From b6717f023775f4d334cb240f690da9ef25433150 Mon Sep 17 00:00:00 2001 From: dswbx Date: Mon, 10 Nov 2025 10:25:33 +0100 Subject: [PATCH] otp: update docs on permissions, only require email driver if sendEmail is not false --- app/src/plugins/auth/email-otp.plugin.spec.ts | 44 +++++++++++++++++++ app/src/plugins/auth/email-otp.plugin.ts | 2 +- .../(documentation)/extending/plugins.mdx | 5 ++- 3 files changed, 48 insertions(+), 3 deletions(-) diff --git a/app/src/plugins/auth/email-otp.plugin.spec.ts b/app/src/plugins/auth/email-otp.plugin.spec.ts index 88779a4..84d1a47 100644 --- a/app/src/plugins/auth/email-otp.plugin.spec.ts +++ b/app/src/plugins/auth/email-otp.plugin.spec.ts @@ -24,6 +24,50 @@ describe("otp plugin", () => { expect(res.status).toBe(404); }); + test("should require email driver if sendEmail is true", async () => { + const app = createApp({ + config: { + auth: { + enabled: true, + }, + }, + options: { + plugins: [emailOTP()], + }, + }); + await app.build(); + const res = await app.server.request("/api/auth/otp/login", { + method: "POST", + headers: { + "Content-Type": "application/json", + }, + body: JSON.stringify({ email: "test@test.com" }), + }); + expect(res.status).toBe(404); + + { + const app = createApp({ + config: { + auth: { + enabled: true, + }, + }, + options: { + plugins: [emailOTP({ sendEmail: false })], + }, + }); + await app.build(); + const res = await app.server.request("/api/auth/otp/register", { + method: "POST", + headers: { + "Content-Type": "application/json", + }, + body: JSON.stringify({ email: "test@test.com" }), + }); + expect(res.status).toBe(201); + } + }); + test("should prevent mutations of the OTP entity", async () => { const app = createApp({ config: { diff --git a/app/src/plugins/auth/email-otp.plugin.ts b/app/src/plugins/auth/email-otp.plugin.ts index 6d7b93b..c75a1d7 100644 --- a/app/src/plugins/auth/email-otp.plugin.ts +++ b/app/src/plugins/auth/email-otp.plugin.ts 
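Review bot: In app/src/plugins/auth/email-otp.plugin.spec.ts the new test bundles two behaviours under a name that describes only the first, and its second half re-declares `app` and `res` inside a bare block. Splitting it, for example by adding `test("should not require email driver if sendEmail is false", async () => {` for the register case, lets each failure point at one rule. The first half asserts only `expect(res.status).toBe(404)`, which would also pass if the route were missing for an unrelated reason, so on its own it does not show that the missing email driver is the cause. The hunk does not show what the register response contains when `sendEmail: false`; if the code is not meant to be returned to the caller, an assertion on the response body would pin that down.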
@@ -126,7 +126,7 @@ export function emailOTP({ onBuilt: async () => { const auth = app.module.auth; invariant(auth && auth.enabled === true, "Auth is not enabled"); - invariant(app.drivers?.email, "Email driver is not registered"); + invariant(!sendEmail || app.drivers?.email, "Email driver is not registered"); const generateCode = _generateCode ?? (() => Math.floor(100000 + Math.random() * 900000).toString()); diff --git a/docs/content/docs/(documentation)/extending/plugins.mdx b/docs/content/docs/(documentation)/extending/plugins.mdx index c278541..df20327 100644 --- a/docs/content/docs/(documentation)/extending/plugins.mdx +++ b/docs/content/docs/(documentation)/extending/plugins.mdx @@ -263,10 +263,11 @@ export default { ### `emailOTP` - - This plugin requires the `email` driver to be registered. + + Make sure to setup proper permissions to restrict reading from the OTP entity. Also, this plugin requires the `email` driver to be registered. + A plugin that adds email OTP functionality to your app. It will add two endpoints to your app: - `POST /api/auth/otp/login` to login a user with an OTP code - `POST /api/auth/otp/register` to register a user with an OTP code
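Review bot: In app/src/plugins/auth/email-otp.plugin.ts the default `generateCode`, kept as context right below the changed invariant, draws the login code from `Math.random()`, which is not a cryptographically secure source and should not back a one-time code used as a credential. A CSPRNG-backed default such as `(() => (100000 + (crypto.getRandomValues(new Uint32Array(1))[0] % 900000)).toString())` keeps the six-digit format; the modulo bias is tiny here, and `randomInt(100000, 1000000)` from `node:crypto` avoids it where that module is available. The commit does not touch this line, and the body of `emailOTP` continues outside the hunk, so the runtimes it must support are not visible from here. With `sendEmail: false` the code is presumably never mailed and lives only in the OTP entity, which makes both its unpredictability and the read permissions mentioned in the docs change more important.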