Fix/otp double submit #3440

Open
Aman01kumar wants to merge 1 commit into dubinc:main from Aman01kumar:fix/otp-double-submit

Aman01kumar commented Feb 8, 2026

This PR fixes a small issue in the OTP verification flow.

What was happening

VerifyEmailForm could call executeAsync twice:

  • once when the form is submitted
  • again when the OTP input completes

This could lead to duplicate verification/account creation attempts.

What changed

Added a simple handleVerify guard to make sure the request only runs once while pending or redirecting.

Result

OTP verification now triggers only a single request, making the signup flow more stable.

Summary by CodeRabbit

  • Bug Fixes
    • Email verification form now includes stricter OTP code validation with a minimum length requirement.
    • Added safeguards to prevent accidental repeated submission attempts during the verification process.
    • Form submission button is now disabled appropriately based on code validation status and pending operations.
    • Improved overall reliability of the email verification workflow.

vercel bot commented Feb 8, 2026

Someone is attempting to deploy a commit to the Dub Team on Vercel.

A member of the Team first needs to authorize it.

CLAassistant commented Feb 8, 2026

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


aman seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

coderabbitai bot commented Feb 8, 2026

Walkthrough

This change adds validation and guard logic to the email verification form to prevent duplicate OTP submissions. A new handleVerify helper function validates the OTP code length and checks application state before submission, and is then wired to both form submission and OTP completion handlers.

Changes

| Cohort / File(s) | Summary |
|---|---|
| OTP Submission Validation: `apps/web/ui/auth/register/verify-email-form.tsx` | Added handleVerify helper function to guard against pending/redirecting states and validate OTP code (minimum 6 characters). Refactored form submission and OTP completion handlers to use this helper. Extended input trimming on change and expanded submit button disabled logic. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A safety check we now embrace,
No double-clicks in this OTP space,
Six digits trimmed with gentle care,
Validation guards beyond compare!
One submission, smooth and true,
The verification form stays new!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly identifies the main change: fixing a double submit issue in OTP verification, which matches the core objective of preventing duplicate executeAsync calls. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |


Aman01kumar (Author) commented

Hi maintainers, this is my first contribution. Let me know if any changes are needed.

coderabbitai bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
apps/web/ui/auth/register/verify-email-form.tsx (1)

34-40: ⚠️ Potential issue | 🔴 Critical

isRedirecting is never reset on sign-in failure — form becomes permanently locked.

If signIn returns ok: false (or throws), isRedirecting stays true, the button remains disabled, and handleVerify bails out. The user is stuck with no way to retry.

Proposed fix
      if (response?.ok) {
        router.push("/onboarding");
      } else {
+       setIsRedirecting(false);
        toast.error(
          "Failed to sign in with credentials. Please try again or contact support.",
        );
      }
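
Review bot: in the else branch, setIsRedirecting(false) reopens the form, but the retry that the toast asks for has to go through handleVerify, which calls executeAsync again with the same OTP. If the first verification already consumed the code or created the account, that retry fails for a different reason than the one shown to the user. Consider retrying only the signIn call from this branch, or confirm that the verify action is safe to repeat.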

Also consider wrapping the signIn call in a try/catch to handle network errors:

+     try {
        const response = await signIn("credentials", {
          email,
          password,
          redirect: false,
        });

        if (response?.ok) {
          router.push("/onboarding");
        } else {
+         setIsRedirecting(false);
          toast.error(
            "Failed to sign in with credentials. Please try again or contact support.",
          );
        }
+     } catch {
+       setIsRedirecting(false);
+       toast.error("Something went wrong. Please try again.");
+     }
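
Review bot: the bare catch on the last lines discards the error, so a network failure in signIn and an exception thrown by router.push surface as the same generic toast with nothing logged. Bind the error (catch (error)) and log it before showing the toast. The setIsRedirecting(false) call repeated in the else and catch branches could also move into one shared failure helper so the two paths cannot drift apart.
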
🤖 Fix all issues with AI agents
In `@apps/web/ui/auth/register/verify-email-form.tsx`:
- Around line 78-79: The comment "Trim code input slightly for safety" is
misleading because setCode(code) doesn't trim; update the handler that calls
setCode (the place where the local variable code is set) to actually trim
whitespace before storing (e.g., call setCode(code.trim())) or remove/edit the
comment to match behavior; ensure you update the comment near setCode(...) in
verify-email-form.tsx to reflect the change and keep the trimming consistent
wherever the input is normalized.
- Around line 54-59: handleVerify currently closes over stale code state and
returns early when called from input-otp.onComplete; change handleVerify to
accept an optional parameter (e.g., completedCode?: string) and use
completedCode ?? code for validation and for the executeAsync call (keep the
isPending/isRedirecting checks). Then update the input-otp onComplete prop to
call handleVerify with the completed value so auto-submit uses the fresh OTP;
apply the same change to the second occurrence (the handler around lines
105-108) to ensure both auto-submit paths use the passed value instead of stale
state.
🧹 Nitpick comments (1)
apps/web/ui/auth/register/verify-email-form.tsx (1)

123-124: Formatting nit: missing space before !code.

Proposed fix
- disabled={ isPending || isRedirecting ||!code || code.length < 6}
+ disabled={isPending || isRedirecting || !code || code.length < 6}
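
Review bot: in the corrected disabled expression, !code is redundant next to code.length < 6 if code is always a string, since an empty string already fails the length test. The literal 6 also has to stay in step with the minimum-length check in handleVerify; a shared constant for the OTP length would keep the button state and the guard from disagreeing.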

Aman01kumar force-pushed the fix/otp-double-submit branch from a1a85dd to 2a7204b (February 8, 2026 20:10)
Aman01kumar force-pushed the fix/otp-double-submit branch from 2a7204b to 44b8d78 (February 8, 2026 20:35)
coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@apps/web/ui/auth/register/verify-email-form.tsx`:
- Around line 54-59: The handleVerify function's body and closing brace are
mis-indented; reformat the block so the body statements (the guard return on
isPending/isRedirecting, computing finalCode, the length check, and the
executeAsync call) are indented one level inside the handleVerify declaration
and the closing brace aligns with the function declaration. Locate the
handleVerify declaration and adjust indentation for its internal statements and
closing brace so they are not flush with the function signature (references:
handleVerify, isPending, isRedirecting, finalCode, code, executeAsync).
🧹 Nitpick comments (1)
apps/web/ui/auth/register/verify-email-form.tsx (1)

95-95: Nit: extra leading space on closing </div>.

Line 95 has one extra space of indentation compared to its opening tag on line 93. Likely a whitespace slip.
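
The guard this review thread converges on, modeled without React as an added example (not code from the PR or from the dub repository): one lock taken synchronously covers both the pending and redirecting phases, the completed OTP is passed in rather than read from stored state, and every failure path releases the lock. createVerifyGuard, VerifyDeps and MIN_OTP_LENGTH are hypothetical names, and the dependency signatures are assumptions.

```typescript
// Added example: framework-free model of the submit guard discussed above.
// All names and signatures here are hypothetical, not the project's API.
const MIN_OTP_LENGTH = 6;

type VerifyDeps = {
  executeAsync: (code: string) => Promise<void>; // server-side OTP verification
  signIn: () => Promise<{ ok: boolean }>;        // credentials sign-in afterwards
  onRedirect: () => void;                        // e.g. navigate to onboarding
  onError: (message: string) => void;            // e.g. show an error toast
};

function createVerifyGuard(deps: VerifyDeps) {
  // One lock for both phases, so form submit and OTP onComplete firing in
  // the same tick cannot each start a verification request.
  let locked = false;
  let code = ""; // value stored from onChange; may lag behind onComplete

  async function handleVerify(completedCode?: string): Promise<boolean> {
    if (locked) return false;
    // Prefer the value handed over by onComplete to possibly stale state.
    const finalCode = (completedCode ?? code).trim();
    if (finalCode.length < MIN_OTP_LENGTH) return false;

    locked = true; // taken before the first await, so a second call bails out
    try {
      await deps.executeAsync(finalCode);
      const response = await deps.signIn();
      if (!response.ok) throw new Error("sign-in rejected");
      deps.onRedirect(); // stay locked: navigation is in progress
      return true;
    } catch {
      locked = false; // rejected sign-in or thrown error: allow a retry
      deps.onError("Something went wrong. Please try again.");
      return false;
    }
  }

  return {
    setCode: (value: string) => { code = value.trim(); },
    handleVerify,
    isLocked: () => locked,
  };
}
```

A retry after a failed sign-in calls executeAsync again in this model, so the server-side verify action has to tolerate a repeated code or the retry needs its own sign-in-only path.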
