Skip to content

Implement OTP-based mobile authentication with HttpOnly JWT cookies#10

Open
Aguthcoder wants to merge 1 commit intocodex/add-events-system-and-payment-featuresfrom
codex/implement-real-authentication-system
Open

Implement OTP-based mobile authentication with HttpOnly JWT cookies#10
Aguthcoder wants to merge 1 commit intocodex/add-events-system-and-payment-featuresfrom
codex/implement-real-authentication-system

Conversation

@Aguthcoder
Copy link
Copy Markdown
Owner

@Aguthcoder Aguthcoder commented Feb 12, 2026

Motivation

  • Replace the fake email/password flow with a secure, MVP-friendly mobile OTP login to support Persian (fa-IR) users and later Telegram group flows.
  • Use short-lived JWT access tokens and long-lived refresh tokens stored as HttpOnly cookies to prevent client-side token leaks and avoid localStorage auth.
  • Provide a clear, copy-paste guide and DTOs so the Next.js frontend can integrate with minimal friction (RTL / Persian UX).

Description

  • Added OTP persistence entity OtpCodeEntity (otp_codes) with otp_hash, expires_at, consumed_at, attempts, and created_at to store only hashed OTPs.
  • Reworked authentication endpoints to OTP flow: POST /api/auth/request-otp, POST /api/auth/verify-otp, and POST /api/auth/logout, with request/verify DTOs (RequestOtpDto, VerifyOtpDto) validating fa-IR mobile and 6-digit OTP.
  • Implemented AuthService logic to normalize Iranian mobile numbers, throttle requests (60s), generate 6-digit OTPs, HMAC-SHA256 hash OTPs with OTP_SECRET, enforce expiry (2 minutes) and attempt limits (max 5), auto-create UserEntity by mobile_number, and issue JWT accessToken/refreshToken.
  • Changed cookie strategy to set HttpOnly cookies for accessToken (path /, TTL 15m) and refreshToken (path /api/auth, TTL 30d), and updated JWT guard to read accessToken from cookies instead of Authorization header.
  • Updated UserEntity to add nullable mobileNumber and preserved existing fields; registered OtpCodeEntity in AuthModule; added documentation backend/docs/otp-auth-mvp.md with schema, API examples, Next.js middleware sample, and frontend usage (with Persian UX notes).

Testing

  • Attempted an automated backend build with cd backend && npm run build, but the build failed in this environment because the nest binary was not available.
  • Dependency installation was attempted in-session (npm install / npm ci) but could not produce a working build in this restricted environment, so unit/e2e tests were not executed.
  • Static validation: TypeScript files and DTOs were added and compiled locally not executed; manual code inspection and logging (server-side OTP log) are present to validate OTP generation in an MVP environment.

Codex Task

@vercel
Copy link
Copy Markdown

vercel bot commented Feb 12, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
ravi-platformm Error Error Feb 12, 2026 4:06pm
ravi-platformm-n5vj Error Error Feb 12, 2026 4:06pm
ravi-platformm-wcx8 Error Error Feb 12, 2026 4:06pm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

codex

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Aguthcoder