fix: treat Lua nil return as locked when OTP key is missing

waleedlatif1 · claude · waleedlatif1 · commit 13132655c914 · 2026-03-26T16:00:54.000-07:00
When the Redis key is deleted/expired between getOTP and
incrementOTPAttempts, the Lua script returns nil. Handle this
as 'locked' instead of silently treating it as 'incremented'.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/apps/sim/app/api/chat/[identifier]/otp/route.ts b/apps/sim/app/api/chat/[identifier]/otp/route.ts
@@ -143,7 +143,8 @@ async function incrementOTPAttempts(
     }
     const key = `otp:${email}:${chatId}`
     const result = await redis.eval(ATOMIC_INCREMENT_SCRIPT, 1, key, MAX_OTP_ATTEMPTS)
-    return result === 'LOCKED' ? 'locked' : 'incremented'
+    if (result === null || result === 'LOCKED') return 'locked'
+    return 'incremented'
   }
 
   // DB path: optimistic locking with retry on conflict

Original file line number	Diff line number	Diff line change
`@@ -143,7 +143,8 @@ async function incrementOTPAttempts(`
`143`	`143`	`}`
`144`	`144`	const key = `otp:${email}:${chatId}`
`145`	`145`	`const result = await redis.eval(ATOMIC_INCREMENT_SCRIPT, 1, key, MAX_OTP_ATTEMPTS)`
`146`		`- return result === 'LOCKED' ? 'locked' : 'incremented'`
	`146`	`+ if (result === null \|\| result === 'LOCKED') return 'locked'`
	`147`	`+ return 'incremented'`
`147`	`148`	`}`
`148`	`149`
`149`	`150`	`// DB path: optimistic locking with retry on conflict`