.Int(rand.Reader, poolSize))
		otp.WriteByte(characterPool[randomIndex.Int64()])
	}

	return otp.String(), nil
}

Impact:

This would provide better security without significant implementation complexity and would make Supabase Auth more adaptable to different authentication policies.

---

I would also volunteer to implement this feature!