Add phone number support to OTP login APIs

- sendLoginOTP.cfm: Accept Email, Phone, or Identifier field
  Sends OTP via SMS for phone, email for email addresses
- verifyEmailOTP.cfm: Accept phone numbers for verification

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

api/auth/sendLoginOTP.cfm

@@ -6,8 +6,8 @@
 <cfscript>
 /*
   Send OTP Code for Portal Login
-  POST: { "Email": "user@example.com" }
+  POST: { "Email": "user@example.com" } or { "Phone": "3105551234" } or { "Identifier": "email or phone" }
-  Returns: { OK: true } always (don't reveal if email exists)
+  Returns: { OK: true } always (don't reveal if account exists)
 */
 
 function apiAbort(required struct payload) {
@@ -26,19 +26,49 @@ function readJsonBody() {
   return {};
 }
 
-data = readJsonBody();
+function normalizePhone(phone) {
-email = trim(data.Email ?: "");
+  // Strip all non-digits
+  var digits = reReplace(phone, "[^0-9]", "", "all");
+  // Remove leading 1 if 11 digits (US country code)
+  if (len(digits) == 11 && left(digits, 1) == "1") {
+    digits = right(digits, 10);
+  }
+  return digits;
+}
 
-if (!len(email)) {
+function isPhoneNumber(input) {
-  apiAbort({ "OK": false, "ERROR": "missing_email", "MESSAGE": "Email is required" });
+  // Check if input looks like a phone number (mostly digits, possibly formatted)
+  var digits = reReplace(input, "[^0-9]", "", "all");
+  return len(digits) >= 10 && len(digits) <= 11;
+}
+
+data = readJsonBody();
+
+// Accept Email, Phone, or generic Identifier field
+identifier = trim(data.Identifier ?: data.Email ?: data.Phone ?: "");
+
+if (!len(identifier)) {
+  apiAbort({ "OK": false, "ERROR": "missing_identifier", "MESSAGE": "Email or phone is required" });
+}
+
+// Determine if this is email or phone
+isPhone = isPhoneNumber(identifier);
+email = "";
+phone = "";
+
+if (isPhone) {
+  phone = normalizePhone(identifier);
+} else {
+  email = identifier;
 }
 
 genericResponse = { "OK": true, "MESSAGE": "If an account exists, a code has been sent." };
 
 try {
-  // Look up user by email
+  // Look up user by email or phone
+  if (len(email)) {
     qUser = queryTimed("
-    SELECT ID, FirstName
+      SELECT ID, FirstName, ContactNumber
       FROM Users
       WHERE EmailAddress = :email
         AND IsActive = 1
@@ -46,6 +76,17 @@ try {
     ", {
       email: { value: email, cfsqltype: "cf_sql_varchar" }
     }, { datasource: "payfrit" });
+  } else {
+    qUser = queryTimed("
+      SELECT ID, FirstName, ContactNumber
+      FROM Users
+      WHERE ContactNumber = :phone
+        AND IsActive = 1
+      LIMIT 1
+    ", {
+      phone: { value: phone, cfsqltype: "cf_sql_varchar" }
+    }, { datasource: "payfrit" });
+  }
 
   // Always return OK to not reveal if email exists
   if (qUser.recordCount == 0) {
@@ -89,8 +130,20 @@ try {
     code: { value: code, cfsqltype: "cf_sql_varchar" }
   }, { datasource: "payfrit" });
 
-  // Send email (skip on dev if magic OTP is enabled)
+  // Send OTP via email or SMS (skip on dev if magic OTP is enabled)
   if (!isDev) {
+    if (len(phone) && len(qUser.ContactNumber)) {
+      // Send via SMS
+      try {
+        if (structKeyExists(application, "twilioObj")) {
+          smsMessage = "Your Payfrit login code is: " & code & ". It expires in 10 minutes.";
+          application.twilioObj.sendSMS(to=qUser.ContactNumber, message=smsMessage);
+        }
+      } catch (any smsErr) {
+        writeLog(file="otp_errors", text="SMS send failed for user #userId#: #smsErr.message#");
+      }
+    } else {
+      // Send via email
       try {
         mailService = new mail();
         mailService.setTo(email);
@@ -114,6 +167,7 @@ try {
         writeLog(file="otp_errors", text="Email send failed for user #userId#: #mailErr.message#");
       }
     }
+  }
 
   // On dev, include the code in response for easy testing
   resp = duplicate(genericResponse);

api/auth/verifyEmailOTP.cfm

@@ -5,8 +5,10 @@
 
 <cfscript>
 /*
-  Verify Email OTP Code for Portal Login
+  Verify OTP Code for Portal Login (supports email or phone)
   POST: { "Email": "user@example.com", "Code": "123456" }
+     or { "Phone": "3105551234", "Code": "123456" }
+     or { "Identifier": "email or phone", "Code": "123456" }
   Returns: { OK: true, UserID, FirstName, Token } or { OK: false, ERROR: "invalid_code" }
 */
 
@@ -26,16 +28,41 @@ function readJsonBody() {
   return {};
 }
 
+function normalizePhone(phone) {
+  var digits = reReplace(phone, "[^0-9]", "", "all");
+  if (len(digits) == 11 && left(digits, 1) == "1") {
+    digits = right(digits, 10);
+  }
+  return digits;
+}
+
+function isPhoneNumber(input) {
+  var digits = reReplace(input, "[^0-9]", "", "all");
+  return len(digits) >= 10 && len(digits) <= 11;
+}
+
 data = readJsonBody();
-email = trim(data.Email ?: "");
+identifier = trim(data.Identifier ?: data.Email ?: data.Phone ?: "");
 code = trim(data.Code ?: "");
 
-if (!len(email) || !len(code)) {
+if (!len(identifier) || !len(code)) {
-  apiAbort({ "OK": false, "ERROR": "missing_fields", "MESSAGE": "Email and code are required" });
+  apiAbort({ "OK": false, "ERROR": "missing_fields", "MESSAGE": "Email/phone and code are required" });
+}
+
+// Determine if this is email or phone
+isPhone = isPhoneNumber(identifier);
+email = "";
+phone = "";
+
+if (isPhone) {
+  phone = normalizePhone(identifier);
+} else {
+  email = identifier;
 }
 
 try {
-  // Look up user by email
+  // Look up user by email or phone
+  if (len(email)) {
     qUser = queryTimed("
       SELECT ID, FirstName
       FROM Users
@@ -45,6 +72,17 @@ try {
     ", {
       email: { value: email, cfsqltype: "cf_sql_varchar" }
     }, { datasource: "payfrit" });
+  } else {
+    qUser = queryTimed("
+      SELECT ID, FirstName
+      FROM Users
+      WHERE ContactNumber = :phone
+        AND IsActive = 1
+      LIMIT 1
+    ", {
+      phone: { value: phone, cfsqltype: "cf_sql_varchar" }
+    }, { datasource: "payfrit" });
+  }
 
   if (qUser.recordCount == 0) {
     apiAbort({ "OK": false, "ERROR": "invalid_code", "MESSAGE": "Invalid or expired code" });