From 70bab6b9162aeb9276fb74571038000387085142 Mon Sep 17 00:00:00 2001
From: "soroush.asadi"
Date: Thu, 4 Jun 2026 17:39:03 +0330
Subject: [PATCH] [TEMP] Remove master OTP backdoor (956423)

Admin access is restored, so drop the temporary always-accepted login code.

Co-Authored-By: Claude Opus 4.8
---
 src/JobsMedical.Web/Services/OtpService.cs | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/src/JobsMedical.Web/Services/OtpService.cs b/src/JobsMedical.Web/Services/OtpService.cs
index a209deb..f90bacb 100644
--- a/src/JobsMedical.Web/Services/OtpService.cs
+++ b/src/JobsMedical.Web/Services/OtpService.cs
@@ -41,15 +41,8 @@ public class OtpService
 return code; // dev: surface it on screen
 }
 
- // ⚠️ TEMPORARY master code — lets us log in while SMS (Kavenegar) is misconfigured.
- // REMOVE this and the check below once the gateway/key is fixed.
- private const string MasterCode = "956423";
-
 public bool Verify(string phone, string code)
 {
- // TEMPORARY: accept the master code for any phone (see MasterCode above). Remove later.
- if (code?.Trim() == MasterCode) return true;
-
 if (_cache.TryGetValue(Key(phone), out string? stored) && stored == code?.Trim())
 {
 _cache.Remove(Key(phone));