fix(otp): don't leak caught error.message; fail-closed on DB retry exhaust

waleedlatif1 · claude · waleedlatif1 · commit d4173b252e6c · 2026-05-16T22:10:42.000-07:00
- Chat/form OTP routes: replace `error.message || fallback` with generic
  `Failed to process request` in 500 responses (logger still captures detail).
- otp.ts incrementOTPAttempts DB path: on MAX_RETRIES exhaustion, delete the
  verification row and return `'locked'` instead of trusting a possibly-
  undercounted final read.

Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
diff --git a/apps/sim/app/api/chat/[identifier]/otp/route.ts b/apps/sim/app/api/chat/[identifier]/otp/route.ts
@@ -143,12 +143,9 @@ export const POST = withRouteHandler(
 
       logger.info(`[${requestId}] OTP sent to ${email} for chat ${deployment.id}`)
       return addCorsHeaders(createSuccessResponse({ message: 'Verification code sent' }), request)
-    } catch (error: any) {
+    } catch (error) {
       logger.error(`[${requestId}] Error processing OTP request:`, error)
-      return addCorsHeaders(
-        createErrorResponse(error.message || 'Failed to process request', 500),
-        request
-      )
+      return addCorsHeaders(createErrorResponse('Failed to process request', 500), request)
     }
   }
 )
@@ -239,12 +236,9 @@ export const PUT = withRouteHandler(
       setChatAuthCookie(response, deployment.id, deployment.authType, deployment.password)
 
       return response
-    } catch (error: any) {
+    } catch (error) {
       logger.error(`[${requestId}] Error verifying OTP:`, error)
-      return addCorsHeaders(
-        createErrorResponse(error.message || 'Failed to process request', 500),
-        request
-      )
+      return addCorsHeaders(createErrorResponse('Failed to process request', 500), request)
     }
   }
 )
diff --git a/apps/sim/app/api/form/[identifier]/otp/route.ts b/apps/sim/app/api/form/[identifier]/otp/route.ts
@@ -149,12 +149,9 @@ export const POST = withRouteHandler(
 
       logger.info(`[${requestId}] OTP sent to ${email} for form ${deployment.id}`)
       return addCorsHeaders(createSuccessResponse({ message: 'Verification code sent' }), request)
-    } catch (error: any) {
+    } catch (error) {
       logger.error(`[${requestId}] Error processing OTP request:`, error)
-      return addCorsHeaders(
-        createErrorResponse(error.message || 'Failed to process request', 500),
-        request
-      )
+      return addCorsHeaders(createErrorResponse('Failed to process request', 500), request)
     }
   }
 )
@@ -256,12 +253,9 @@ export const PUT = withRouteHandler(
       setFormAuthCookie(response, deployment.id, deployment.authType, deployment.password)
 
       return response
-    } catch (error: any) {
+    } catch (error) {
       logger.error(`[${requestId}] Error verifying OTP:`, error)
-      return addCorsHeaders(
-        createErrorResponse(error.message || 'Failed to process request', 500),
-        request
-      )
+      return addCorsHeaders(createErrorResponse('Failed to process request', 500), request)
     }
   }
 )
diff --git a/apps/sim/lib/core/security/otp.ts b/apps/sim/lib/core/security/otp.ts
@@ -220,10 +220,14 @@ export async function incrementOTPAttempts(
     value = fresh
   }
 
-  const final = await getOTP(kind, deploymentId, email)
-  if (!final) return 'locked'
-  const { attempts: finalAttempts } = decodeOTPValue(final)
-  return finalAttempts >= MAX_OTP_ATTEMPTS ? 'locked' : 'incremented'
+  /**
+   * Retry exhaustion under heavy DB-path contention: this request did not
+   * succeed in writing its own +1, so the stored count may not reflect it.
+   * Fail closed — invalidate the OTP rather than return `'incremented'` with
+   * a possibly-undercounted attempt total.
+   */
+  await db.delete(verification).where(eq(verification.identifier, identifier))
+  return 'locked'
 }
 
 export async function deleteOTP(

Original file line number	Diff line number	Diff line change
`@@ -143,12 +143,9 @@ export const POST = withRouteHandler(`
`143`	`143`
`144`	`144`	logger.info(`[${requestId}] OTP sent to ${email} for chat ${deployment.id}`)
`145`	`145`	`return addCorsHeaders(createSuccessResponse({ message: 'Verification code sent' }), request)`
`146`		`- } catch (error: any) {`
	`146`	`+ } catch (error) {`
`147`	`147`	logger.error(`[${requestId}] Error processing OTP request:`, error)
`148`		`- return addCorsHeaders(`
`149`		`- createErrorResponse(error.message \|\| 'Failed to process request', 500),`
`150`		`- request`
`151`		`- )`
	`148`	`+ return addCorsHeaders(createErrorResponse('Failed to process request', 500), request)`
`152`	`149`	`}`
`153`	`150`	`}`
`154`	`151`	`)`
`@@ -239,12 +236,9 @@ export const PUT = withRouteHandler(`
`239`	`236`	`setChatAuthCookie(response, deployment.id, deployment.authType, deployment.password)`
`240`	`237`
`241`	`238`	`return response`
`242`		`- } catch (error: any) {`
	`239`	`+ } catch (error) {`
`243`	`240`	logger.error(`[${requestId}] Error verifying OTP:`, error)
`244`		`- return addCorsHeaders(`
`245`		`- createErrorResponse(error.message \|\| 'Failed to process request', 500),`
`246`		`- request`
`247`		`- )`
	`241`	`+ return addCorsHeaders(createErrorResponse('Failed to process request', 500), request)`
`248`	`242`	`}`
`249`	`243`	`}`
`250`	`244`	`)`
Original file line number	Diff line number	Diff line change
`@@ -149,12 +149,9 @@ export const POST = withRouteHandler(`
`149`	`149`
`150`	`150`	logger.info(`[${requestId}] OTP sent to ${email} for form ${deployment.id}`)
`151`	`151`	`return addCorsHeaders(createSuccessResponse({ message: 'Verification code sent' }), request)`
`152`		`- } catch (error: any) {`
	`152`	`+ } catch (error) {`
`153`	`153`	logger.error(`[${requestId}] Error processing OTP request:`, error)
`154`		`- return addCorsHeaders(`
`155`		`- createErrorResponse(error.message \|\| 'Failed to process request', 500),`
`156`		`- request`
`157`		`- )`
	`154`	`+ return addCorsHeaders(createErrorResponse('Failed to process request', 500), request)`
`158`	`155`	`}`
`159`	`156`	`}`
`160`	`157`	`)`
`@@ -256,12 +253,9 @@ export const PUT = withRouteHandler(`
`256`	`253`	`setFormAuthCookie(response, deployment.id, deployment.authType, deployment.password)`
`257`	`254`
`258`	`255`	`return response`
`259`		`- } catch (error: any) {`
	`256`	`+ } catch (error) {`
`260`	`257`	logger.error(`[${requestId}] Error verifying OTP:`, error)
`261`		`- return addCorsHeaders(`
`262`		`- createErrorResponse(error.message \|\| 'Failed to process request', 500),`
`263`		`- request`
`264`		`- )`
	`258`	`+ return addCorsHeaders(createErrorResponse('Failed to process request', 500), request)`
`265`	`259`	`}`
`266`	`260`	`}`
`267`	`261`	`)`