fix: use postgres crypt to handle OTP hashing (#674)

### **PR Type**
Enhancement, Bug fix


___

### **Description**
- Add configurable SMS provider flag

- Simplify OTP generation and storage

- Update SQL to cryptographically verify OTP

- Refactor and export password hash verifier


___

### Diagram Walkthrough


```mermaid
flowchart LR
  A["CLI --sms-provider flag"]
  B["getSMS initializes provider"]
  C["Dev or Twilio backend"]
  D["SendVerificationCode generates OTP"]
  E["DB stores and verifies OTP using crypt"]
  A -- "provides flag" --> B
  B -- "selects provider" --> C
  C -- "sends code" --> D
  D -- "calls DB update" --> E
```



<details> <summary><h3> File Walkthrough</h3></summary>

<table><thead><tr><th></th><th align="left">Relevant
files</th></tr></thead><tbody><tr><td><strong>Enhancement</strong></td><td><details><summary>9
files</summary><table>
<tr>
<td><strong>email.go</strong><dd><code>Add SMS provider switch in
getSMS</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </dd></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-a6364ed092c8bd789262322ec1e0108c274323462a0af0b7c7dd10a07f0bc449">+20/-11</a>&nbsp;
</td>

</tr>

<tr>
<td><strong>secrets.go</strong><dd><code>Export password hash
verifier</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
</dd></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-97ceb71f0d904089c77f432c1eb00e9b2b202b5b4ec191a52287386f06f0221b">+1/-1</a>&nbsp;
&nbsp; &nbsp; </td>

</tr>

<tr>
<td><strong>sign_in_email_password.go</strong><dd><code>Use exported
VerifyHashPassword</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
</dd></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-c10b97a61def73058ca42e90bcdd6eb373637816f1c2eb05f448887abea0c996">+1/-1</a>&nbsp;
&nbsp; &nbsp; </td>

</tr>

<tr>
<td><strong>sign_in_otp_email.go</strong><dd><code>Introduce generateOTP
function</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
</dd></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-ef51144d6b45769b4ac4e5bbe0531a8cc235ef35c8d44a655ec689c8a81a45a0">+13/-1</a>&nbsp;
&nbsp; </td>

</tr>

<tr>
<td><strong>dev.go</strong><dd><code>Add Dev SMS provider
implementation</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </dd></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-875168f3184f1535f1a9893cd1c9f716e546b99057f4ce170b934d5ae661cac9">+32/-0</a>&nbsp;
&nbsp; </td>

</tr>

<tr>
<td><strong>sms.go</strong><dd><code>Simplify SMS OTP generation
logic</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </dd></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-5c133e946d3d4678c97b6d28dfe7985b8f2b87a3f1fc26385bf07413e9508551">+13/-20</a>&nbsp;
</td>

</tr>

<tr>
<td><strong>twilio_sms.go</strong><dd><code>Remove OTP args in TwilioSMS
constructor</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
</dd></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-c61a03d180f37c02b5dfc5224be8d2cbf8511dd6782153a76d09d9ce0ac9eaf6">+0/-4</a>&nbsp;
&nbsp; &nbsp; </td>

</tr>

<tr>
<td><strong>sign_up_email_password.go</strong><dd><code>Remove OtpHash,
set empty Otp field</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </dd></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-21603d0151e49e6bf3da5747febc7d63b05501ef9c49559202b906faba64809a">+2/-2</a>&nbsp;
&nbsp; &nbsp; </td>

</tr>

<tr>
<td><strong>sign_in_passwordless_email.go</strong><dd><code>Set empty
Otp on signup with ticket</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </dd></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-75955329f33dc13dc34388566d2874aaf09cda6ed864be1775e04db48bd3029b">+2/-2</a>&nbsp;
&nbsp; &nbsp; </td>

</tr>
</table></details></td></tr><tr><td><strong>Configuration
changes</strong></td><td><details><summary>2 files</summary><table>
<tr>
<td><strong>serve.go</strong><dd><code>Add sms-provider CLI
flag</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; </dd></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-a900f3187c126bacf5c9c5b1745b5d14bc583c01ab8f1ca84ae449751c224b68">+8/-0</a>&nbsp;
&nbsp; &nbsp; </td>

</tr>

<tr>
<td><strong>.golangci.yaml</strong><dd><code>Add goconst linter for
tests</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; </dd></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-9917ddc9f1c3304218f7269265b746d997c5c0615478177b5fceecd33ef47cb5">+1/-0</a>&nbsp;
&nbsp; &nbsp; </td>

</tr>

</table></details></td></tr><tr><td><strong>Cleanup</strong></td><td><details><summary>3
files</summary><table>
<tr>
<td><strong>workflows_tickets.go</strong><dd><code>Remove legacy OTP
generator and hasher</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; </dd></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-a4d16eaab24ba5b8c7b93fb112b8dd7a7ff7a70308e2d334b1ba6ba38df8b1ee">+0/-27</a>&nbsp;
&nbsp; </td>

</tr>

<tr>
<td><strong>controller.go</strong><dd><code>Remove obsolete OTP
interface method</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; </dd></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-68eba6c5b3be94c2016a5c821351ad07c60e395226594ff744901f759e22af15">+0/-3</a>&nbsp;
&nbsp; &nbsp; </td>

</tr>

<tr>
<td><strong>controller.go</strong><dd><code>Remove mocks for phone OTP
method</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </dd></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-f1b1f168b0924b023c571d6274d53defef472a872f5fee4de1c4ae78959cc327">+0/-30</a>&nbsp;
&nbsp; </td>

</tr>
</table></details></td></tr><tr><td><strong>Bug
fix</strong></td><td><details><summary>3 files</summary><table>
<tr>
<td><strong>query.sql.go</strong><dd><code>Update
GetUserByPhoneNumberAndOTP crypt logic</code>&nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </dd></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-442fde6e20ac506fb6bc13c00a7374ee9c33b183ffda72db4e49e1b013cd4cde">+17/-11</a>&nbsp;
</td>

</tr>

<tr>
<td><strong>query.sql</strong><dd><code>Align OTP SQL with crypt-based
check</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; </dd></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-c19dd96472c44a7389d4d1f72e0a1879df1e06e8e4d333ca3cb6b6dfbe3083ef">+10/-4</a>&nbsp;
&nbsp; </td>

</tr>

<tr>
<td><strong>sign_in_passwordless_sms.go</strong><dd><code>Use raw OTP
instead of stored hash</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; </dd></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-27f138a5979edb2e311a55e08f902030c7c1ad35ab4600c8e0b41b4c03a70b8d">+9/-13</a>&nbsp;
&nbsp; </td>

</tr>

</table></details></td></tr><tr><td><strong>Documentation</strong></td><td><details><summary>1
files</summary><table>
<tr>
<td><strong>cli.md</strong><dd><code>Document --sms-provider
option</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
</dd></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-27c8c22b45605a0ddf42ce8017b6b2a68cb3b10534c18bf4a781e230d7b92361">+3/-0</a>&nbsp;
&nbsp; &nbsp; </td>

</tr>

</table></details></td></tr><tr><td><strong>Tests</strong></td><td><details><summary>2
files</summary><table>
<tr>
<td><strong>sign_in_passwordless_sms_test.go</strong><dd><code>Update
tests for OTP vs hash</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; </dd></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-b51c9ca27064e2579444e6eecca4908c5c5f0f3d567b9a125406ca07f00354a7">+36/-36</a>&nbsp;
</td>

</tr>

<tr>
<td><strong>sign_up_email_password_test.go</strong><dd><code>Update
tests to expect Otp field</code>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
</dd></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-2cd7cf89bd4d3e6fdfacd10d66740c02196b2bee4f9ec44409c4ad6a77d53685">+6/-6</a>&nbsp;
&nbsp; &nbsp; </td>

</tr>
</table></details></td></tr><tr><td><strong>Additional
files</strong></td><td><details><summary>7 files</summary><table>
<tr>
  <td><strong>elevate_webauthn_test.go</strong></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-47ef225c96c0aa63c67e926b18c922a14e7ccbd71145ffe646da196d3cc13880">+1/-1</a>&nbsp;
&nbsp; &nbsp; </td>

</tr>

<tr>
  <td><strong>refresh_token_test.go</strong></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-7c06d2d7bbfc744dd9feaa835b3ff8f2856304325c0fe45035bd9c655b2086d8">+1/-1</a>&nbsp;
&nbsp; &nbsp; </td>

</tr>

<tr>
  <td><strong>sign_in_otp_email_test.go</strong></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-aff8747c582d84badc6a27e1f2f88dd91761ca1901f983908aab20f02c7eb5e3">+6/-6</a>&nbsp;
&nbsp; &nbsp; </td>

</tr>

<tr>
  <td><strong>sign_in_passwordless_email_test.go</strong></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-f8cb52277c756ae8dfb128d6cf53df90a0c8e3506fe8402eb9d77a7658138678">+6/-6</a>&nbsp;
&nbsp; &nbsp; </td>

</tr>

<tr>
  <td><strong>sign_in_provider_callback_get_test.go</strong></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-b46929201c1137439ed7682d5965a96d427110015ef31eb50fd3c86de3814d55">+1/-1</a>&nbsp;
&nbsp; &nbsp; </td>

</tr>

<tr>
  <td><strong>verify_elevate_webauthn_test.go</strong></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-8f96cae3346b1cd7cddadcb3d588a05dcf51bf7d814fa9ae6817ed776a6ccbca">+2/-2</a>&nbsp;
&nbsp; &nbsp; </td>

</tr>

<tr>
  <td><strong>gocmp.go</strong></td>
<td><a
href="https://github.com/nhost/hasura-auth/pull/674/files#diff-27aaac461c10f73569f7c93a2c299818d040c491f1fbd5279c682f5488dc65ed">+1/-1</a>&nbsp;
&nbsp; &nbsp; </td>

</tr>
</table></details></td></tr></tr></tbody></table>

</details>

___

Author: dbarrosop

.golangci.yaml

@@ -29,6 +29,7 @@ linters:
       - linters:
           - funlen
           - ireturn
+          - goconst
         path: _test\.go
       - linters:
           - lll

docs/cli.md

@@ -112,6 +112,7 @@ auth
 [--require-elevated-claim]=[value]
 [--server-url]=[value]
 [--sms-passwordless-enabled]
+[--sms-provider]=[value]
 [--sms-twilio-account-sid]=[value]
 [--sms-twilio-auth-token]=[value]
 [--sms-twilio-messaging-service-id]=[value]
@@ -375,6 +376,8 @@ auth [GLOBAL OPTIONS] [command [COMMAND OPTIONS]] [ARGUMENTS...]
 
 **--sms-passwordless-enabled**: Enable SMS passwordless authentication
 
+**--sms-provider**="": SMS provider (twilio or modica) (default: twilio)
+
 **--sms-twilio-account-sid**="": Twilio Account SID for SMS
 
 **--sms-twilio-auth-token**="": Twilio Auth Token for SMS

go/cmd/email.go

@@ -111,6 +111,26 @@ func getSMS( //nolint:ireturn
 		return nil, nil //nolint:nilnil // SMS disabled, return nil client
 	}
 
+	provider := strings.ToLower(cmd.String(flagSMSProvider))
+	if provider == "" {
+		provider = "twilio" // Default to Twilio for backward compatibility
+	}
+
+	switch strings.ToLower(cmd.String(flagSMSProvider)) {
+	case "twilio":
+		return getTwilioSMS(cmd, templates, db)
+	case "dev":
+		return sms.NewDev(templates, db, logger), nil
+	default:
+		return nil, fmt.Errorf("unsupported SMS provider: %s", provider) //nolint:err113
+	}
+}
+
+func getTwilioSMS( //nolint:ireturn
+	cmd *cli.Command,
+	templates *notifications.Templates,
+	db *sql.Queries,
+) (controller.SMSer, error) {
 	accountSid := cmd.String(flagSMSTwilioAccountSid)
 	authToken := cmd.String(flagSMSTwilioAuthToken)
 	messagingServiceID := cmd.String(flagSMSTwilioMessagingServiceID)
@@ -126,19 +146,8 @@ func getSMS( //nolint:ireturn
 		), nil
 	}
 
-	if templates == nil {
-		var err error
-
-		templates, err = getTemplates(cmd, logger)
-		if err != nil {
-			return nil, fmt.Errorf("problem creating templates: %w", err)
-		}
-	}
-
 	return sms.NewTwilioSMS(
 		templates,
-		controller.GenerateOTP,
-		controller.HashOTP,
 		accountSid,
 		authToken,
 		messagingServiceID,

go/cmd/serve.go

@@ -95,6 +95,7 @@ const (
 	flagGoogleAudience                   = "google-audience"
 	flagOTPEmailEnabled                  = "otp-email-enabled"
 	flagSMSPasswordlessEnabled           = "sms-passwordless-enabled"
+	flagSMSProvider                      = "sms-provider"
 	flagSMSTwilioAccountSid              = "sms-twilio-account-sid"
 	flagSMSTwilioAuthToken               = "sms-twilio-auth-token" //nolint:gosec
 	flagSMSTwilioMessagingServiceID      = "sms-twilio-messaging-service-id"
@@ -665,6 +666,13 @@ func CommandServe() *cli.Command { //nolint:funlen,maintidx
 				Category: "sms",
 				Sources:  cli.EnvVars("AUTH_SMS_PASSWORDLESS_ENABLED"),
 			},
+			&cli.StringFlag{ //nolint: exhaustruct
+				Name:     flagSMSProvider,
+				Usage:    "SMS provider (twilio or modica)",
+				Category: "sms",
+				Value:    "twilio",
+				Sources:  cli.EnvVars("AUTH_SMS_PROVIDER"),
+			},
 			&cli.StringFlag{ //nolint: exhaustruct
 				Name:     flagSMSTwilioAccountSid,
 				Usage:    "Twilio Account SID for SMS",

go/controller/controller.go

@@ -58,9 +58,6 @@ type DBClientGetUser interface {
 	GetUserByEmailAndTicket(
 		ctx context.Context, arg sql.GetUserByEmailAndTicketParams,
 	) (sql.AuthUser, error)
-	GetUserByPhoneNumberAndOTP(
-		ctx context.Context, arg sql.GetUserByPhoneNumberAndOTPParams,
-	) (sql.AuthUser, error)
 }
 
 type DBClientInsertUser interface {

go/controller/elevate_webauthn_test.go

@@ -46,7 +46,7 @@ func TestElevateWebauthn(t *testing.T) {
 		}
 	}
 
-	credentialIDString := "EuKJAraRGDcmHon-EjDoqoU5Yvk" //nolint:gosec,goconst,nolintlint
+	credentialIDString := "EuKJAraRGDcmHon-EjDoqoU5Yvk" //nolint:gosec
 
 	var credentialID protocol.URLEncodedBase64
 	if err := credentialID.UnmarshalJSON([]byte(credentialIDString)); err != nil {

go/controller/mock/controller.go

@@ -55,7 +55,7 @@ func TestRefreshToken(t *testing.T) { //nolint:maintidx
 
 	userID := uuid.MustParse("db477732-48fa-4289-b694-2886a646b6eb")
 	token := uuid.MustParse("1fb17604-86c7-444e-b337-09a644465f2d")
-	hashedToken := `\x9698157153010b858587119503cbeef0cf288f11775e51cdb6bfd65e930d9310` //nolint:goconst
+	hashedToken := `\x9698157153010b858587119503cbeef0cf288f11775e51cdb6bfd65e930d9310`
 	newTokenID := uuid.MustParse("1fb13604-86c7-4444-a337-09a644465f2d")
 
 	cases := []testRequest[api.RefreshTokenRequestObject, api.RefreshTokenResponseObject]{

go/controller/refresh_token_test.go

@@ -2,14 +2,26 @@ package controller
 
 import (
 	"context"
+	"crypto/rand"
+	"fmt"
 	"log/slog"
+	"math/big"
 	"time"
 
 	"github.com/nhost/hasura-auth/go/api"
 	"github.com/nhost/hasura-auth/go/middleware"
 	"github.com/nhost/hasura-auth/go/notifications"
 )
 
+func generateOTP() (string, error) {
+	n, err := rand.Int(rand.Reader, big.NewInt(1000000)) //nolint:mnd
+	if err != nil {
+		return "", fmt.Errorf("error generating OTP: %w", err)
+	}
+
+	return fmt.Sprintf("%06d", n), nil
+}
+
 func (ctrl *Controller) SignInOTPEmail( //nolint:ireturn
 	ctx context.Context,
 	request api.SignInOTPEmailRequestObject,
@@ -28,7 +40,7 @@ func (ctrl *Controller) SignInOTPEmail( //nolint:ireturn
 		return ctrl.respondWithError(apiErr), nil
 	}
 
-	otp, _, err := GenerateOTP()
+	otp, err := generateOTP()
 	if err != nil {
 		logger.ErrorContext(ctx, "error generating OTP", logError(err))
 		return ctrl.sendError(ErrInternalServerError), nil

go/controller/sign_in_otp_email.go

@@ -51,8 +51,8 @@ func TestSignInOTPEmail(t *testing.T) { //nolint:maintidx
 						DefaultRole:       "user",
 						Metadata:          []byte("null"),
 						Roles:             []string{"user", "me"},
-						PhoneNumber:       pgtype.Text{},        //nolint:exhaustruct
-						OtpHash:           pgtype.Text{},        //nolint:exhaustruct
+						PhoneNumber:       pgtype.Text{}, //nolint:exhaustruct
+						Otp:               "",
 						OtpHashExpiresAt:  pgtype.Timestamptz{}, //nolint:exhaustruct
 						OtpMethodLastUsed: pgtype.Text{},        //nolint:exhaustruct
 					},
@@ -222,8 +222,8 @@ func TestSignInOTPEmail(t *testing.T) { //nolint:maintidx
 						DefaultRole:       "user",
 						Metadata:          []byte("null"),
 						Roles:             []string{"user", "me"},
-						PhoneNumber:       pgtype.Text{},        //nolint:exhaustruct
-						OtpHash:           pgtype.Text{},        //nolint:exhaustruct
+						PhoneNumber:       pgtype.Text{}, //nolint:exhaustruct
+						Otp:               "",
 						OtpHashExpiresAt:  pgtype.Timestamptz{}, //nolint:exhaustruct
 						OtpMethodLastUsed: pgtype.Text{},        //nolint:exhaustruct
 					},
@@ -347,8 +347,8 @@ func TestSignInOTPEmail(t *testing.T) { //nolint:maintidx
 						DefaultRole:       "user",
 						Metadata:          []byte(`{"asd":"asd"}`),
 						Roles:             []string{"user"},
-						PhoneNumber:       pgtype.Text{},        //nolint:exhaustruct
-						OtpHash:           pgtype.Text{},        //nolint:exhaustruct
+						PhoneNumber:       pgtype.Text{}, //nolint:exhaustruct
+						Otp:               "",
 						OtpHashExpiresAt:  pgtype.Timestamptz{}, //nolint:exhaustruct
 						OtpMethodLastUsed: pgtype.Text{},        //nolint:exhaustruct
 					},