refactor: make email be the primary verification method and allow it to be the only verfication method

.env.example

@@ -91,4 +91,4 @@ MESSAGING_TWILIO_AUTH_TOKEN=
 # Required when NODE_ENV=production.
 # SEAMLESS_JWKS_ACTIVE_KID=main_2026_04
 # SEAMLESS_JWKS_KEY_main_2026_04_PRIVATE="-----BEGIN PRIVATE KEY-----..."
-# SEAMLESS_JWKS_PUBLIC_KEYS={"keys":[{"kid":"main_2026_04","pem":"-----BEGIN PUBLIC KEY-----...","createdAt":"2026-04-22T00:00:00.000Z"}]}
+# JWKS_PUBLIC_KEYS={"keys":[{"kid":"main_2026_04","pem":"-----BEGIN PUBLIC KEY-----...","createdAt":"2026-04-22T00:00:00.000Z"}]}

docs/production-operations.md

@@ -24,7 +24,7 @@ Production deployments should define:
 - `OAUTH_STATE_SECRET`
 - `SEAMLESS_JWKS_ACTIVE_KID`
 - `SEAMLESS_JWKS_KEY_<kid>_PRIVATE`
-- `SEAMLESS_JWKS_PUBLIC_KEYS`
+- `JWKS_PUBLIC_KEYS`
 - OAuth client-secret environment variables referenced by provider `clientSecretEnv`
 - Messaging provider credentials when direct delivery is enabled
 
@@ -35,7 +35,7 @@ Do not store raw secrets in `system_config`.
 Access tokens are signed with configured JWKS signing keys. A typical rotation is:
 
 1. Generate a new key pair.
-2. Publish the new public key in `SEAMLESS_JWKS_PUBLIC_KEYS`.
+2. Publish the new public key in `JWKS_PUBLIC_KEYS`.
 3. Deploy with both old and new public keys available.
 4. Switch `SEAMLESS_JWKS_ACTIVE_KID` to the new key id.
 5. Keep retired public keys until all tokens signed with them expire.

src/controllers/admin.ts

@@ -94,7 +94,7 @@ export const createUser = async (req: Request, res: Response) => {
 
     const user = await User.create({
       email,
-      phone: phone,
+      phone: phone ?? null,
       roles: roles ?? [],
     });
 

src/controllers/jwks.ts

@@ -29,7 +29,7 @@ export function __resetJwksCache() {
 async function loadJwksFromSecrets(): Promise<JWK[]> {
   logger.info('Loading JWKS from Secrets Manager');
 
-  const raw = await getSecret('SEAMLESS_JWKS_PUBLIC_KEYS');
+  const raw = await getSecret('JWKS_PUBLIC_KEYS');
   const parsed = JSON.parse(raw);
 
   const jwks: JWK[] = [];

src/controllers/otp.ts

@@ -56,7 +56,6 @@ export const sendPhoneOTP = async (req: Request, res: Response) => {
   const authReq = req as AuthenticatedRequest;
   const user = authReq.user;
   const phone = user.phone;
-  const normalizedPhone = normalizePhoneNumber(phone);
   const useExternalDelivery = await canReturnExternalDelivery(req);
 
   if (!phone) {
@@ -73,6 +72,8 @@ export const sendPhoneOTP = async (req: Request, res: Response) => {
   logger.info('Sending phone OTP');
 
   try {
+    const normalizedPhone = normalizePhoneNumber(phone);
+
     if (!isValidPhoneNumber(phone) || !normalizedPhone) {
       logger.warn('Invalid phone provided');
       AuthEventService.log({
@@ -231,7 +232,6 @@ export const verifyPhoneNumber = async (req: Request, res: Response) => {
 
   const authReq = req as AuthenticatedRequest;
   let user = authReq.user;
-  const email = user.email;
   const phone = user.phone;
 
   logger.info('Verifying phone number');
@@ -248,7 +248,7 @@ export const verifyPhoneNumber = async (req: Request, res: Response) => {
   }
 
   try {
-    if (!verificationToken || !phone || !email) {
+    if (!verificationToken || !phone) {
       logger.warn(`Missing data from verify phone numnber request.`);
       await AuthEventService.log({
         userId: user.id,
@@ -300,7 +300,6 @@ export const verifyEmail = async (req: Request, res: Response) => {
   const authReq = req as AuthenticatedRequest;
   let user = authReq.user;
   const email = user.email;
-  const phone = user.phone;
 
   logger.info('Verifying email');
 
@@ -326,8 +325,8 @@ export const verifyEmail = async (req: Request, res: Response) => {
     return res.status(401).json({ error: 'Invalid data' });
   }
 
-  if (!email || !phone) {
-    logger.warn(`Missing email or phone`);
+  if (!email) {
+    logger.warn(`Missing email`);
     await AuthEventService.log({
       userId: user.id,
       type: 'verify_otp_suspicious',
@@ -348,17 +347,17 @@ export const verifyEmail = async (req: Request, res: Response) => {
       userId: user.id,
       type: 'verify_otp_success',
       req,
-      metadata: { reason: 'User verified their email number' },
+      metadata: { reason: 'User verified their email' },
     });
 
-    if (user.phoneVerified && user.emailVerified && user.verified) {
+    if (user.emailVerified && user.verified) {
       logger.info('User is fully verified. Logging in...');
 
       await AuthEventService.log({
         userId: user.id,
         type: 'verify_otp_success',
         req,
-        metadata: { reason: 'User completed verification of phone and email' },
+        metadata: { reason: 'User completed email verification' },
       });
 
       await issueSessionAndRespond({
@@ -488,7 +487,6 @@ export const verifyLoginEmail = async (req: Request, res: Response) => {
   const authReq = req as AuthenticatedRequest;
   let user = authReq.user;
   const email = user.email;
-  const phone = user.phone;
 
   if (await rejectDisabledLoginMethod('email_otp', req, res)) {
     return;
@@ -522,8 +520,8 @@ export const verifyLoginEmail = async (req: Request, res: Response) => {
     return res.status(401).json({ error: 'Not allowed' });
   }
 
-  if (!email || !phone) {
-    logger.warn(`Missing email or phone`);
+  if (!email) {
+    logger.warn(`Missing email`);
     await AuthEventService.log({
       userId: user.id,
       type: 'verify_otp_suspicious',
@@ -546,14 +544,14 @@ export const verifyLoginEmail = async (req: Request, res: Response) => {
       req,
     });
 
-    if (user.phoneVerified && user.emailVerified && user.verified) {
+    if (user.emailVerified && user.verified) {
       logger.info('User is fully verified. Logging in...');
 
       await AuthEventService.log({
         userId: user.id,
         type: 'verify_otp_success',
         req,
-        metadata: { reason: 'User completed verification of phone and email' },
+        metadata: { reason: 'User completed email verification' },
       });
 
       await issueSessionAndRespond({