Update to API spec

Author: tollsimy

src/auth/otp/otp.go

@@ -0,0 +1,23 @@
+package otp
+
+import (
+	"fmt"
+	"math/rand"
+	"time"
+)
+
+const OTP_EXPIRATION_TIME = 15 * time.Minute
+
+func GenerateOTP() (string, time.Time, error) {
+	// Generate a random OTP (6 digits)
+	otp := fmt.Sprintf("%06d", rand.Intn(1000000))
+	exp_date := time.Now().Add(OTP_EXPIRATION_TIME)
+	return otp, exp_date, nil
+}
+
+func ValidateOTP(otp string, expDate time.Time) (bool, error) {
+	if time.Now().After(expDate) {
+		return false, fmt.Errorf("OTP has expired")
+	}
+	return true, nil
+}

src/dao/user.go

@@ -2,18 +2,21 @@ package dao
 
 import (
 	"OPP/auth/api"
+	"OPP/auth/auth/otp"
 	"OPP/auth/db"
 	"context"
 	"errors"
 	"fmt"
 	"strings"
+	"time"
 )
 
 var (
 	ErrUserAlreadyExists = errors.New("user already exists")
 	ErrInvalidUser       = errors.New("invalid user data")
 	ErrUserNotFound      = errors.New("user not found")
 	ErrInvalidPassword   = errors.New("invalid password")
+	ErrOTPNotFound       = errors.New("OTP not found")
 )
 
 type UserDao struct {
@@ -240,3 +243,59 @@ func (d *UserDao) DeleteUserById(c context.Context, id int64) error {
 	}
 	return nil
 }
+
+func (d *UserDao) GenerateOTP(c context.Context, username string) (api.OTPResponse, error) {
+	user, err := d.GetUserByUsername(c, username)
+	if err != nil {
+		return api.OTPResponse{}, fmt.Errorf("failed to get user: %w", err)
+	}
+
+	// Create OTP
+	otpCode, exp_date, err := otp.GenerateOTP()
+	if err != nil {
+		return api.OTPResponse{}, fmt.Errorf("failed to generate OTP: %w", err)
+	}
+	query := "INSERT INTO otps (user_id, otp_code, expires_at) VALUES ($1, $2, $3) RETURNING otp_id"
+	row := d.db.QueryRow(c, query, user.Id, otpCode, exp_date)
+	var otpId int64
+	err = row.Scan(&otpId)
+	if err != nil {
+		if strings.Contains(err.Error(), "UNIQUE constraint failed") {
+			return api.OTPResponse{}, ErrUserAlreadyExists
+		}
+		return api.OTPResponse{}, fmt.Errorf("failed to insert OTP: %w", err)
+	}
+	return api.OTPResponse{
+		Otp:        otpCode,
+		ValidUntil: exp_date,
+	}, nil
+}
+
+func (d *UserDao) ValidateOTP(c context.Context, otpCode string) (bool, error) {
+	// Check for currently valid OTP
+	query := `
+        SELECT otp_id, user_id, expires_at FROM otps 
+        WHERE otp_code = $1 AND expires_at > CURRENT_TIMESTAMP
+        ORDER BY created_at DESC LIMIT 1
+    `
+	var otpID int64
+	var userID int64
+	var expiresAt time.Time
+
+	row := d.db.QueryRow(c, query, otpCode)
+	if err := row.Scan(&otpID, &userID, &expiresAt); err != nil {
+		if strings.Contains(err.Error(), "no rows in result set") {
+			return false, ErrOTPNotFound
+		}
+		return false, fmt.Errorf("failed to validate OTP: %w", err)
+	}
+
+	// Delete already used OTP
+	deleteQuery := "DELETE FROM otps WHERE otp_id = $1"
+	_, err := d.db.Exec(c, deleteQuery, otpID)
+	if err != nil {
+		fmt.Printf("Failed to delete used OTP: %v\n", err)
+	}
+
+	return true, nil
+}

src/db/postgres_schema_v1.sql

@@ -7,4 +7,13 @@ CREATE TABLE IF NOT EXISTS users (
     email TEXT NOT NULL UNIQUE,
     password TEXT NOT NULL,
     role TEXT NOT NULL CHECK (role IN ('driver', 'controller', 'admin', 'superuser'))
+);
+
+-- OTP table
+CREATE TABLE IF NOT EXISTS otps (
+    otp_id SERIAL PRIMARY KEY,
+    user_id INTEGER NOT NULL REFERENCES users(user_id) ON DELETE CASCADE,
+    otp_code TEXT NOT NULL,
+    created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    expires_at TIMESTAMP NOT NULL
 );

src/handlers/session.go

@@ -234,3 +234,45 @@ func (h *SessionHandlers) GetSession(c *gin.Context) {
 	}
 	c.JSON(http.StatusOK, sessionResponse)
 }
+
+func (h *SessionHandlers) GenerateOTP(c *gin.Context) {
+	user, userRole, err := getLoggedUser(c, h.dao)
+	if err != nil || user == nil {
+		return
+	}
+
+	if userRole != api.UserRequestRoleSuperuser && userRole != api.UserRequestRoleAdmin {
+		c.JSON(http.StatusForbidden, gin.H{"error": "Only admins can generate OTP"})
+		return
+	}
+
+	otp, err := h.dao.GenerateOTP(c.Request.Context(), user.Username)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to generate OTP"})
+		return
+	}
+	c.JSON(http.StatusOK, otp)
+}
+
+func (h *SessionHandlers) ValidateOTP(c *gin.Context) {
+	var otpRequest api.OTPValidationRequest
+	if err := c.ShouldBindJSON(&otpRequest); err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "Invalid request body"})
+		return
+	}
+	if otpRequest.Otp == "" {
+		c.JSON(http.StatusBadRequest, gin.H{"error": "OTP code is required"})
+		return
+	}
+
+	valid, err := h.dao.ValidateOTP(c.Request.Context(), otpRequest.Otp)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to validate OTP"})
+		return
+	}
+	if !valid {
+		c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid or expired OTP"})
+		return
+	}
+	c.JSON(http.StatusOK, gin.H{"message": "OTP validated successfully"})
+}