fix(verification): fixed OTP verification

Author: waleedlatif1

apps/sim/app/(auth)/signup/signup-form.tsx

@@ -327,27 +327,24 @@ function SignupFormContent({
         return
       }
 
-      // Handle invitation flow redirect
-      if (isInviteFlow && redirectUrl) {
-        router.push(redirectUrl)
-        return
-      }
-
-      try {
-        await client.emailOtp.sendVerificationOtp({
-          email: emailValue,
-          type: 'email-verification',
-        })
-      } catch (err) {
-        console.error('Failed to send verification OTP:', err)
-      }
-
+      // For new signups, always require verification to prevent bypass
+      // sendVerificationOnSignUp: true will automatically send the OTP
       if (typeof window !== 'undefined') {
         sessionStorage.setItem('verificationEmail', emailValue)
         localStorage.setItem('has_logged_in_before', 'true')
-        document.cookie = 'has_logged_in_before=true; path=/; max-age=31536000; SameSite=Lax' // 1 year expiry
+
+        // Set cookie flag for middleware check (prevents bypass)
+        document.cookie = 'requiresEmailVerification=true; path=/; max-age=900; SameSite=Lax' // 15 min expiry
+        document.cookie = 'has_logged_in_before=true; path=/; max-age=31536000; SameSite=Lax'
+
+        // Store invitation flow state if applicable
+        if (isInviteFlow && redirectUrl) {
+          sessionStorage.setItem('inviteRedirectUrl', redirectUrl)
+          sessionStorage.setItem('isInviteFlow', 'true')
+        }
       }
 
+      // Always redirect to verification for new signups
       router.push('/verify?fromSignup=true')
     } catch (error) {
       console.error('Signup error:', error)

apps/sim/app/(auth)/verify/use-verification.ts

@@ -121,10 +121,14 @@ export function useVerification({
       if (response && !response.error) {
         setIsVerified(true)
 
-        // Clear email from sessionStorage after successful verification
+        // Clear verification requirements and session storage
         if (typeof window !== 'undefined') {
           sessionStorage.removeItem('verificationEmail')
 
+          // Clear the verification requirement flag - this prevents the bypass
+          document.cookie =
+            'requiresEmailVerification=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT'
+
           // Also clear invite-related items
           if (isInviteFlow) {
             sessionStorage.removeItem('inviteRedirectUrl')
@@ -223,6 +227,11 @@ export function useVerification({
       // Auto-verify and redirect in development/docker environments
       if (isDevOrDocker || !hasResendKey) {
         setIsVerified(true)
+
+        // Clear verification requirement cookie (same as manual verification)
+        document.cookie =
+          'requiresEmailVerification=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT'
+
         const timeoutId = setTimeout(() => {
           router.push('/workspace')
         }, 1000)

apps/sim/lib/auth.ts

@@ -156,8 +156,8 @@ export const auth = betterAuth({
   },
   emailAndPassword: {
     enabled: true,
-    requireEmailVerification: false,
-    sendVerificationOnSignUp: false,
+    requireEmailVerification: false, // Keep false - don't break existing users
+    sendVerificationOnSignUp: true, // Auto-send verification emails
     throwOnMissingCredentials: true,
     throwOnInvalidCredentials: true,
     sendResetPassword: async ({ user, url, token }, request) => {

apps/sim/middleware.ts

@@ -93,6 +93,13 @@ export async function middleware(request: NextRequest) {
     if (!hasActiveSession) {
       return NextResponse.redirect(new URL('/login', request.url))
     }
+
+    // Check if user needs email verification (prevents the bypass vulnerability)
+    const requiresVerification = request.cookies.get('requiresEmailVerification')
+    if (requiresVerification?.value === 'true') {
+      return NextResponse.redirect(new URL('/verify', request.url))
+    }
+
     return NextResponse.next()
   }