mirror of
https://github.com/TronoSfera/Law.git
synced 2026-05-18 18:13:46 +03:00
27 lines
1 KiB
Markdown
27 lines
1 KiB
Markdown
# OTP Service Context
|
|
|
|
## Purpose
|
|
Secure public access for:
|
|
- Creating request (phone confirmation is mandatory)
|
|
- Viewing request status/chat/files by `track_number`
|
|
|
|
## Flow
|
|
1. Send OTP (`CREATE_REQUEST` / `VIEW_REQUEST`)
|
|
2. Store hashed code
|
|
3. Expire in 10 minutes
|
|
4. Max attempts limit
|
|
5. On verify -> issue public JWT cookie (7 days, same device)
|
|
6. If valid JWT exists on device, do not resend OTP until cookie expiration
|
|
|
|
## Current Dev Mode
|
|
- OTP code is printed to backend console log (`[OTP MOCK] ... code=XXXXXX`)
|
|
- SMS provider call is mocked (`sms_response.provider = mock_sms`)
|
|
- `CREATE_REQUEST` verification issues cookie with `purpose=CREATE_REQUEST` and `sub=<phone>`
|
|
- Request creation endpoint requires that cookie and then switches cookie to `purpose=VIEW_REQUEST`, `sub=<track_number>`
|
|
- `VIEW_REQUEST` verification issues cookie with `purpose=VIEW_REQUEST` and `sub=<track_number>`
|
|
|
|
## Anti-abuse
|
|
- Rate limit (Redis)
|
|
- Cooldown between sends
|
|
- Lock after N failed attempts
|
|
- Throttling by phone + track number + IP
|