Phase 3.4: structured rate-limit retry-after + auth error logging

OtpError now carries an optional details object; rate-limit branches in checkRateLimits compute retry_after_seconds (cooldown delta for OTP_COOLDOWN, window-roll-out delta for OTP_RATE_LIMIT_PHONE / OTP_RATE_LIMIT_IP) so the client can disable Kirim OTP / Kirim ulang CTAs with a real countdown. All four sendAuthError helpers (client, mitra, shared, internal) now surface err.details and log unhandled (no statusCode) errors at level 50. New GET /api/shared/config/otp returns the resend cooldown so the OTP screen can gate the resend countdown without hardcoding. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 13:43:56 +08:00
parent 6de541848c
commit fa7071def5
6 changed files with 86 additions and 21 deletions
--- a/backend/src/routes/public/client.auth.routes.js
+++ b/backend/src/routes/public/client.auth.routes.js
@@ -13,10 +13,17 @@ const extractDeviceInfo = (request) => ({
  ip: request.ip || null,
 })

-const sendAuthError = (reply, err) => reply.code(err.statusCode || 500).send({
-  success: false,
-  error: { code: err.code || 'INTERNAL', message: err.message },
-})
+const sendAuthError = (reply, err) => {
+  if (!err.statusCode) reply.request.log.error({ err }, 'Unhandled auth error')
+  return reply.code(err.statusCode || 500).send({
+    success: false,
+    error: {
+      code: err.code || 'INTERNAL',
+      message: err.message,
+      ...(err.details && { details: err.details }),
+    },
+  })
+}

 export const clientAuthRoutes = async (app) => {
  // --- Phone OTP ---