feat: add email-otp plugin

.gitignore

@@ -10,4 +10,22 @@ tmp/
 limen-publish
 go.work
 go.work.sum
-examples/kitchen/
+examples/kitchen/
+
+# Generated per-developer migration SQL produced by `limen generate migrations`.
+# Each developer regenerates these against their own database; they should not be checked in.
+examples/*/migrations/
+
+# Locally-built CLI binaries from `cd cmd/limen && go build`.
+cmd/limen/limen
+cmd/limen/limen.exe
+
+# Local test artifacts (curl cookie jars, etc.).
+cookies.txt
+
+# Claude Code local configuration.
+.claude/
+
+# Go build artifacts left in example dirs (e.g. `go build` without `-o`).
+examples/*/*.exe
+examples/*/*/*.exe

constants.go

@@ -37,6 +37,7 @@ const (
 	PluginOAuth              PluginName = "oauth"
 	PluginSessionJWT         PluginName = "session-jwt"
 	PluginMagicLink          PluginName = "magic-link"
+	PluginEmailOTP           PluginName = "email-otp"
 )
 
 // ============================================================================

examples/README.md

@@ -17,6 +17,7 @@ DATABASE_URL="postgres://..." go run ./examples/basic
 DATABASE_URL="postgres://..." go run ./examples/gin
 DATABASE_URL="postgres://..." GOOGLE_CLIENT_ID=... GOOGLE_CLIENT_SECRET=... go run ./examples/oauth-google
 DATABASE_URL="postgres://..." go run ./examples/two-factor
+DATABASE_URL="postgres://..." go run ./examples/email-otp
 DATABASE_URL="postgres://..." go run ./examples/adapters/gorm
 DATABASE_URL="postgres://..." go run ./examples/adapters/sql
 ```
@@ -29,6 +30,7 @@ DATABASE_URL="postgres://..." go run ./examples/adapters/sql
 | `gin` | GORM | credential-password | -- |
 | `oauth-google` | GORM | OAuth (Google) | `GOOGLE_CLIENT_ID`, `GOOGLE_CLIENT_SECRET` |
 | `two-factor` | GORM | credential-password, two-factor | -- |
+| `email-otp` | `database/sql` | email-otp | -- |
 | `adapters/gorm` | GORM | credential-password | -- |
 | `adapters/sql` | `database/sql` | credential-password | -- |
 

examples/email-otp/go.mod

@@ -0,0 +1,22 @@
+module example/email-otp
+
+go 1.25.0
+
+require (
+	github.com/lib/pq v1.10.9
+	github.com/thecodearcher/limen v0.1.1
+	github.com/thecodearcher/limen/adapters/sql v0.0.1
+	github.com/thecodearcher/limen/plugins/email-otp v0.0.0
+)
+
+require (
+	github.com/jmoiron/sqlx v1.4.0 // indirect
+	golang.org/x/crypto v0.48.0 // indirect
+	golang.org/x/sys v0.41.0 // indirect
+)
+
+replace (
+	github.com/thecodearcher/limen => ../..
+	github.com/thecodearcher/limen/adapters/sql => ../../adapters/sql
+	github.com/thecodearcher/limen/plugins/email-otp => ../../plugins/email-otp
+)

examples/email-otp/go.sum

@@ -0,0 +1,42 @@
+filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
+filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
+github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y=
+github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o=
+github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY=
+github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
+github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
+github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w=
+github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
+golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
+golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
+golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
+golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
+golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+modernc.org/libc v1.67.6 h1:eVOQvpModVLKOdT+LvBPjdQqfrZq+pC39BygcT+E7OI=
+modernc.org/libc v1.67.6/go.mod h1:JAhxUVlolfYDErnwiqaLvUqc8nfb2r6S6slAgZOnaiE=
+modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
+modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
+modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
+modernc.org/memory v1.11.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw=
+modernc.org/sqlite v1.46.1 h1:eFJ2ShBLIEnUWlLy12raN0Z1plqmFX9Qe3rjQTKt6sU=
+modernc.org/sqlite v1.46.1/go.mod h1:CzbrU2lSB1DKUusvwGz7rqEKIq+NUd8GWuBBZDs9/nA=

examples/email-otp/main.go

@@ -0,0 +1,71 @@
+package main
+
+import (
+	"database/sql"
+	"encoding/json"
+	"log"
+	"net/http"
+	"os"
+
+	_ "github.com/lib/pq"
+
+	"github.com/thecodearcher/limen"
+	sqladapter "github.com/thecodearcher/limen/adapters/sql"
+	emailotp "github.com/thecodearcher/limen/plugins/email-otp"
+)
+
+func main() {
+	dsn := os.Getenv("DATABASE_URL")
+	if dsn == "" {
+		log.Fatal("set DATABASE_URL")
+	}
+
+	db, err := sql.Open("postgres", dsn)
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer db.Close()
+
+	auth, err := limen.New(&limen.Config{
+		BaseURL:  "http://localhost:8080",
+		Database: sqladapter.NewPostgreSQL(db),
+		Secret:   []byte("0123456789abcdef0123456789abcdef"),
+		HTTP:     limen.NewDefaultHTTPConfig(limen.WithHTTPBasePath("/api/auth")),
+		CLI:      &limen.CLIConfig{Enabled: true},
+		Plugins: []limen.Plugin{
+			emailotp.New(
+				emailotp.WithSendOTP(func(msg emailotp.EmailOTPMessage) {
+					// In production, send via your transactional email
+					// provider. Here we just log so you can copy the OTP
+					// out of the terminal during local testing.
+					log.Printf("email-otp: type=%s email=%s otp=%s", msg.Type, msg.Email, msg.OTP)
+				}),
+			),
+		},
+	})
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	mux := http.NewServeMux()
+	mux.Handle("/api/auth/", auth.Handler())
+
+	mux.HandleFunc("GET /api/profile", func(w http.ResponseWriter, r *http.Request) {
+		session, err := auth.GetSession(r)
+		if err != nil {
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			return
+		}
+		w.Header().Set("Content-Type", "application/json")
+		_ = json.NewEncoder(w).Encode(map[string]any{
+			"user":    session.User,
+			"session": session.Session,
+		})
+	})
+
+	log.Println("email-otp example listening on :8080")
+	log.Println("  POST /api/auth/email-otp/send-otp      {\"email\":\"you@example.com\"}")
+	log.Println("  POST /api/auth/email-otp/sign-in       {\"email\":\"you@example.com\",\"otp\":\"123456\"}")
+	log.Println("  POST /api/auth/email-otp/verify-email  {\"email\":\"you@example.com\",\"otp\":\"123456\"}")
+	log.Fatal(http.ListenAndServe(":8080", mux))
+}

plugins/email-otp/api.go

@@ -0,0 +1,21 @@
+package emailotp
+
+import (
+	"context"
+
+	"github.com/thecodearcher/limen"
+)
+
+// API is the public interface for the email-otp plugin. Obtain a type-safe
+// reference via Use().
+type API interface {
+	SendOTP(ctx context.Context, email string, opts ...*SendOTPOptions) (*EmailOTPMessage, error)
+	SignInWithOTP(ctx context.Context, email, otp string, opts ...*SignInOptions) (*limen.AuthenticationResult, error)
+	VerifyOTP(ctx context.Context, email, otp string) (*limen.AuthenticationResult, error)
+}
+
+// Use returns the email-otp plugin's API from a Limen instance. Panics if the
+// plugin was not registered in Config.Plugins.
+func Use(a *limen.Limen) API {
+	return limen.Use[API](a, limen.PluginEmailOTP)
+}