Press n or j to go to the next uncovered block, b, p or k for the previous block.
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 | 1x 10x 10x 10x 9x 9x 9x 9x 10x 1x 1x 8x 8x 10x 1x 1x 7x 10x 1x 1x 10x 1x 1x 5x 5x 5x 5x 10x 10x 1x 1x 1x 1x 1x 4x 4x 10x 4x 4x 4x 4x 4x 10x 1x 1x 1x 1x 1x 10x 2x 2x 2x 2x 2x 2x 2x 2x 2x 2x 2x 2x 2x 2x 1x 1x 1x 1x 10x 1x 1x 1x 1x 1x 1x 1x 1x 1x 1x 1x 1x 1x 1x 10x | import { NextRequest, NextResponse } from 'next/server';
import { createClient } from '@/lib/supabase/server';
import { getAdminClient } from '@/lib/supabase/admin';
import { formatPhoneNumber, validatePhoneNumber } from '@/lib/auth/otp';
import { checkRateLimit, incrementRateLimit } from '@/lib/auth/rate-limit';
import { getClientInfo, hashIP } from '@/lib/auth/login-events';
import { verifyCaptcha, isCaptchaEnabled } from '@/lib/auth/captcha';
import { sendVerificationCode, isTwilioConfigured } from '@/lib/twilio/verify';
/**
* Update phone number for authenticated users
* Step 1: Request phone update (sends OTP to new number)
*/
export async function POST(request: NextRequest) {
try {
const supabase = await createClient();
// Get current user
const {
data: { user },
error: userError,
} = await supabase.auth.getUser();
if (userError || !user) {
return NextResponse.json({ error: 'Not authenticated' }, { status: 401 });
}
const body = await request.json();
const { phone, countryCode = '+91', captchaToken } = body;
if (!phone) {
return NextResponse.json({ error: 'Phone number is required' }, { status: 400 });
}
const formattedPhone = formatPhoneNumber(phone, countryCode);
if (!validatePhoneNumber(formattedPhone)) {
return NextResponse.json({ error: 'Invalid phone number format' }, { status: 400 });
}
// Check if phone is same as current
if (user.phone === formattedPhone) {
return NextResponse.json({ error: 'This is already your phone number' }, { status: 400 });
}
// CRITICAL: Check if this phone is already verified by another user
// Use admin client to bypass RLS and query auth.users
const adminClient = getAdminClient();
const { data: existingUserId, error: checkError } = await adminClient.rpc('get_user_by_phone', {
phone_number: formattedPhone,
});
if (checkError) {
console.error('Error checking phone existence:', checkError);
// Don't block on error, let Twilio/Supabase handle duplicates
} else if (existingUserId && existingUserId !== user.id) {
return NextResponse.json(
{ error: 'This phone number is already verified by another user' },
{ status: 409 }
);
}
// Verify CAPTCHA (skip for resends - rate limiting already protects against abuse)
const { ipAddress } = getClientInfo(request.headers);
const isResend = body.isResend === true;
if (isCaptchaEnabled() && !isResend) {
if (!captchaToken) {
return NextResponse.json(
{ error: 'CAPTCHA verification required', captchaRequired: true },
{ status: 400 }
);
}
const captchaResult = await verifyCaptcha(captchaToken, ipAddress);
if (!captchaResult.success) {
return NextResponse.json(
{ error: captchaResult.error || 'CAPTCHA verification failed', captchaRequired: true },
{ status: 400 }
);
}
}
// Check rate limit
const ipHash = hashIP(ipAddress);
const [phoneLimit, ipLimit] = await Promise.all([
checkRateLimit(formattedPhone, 'phone', 'otp_send'),
checkRateLimit(ipHash, 'ip', 'otp_send'),
]);
if (!phoneLimit.allowed || !ipLimit.allowed) {
return NextResponse.json(
{ error: 'Too many requests. Please try again later.' },
{ status: 429 }
);
}
// Use direct Twilio Verify if configured
if (isTwilioConfigured()) {
console.log('Using Twilio Verify for phone update:', formattedPhone);
const result = await sendVerificationCode(formattedPhone);
if (!result.success) {
await incrementRateLimit(formattedPhone, 'phone');
return NextResponse.json({ error: result.error || 'Failed to send OTP' }, { status: 500 });
}
await Promise.all([
incrementRateLimit(formattedPhone, 'phone'),
incrementRateLimit(ipHash, 'ip'),
]);
return NextResponse.json({
success: true,
message: 'OTP sent to new phone number',
phone_masked: formattedPhone.slice(0, 4) + '****' + formattedPhone.slice(-2),
provider: 'twilio_verify',
});
}
// Fallback: Use Supabase updateUser (sends OTP via Supabase)
console.log('Using Supabase for phone update:', formattedPhone);
const { error: updateError } = await supabase.auth.updateUser({
phone: formattedPhone,
});
if (updateError) {
console.error('Phone update error:', updateError);
await incrementRateLimit(formattedPhone, 'phone');
return NextResponse.json(
{ error: updateError.message || 'Failed to send OTP' },
{ status: 500 }
);
}
await Promise.all([
incrementRateLimit(formattedPhone, 'phone'),
incrementRateLimit(ipHash, 'ip'),
]);
return NextResponse.json({
success: true,
message: 'OTP sent to new phone number',
phone_masked: formattedPhone.slice(0, 4) + '****' + formattedPhone.slice(-2),
provider: 'supabase',
});
} catch (error) {
console.error('Phone update API error:', error);
return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
}
}
|