
Example №2

Task        | Deadline
[Jira Task] | [10/12/24]

Problem

We do not currently require phone-number verification to complete authentication. This leaves the application exposed to unwanted spam and lets unverified users gain access.

Solution

Integrate an OTP service provider to verify users' phone numbers and protect the application from unnecessary spam.

Acceptance Criteria

  • Users can verify their phone number via an OTP request.
  • Users do not have access to other endpoints until they have verified their phone.

Introduction

To set up the OTP verification server we will use the EngageLab OTP provider.

To test this we will need to log in to their console and follow their steps. Additionally we will need to create templates for the OTP provider itself.

According to the documentation, the required requests for OTP verification are the following:

  • Send OTP request:

curl -X POST https://otp.api.engagelab.cc/v1/messages \
-H 'Authorization: Basic Y3Q4ZzVma2FvOWhjbmRpYXM3czA6bW1uZnRwYjNiZnZ3Nnk2bThpYmFyOXd5' \
-H 'Content-Type: application/json' \
-d '{
    "to": "4479123123",
    "template": {
        "id": "end_consumers",
        "language": "default"
    }
}'

  • Verify OTP request:

curl -X POST https://otp.api.engagelab.cc/v1/verifications \
-H 'Authorization: Basic Y3Q4ZzVma2FvOWhjbmRpYXM3czA6bW1uZnRwYjNiZnZ3Nnk2bThpYmFyOXd5' \
-H 'Content-Type: application/json' \
-d '{
    "message_id": "123123123123",
    "verify_code": "175727"
}'

Important: Since we do not want to expose the technical implementation and usage of the external API service, we will create our own endpoints /request-otp/ and /verify-otp/. Details can be found below in the Implementation part.

Schema of sending the OTP request will be the following

TODO

Schema of verifying the OTP request will be the following

TODO
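As an added example (not the task's or EngageLab's own code): a server-side OtpService that backs our /request-otp/ and /verify-otp/ endpoints and wraps the two provider calls above, so the client never sees the provider's credentials or message_id and is gated from other endpoints until verification succeeds. The reply fields message_id and "status": "verified", the dev_key/dev_secret Basic-auth pair and the lockout after five wrong codes are assumptions; the HTTP transport is injectable so the flow can be exercised offline.

```python
import base64, json, urllib.request
from typing import Dict, Set

ENGAGELAB_BASE = "https://otp.api.engagelab.cc/v1"  # from the curl examples above
MAX_ATTEMPTS = 5  # lock a pending code after repeated wrong guesses


def http_post_json(url: str, headers: dict, body: dict) -> dict:
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


class OtpService:
    # Backs our own /request-otp/ and /verify-otp/; the provider stays hidden.
    def __init__(self, dev_key: str, dev_secret: str, post=http_post_json):
        token = base64.b64encode(f"{dev_key}:{dev_secret}".encode()).decode()
        self._headers = {"Authorization": "Basic " + token,
                         "Content-Type": "application/json"}
        self._post = post  # injectable so the logic can be exercised offline
        self._pending: Dict[str, dict] = {}  # user_id -> {"message_id", "attempts"}
        self.verified: Set[str] = set()       # user_ids whose phone is confirmed

    def request_otp(self, user_id: str, phone: str) -> dict:
        # Assumption: the send reply carries the provider "message_id".
        resp = self._post(f"{ENGAGELAB_BASE}/messages", self._headers,
                          {"to": phone, "template": {"id": "end_consumers",
                                                     "language": "default"}})
        self._pending[user_id] = {"message_id": resp["message_id"], "attempts": 0}
        return {"status": "sent"}  # no provider identifiers reach the client

    def verify_otp(self, user_id: str, code: str) -> dict:
        pending = self._pending.get(user_id)
        bad_code = not (code.isdigit() and len(code) == 6)  # don't waste a call on junk
        if pending is None or pending["attempts"] >= MAX_ATTEMPTS or bad_code:
            return {"status": "rejected"}  # nothing pending, locked out, or malformed
        pending["attempts"] += 1
        # Assumption: the verify reply reports "status": "verified" on success.
        resp = self._post(f"{ENGAGELAB_BASE}/verifications", self._headers,
                          {"message_id": pending["message_id"], "verify_code": code})
        if resp.get("status") != "verified":
            return {"status": "rejected"}
        del self._pending[user_id]
        self.verified.add(user_id)
        return {"status": "verified"}

    def require_verified(self, user_id: str) -> None:
        # Gate for every other endpoint until the phone is verified.
        if user_id not in self.verified:
            raise PermissionError("phone not verified")
```

The same rejection reply is returned for a missing pending code, a locked-out user and a wrong code, so the client learns nothing about which case it hit.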

Database Changes

Column Name | Column Type  | Nullable | Default
id          | UUID         | No       | Generated UUID
name        | VARCHAR(180) | No       | -
email       | VARCHAR(180) | No       | -
password    | VARCHAR(180) | No       | -
status      | ENUM         | No       | active/inactive
last_login  | TIMESTAMP    | Yes      | -
created_at  | TIMESTAMP    | No       | CURRENT_TIMESTAMP

Note: Ensure each new table is added as a separate migration file following the format {date}-{change} (e.g., 2024-19-07-create_student_table).


Endpoints

Define all endpoints related to the issue, along with descriptions, methods, expected payloads, and responses. Separate endpoints based on functionality (e.g., student vs. teacher authentication) for clarity and maintainability.

Example: Authentication Endpoints

Students
Method | Endpoint                           | Description                        | Payload
POST   | /v1/auth/student/register          | Register a new student             | { "name": "string", "email": "string", "password": "string" }
POST   | /v1/auth/student/login             | Authenticate a student             | { "email": "string", "password": "string" }
POST   | /v1/auth/student/logout            | Log out a student                  | { "token": "string" }
POST   | /v1/auth/student/reset-password    | Request password reset for student | { "email": "string" }

Implementation

  1. Password Hashing: Use bcrypt for password hashing to ensure security.
  2. Token Management:
     • Use JWT (JSON Web Tokens) for access and refresh tokens.
     • Store refresh tokens securely in the database.
  3. Route Protection: Use decorators to enforce authentication and role-based access control, e.g., @auth and @roles.

from functools import wraps
from typing import List

from fastapi import HTTPException  # the 403 raised below assumes a FastAPI app


def roles(required_roles: List[str]):
    """Allow the wrapped route only for users whose role is in required_roles."""
    def decorator(func):
        @wraps(func)  # keep the route's name and docs for the framework
        def wrapper(*args, **kwargs):
            user = get_current_user()  # the app's own helper that resolves the caller
            if user.role not in required_roles:
                raise HTTPException(status_code=403, detail="Operation not permitted")
            return func(*args, **kwargs)
        return wrapper
    return decorator

  4. Service Implementation: Suggested services:
     • StudentService: For student operations.
     • AuthService: For handling JWT generation, validation, and token management.
     • TokenService: For managing refresh tokens.

Tests

Unit Tests: List unit tests needed for each endpoint, detailing what each test should validate.

Example: test_student_auth.py

Name                        | Purpose
test_student_register       | Tests registration endpoint with valid inputs
test_student_login          | Validates successful login and JWT generation
test_student_reset_password | Confirms password reset flow

Integration Tests: Outline end-to-end flows, such as registration and login, for both student and teacher.

Example: test_auth_flow.py

Name                          | Purpose
integration_student_auth_flow | E2E flow for student registration and login
integration_teacher_auth_flow | E2E flow for teacher registration and login

Implementation Checklist

  • Review task dependencies and confirm any blockers are resolved.
  • Follow database schema guidelines and complete migrations.
  • Ensure all authentication flows are implemented correctly for students and teachers.
  • Implement password hashing and JWT management.
  • Write unit, integration, and security tests to validate functionality and security.
  • Confirm routes are protected with decorators.
  • Add documentation for each endpoint and update API documentation.