feat(plugin/email-otp): preserve additional payload data during user creation

Replaced `s.object` with `s.strictObject` to enforce schema validation. Updated logic to include unprocessed JSON properties (`...rest`) when creating a user, ensuring additional payload data is preserved.
2026-03-15 20:17:22 +00:00 · 2026-01-09 13:46:01 +01:00
parent 19f1941544
commit 55a124b519
1 changed files with 3 additions and 2 deletions
--- a/app/src/plugins/auth/email-otp.plugin.ts
+++ b/app/src/plugins/auth/email-otp.plugin.ts
@@ -153,7 +153,7 @@ export function emailOTP({
                  "/login",
                  jsc(
                     "json",
-                     s.object({
+                     s.strictObject({
                        email: s.string({ format: "email" }),
                        code: s.string({ minLength: 1 }).optional(),
                     }),
@@ -213,7 +213,7 @@ export function emailOTP({
                  ),
                  jsc("query", s.object({ redirect: s.string().optional() })),
                  async (c) => {
-                     const { email, code } = c.req.valid("json");
+                     const { email, code, ...rest } = c.req.valid("json");
                     const { redirect } = c.req.valid("query");

                     // throw if user exists
@@ -232,6 +232,7 @@ export function emailOTP({
                        await em.mutator(entityName).updateOne(otpData.id, { used_at: new Date() });

                        const user = await app.createUser({
+                           ...rest,
                           email,
                           password: randomString(32, true),
                        });