From 55a124b519d5cb6e9b4cdecc6d00261c62c79802 Mon Sep 17 00:00:00 2001
From: dswbx
Date: Fri, 9 Jan 2026 13:46:01 +0100
Subject: [PATCH] feat(plugin/email-otp): preserve additional payload data during user creation

Replaced `s.object` with `s.strictObject` to enforce schema validation. Updated logic to include unprocessed JSON properties (`...rest`) when creating a user, ensuring additional payload data is preserved.
---
 app/src/plugins/auth/email-otp.plugin.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/app/src/plugins/auth/email-otp.plugin.ts b/app/src/plugins/auth/email-otp.plugin.ts
index db00012..e4d5360 100644
--- a/app/src/plugins/auth/email-otp.plugin.ts
+++ b/app/src/plugins/auth/email-otp.plugin.ts
@@ -153,7 +153,7 @@ export function emailOTP({
 "/login",
 jsc(
 "json",
- s.object({
+ s.strictObject({
 email: s.string({ format: "email" }),
 code: s.string({ minLength: 1 }).optional(),
 }),
@@ -213,7 +213,7 @@ export function emailOTP({
 ),
 jsc("query", s.object({ redirect: s.string().optional() })),
 async (c) => {
- const { email, code } = c.req.valid("json");
+ const { email, code, ...rest } = c.req.valid("json");
 const { redirect } = c.req.valid("query");
 // throw if user exists
@@ -232,6 +232,7 @@ export function emailOTP({
 await em.mutator(entityName).updateOne(otpData.id, { used_at: new Date() });
 const user = await app.createUser({
+ ...rest,
 email,
 password: randomString(32, true),
 });
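Review bot: The `...rest` taken from `c.req.valid("json")` in the hunk at 213 and spread into `app.createUser({ ...rest, email, password })` in the hunk at 232 forwards every client-supplied JSON property the route's schema lets through into user creation, which is a mass-assignment risk (CWE-915). The JSON schema for this route is outside the hunk; only the `/login` schema at 153 is visibly made strict, so presumably this one still accepts unknown keys, and whether `createUser` filters them is not visible here. Placing the spread first does keep `email` and `password` from being overridden, but any other field the users entity accepts (a role column, for example, if one exists) would be settable by an unauthenticated caller. I would forward only an explicit allowlist of fields declared in the schema instead of the whole remainder, and add a comment such as `// rest is client-controlled: forward only fields allowed for self-registration`. The handler body starts and ends outside both hunks.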