You sometimes send HTTP 200 OK when validation fails for the passwordless recipe #435

@raoulmillais

Description

This should always be HTTP 400 as per the HTTP spec - the response is definitely not OK - we POSTed but the server could not process the request because the input was invalid. 200 OK implies that the link was sent.

There is a SendNon200ResponseWithMessage in utils.go which appears to only be used by the default supertokens.errorHandler - which sends an HTTP 400 when called with a BadInputError. This is already being used in "passwordless" for a missing preAuthSessionId, when a user supplies both an email and a phone, as well as a few other invalid cases.

This probably needs a fix in the client libraries and other backend SDKs, sadly. I'm filing this because I am writing my own simple pure JavaScript client, because I am using HTMX and not a SPA framework.
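As an added illustration (example code, not SuperTokens' own), the behaviour the issue asks for: the send-code handler rejects invalid input with HTTP 400 plus a JSON message and answers 200 only when the request could actually be processed, so a plain fetch() client can rely on response.ok. The route, the request field names and the helper name are assumptions.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"strings"
)

// codeRequest is a passwordless "send code" body (field names assumed);
// exactly one of email or phoneNumber must be supplied.
type codeRequest struct {
	Email       string `json:"email"`
	PhoneNumber string `json:"phoneNumber"`
}

// sendNon200Response writes a JSON message under a non-2xx status so the
// client can detect failure from the status line alone.
func sendNon200Response(w http.ResponseWriter, code int, msg string) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(code)
	json.NewEncoder(w).Encode(map[string]string{"message": msg})
}

// codeHandler answers 400 for bad input and 200 only when the request could
// actually be processed (the code dispatch itself is stubbed out).
func codeHandler(w http.ResponseWriter, r *http.Request) {
	var req codeRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		sendNon200Response(w, http.StatusBadRequest, "Invalid JSON body")
		return
	}
	if (req.Email == "") == (req.PhoneNumber == "") {
		sendNon200Response(w, http.StatusBadRequest, "Please provide exactly one of email or phoneNumber")
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]string{"status": "OK"})
}

// postCode runs the handler in-process and returns the HTTP status a browser
// client checking response.ok would observe.
func postCode(body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/auth/signinup/code", strings.NewReader(body))
	codeHandler(rec, req)
	return rec.Code
}
```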
