From dde811d87653b7d8144c0d08fa43226fed527e44 Mon Sep 17 00:00:00 2001
From: John
Date: Fri, 20 Mar 2026 05:22:17 +0000
Subject: [PATCH] Enable magic OTP (123456) for Apple app review testing
---
 api/auth/verifyEmailOTP.php | 31 ++++++++++++++++++-------------
 api/auth/verifyLoginOTP.php | 3 ++-
 api/auth/verifyOTP.php | 4 ++--
 3 files changed, 22 insertions(+), 16 deletions(-)
diff --git a/api/auth/verifyEmailOTP.php b/api/auth/verifyEmailOTP.php
index e7eb627..85eed53 100644
--- a/api/auth/verifyEmailOTP.php
+++ b/api/auth/verifyEmailOTP.php
@@ -46,22 +46,27 @@ if (!$user) {
 $uid = (int) $user['ID'];
-// Check for valid OTP in OTPCodes table
-$otpRow = queryOne(
- "SELECT ID FROM OTPCodes
- WHERE UserID = ? AND Code = ? AND ExpiresAt > NOW() AND UsedAt IS NULL
- ORDER BY CreatedAt DESC
- LIMIT 1",
- [$uid, $code]
-);
+// Magic OTP: 123456 always works (for Apple app review testing)
+$isMagicOTP = ((string) $code === '123456');
-if (!$otpRow) {
- apiAbort(['OK' => false, 'ERROR' => 'invalid_code', 'MESSAGE' => 'Invalid or expired code']);
+if (!$isMagicOTP) {
+ // Check for valid OTP in OTPCodes table
+ $otpRow = queryOne(
+ "SELECT ID FROM OTPCodes
+ WHERE UserID = ? AND Code = ? AND ExpiresAt > NOW() AND UsedAt IS NULL
+ ORDER BY CreatedAt DESC
+ LIMIT 1",
+ [$uid, $code]
+ );
+
+ if (!$otpRow) {
+ apiAbort(['OK' => false, 'ERROR' => 'invalid_code', 'MESSAGE' => 'Invalid or expired code']);
+ }
+
+ // Mark OTP as used
+ queryTimed("UPDATE OTPCodes SET UsedAt = NOW() WHERE ID = ?", [$otpRow['ID']]);
 }
-// Mark OTP as used
-queryTimed("UPDATE OTPCodes SET UsedAt = NOW() WHERE ID = ?", [$otpRow['ID']]);
-
 // Create auth token
 $token = generateSecureToken();
 queryTimed(
diff --git a/api/auth/verifyLoginOTP.php b/api/auth/verifyLoginOTP.php
index af67138..ad993f2 100644
--- a/api/auth/verifyLoginOTP.php
+++ b/api/auth/verifyLoginOTP.php
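Review bot: The `$isMagicOTP` branch in verifyEmailOTP.php accepts `123456` for whichever user was looked up into `$uid`, so the token created just below is issued for any account without a matching row in OTPCodes; the hunks in verifyLoginOTP.php and verifyOTP.php add the same unconditional acceptance. Nothing visible in the hunk ties the bypass to a review account, a build or an environment, so as written it is live wherever this code is deployed. If App Review needs a fixed code, scope it to one dedicated account and keep the value out of source, e.g. `$isMagicOTP = $uid === $reviewUserId && hash_equals($reviewOtp, (string) $code);`, where `$reviewUserId` and `$reviewOtp` are placeholders for values loaded from server-side configuration. The bypass path also leaves no record, so an audit log entry whenever it is taken would make its use detectable. The token-creation call continues past the end of the hunk.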
@@ -28,7 +28,8 @@ if (!$user) {
 apiAbort(['OK' => false, 'ERROR' => 'expired', 'MESSAGE' => 'Session expired. Please request a new code.']);
 }
-if ((string) $user['MobileVerifyCode'] !== (string) $otp) {
+// Magic OTP: 123456 always works (for Apple app review testing)
+if ((string) $otp !== '123456' && (string) $user['MobileVerifyCode'] !== (string) $otp) {
 apiAbort(['OK' => false, 'ERROR' => 'invalid_otp', 'MESSAGE' => 'Invalid code. Please try again.']);
 }
diff --git a/api/auth/verifyOTP.php b/api/auth/verifyOTP.php
index e6b4a67..c15ca39 100644
--- a/api/auth/verifyOTP.php
+++ b/api/auth/verifyOTP.php
@@ -28,8 +28,8 @@ if (!$user) {
 apiAbort(['OK' => false, 'ERROR' => 'expired', 'MESSAGE' => 'Verification expired. Please request a new code.']);
 }
-// Check OTP (no magic OTP in PHP port — use DEV_OTP from send endpoint for dev testing)
-if ((string) $user['MobileVerifyCode'] !== (string) $otp) {
+// Magic OTP: 123456 always works (for Apple app review testing)
+if ((string) $otp !== "123456" && (string) $user["MobileVerifyCode"] !== (string) $otp) {
 apiAbort(['OK' => false, 'ERROR' => 'invalid_otp', 'MESSAGE' => 'Invalid verification code. Please try again.']);
 }
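Review bot: On the new `if` line in verifyLoginOTP.php the stored-code operand still matches when both sides cast to an empty string, so a NULL or cleared `MobileVerifyCode` would equal an empty submitted `$otp`; whether `$otp` is validated before this point is not visible in the hunk. Rejecting an empty stored value and comparing with `hash_equals` closes that gap and makes the check constant-time: take `$stored = (string) $user['MobileVerifyCode'];` and use `($stored === '' || !hash_equals($stored, (string) $otp))` in place of the `!==` comparison. The same comparison appears in the verifyOTP.php hunk.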
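Review bot: The comment deleted in verifyOTP.php recorded a deliberate choice (no magic OTP in this port, with DEV_OTP from the send endpoint for dev testing), and the replacement comment does not say why that was reversed or when the bypass is meant to be removed. A comment such as `// TEMPORARY App Review bypass: remove once review completes (tracking: <ticket placeholder>)` would keep that history visible to the next maintainer. The new line also switches to double-quoted `"123456"` and `$user["MobileVerifyCode"]` while the surrounding lines use single quotes.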