fix: custom SMS does not work with Twilio Verify (supabase#1733)

Custom SMS verification did not work if Twilio Verify was enabled. Furthermore, test OTP flow was misplaced.
uxodb · Aug 21, 2024 · dc2391d · dc2391d
1 parent a9ff361
commit dc2391d
Showing 1 changed file with 8 additions and 6 deletions.
diff --git a/internal/api/verify.go b/internal/api/verify.go
@@ -688,6 +688,12 @@ func (a *API) verifyUserAndToken(conn *storage.Connection, params *VerifyParams,
 		isValid = isOtpValid(tokenHash, user.EmailChangeTokenCurrent, user.EmailChangeSentAt, config.Mailer.OtpExp) ||
 			isOtpValid(tokenHash, user.EmailChangeTokenNew, user.EmailChangeSentAt, config.Mailer.OtpExp)
 	case phoneChangeVerification, smsVerification:
+		if testOTP, ok := config.Sms.GetTestOTP(params.Phone, time.Now()); ok {
+			if params.Token == testOTP {
+				return user, nil
+			}
+		}
+
 		phone := params.Phone
 		sentAt := user.ConfirmationSentAt
 		expectedToken := user.ConfirmationToken
@@ -696,12 +702,8 @@ func (a *API) verifyUserAndToken(conn *storage.Connection, params *VerifyParams,
 			sentAt = user.PhoneChangeSentAt
 			expectedToken = user.PhoneChangeToken
 		}
-		if config.Sms.IsTwilioVerifyProvider() {
-			if testOTP, ok := config.Sms.GetTestOTP(params.Phone, time.Now()); ok {
-				if params.Token == testOTP {
-					return user, nil
-				}
-			}
+
+		if !config.Hook.SendSMS.Enabled && config.Sms.IsTwilioVerifyProvider() {
 			if err := smsProvider.(*sms_provider.TwilioVerifyProvider).VerifyOTP(phone, params.Token); err != nil {
 				return nil, forbiddenError(ErrorCodeOTPExpired, "Token has expired or is invalid").WithInternalError(err)
 			}