Adityakk9031
Description

This PR addresses supabase/supabase#38482.

When a user signs up with a phone number and later tries to add & verify an email with:

await supabase.auth.signInWithOtp({
  email: "[email protected]",
  options: { shouldCreateUser: false }
})

the API currently returns:

signup is not enabled for otp

because the request is mistakenly routed through the OTP signup flow instead of the email change/verification flow.

✅ Changes

Updated internal/api/otp.go (Otp handler) to detect when:

a user is already authenticated, and

shouldCreateUser == false with an email provided
→ Route to email verification / change flow instead of OTP signup.

Added startEmailChangeVerification helper to reuse existing email-change logic.

Added regression test in internal/api/otp_test.go:

TestAttachEmailToPhoneUser ensures attaching an email to a phone-first account now works correctly.

🧪 Test Plan

Run go test ./internal/api -run TestAttachEmailToPhoneUser.

Verified:

Normal OTP email/phone signups still pass.

Email-first users can still add phone.

Phone-first users can now add email without hitting "signup is not enabled for otp".

🔗 Related Issue

Closes supabase/supabase#38482

📚 Notes for Maintainers

No impact on fresh signups.

Only affects the signInWithOtp case when shouldCreateUser=false and a user session already exists.

Restores symmetry between email-first → add phone and phone-first → add email onboarding flows.

📸 Screenshots / Demo

N/A — server-side change. Confirmed via tests.

@Adityakk9031 Adityakk9031 requested a review from a team as a code owner September 7, 2025 21:48
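
The routing decision described in this PR, as an added model for reviewers (not the PR's Go code). The type, function and flow names and the user table are hypothetical and constructed here; only the three conditions and the error string come from the description.

```go
package main

import "fmt"

// Flow names the branch a request ends up in (labels are hypothetical).
type Flow string

const (
	FlowSignIn      Flow = "otp-sign-in"
	FlowSignup      Flow = "otp-signup"
	FlowEmailChange Flow = "email-change-verification"
	FlowRejected    Flow = "signup is not enabled for otp"
)

// OtpRequest models only the request fields the PR description mentions.
type OtpRequest struct {
	Email, Phone     string
	ShouldCreateUser bool
	SessionUserID    string // empty when the caller has no session
}

// known is a constructed user table: identifier -> user ID.
var known = map[string]string{"+15550100": "user-phone-first", "first@example.com": "user-email-first"}

// routeBefore models the reported behaviour: an unknown identifier is
// always treated as a signup attempt, even when a session exists.
func routeBefore(r OtpRequest) Flow {
	id := r.Email
	if id == "" {
		id = r.Phone
	}
	if _, ok := known[id]; ok {
		return FlowSignIn
	}
	if r.ShouldCreateUser {
		return FlowSignup
	}
	return FlowRejected
}

// routeAfter adds the branch the PR describes, checked before the signup path.
func routeAfter(r OtpRequest) Flow {
	if r.SessionUserID != "" && !r.ShouldCreateUser && r.Email != "" {
		return FlowEmailChange
	}
	return routeBefore(r)
}

func main() {
	fmt.Println(routeAfter(OtpRequest{Email: "new@example.com", SessionUserID: "user-phone-first"}))
}
```

The case worth checking in review is the same request without a session: it must still end in the rejection, since the new branch is keyed on an existing session.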
Successfully merging this pull request may close these issues.

If a user signs up with their phone number, verifying an email to add to their account doesn't work.