Email Verification (OTP) for Booknetic

Add 6-digit OTP email verification to Booknetic and block booking progress until the customer verifies their email.

Email Verification for Booknetic adds a one-time password flow to the Booking Information step.

What this addon includes:

• OTP verification with a 6-digit numeric code.

• OTP expiration set to 10 minutes.

• “Send Verification Code”, “Verify”, “Resend Code”, and “Change Email” flow inside booking form.

• Automatic blocking of next step until verification is completed.

• Auto-submit when 6 digits are entered.

• Session-aware verification state during booking.

• Success state UI after verification.

• Resend timer UI in mm:ss.

Verification modes:

• Normal mode: once an email is approved, it stays approved for future bookings.

• Every booking session mode: customer must verify again on each new session, even for autofill/existing customer scenarios.

Rate limiting and protection:

• Per-email resend cooldown (UI options: 60 / 120 / 180 seconds).

• Backend minimum cooldown enforcement: 15 seconds.

• Start verification IP limit: 10 requests per 5 minutes.

• Verify attempt limits: 5 failed attempts per email, 20 failed attempts per IP.

• Lockout duration after too many failed attempts: 15 minutes.

• Email/IP tracking keys are stored as SHA-256 hashes.

Email delivery:

• Uses Booknetic mail configuration.

• Supports SMTP, Gmail SMTP, and wp_mail fallback.

• Uses configured sender email/name and reply-to.

• Falls back to WordPress admin_email and blogname if sender fields are empty.

Email template system:

• Custom email subject.

• Template placeholders: {otp_code}, {site_url}.

• Visual editor and code editor.

• Built-in template presets: Default, Modern, Minimal, Professional, Colorful.

• Rich text controls: bold, italic, underline, alignment, lists, font size, text color.

• One-click “Send Test” email from settings.

SaaS behavior:

• Tenant capability registration for email verification.

• SaaS admin can control global enable/disable.

• Tenant-level settings supported (when capability is allowed).

Logging and localization:

• Logs send attempts and verification success to WorkflowLog.

• Translation-ready .pot language file included.

Changelog

2.0.0 — 2026-03-01

Refactored

• Refactored OTP email templates.

• Simplified frontend/backend template and layout structure.

• Removed {customer_name} shortcode from templates.

Improved

• Stabilized template rendering to reduce email-client layout issues (more compatible HTML structure).

• Updated the backend JS for template selection/creation.

• Improved SMTP and Gmail SMTP integrations.

• Strengthened gateway fallback logic.

• Added wp_mail() fallback to ensure email delivery when needed.

• Simplified the “Verify your email” UI.

• Fixed OTP field + verify button alignment.

• Reverted problematic parts introduced after theme-color changes while keeping theme color compatibility.

Changed

• Restricted SaaS admin settings to global enable/disable only.

• Moved tenant-specific settings to be stored/managed on the tenant side.

• Disabled the “Send test email” action for SaaS admins.

Added

• Added booknetic-email-verification.pot and completed string coverage.

• Added server-side security protections:

  • OTP request rate limiting

  • Verify lockout after incorrect code attempts