payfrit-api/api/auth/loginOTP.php

<?php
require_once __DIR__ . '/../helpers.php';
runAuth();

/*
  Send OTP to phone for LOGIN (existing verified accounts only)
  POST: { "phone": "5551234567" }
  Returns: { OK: true, UUID: "..." }
*/

$data = readJsonBody();
$phone = normalizePhone($data['Phone'] ?? $data['phone'] ?? '');

if (strlen($phone) !== 10) {
    apiAbort(['OK' => false, 'ERROR' => 'invalid_phone', 'MESSAGE' => 'Please enter a valid 10-digit phone number']);
}

$user = queryOne(
    "SELECT ID, UUID
     FROM Users
     WHERE ContactNumber = ? AND IsContactVerified = 1
     LIMIT 1",
    [$phone]
);

if (!$user) {
    apiAbort(['OK' => false, 'ERROR' => 'no_account', 'MESSAGE' => "We couldn't find an account with this number. Try signing up instead!"]);
}

$userUUID = $user['UUID'] ?? '';
if (empty(trim($userUUID))) {
    $userUUID = generateUUID();
    queryTimed("UPDATE Users SET UUID = ? WHERE ID = ?", [$userUUID, $user['ID']]);
}

$otp = random_int(100000, 999999);
queryTimed("UPDATE Users SET MobileVerifyCode = ? WHERE ID = ?", [$otp, $user['ID']]);

// Send OTP via Twilio (skip on dev)
$dev = isDev();
$smsResult = sendSMS("+1{$phone}", "Your Payfrit code is: {$otp}");
$smsMessage = $smsResult['success'] ? 'Login code sent' : ('SMS failed - ' . $smsResult['message']);

$resp = [
    'OK'      => true,
    'UUID'    => $userUUID,
    'MESSAGE' => $smsMessage,
];
if ($dev) {
    $resp['DEV_OTP'] = $otp;
}
jsonResponse($resp);