Ramadhan Sjamsani
6fd98ca99c
- Test-OTP bypass allowlist for Apple reviewers / QA: phone-scoped static OTPs
managed in CC (Settings → Test OTP Bypass), bcrypt-hashed on save, kill-switch
toggle, per-entry expires_at. New `otp_requests` columns (is_bypass, code_hash)
+ DB CHECK enforcing bypass-row shape.
- Hash-at-rest for stub OTPs: replaced plaintext `<ref>:<code>` storage with
bcrypt(code_hash); reference goes to fazpass_reference alone. Verify routes on
sovereign is_bypass flag, defers code_hash-NULL rows to Fazpass.
- Fazpass integration (gated by FAZPASS_ENABLED env, default off): new
fazpass.service.js calling /v1/otp/{request,verify}; distinct errors for wrong
OTP (CODE_MISMATCH 401) vs provider outage (OTP_PROVIDER_FAILED 502).
- Removed redundant Free Trial CC section (was a back-compat shim for the same
pricing_promotions row as "Diskon Sesi Pertama") + unused alias in
pricing.service.js.
208 tests green (34 new for OTP + Fazpass). Fazpass API + dashboard PDFs added
at project root for reference (docs are auth-gated).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
84 lines
2.7 KiB
JavaScript
84 lines
2.7 KiB
JavaScript
import { authenticate } from '../../plugins/auth.js'
|
|
import { getMitraById } from '../../services/mitra.service.js'
|
|
import { completeMitraPhoneSignIn } from '../../services/auth.service.js'
|
|
import { requestOtp, verifyOtp } from '../../services/otp.service.js'
|
|
import { UserType } from '../../constants.js'
|
|
|
|
const extractDeviceInfo = (request) => ({
|
|
user_agent: request.headers['user-agent'] || null,
|
|
ip: request.ip || null,
|
|
})
|
|
|
|
const sendAuthError = (reply, err) => {
|
|
if (!err.statusCode) reply.request.log.error({ err }, 'Unhandled auth error')
|
|
return reply.code(err.statusCode || 500).send({
|
|
success: false,
|
|
error: {
|
|
code: err.code || 'INTERNAL',
|
|
message: err.message,
|
|
...(err.details && { details: err.details }),
|
|
},
|
|
})
|
|
}
|
|
|
|
export const mitraAuthRoutes = async (app) => {
|
|
app.post('/otp/request', async (request, reply) => {
|
|
const { phone, channel } = request.body || {}
|
|
try {
|
|
const result = await requestOtp({
|
|
phone,
|
|
userType: UserType.MITRA,
|
|
ipAddress: request.ip,
|
|
channel,
|
|
logger: request.log,
|
|
})
|
|
return reply.send({ success: true, data: result })
|
|
} catch (err) {
|
|
return sendAuthError(reply, err)
|
|
}
|
|
})
|
|
|
|
app.post('/otp/verify', async (request, reply) => {
|
|
const { otp_request_id, code } = request.body || {}
|
|
try {
|
|
const { phone, user_type } = await verifyOtp({ otpRequestId: otp_request_id, code, logger: request.log })
|
|
if (user_type !== UserType.MITRA) {
|
|
return reply.code(400).send({
|
|
success: false,
|
|
error: { code: 'WRONG_FLOW', message: 'This OTP was issued for a different user type' },
|
|
})
|
|
}
|
|
const { tokens, profile } = await completeMitraPhoneSignIn({
|
|
phone,
|
|
deviceInfo: extractDeviceInfo(request),
|
|
})
|
|
if (!profile.is_active) {
|
|
return reply.code(403).send({
|
|
success: false,
|
|
error: { code: 'ACCOUNT_INACTIVE', message: 'Account is inactive. Contact your administrator.' },
|
|
})
|
|
}
|
|
return reply.send({ success: true, data: { ...tokens, profile } })
|
|
} catch (err) {
|
|
return sendAuthError(reply, err)
|
|
}
|
|
})
|
|
|
|
app.get('/me', { preHandler: authenticate }, async (request, reply) => {
|
|
if (request.auth.userType !== UserType.MITRA) {
|
|
return reply.code(403).send({
|
|
success: false,
|
|
error: { code: 'FORBIDDEN', message: 'Mitra account required' },
|
|
})
|
|
}
|
|
const mitra = await getMitraById(request.auth.userId)
|
|
if (!mitra) {
|
|
return reply.code(404).send({
|
|
success: false,
|
|
error: { code: 'NOT_FOUND', message: 'Mitra account not found' },
|
|
})
|
|
}
|
|
return reply.send({ success: true, data: mitra })
|
|
})
|
|
}
|