feat(identity): sms login implementation#2
Draft
agniev-a-hub wants to merge 2 commits into
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Changes
New files:
stdout)
(anti-enumeration, 60s cooldown, SHA-256 hashed code, 5-min TTL) + verify (5-attempt cancellation,
TOTP bypass, direct session insert, RG block check)
scenarios
Modified files:
smsOtpSession table + migration generated
PhoneLoginVerifyInputSchema added; UserSchema extended with phone fields; 3 new domain events
MockSmsAdapter as default
event when max attempts exhausted)
attemptsRemaining in failed-login event
Acceptance criteria
[ ] - Player can select "Log in with phone number" as an alternative on the login page
[ ] - Player enters their registered phone number and receives an SMS OTP
[ ] - OTP is valid for 5 minutes and single-use
[ ] - Valid OTP creates a session identical to email login
[ ] - Invalid/expired OTP shows an error - player can resend after 60 seconds
[ ] - Previous OTP is invalidated when a new one is requested
[ ] - After 5 failed OTP attempts, login attempt is cancelled and player is returned to login page
[ ] - Login method (phone) is recorded in the audit log
[ ] - "Remember me" option available same as email login
Phone number must be verified on the account before this method is available
TOTP 2FA is not applied on top of phone login
Checklist
pnpm verifyis green (typecheck + lint + boundaries + module-shape + tests)pnpm verify:driftis green (catalog / OpenAPI not stale) - runpnpm regenif not/schemasubpath (no direct module imports)tenantIdand are RLS-covered (pnpm regenrunsgen:rls)