From 354e60a99eee13ed65d0c4e757158e4b7d233c1c Mon Sep 17 00:00:00 2001
From: Hamza-Ayed
Date: Sat, 23 May 2026 18:23:34 +0300
Subject: [PATCH] Deploy: 2026-05-23 18:23:34
---
 backend/api/request-otp.php | 4 ++--
 backend/api/verify-otp.php | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/backend/api/request-otp.php b/backend/api/request-otp.php
index 319461d..9146334 100644
--- a/backend/api/request-otp.php
+++ b/backend/api/request-otp.php
@@ -97,8 +97,8 @@ if (!$rateLimit->checkIp($clientIp, 'request-otp', 30, 60)) {
 exit;
 }
-// Generate 3-digit OTP (cryptographically secure)
-$otpCode = str_pad((string) random_int(0, 999), 3, '0', STR_PAD_LEFT);
+// Generate 3-digit OTP (cryptographically secure, always between 100 and 999)
+$otpCode = (string) random_int(100, 999);
 // Determine delivery method
 $method = 'flash_call'; // Default fallback
diff --git a/backend/api/verify-otp.php b/backend/api/verify-otp.php
index e0140f9..af241d1 100644
--- a/backend/api/verify-otp.php
+++ b/backend/api/verify-otp.php
@@ -57,8 +57,8 @@ if (!preg_match('/^\+[1-9]\d{6,14}$/', $phone)) {
 exit;
 }
-// Validate OTP format (4 digits)
-if (!preg_match('/^\d{4}$/', $otp)) {
+// Validate OTP format (3 or 4 digits)
+if (!preg_match('/^\d{3,4}$/', $otp)) {
 http_response_code(400);
 echo json_encode(['success' => false, 'message' => 'invalid_otp_format']);
 RequestLogger::log('verify-otp', 'POST', $input, 400, 'invalid_otp_format');
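Review bot: In request-otp.php, `random_int(100, 999)` leaves only 900 possible codes (the removed padded form had 1000), so the code's strength rests entirely on attempt limiting, not on the generator being cryptographically secure. The only limit visible in this hunk is the per-IP `checkIp($clientIp, 'request-otp', 30, 60)` on the request side; nothing shown here bounds guesses against verify-otp per phone number or per issued code, and that should be confirmed before this ships. If the delivery channel allows it, a longer code such as `$otpCode = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);` is the safer default, with the format check in verify-otp.php updated to match. If the flash-call provider fixes the length, the comment should say so and state the maximum number of verification attempts. The surrounding script continues outside the hunk.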
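Review bot: In verify-otp.php, the relaxed pattern `/^\d{3,4}$/` accepts inputs that request-otp.php no longer issues: four-digit strings and three-digit strings with a leading zero, while new codes are always 100–999. If four-digit input is kept only for codes still in flight or for another issuing path, the comment should say that and when the check can be tightened. Otherwise match exactly what is issued, `if (!preg_match('/^[1-9]\d{2}\z/', $otp)) {`, where `\z` also rejects the trailing newline that `$` lets through. The comparison against the stored code is outside this hunk; it should be a string comparison with `hash_equals()`, not a loose or numeric one, so that an input like `0123` cannot be treated as `123`, and failed attempts should be counted per phone number.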