feat(eliza-app): implement phone-first auth with auto-provision

[0xbbjoker]

Summary

Simplifies eliza-app authentication by removing OTP flow in favor of auto-provision:

• iMessage: Auto-provision users on first message (supports both phone and Apple ID email)
• Telegram: Require OAuth + phone number input to prevent bot abuse
• Cross-platform: Same phone number links accounts across Telegram and iMessage

Changes

Backend

• blooio/route.ts: Auto-provision users by phone OR email (removed rejection of Apple IDs)
• telegram/route.ts: Keep OAuth enforcement, phone number required
• user-service.ts: Added findOrCreateByEmail, findOrCreateByTelegramWithPhone, cross-platform linking

Removed

• OTP service and endpoints (send-otp, verify-otp routes)
• Related tests (otp-service.test.ts, phone-auth-routes.test.ts)

Added

• SPEC-eliza-app-auth-flow.md: Comprehensive specification document
• cleanup-eliza-app-user.ts: Development script for testing
• oauth-enforcement.test.ts: New tests for auth logic (37 passing)

Test plan

• Run bun test tests/unit/eliza-app/oauth-enforcement.test.ts - 37 tests pass
• Test iMessage from phone number → auto-provision works
• Test iMessage from Apple ID email → auto-provision works
• Test Telegram DM without signup → shows OAuth redirect
• Test Telegram OAuth + phone → creates account
• Test cross-platform: iMessage first → Telegram OAuth links accounts

🤖 Generated with Claude Code

---

Note

Medium Risk
Medium risk because it changes core authentication/user-linking flows and identity mapping (phone/email/Telegram) used to create sessions and route messages; mistakes could cause account conflicts or mis-association across platforms.

Overview
Eliza App auth is reworked to remove phone OTP login and standardize on Telegram OAuth + phone linking. The /auth/telegram endpoint now requires a phone_number (validated/normalized to E.164) and calls findOrCreateByTelegramWithPhone, returning conflict errors (409) when the phone is already linked or mismatched.

iMessage (Blooio) webhook now auto-provisions by sender identifier (phone or Apple ID email) with new email validation/normalization helpers, and it switches conversation entityId to user.id for unified cross-platform memory. The Telegram webhook stops auto-provisioning and instead enforces prior OAuth registration, responding with a signup link when the user isn’t registered.

OTP API routes/service and their unit tests are deleted, a new unit test suite covers OAuth enforcement/identifier handling, and a cleanup-eliza-app-user.ts script is added to remove test users/orgs and clear session keys.

^{Written by Cursor Bugbot for commit efa35f4. This will update automatically on new commits. Configure here.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
eliza-cloud-v2	Ready	Preview, Comment	Feb 2, 2026 7:32pm

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

---

Note

🎁 Summarized by CodeRabbit Free

Your organization is on the Free plan. CodeRabbit will generate a high-level summary and a walkthrough for each pull request. For a comprehensive line-by-line review, please upgrade your subscription to CodeRabbit Pro by visiting https://app.coderabbit.ai/login.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[0xbbjoker]

Claude says: Fixed both Cursor Bugbot issues in commit 3c86417:

Issue 1 - Missing conflict check (Medium Severity):
Added phone uniqueness check in Scenario 1 before updating phone on existing Telegram user. Now checks if phone is already owned by another user and throws PHONE_ALREADY_LINKED error, which the auth route catches and returns as a proper 409 response instead of 500.

Issue 2 - Missing race condition handling (Low Severity):
Wrapped createUserWithOrganization in Scenario 3 with try-catch and isUniqueConstraintError recovery, matching the pattern used in findOrCreateByPhone and findOrCreateByEmail.

~ Claude Opus 4.5

[0xbbjoker]

Claude says: Fixed both new Bugbot issues in commit bf55f98:

Issue: Race condition in Scenario 2 (cross-platform linking)
Added re-check of telegram_id before linking Telegram to phone user. If another request linked a different Telegram account in the meantime, returns PHONE_ALREADY_LINKED error.

Issue: Scenario 1 returns mismatched phone
Added check: if existing Telegram user already has a different phone linked, returns new PHONE_MISMATCH error instead of silently returning mismatched data.

~ Claude Opus 4.5

[0xbbjoker]

Claude says: Fixed in commit d9fb254.

Wrapped usersRepository.update calls in Scenarios 1 and 2 with try-catch for unique constraint violations. Now all three scenarios handle race conditions consistently - database errors are caught and converted to proper PHONE_ALREADY_LINKED responses instead of 500 errors.

Also removed the spec doc from the PR as requested.

~ Claude Opus 4.5

[0xbbjoker]

Thanks for the thorough review!

Re: Critical Issues

1. TOCTOU Race Condition (pre-flight checks) - Good catch. Will remove the redundant pre-flight checks in the route handler since the service layer already handles this properly with database constraints and try-catch blocks.

2. Auto-Provision by Unverified Email - Acknowledged. The email_verified: false flag is intentional for this reason. Email verification flow can be added in a follow-up PR if needed.

Re: Medium Priority Issues

3. Weak Email Validation - Will update linkEmailToUser to use isValidEmail() utility for consistency.

4. Per-User Rate Limiting - This is actually handled at the application layer: each user starts with $1 in credits, and once depleted, they cannot perform actions that consume credits. This serves as a natural per-user rate limit. Additionally, the ASSISTANT mode actions have credit costs, so spam is self-limiting. Global rate limits remain as secondary protection against abuse before account creation.

5. Error Handling - Will add a catch-all error handler to prevent 500s from unhandled error types.

Will implement fixes 1, 3, and 5 after the next review iteration.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}