payfrit/payfrit-biz
Archived
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add phone number support to OTP login APIs

Browse source 
- sendLoginOTP.cfm: Accept Email, Phone, or Identifier field
  Sends OTP via SMS for phone, email for email addresses
- verifyEmailOTP.cfm: Accept phone numbers for verification

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
John Mizerek 2026-02-08 12:48:21 -08:00
parent 428129a93e
commit 06dd664203
2 changed files with 141 additions and 49 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

124
api/auth/sendLoginOTP.cfm
View file

@ -6,8 +6,8 @@
<cfscript>
/*
Send OTP Code for Portal Login
POST: { "Email": "user@example.com" }
Returns: { OK: true } always (don't reveal if email exists)
POST: { "Email": "user@example.com" } or { "Phone": "3105551234" } or { "Identifier": "email or phone" }
Returns: { OK: true } always (don't reveal if account exists)
*/
function apiAbort(required struct payload) {
@ -26,26 +26,67 @@ function readJsonBody() {
return {};
}
data = readJsonBody();
email = trim(data.Email ?: "");
function normalizePhone(phone) {
// Strip all non-digits
var digits = reReplace(phone, "[^0-9]", "", "all");
// Remove leading 1 if 11 digits (US country code)
if (len(digits) == 11 && left(digits, 1) == "1") {
digits = right(digits, 10);
}
return digits;
}
if (!len(email)) {
apiAbort({ "OK": false, "ERROR": "missing_email", "MESSAGE": "Email is required" });
function isPhoneNumber(input) {
// Check if input looks like a phone number (mostly digits, possibly formatted)
var digits = reReplace(input, "[^0-9]", "", "all");
return len(digits) >= 10 && len(digits) <= 11;
}
data = readJsonBody();
// Accept Email, Phone, or generic Identifier field
identifier = trim(data.Identifier ?: data.Email ?: data.Phone ?: "");
if (!len(identifier)) {
apiAbort({ "OK": false, "ERROR": "missing_identifier", "MESSAGE": "Email or phone is required" });
}
// Determine if this is email or phone
isPhone = isPhoneNumber(identifier);
email = "";
phone = "";
if (isPhone) {
phone = normalizePhone(identifier);
} else {
email = identifier;
}
genericResponse = { "OK": true, "MESSAGE": "If an account exists, a code has been sent." };
try {
// Look up user by email
qUser = queryTimed("
SELECT ID, FirstName
FROM Users
WHERE EmailAddress = :email
AND IsActive = 1
LIMIT 1
", {
email: { value: email, cfsqltype: "cf_sql_varchar" }
}, { datasource: "payfrit" });
// Look up user by email or phone
if (len(email)) {
qUser = queryTimed("
SELECT ID, FirstName, ContactNumber
FROM Users
WHERE EmailAddress = :email
AND IsActive = 1
LIMIT 1
", {
email: { value: email, cfsqltype: "cf_sql_varchar" }
}, { datasource: "payfrit" });
} else {
qUser = queryTimed("
SELECT ID, FirstName, ContactNumber
FROM Users
WHERE ContactNumber = :phone
AND IsActive = 1
LIMIT 1
", {
phone: { value: phone, cfsqltype: "cf_sql_varchar" }
}, { datasource: "payfrit" });
}
// Always return OK to not reveal if email exists
if (qUser.recordCount == 0) {
@ -89,29 +130,42 @@ try {
code: { value: code, cfsqltype: "cf_sql_varchar" }
}, { datasource: "payfrit" });
// Send email (skip on dev if magic OTP is enabled)
// Send OTP via email or SMS (skip on dev if magic OTP is enabled)
if (!isDev) {
try {
mailService = new mail();
mailService.setTo(email);
mailService.setFrom("admin@payfrit.com");
mailService.setSubject("Your Payfrit login code");
mailService.setType("html");
if (len(phone) && len(qUser.ContactNumber)) {
// Send via SMS
try {
if (structKeyExists(application, "twilioObj")) {
smsMessage = "Your Payfrit login code is: " & code & ". It expires in 10 minutes.";
application.twilioObj.sendSMS(to=qUser.ContactNumber, message=smsMessage);
}
} catch (any smsErr) {
writeLog(file="otp_errors", text="SMS send failed for user #userId#: #smsErr.message#");
}
} else {
// Send via email
try {
mailService = new mail();
mailService.setTo(email);
mailService.setFrom("admin@payfrit.com");
mailService.setSubject("Your Payfrit login code");
mailService.setType("html");
emailBody = "
<div style='font-family: -apple-system, BlinkMacSystemFont, sans-serif; max-width: 400px; margin: 0 auto; padding: 20px;'>
<h2 style='color: ##333; margin-bottom: 8px;'>Your login code</h2>
<p style='color: ##666; margin-bottom: 20px;'>Hi #encodeForHTML(qUser.FirstName)#, use this code to sign in to Payfrit:</p>
<div style='background: ##f5f5f5; border-radius: 8px; padding: 20px; text-align: center; margin-bottom: 20px;'>
<span style='font-size: 32px; font-weight: 700; letter-spacing: 6px; color: ##111;'>#code#</span>
emailBody = "
<div style='font-family: -apple-system, BlinkMacSystemFont, sans-serif; max-width: 400px; margin: 0 auto; padding: 20px;'>
<h2 style='color: ##333; margin-bottom: 8px;'>Your login code</h2>
<p style='color: ##666; margin-bottom: 20px;'>Hi #encodeForHTML(qUser.FirstName)#, use this code to sign in to Payfrit:</p>
<div style='background: ##f5f5f5; border-radius: 8px; padding: 20px; text-align: center; margin-bottom: 20px;'>
<span style='font-size: 32px; font-weight: 700; letter-spacing: 6px; color: ##111;'>#code#</span>
</div>
<p style='color: ##999; font-size: 13px;'>This code expires in 10 minutes. If you didn't request this, you can safely ignore it.</p>
</div>
<p style='color: ##999; font-size: 13px;'>This code expires in 10 minutes. If you didn't request this, you can safely ignore it.</p>
</div>
";
";
mailService.send(body=emailBody);
} catch (any mailErr) {
writeLog(file="otp_errors", text="Email send failed for user #userId#: #mailErr.message#");
mailService.send(body=emailBody);
} catch (any mailErr) {
writeLog(file="otp_errors", text="Email send failed for user #userId#: #mailErr.message#");
}
}
}

66
api/auth/verifyEmailOTP.cfm
View file

@ -5,8 +5,10 @@
<cfscript>
/*
Verify Email OTP Code for Portal Login
Verify OTP Code for Portal Login (supports email or phone)
POST: { "Email": "user@example.com", "Code": "123456" }
or { "Phone": "3105551234", "Code": "123456" }
or { "Identifier": "email or phone", "Code": "123456" }
Returns: { OK: true, UserID, FirstName, Token } or { OK: false, ERROR: "invalid_code" }
*/
@ -26,25 +28,61 @@ function readJsonBody() {
return {};
}
function normalizePhone(phone) {
var digits = reReplace(phone, "[^0-9]", "", "all");
if (len(digits) == 11 && left(digits, 1) == "1") {
digits = right(digits, 10);
}
return digits;
}
function isPhoneNumber(input) {
var digits = reReplace(input, "[^0-9]", "", "all");
return len(digits) >= 10 && len(digits) <= 11;
}
data = readJsonBody();
email = trim(data.Email ?: "");
identifier = trim(data.Identifier ?: data.Email ?: data.Phone ?: "");
code = trim(data.Code ?: "");
if (!len(email) || !len(code)) {
apiAbort({ "OK": false, "ERROR": "missing_fields", "MESSAGE": "Email and code are required" });
if (!len(identifier) || !len(code)) {
apiAbort({ "OK": false, "ERROR": "missing_fields", "MESSAGE": "Email/phone and code are required" });
}
// Determine if this is email or phone
isPhone = isPhoneNumber(identifier);
email = "";
phone = "";
if (isPhone) {
phone = normalizePhone(identifier);
} else {
email = identifier;
}
try {
// Look up user by email
qUser = queryTimed("
SELECT ID, FirstName
FROM Users
WHERE EmailAddress = :email
AND IsActive = 1
LIMIT 1
", {
email: { value: email, cfsqltype: "cf_sql_varchar" }
}, { datasource: "payfrit" });
// Look up user by email or phone
if (len(email)) {
qUser = queryTimed("
SELECT ID, FirstName
FROM Users
WHERE EmailAddress = :email
AND IsActive = 1
LIMIT 1
", {
email: { value: email, cfsqltype: "cf_sql_varchar" }
}, { datasource: "payfrit" });
} else {
qUser = queryTimed("
SELECT ID, FirstName
FROM Users
WHERE ContactNumber = :phone
AND IsActive = 1
LIMIT 1
", {
phone: { value: phone, cfsqltype: "cf_sql_varchar" }
}, { datasource: "payfrit" });
}
if (qUser.recordCount == 0) {
apiAbort({ "OK": false, "ERROR": "invalid_code", "MESSAGE": "Invalid or expired code" });