Refactor login to email-only, remove phone/SMS auth

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-06-09 17:40:37 -04:00
parent 0719269bce
commit 780a214c7d
2 changed files with 12 additions and 98 deletions
+9 -91
View File
@@ -11,7 +11,6 @@ import (
"log"
"math/big"
"net/http"
"net/url"
"os"
"strings"
"time"
@@ -94,18 +93,10 @@ func (s *Server) handleLoginSubmit(w http.ResponseWriter, r *http.Request) {
return
}
var identifier string
var method string // "email" or "phone"
if isEmail(raw) {
identifier = strings.ToLower(raw)
method = "email"
} else {
identifier = normalizePhone(raw)
method = "phone"
if identifier == "" {
http.Redirect(w, r, "/login", http.StatusSeeOther)
return
}
identifier := strings.ToLower(raw)
if !isEmail(identifier) {
http.Redirect(w, r, "/login", http.StatusSeeOther)
return
}
code := generateCode()
@@ -116,32 +107,19 @@ func (s *Server) handleLoginSubmit(w http.ResponseWriter, r *http.Request) {
ExpiresAt: expiresAt,
})
if method == "email" {
if err := sendVerificationEmail(identifier, code); err != nil {
log.Printf("failed to send verification email to %s: %v", identifier, err)
}
} else {
s.q.CreateSmsConsent(r.Context(), db.CreateSmsConsentParams{
Phone: identifier,
IpAddress: r.RemoteAddr,
UserAgent: r.UserAgent(),
})
if err := sendVerificationSMS(identifier, code); err != nil {
log.Printf("failed to send verification SMS to %s: %v", identifier, err)
}
if err := sendVerificationEmail(identifier, code); err != nil {
log.Printf("failed to send verification email to %s: %v", identifier, err)
}
pageTmpl["login"].ExecuteTemplate(w, "layout", map[string]any{
"Step": "code",
"Identifier": identifier,
"Method": method,
"AuthEnabled": true,
})
}
func (s *Server) handleVerifyCode(w http.ResponseWriter, r *http.Request) {
identifier := strings.TrimSpace(r.FormValue("identifier"))
method := r.FormValue("method")
code := strings.TrimSpace(r.FormValue("code"))
vc, err := s.q.GetVerificationCode(r.Context(), db.GetVerificationCodeParams{
@@ -152,7 +130,6 @@ func (s *Server) handleVerifyCode(w http.ResponseWriter, r *http.Request) {
pageTmpl["login"].ExecuteTemplate(w, "layout", map[string]any{
"Step": "code",
"Identifier": identifier,
"Method": method,
"Error": "Invalid or expired code. Try again.",
"AuthEnabled": true,
})
@@ -163,16 +140,9 @@ func (s *Server) handleVerifyCode(w http.ResponseWriter, r *http.Request) {
// Get or create user
var user db.User
if method == "email" {
user, err = s.q.GetUserByEmail(r.Context(), sql.NullString{String: identifier, Valid: true})
if err == sql.ErrNoRows {
user, err = s.q.CreateUserByEmail(r.Context(), sql.NullString{String: identifier, Valid: true})
}
} else {
user, err = s.q.GetUserByPhone(r.Context(), sql.NullString{String: identifier, Valid: true})
if err == sql.ErrNoRows {
user, err = s.q.CreateUserByPhone(r.Context(), sql.NullString{String: identifier, Valid: true})
}
user, err = s.q.GetUserByEmail(r.Context(), sql.NullString{String: identifier, Valid: true})
if err == sql.ErrNoRows {
user, err = s.q.CreateUserByEmail(r.Context(), sql.NullString{String: identifier, Valid: true})
}
if err != nil {
log.Printf("user lookup/create: %v", err)
@@ -270,58 +240,6 @@ func generateSessionToken() string {
return hex.EncodeToString(b)
}
// normalizePhone strips non-digit chars and prepends +1 if no country code.
func normalizePhone(raw string) string {
var digits strings.Builder
for _, c := range strings.TrimSpace(raw) {
if c >= '0' && c <= '9' {
digits.WriteRune(c)
}
}
d := digits.String()
if d == "" {
return ""
}
// If 10 digits, assume US and prepend 1
if len(d) == 10 {
d = "1" + d
}
return "+" + d
}
func sendVerificationSMS(to, code string) error {
sid := os.Getenv("TWILIO_ACCOUNT_SID")
token := os.Getenv("TWILIO_AUTH_TOKEN")
from := os.Getenv("TWILIO_FROM_NUMBER")
if sid == "" || token == "" || from == "" {
log.Printf("Twilio not configured — code for %s is: %s", to, code)
return nil
}
body := fmt.Sprintf("Your bbq login code: %s", code)
apiURL := fmt.Sprintf("https://api.twilio.com/2010-04-01/Accounts/%s/Messages.json", sid)
data := url.Values{}
data.Set("To", to)
data.Set("From", from)
data.Set("Body", body)
req, _ := http.NewRequest("POST", apiURL, strings.NewReader(data.Encode()))
req.SetBasicAuth(sid, token)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
resp, err := http.DefaultClient.Do(req)
if err != nil {
return err
}
defer resp.Body.Close()
if resp.StatusCode >= 400 {
return fmt.Errorf("twilio API returned %d", resp.StatusCode)
}
return nil
}
func sendVerificationEmail(to, code string) error {
apiKey := os.Getenv("RESEND_API_KEY")
if apiKey == "" {
+3 -7
View File
@@ -7,7 +7,7 @@
<div class="event-tag">Account</div>
<h1 class="event-title">Log in</h1>
<p style="font-family:'DM Mono',monospace;font-size:0.8rem;color:#555;margin-top:8px;">
Enter your email or phone number to receive a login code.
Enter your email to receive a login code.
</p>
</div>
@@ -15,18 +15,14 @@
{{if eq .Step "identify"}}
<form method="POST" action="/login">
<div class="form-row">
<label>Email or phone</label>
<input type="text" name="identifier" placeholder="you@example.com or (555) 123-4567" required autofocus>
<label>Email</label>
<input type="email" name="identifier" placeholder="you@example.com" required autofocus>
</div>
<p style="font-family:'DM Mono',monospace;font-size:0.7rem;color:#777;margin-top:12px;line-height:1.5;">
By entering a phone number, you consent to receive a one-time verification code via SMS. Msg &amp; data rates may apply. No marketing messages will be sent.
</p>
<button class="btn-submit" type="submit">Send code &#8599;</button>
</form>
{{else}}
<form method="POST" action="/login/verify">
<input type="hidden" name="identifier" value="{{.Identifier}}">
<input type="hidden" name="method" value="{{.Method}}">
<p style="font-family:'DM Mono',monospace;font-size:0.78rem;color:#555;margin-bottom:16px;">
Code sent to <strong>{{.Identifier}}</strong>
</p>