logicspike/docs

Authentication & Team

Workflow: Login with Phone Number (Passwordless)

This document details the flow for logging in with a phone number and a one-time code (OTP) delivered by SMS, with no password involved.


1. The Flow Chart


2. Step-by-Step Logic

Step 1: Request OTP

  • Endpoint: POST /auth/login/phone
  • Body: phone (E.164 format, e.g. +1234567890).
  • Logic:
    1. Clean/validate the phone number (normalize to E.164; reject anything that does not parse).
    2. Rate-limit by phone number and by client IP before doing anything else: an unthrottled endpoint lets an attacker SMS-bomb a victim and run up the SMS bill.
    3. Find user where phone = ?.
    4. If found:
      • Generate a 6-digit OTP from a cryptographically secure RNG (keep leading zeros).
      • Store it in verifications (identifier=phone, type='login') with an expiry of a few minutes and an attempt counter; store a hash of the code rather than the plaintext, and replace any earlier unexpired code for the same identifier and type.
      • Send SMS (via Twilio/SNS; provider TBD).
    5. Return 200 OK whether or not a user was found, so the response does not reveal which numbers are registered.

Step 2: Verify OTP

  • Endpoint: POST /auth/login/phone/verify
  • Body: phone, code.
  • Logic:
    1. Find the verifications row for (identifier=phone, type='login') that is unexpired, unconsumed and below the attempt limit; increment its attempt counter, then compare the submitted code against the stored hash with a constant-time comparison.
    2. If invalid (no row, expired, attempt limit reached, or code mismatch): return the same generic error for all of these cases.
    3. If valid:
      • Mark the code consumed (single use).
      • Get user by phone.
      • Check 2FA: an SMS OTP is a single factor, possession of the phone number. It is not a knowledge factor, so it does not count as "Knowledge" + "Possession".
        • Policy: treat phone OTP as sufficient on its own and skip a further 2FA prompt (e.g. TOTP) unless the account strictly requires it. Note that control of a number can be taken over by SIM swap or carrier port-out, which is why SMS OTP is rated weaker than TOTP or WebAuthn.
      • Issue Access/Refresh Tokens.
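Steps 1 and 2 as working code, added here as an example (not part of the original page or the logicspike project). An in-memory dict stands in for the verifications table, USERS for the users table, and send_sms() for the SMS provider the document leaves TBD; the 5-minute lifetime, 5-attempt limit and 30-second resend cooldown are assumptions, and the opaque random tokens at the end stand in for the real access/refresh token issuance.

```python
"""Phone-OTP login: Step 1 (request a code) and Step 2 (verify it).

Added example, not the project's own code. Storage, user table and SMS
provider are stand-ins; the limits below are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OTP_TTL_SECONDS = 300          # assumption: a code lives 5 minutes
MAX_ATTEMPTS = 5               # assumption: code is dead after 5 wrong guesses
RESEND_COOLDOWN_SECONDS = 30   # assumption: at most one SMS per number per 30 s

# Constructed sample user table: phone -> user id.
USERS: Dict[str, str] = {"+14155550123": "user_1"}


@dataclass
class Verification:
    code_hash: str
    created_at: float
    expires_at: float
    attempts: int = 0
    consumed: bool = False


# Stands in for the `verifications` table, keyed by (identifier, type).
VERIFICATIONS: Dict[Tuple[str, str], Verification] = {}
SENT_SMS: List[Tuple[str, str]] = []   # the SMS stub records what it "sent"


def normalize_phone(phone: str) -> Optional[str]:
    """Clean/validate to E.164: leading '+' plus 8 to 15 digits.

    Separators such as spaces or dashes are dropped; anything else is rejected.
    """
    phone = phone.strip()
    if not phone.startswith("+"):
        return None
    digits = "".join(ch for ch in phone[1:] if ch.isdigit())
    if not 8 <= len(digits) <= 15:
        return None
    return "+" + digits


def _hash_code(phone: str, code: str) -> str:
    # Store a hash, not the code, so a leaked table yields no usable OTPs;
    # the phone number acts as a salt so equal codes hash differently.
    return hashlib.sha256(f"{phone}:{code}".encode()).hexdigest()


def send_sms(phone: str, message: str) -> None:
    SENT_SMS.append((phone, message))   # stub for Twilio/SNS (provider TBD)


def request_otp(phone: str, now: Optional[float] = None) -> dict:
    """POST /auth/login/phone. Answers 200 for any well-formed number."""
    now = time.time() if now is None else now
    p = normalize_phone(phone)
    if p is None:
        return {"status": 400, "error": "phone must be E.164"}
    key = (p, "login")
    prev = VERIFICATIONS.get(key)
    if prev is not None and now - prev.created_at < RESEND_COOLDOWN_SECONDS:
        return {"status": 200}          # throttled, but indistinguishable to the caller
    if p in USERS:
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, leading zeros kept
        VERIFICATIONS[key] = Verification(_hash_code(p, code), now, now + OTP_TTL_SECONDS)
        send_sms(p, f"Your login code is {code}")
    # Same response whether or not the number is registered: no enumeration.
    return {"status": 200}


FAIL = {"status": 401, "error": "invalid or expired code"}


def verify_otp(phone: str, code: str, now: Optional[float] = None) -> dict:
    """POST /auth/login/phone/verify. One generic failure for every bad case."""
    now = time.time() if now is None else now
    p = normalize_phone(phone)
    rec = VERIFICATIONS.get((p, "login")) if p else None
    if rec is None or rec.consumed or now > rec.expires_at or rec.attempts >= MAX_ATTEMPTS:
        return dict(FAIL)
    rec.attempts += 1                   # count before comparing, so the limit holds
    if not hmac.compare_digest(rec.code_hash, _hash_code(p, code)):
        return dict(FAIL)
    rec.consumed = True                 # single use
    # Opaque random tokens stand in for the real access/refresh token issuance.
    return {
        "status": 200,
        "user_id": USERS[p],
        "access_token": secrets.token_urlsafe(32),
        "refresh_token": secrets.token_urlsafe(32),
    }
```

The attempt counter is incremented before the comparison so that a code cannot be brute-forced by guessing until the limit trips; with 10^6 possible codes and 5 attempts, an attacker's chance per issued code is 5 in a million, and the cooldown in request_otp stops them from simply asking for fresh codes to reset the counter.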

3. Registration with Phone

If the phone number is not associated with any user, the flow switches to Registration:

  1. Verify Phone (OTP). On success the server returns a short-lived verification_token bound to the phone number instead of session tokens. Note that Step 1 above only sends a code when a user is found, so the registration path needs its own way of requesting a code; this document does not yet specify it.
  2. POST /register with phone + verification_token. The server checks that the token matches the phone, has not expired and has not been used before creating the account.