From 7e399830e5d0cb95f079a68c1a0590a6a311a35b Mon Sep 17 00:00:00 2001
From: dswbx
Date: Fri, 7 Nov 2025 09:12:58 +0100
Subject: [PATCH] add validation for used OTP codes
---
 app/src/plugins/auth/email-otp.plugin.ts | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/app/src/plugins/auth/email-otp.plugin.ts b/app/src/plugins/auth/email-otp.plugin.ts
index 48a913e..8a97b4c 100644
--- a/app/src/plugins/auth/email-otp.plugin.ts
+++ b/app/src/plugins/auth/email-otp.plugin.ts
@@ -293,6 +293,10 @@ async function getValidatedCode(
 if (otpData.expires_at < new Date()) {
 throw new OTPError("Code expired");
 }
+
+ if (otpData.used_at) {
+ throw new OTPError("Code already used");
+ }

 return otpData;
 }
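Review bot: The added `if (otpData.used_at)` check tests a row that was read earlier in getValidatedCode, so it rejects reuse only after the write that sets `used_at` has landed; two concurrent requests carrying the same code can both pass it. The step that marks a code as used is not visible here (the function starts above the hunk), so if it is a separate update issued after this returns, it should be made conditional on `used_at` still being null, with verification failing when no row was updated. The distinct "Code already used" message also tells a caller that the code was once valid; if OTPError messages reach the client, consider one generic message for expired, used and unknown codes and keep the detail in the server log. The patch adds no test, and one that submits the same code twice would pin the new behaviour.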