supabase · hf · May 14, 2025 · cstockton · May 14, 2025 · hf
@@ -303,7 +303,7 @@ func (a *API) sendConfirmation(r *http.Request, tx *storage.Connection, u *model
 	maxFrequency := config.SMTP.MaxFrequency
 	otpLength := config.Mailer.OtpLength
 
-	if err = validateSentWithinFrequencyLimit(u.ConfirmationSentAt, maxFrequency); err != nil {
+	if err = validateSentWithinFrequencyLimitEmail(u.ConfirmationSentAt, maxFrequency); err != nil {
 		return err
 	}
 	oldToken := u.ConfirmationToken
@@ -370,7 +370,7 @@ func (a *API) sendPasswordRecovery(r *http.Request, tx *storage.Connection, u *m
 	config := a.config
 	otpLength := config.Mailer.OtpLength
 
-	if err := validateSentWithinFrequencyLimit(u.RecoverySentAt, config.SMTP.MaxFrequency); err != nil {
+	if err := validateSentWithinFrequencyLimitEmail(u.RecoverySentAt, config.SMTP.MaxFrequency); err != nil {
 		return err
 	}
 
@@ -407,7 +407,7 @@ func (a *API) sendReauthenticationOtp(r *http.Request, tx *storage.Connection, u
 	maxFrequency := config.SMTP.MaxFrequency
 	otpLength := config.Mailer.OtpLength
 
-	if err := validateSentWithinFrequencyLimit(u.ReauthenticationSentAt, maxFrequency); err != nil {
+	if err := validateSentWithinFrequencyLimitEmail(u.ReauthenticationSentAt, maxFrequency); err != nil {
 		return err
 	}
 
@@ -445,7 +445,7 @@ func (a *API) sendMagicLink(r *http.Request, tx *storage.Connection, u *models.U
 
 	// since Magic Link is just a recovery with a different template and behaviour
 	// around new users we will reuse the recovery db timer to prevent potential abuse
-	if err := validateSentWithinFrequencyLimit(u.RecoverySentAt, config.SMTP.MaxFrequency); err != nil {
+	if err := validateSentWithinFrequencyLimitEmail(u.RecoverySentAt, config.SMTP.MaxFrequency); err != nil {
 		return err
 	}
 
@@ -482,7 +482,7 @@ func (a *API) sendEmailChange(r *http.Request, tx *storage.Connection, u *models
 	config := a.config
 	otpLength := config.Mailer.OtpLength
 
-	if err := validateSentWithinFrequencyLimit(u.EmailChangeSentAt, config.SMTP.MaxFrequency); err != nil {
+	if err := validateSentWithinFrequencyLimitEmail(u.EmailChangeSentAt, config.SMTP.MaxFrequency); err != nil {
 		return err
 	}
 
@@ -553,13 +553,20 @@ func (a *API) validateEmail(email string) (string, error) {
 	return strings.ToLower(email), nil
 }
 
-func validateSentWithinFrequencyLimit(sentAt *time.Time, frequency time.Duration) error {
+func validateSentWithinFrequencyLimitEmail(sentAt *time.Time, frequency time.Duration) error {
 	if sentAt != nil && sentAt.Add(frequency).After(time.Now()) {
 		return apierrors.NewTooManyRequestsError(apierrors.ErrorCodeOverEmailSendRateLimit, generateFrequencyLimitErrorMessage(sentAt, frequency))
 	}
 	return nil
 }
 
+func validateSentWithinFrequencyLimitSMS(sentAt *time.Time, frequency time.Duration) error {
+	if sentAt != nil && sentAt.Add(frequency).After(time.Now()) {
+		return apierrors.NewTooManyRequestsError(apierrors.ErrorCodeOverSMSSendRateLimit, generateFrequencyLimitErrorMessage(sentAt, frequency))
+	}
+	return nil
+}
+
 var emailLabelPattern = regexp.MustCompile("[+][^@]+@")
 
 func (a *API) checkEmailAddressAuthorization(email string) bool {

@@ -70,8 +70,8 @@ func (a *API) sendPhoneConfirmation(r *http.Request, tx *storage.Connection, use
 
 	// intentionally keeping this before the test OTP, so that the behavior
 	// of regular and test OTPs is similar
-	if sentAt != nil && !sentAt.Add(config.Sms.MaxFrequency).Before(time.Now()) {
-		return "", apierrors.NewTooManyRequestsError(apierrors.ErrorCodeOverSMSSendRateLimit, generateFrequencyLimitErrorMessage(sentAt, config.Sms.MaxFrequency))
+	if err := validateSentWithinFrequencyLimitSMS(sentAt, config.Sms.MaxFrequency); err != nil {
+		return "", err
 	}
 
 	now := time.Now()

@@ -181,6 +181,9 @@ func (a *API) UserUpdate(w http.ResponseWriter, r *http.Request) error {
 		}
 	}
 
+	var sendEmailChange, sendPhoneConfirmation bool
+	flowType := getFlowFromChallenge(params.CodeChallenge)
+
 	err := db.Transaction(func(tx *storage.Connection) error {
 		var terr error
 		if params.Password != nil {
@@ -223,17 +226,18 @@ func (a *API) UserUpdate(w http.ResponseWriter, r *http.Request) error {
 				}
 
 			} else {
-				flowType := getFlowFromChallenge(params.CodeChallenge)
 				if isPKCEFlow(flowType) {
 					_, terr := generateFlowState(tx, models.EmailChange.String(), models.EmailChange, params.CodeChallengeMethod, params.CodeChallenge, &user.ID)
 					if terr != nil {
 						return terr
 					}
-
 				}
-				if terr = a.sendEmailChange(r, tx, user, params.Email, flowType); terr != nil {
-					return terr
+
+				if err := validateSentWithinFrequencyLimitEmail(user.EmailChangeSentAt, config.SMTP.MaxFrequency); err != nil {
+					return err
 				}
+
+				sendEmailChange = true
 			}
 		}
 
@@ -247,9 +251,11 @@ func (a *API) UserUpdate(w http.ResponseWriter, r *http.Request) error {
 					return terr
 				}
 			} else {
-				if _, terr := a.sendPhoneConfirmation(r, tx, user, params.Phone, phoneChangeVerification, params.Channel); terr != nil {
-					return terr
+				if err := validateSentWithinFrequencyLimitSMS(user.ReauthenticationSentAt, config.SMTP.MaxFrequency); err != nil {
+					return err
 				}
+
+				sendPhoneConfirmation = true
 			}
 		}
 
@@ -263,5 +269,19 @@ func (a *API) UserUpdate(w http.ResponseWriter, r *http.Request) error {
 		return err
 	}
 
+	if sendEmailChange {
+		// email sending should not hold a database transaction open as latency incurred by SMTP or HTTP hooks can exhaust the database pool
+		if err := a.sendEmailChange(r, db, user, params.Email, flowType); err != nil {
+			return err
+		}
+	}
+
+	if sendPhoneConfirmation {
+		// SMS sending should not hold a database transaction open as latency incurred by SMTP or HTTP hooks can exhaust the database pool
+		if _, err := a.sendPhoneConfirmation(r, db, user, params.Phone, phoneChangeVerification, params.Channel); err != nil {
+			return err
+		}
+	}
+
 	return sendJSON(w, http.StatusOK, user)
 }